
Have you replaced IAM Users with AWS SSO yet?

Andreas Wittig – 02 Oct 2020

The most secure option to isolate workloads from each other is to use multiple AWS accounts. Many organizations use different AWS accounts for testing and production, for example. The more AWS accounts you use, the more complicated it gets to manage users and grant them access.

AWS SSO integrates with AWS Organizations

Formerly, using IAM roles for cross-account access was a popular pattern. How did that work in practice? Often, everything started with an AWS account that contained nothing but the IAM users and groups, allowing engineers to authenticate. Besides that, account administrators added IAM roles for cross-account access to every AWS account.

When an engineer wanted to access AWS account B, she needed to authenticate with her IAM user at AWS account A first. In a second step, she could assume the IAM role in AWS account B. Using temporary security credentials, she could act under the IAM role to access or modify resources in AWS account B.

Accessing AWS accounts with IAM users and roles

That’s a cumbersome approach because you need to deploy and manage many policies and roles across your AWS accounts. Also, the user experience for anyone who wants to access resources in an AWS account was far from simple.

AWS introduced AWS Single Sign-On (SSO) in December 2017. In the beginning, an Active Directory was a requirement to be able to use the service. But AWS SSO made astonishing progress within the last few years. Nowadays, AWS SSO is an excellent alternative to using IAM users and groups for managing access to AWS accounts for your engineers.

AWS provides three options to manage users and groups:

  1. Built-in user store.
  2. SAML to integrate with third-party identity providers (e.g., Google).
  3. Connect with Active Directory (requires AWS Directory Service).

The first two options are very lightweight and work well for SMBs. Next, I’ll demonstrate why you should replace your IAM users with AWS SSO.


Minimize Overhead: AWS Organizations

Managing tens or hundreds of AWS accounts is a challenge. AWS Organizations simplifies governing AWS accounts, and not only for big enterprise customers. You can think of AWS Organizations as a layer on top of AWS accounts.

There are some pitfalls when introducing AWS Organizations as well. I’ve summarized my thoughts on that in a former blog post: AWS Account Structure: Think twice before using AWS Organizations.

AWS SSO integrates with AWS Organizations. By doing so, AWS SSO provisions IAM roles and identity providers within all your AWS accounts with the click of a button. No need to roll out IAM roles manually anymore.

AWS SSO integrates with AWS Organizations

That’s a significant benefit compared to managing IAM users and roles yourself.

Improve User Experience: Login Portal

On top of that, AWS SSO comes with a login portal. First of all, the user needs to authenticate. Afterward, the login portal shows a list of all AWS accounts and permission sets (a.k.a. roles) that the user has access to.

Login Portal showing a list of AWS accounts

From there, a user jumps into one of the AWS accounts directly. It gets even better. The AWS CLI works with AWS SSO as well.
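To show how the CLI side looks in practice, here is a minimal `~/.aws/config` with two AWS SSO profiles, added as an illustration and not taken from the original post. The start URL, account IDs and permission set names are placeholders; each profile maps to one account plus one permission set, exactly as the login portal lists them.

```ini
# ~/.aws/config (added example; all values below are placeholders)
# One profile per AWS account + permission set an engineer may use.

[profile prod-readonly]
# Portal URL of your AWS SSO instance (placeholder)
sso_start_url = https://d-EXAMPLE.awsapps.com/start
# Region in which AWS SSO is enabled
sso_region = eu-west-1
# Account ID and permission set name as shown in the login portal (placeholders)
sso_account_id = 111111111111
sso_role_name = ReadOnlyAccess
# Default region and output format for CLI calls made with this profile
region = eu-west-1
output = json

[profile dev-admin]
sso_start_url = https://d-EXAMPLE.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = eu-west-1
output = json
```

Run `aws sso login --profile prod-readonly` once to authenticate through the browser; afterwards `aws sts get-caller-identity --profile prod-readonly` shows the temporary session, and no long-lived access key ever needs to be stored on the engineer's machine.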

Want to learn more about AWS SSO? Andreas shows how to use AWS SSO for SMBs in the following video.

Are you using IAM users to authenticate and jump into other AWS accounts by using IAM roles? Give AWS SSO a try. It is easy to manage for administrators and easy to use for engineers. And the best part comes last: AWS SSO is free of charge.
