Lab complete!
Now that you have completed this lab, make sure to update your Well-Architected review if you have implemented these changes in your workload.
Click here to access the Well-Architected Tool
You will create an AWS Organization, and join two or more accounts to the management account. An organization will allow you to centrally manage multiple AWS accounts efficiently and consistently. It is recommended to have a management account that is used for security and administration, with access provided for limited billing tasks. A dedicated member account will be created for the Cost Optimization team or function, and another (or multiple) member account/s created to contain workload resources.
You will need organizations:CreateOrganization access, and 2 or more AWS accounts. When you join a member account to a management account, the management account will contain all billing information for that member account. Member accounts will no longer have any billing information, including historical billing information. Ensure you back up or export any reports or data before joining accounts to a management account.
You will create an AWS Organization with the management account.
Log in to the AWS console as an IAM user with the required permissions, start typing SSO into the Find Services box and click on AWS Single Sign-On:
Click Enable AWS SSO:
Select Groups:
Click Create group:
Enter a Group name of Cost_Optimization and a description, click Create:
Click Users:
Click Add user:
Enter the following details:
Select the Cost_Optimization group and click Add user:
The user will receive an email, with a link to Accept invitation, the Portal URL and their Username:
When the user goes to the portal, they will enter a Password and click Update user:
The user will then click Continue:
Users will not have permissions until you complete the rest of this step.
Click on AWS accounts, select Permission sets, and click Create permission set:
Select Create a custom permission set, enter a name of management_CostOptimization, enter a Description, set the Session duration, select Create a custom permissions policy. Use the policy below as a starting point, modify it to your requirements and paste it in the policy field, click Create.
You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.
Click Create permission set
Select Create a custom permission set, enter a name of Member_CostOptimization, enter a Description, set the Session duration, select Create a custom permissions policy. Use the policy below as a starting point, modify it to your requirements, replace (management CUR bucket) and (Cost Optimization Member Account ID) and paste it in the policy field, click Create.
You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.
Click AWS organization, select the management account, click Assign users:
Select Groups, select the Cost_Optimization group, click Next: Permission sets:
Select the management_CostOptimization Permission set, click Finish:
Click Proceed to AWS accounts:
Set up the Cost Optimization member account: select the Member account, click Assign users:
Select Groups, select the Cost_Optimization group, click Next: Permission sets:
Select the Member_CostOptimization Permission set, click Finish
Click Proceed to AWS accounts
You have now set up your Cost Optimization users, group and their permissions.