Like many customers, you may be running resources on multiple cloud providers, such as Azure and AWS.
You can now use Azure AD (together with the additional AAD capabilities such as conditional access and/or MFA) for authentication when accessing the AWS console.
With this integration you will also be able to provision AWS roles into your Azure AD.
The high-level steps to implement AWS SSO with Azure AD are:
- Register an Azure AD Enterprise application
- Implement SSO
- Enable provisioning
To register the Azure AD application, log on to your Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) and access the Azure AD blade.
Then access the Enterprise applications blade.
Then click on New application, select Amazon Web Services (AWS) and click on Create to provision the Azure AD AWS application.
Then access the Single Sign On blade to configure SSO.
Select the SAML SSO option.
The SAML SSO has already been preconfigured; you can click on Save Single Sign On settings now if you want, or choose to do it later.
Download the SAML metadata (Federation Metadata XML) from the SAML Signing Certificate section.
Then log on to your AWS console (https://console.aws.amazon.com/) and access the IAM configuration blade.
Access the Identity Provider section to create a new provider.
Select SAML as the provider type and name your provider (spaces are not allowed), let's say AzureAD, and upload the Federation Metadata file you downloaded earlier.
Then go to the Roles section to create a new role for the Identity Provider you just created.
Select SAML 2.0 as the type of trusted entity, select the provider you created earlier and enable the Allow programmatic and AWS Management Console access option.
During the next step you can set the permission policies as per your requirements.
Then you can set tags and finally complete the creation of the role by naming it.
Now, access the Policies section to create a new policy to fetch all roles from your AWS accounts.
When creating the new policy, select JSON, copy the code below and complete the creation of the policy.
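The role created in the steps above is only safe if its trust policy stays bound to the AzureAD provider and to SAML assertions addressed to the AWS sign-in endpoint. The following is an added example, not code from the original post: it builds that trust policy and audits an existing one for the settings that matter. The account id is a constructed placeholder; the provider name is the one used in the post.

```python
import json

ACCOUNT_ID = "123456789012"      # constructed placeholder, replace with your AWS account id
PROVIDER_NAME = "AzureAD"        # the identity provider name chosen in the post
# Audience AWS puts in console SAML sign-in requests; the role must only accept it.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}


def saml_trust_policy(account_id, provider_name):
    """Trust policy for a role that only the named SAML provider may assume,
    and only with assertions whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def audit_trust_policy(policy):
    """Return findings for Allow statements broader than this setup needs:
    a non-specific principal, extra STS actions, or a missing aud condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if not isinstance(federated, str) or not federated.startswith("arn:aws:iam::"):
            findings.append(f"statement {i}: principal is not a specific SAML provider ARN")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a not in ALLOWED_ACTIONS for a in actions):
            findings.append(f"statement {i}: allows actions beyond sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or not the AWS sign-in endpoint")
    return findings


def render(policy):
    """JSON text in the form the IAM console's policy editor accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(saml_trust_policy(ACCOUNT_ID, PROVIDER_NAME)))
```

Paste a role's existing trust policy (IAM console, Trust relationships tab) into audit_trust_policy to confirm it still matches what the SAML 2.0 trusted-entity step generated.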
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Then access the Users blade to create the user account that will be used for provisioning.
When creating the user account, select Programmatic access.
Assign the permission policy you have just created and complete the user creation process.
Once the user is created, copy the values of the Access key ID and Secret access key so you can save them in the provisioning section of the Azure AD application.
Go back to your AWS Azure AD application and access the Provisioning blade.
Select Automatic provisioning and paste the access key ID and secret access key from your AWS user.
You are good to go.