AWS Single Sign-On (SSO) is integrated with AWS Organizations to give quick and easy access to cross-account IAM roles, so you can manage all of your AWS accounts from one place. This simplifies cross-account management and relieves password fatigue for users. However, this functionality hasn’t been extended from commercial accounts to GovCloud accounts. GovCloud will allow you to assume a role with SAML, so with a little heavy lifting on the admin side, you can add GovCloud cross-account access from your commercial AWS SSO account.
My last post discussed how to add MFA to SSO and assumed that we were using an AWS AD Connector to connect to our AWS Managed Microsoft AD directory. We’ll keep that same assumption for this scenario, although your AD Connector could be reaching out to virtually any identity store. One caveat: You’ll need to create a custom application for each GovCloud account/role you’re trying to access, if you’re using AWS Managed Microsoft AD. You could get a little creative if you’re connecting to a true Active Directory store, but for now, let’s not get too creative.
Let’s get building!
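Because each GovCloud account/role gets its own custom SSO application, a pasted commercial ARN is the easiest mistake to make. The following added example (not code from the post) parses the AWS Role attribute out of a SAML assertion and keeps only pairs in the aws-us-gov partition before the assertion is handed to STS; the assertion, account id and role names are constructed placeholders.

```python
"""Check the AWS Role attribute of a SAML assertion before calling AssumeRoleWithSAML.

AWS expects the attribute https://aws.amazon.com/SAML/Attributes/Role to carry
"<role-arn>,<saml-provider-arn>" pairs. GovCloud ARNs live in the aws-us-gov
partition, so a mapping error (commercial ARN pasted into a GovCloud application)
can be caught here instead of as an opaque AccessDenied from STS.
"""
import base64
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
GOVCLOUD_PARTITION = "arn:aws-us-gov:"

# Constructed sample assertion (not a real token); 123456789012 is a placeholder account id.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws-us-gov:iam::123456789012:role/GovAdmin,arn:aws-us-gov:iam::123456789012:saml-provider/CommercialSSO</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/CommercialAdmin,arn:aws:iam::123456789012:saml-provider/CommercialSSO</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_role_pairs(assertion_xml: str) -> list[tuple[str, str]]:
    """Return every (role_arn, provider_arn) pair found in the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{SAML2_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if "," not in text:
                continue  # malformed value: AWS requires the comma-separated pair
            role_arn, provider_arn = (p.strip() for p in text.split(",", 1))
            pairs.append((role_arn, provider_arn))
    return pairs


def govcloud_role_pairs(assertion_xml: str) -> list[tuple[str, str]]:
    """Keep only pairs where both the role and the SAML provider are GovCloud ARNs."""
    return [(r, p) for r, p in extract_role_pairs(assertion_xml)
            if r.startswith(GOVCLOUD_PARTITION) and p.startswith(GOVCLOUD_PARTITION)]


def saml_response_b64(assertion_xml: str) -> str:
    """AssumeRoleWithSAML takes the assertion base64-encoded, not as raw XML."""
    return base64.b64encode(assertion_xml.encode()).decode()
```

A surviving pair plus the encoded assertion are what you pass to STS in a GovCloud region, e.g. `boto3.client("sts", region_name="us-gov-west-1").assume_role_with_saml(RoleArn=..., PrincipalArn=..., SAMLAssertion=...)`.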