Better Living Through Narratology

AWS SSO from Commercial to GovCloud

AWS Single Sign-On (SSO) is integrated with AWS Organizations, giving users quick access to cross-account IAM roles so you can manage all of your AWS accounts from one place. This simplifies cross-account management and relieves password fatigue for users; however, this functionality hasn’t been extended from commercial accounts to GovCloud accounts. GovCloud will allow you to assume a role with SAML, so with a little heavy lifting on the admin side, you can add GovCloud cross-account access from your commercial AWS SSO account.

My last post discussed how to add MFA to SSO and assumed that we were using an AWS AD Connector to connect to our AWS Managed Microsoft AD directory. We’ll keep that same assumption for this scenario, although your AD Connector could be reaching out to virtually any identity store. One caveat: if you’re using AWS Managed Microsoft AD, you’ll need to create a custom application for each GovCloud account/role you’re trying to access. You could get a little creative if you’re connecting to a true Active Directory store, but for now, let’s not get too creative.

Let’s get building!

Posted in AWS, GovCloud, SSO | No Comments

Connect AWS SSO to Duo MFA

Amazon’s Single Sign-On (SSO) service allows you to connect your directory / user store to several applications and AWS accounts. The benefits are pretty obvious as you start to pile on lots of accounts and apps, but the AWS documentation on configuration is a little vague, so I thought I’d throw this out there for whoever it might help.

My MFA solution is Duo. I often use Google Authenticator, but one of the requirements for MFA in my situation is to run a RADIUS server. AWS SSO can be configured in many ways, but for the purposes of this article, I’m using an AWS AD Connector to connect to AWS Managed Microsoft AD. I’ll assume that:

  1. You know your AD.
  2. You are mildly familiar with Duo.
  3. You have established network connectivity from your AWS SSO account to your AD user store (whether through VPC peering or Direct Connect, etc.).
  4. You have created a secret key to be used between RADIUS and SSO.

Let’s get right to it!

Posted in AWS, Duo, MFA, SSO | 1 Comment