First AWS SSO Setup
Enterprise auth.
Overview
The first AWS SSO setup (now AWS IAM Identity Center) moves access from per-account IAM users to centralised identity. Long-lived credentials disappear; group-driven access drives permissions; the patterns established here scale across every future account.
- Centralised identity. One identity provider for every AWS account. Per-account IAM users become a legacy migration item.
- Permission sets per account. Reusable permission templates assigned to groups. New accounts inherit the same access patterns.
- Group-driven access. Active Directory or Okta groups map to permission sets. HR change in the IdP propagates to AWS access.
- CLI integration plus session-based access. aws configure sso handles CLI auth; short-lived session credentials replace long-lived API keys.
The approach
Three habits make the first AWS SSO setup land cleanly: enable through Organizations, drive access through groups, and wire CLI integration from day one.
- Enable via Organizations. Org-wide Identity Center covers every account in one configuration. Enabling it account by account is how coverage gaps appear.
- Reusable permission sets. Templates per role (admin, developer, viewer) assigned to groups. Avoids per-user permission drift.
- Group-driven access. AD or Okta groups drive permission-set assignment. Lifecycle automation is upstream of AWS.
- CLI integration plus documented assignments. aws configure sso from day one; per-team access patterns documented in the wiki.
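The four habits above (org-wide Identity Center, reusable permission sets, group-driven assignment, CLI profiles) as one worked example. This is added code, not from the original page: it uses the real boto3 sso-admin calls (create_permission_set, attach_managed_policy_to_permission_set, create_account_assignment) and the AWS CLI sso-session config keys, but every account ID, group ID, instance ARN and start URL is a constructed placeholder. The client is passed in so the assignment logic can be reviewed and tested without AWS access; in production it is boto3.client("sso-admin") in the Organizations management account.

```python
"""Group-driven IAM Identity Center assignments plus ~/.aws/config generation.

Added example, not the page's own code. Assumes the boto3 'sso-admin' API names
shown below; account IDs, group IDs, the instance ARN and the start URL are
constructed placeholders, not real values.
"""
from dataclasses import dataclass

# Constructed: one reusable permission-set template per role.
# role -> (session duration, AWS managed policy ARNs to attach)
PERMISSION_SETS = {
    "admin":     ("PT1H", ["arn:aws:iam::aws:policy/AdministratorAccess"]),
    "developer": ("PT8H", ["arn:aws:iam::aws:policy/PowerUserAccess"]),
    "viewer":    ("PT8H", ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
}

# Constructed: environment name -> 12-digit account ID placeholder.
ACCOUNTS = {"prod": "111111111111", "dev": "222222222222"}

# Constructed: IdP group -> identity store group ID and the role it gets per account.
# Only groups appear here; no individual user is ever assigned directly.
GROUP_ACCESS = {
    "platform-admins": {"group_id": "g-0001", "roles": {"prod": "admin", "dev": "admin"}},
    "app-devs":        {"group_id": "g-0002", "roles": {"prod": "viewer", "dev": "developer"}},
}


@dataclass(frozen=True)
class Assignment:
    account_id: str
    permission_set: str
    group_id: str


def plan_assignments(group_access=GROUP_ACCESS, accounts=ACCOUNTS):
    """Flatten the group -> role-per-account map into (account, permission set, group) triples.

    Access follows the group, so an HR change in the IdP changes AWS access
    without touching this plan."""
    plan = []
    for _name, spec in sorted(group_access.items()):
        for env, role in sorted(spec["roles"].items()):
            plan.append(Assignment(accounts[env], role, spec["group_id"]))
    return plan


def apply(client, instance_arn, plan, permission_sets=PERMISSION_SETS):
    """Create each permission set once, attach its policies, then assign it to groups per account.

    `client` is a boto3 'sso-admin' client, or any object exposing the same three methods.
    Returns the permission-set name -> ARN map so callers can document what was created."""
    ps_arns = {}
    for name, (duration, policies) in permission_sets.items():
        resp = client.create_permission_set(
            InstanceArn=instance_arn, Name=name, SessionDuration=duration)
        arn = resp["PermissionSet"]["PermissionSetArn"]
        for policy in policies:
            client.attach_managed_policy_to_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=arn, ManagedPolicyArn=policy)
        ps_arns[name] = arn
    for a in plan:
        # PrincipalType is always GROUP: the plan never contains users by construction.
        client.create_account_assignment(
            InstanceArn=instance_arn, TargetId=a.account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[a.permission_set],
            PrincipalType="GROUP", PrincipalId=a.group_id)
    return ps_arns


def cli_config(group_name, start_url, sso_region, region="eu-west-1",
               group_access=GROUP_ACCESS, accounts=ACCOUNTS):
    """Render the ~/.aws/config stanzas a member of `group_name` needs.

    One sso-session block plus one profile per account/role the group holds.
    No static keys are written: `aws sso login --sso-session team` obtains
    short-lived credentials through the browser flow."""
    lines = ["[sso-session team]",
             f"sso_start_url = {start_url}",
             f"sso_region = {sso_region}",
             "sso_registration_scopes = sso:account:access", ""]
    for env, role in sorted(group_access[group_name]["roles"].items()):
        lines += [f"[profile {env}-{role}]",
                  "sso_session = team",
                  f"sso_account_id = {accounts[env]}",
                  f"sso_role_name = {role}",
                  f"region = {region}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real run: requires boto3 and Identity Center admin rights in the management account.
    import boto3  # noqa: E402
    instance_arn = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"  # constructed placeholder
    print(apply(boto3.client("sso-admin"), instance_arn, plan_assignments()))
    print(cli_config("app-devs", "https://example.awsapps.com/start", "eu-west-1"))
```

The plan is computed separately from the API calls so a reviewer can diff it against the wiki's documented per-team access before anything is created; the same plan is what the CLI profile generator reads, so the config a team member receives matches the assignments that actually exist.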
Why this compounds
The first SSO integration takes effort to wire correctly. Each subsequent account inherits the patterns; the team’s identity posture compounds without per-account work.
- Stronger security. Short-lived session credentials replace long-lived API keys. Credential-leak blast radius shrinks dramatically.
- Lifecycle management. Group-driven access automates onboarding and offboarding. HR change propagates to AWS access within minutes.
- Operational velocity. CLI SSO replaces credential juggling. Engineers stop maintaining ~/.aws/credentials by hand.
- Year-one investment, year-two habit. The first setup is heavy lift. By year two, every new account ships with SSO from creation.