# Single sign-on access to AWS accounts
<a name="useraccess"></a>

You can assign users in your connected directory permissions to the management account or member accounts in your organization in AWS Organizations based on [common job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html). Or you can use custom permissions to meet your specific security requirements. For example, you can grant database administrators broad permissions to Amazon RDS in development accounts but limit their permissions in production accounts. IAM Identity Center configures all the necessary user permissions in your AWS accounts automatically.

**Note**  
You might need to grant users or groups permissions to operate in the AWS Organizations management account. Because it is a highly privileged account, additional security restrictions require you to have the [IAMFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/IAMFullAccess) policy or equivalent permissions before you can set this up. These additional security restrictions are not required for any of the member accounts in your AWS organization.

**Topics**
+ [Assign user or group access to AWS accounts](assignusers.md)
+ [Remove user and group access to an AWS account](howtoremoveaccess.md)
+ [Revoke active IAM role sessions created by permission sets](revoke-user-permissions.md)
+ [Delegate who can assign single sign-on access to users and groups in the management account](howtodelegatessoaccess.md)

# Assign user or group access to AWS accounts
<a name="assignusers"></a>

Use the following procedure to assign single sign-on access to users and groups in your connected directory and use permission sets to determine their level of access.

To check existing user and group access, see [View and change a permission set](howtoviewandchangepermissionset.md).

**Note**  
To simplify administration of access permissions, we recommend that you assign access directly to groups rather than to individual users. With groups you can grant or deny permissions to groups of users rather than having to apply those permissions to each individual. If a user moves to a different organization, you simply move that user to a different group and they automatically receive the permissions that are needed for the new organization.

**To assign user or group access to AWS accounts**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).
**Note**  
Make sure that the IAM Identity Center console is using the Region where your AWS Managed Microsoft AD directory is located before you move to the next step.

1. In the navigation pane, under **Multi-account permissions**, choose **AWS accounts**.

1. On the **AWS accounts** page, a tree view list of your organization displays. Select the checkbox next to the AWS account to which you want to assign access. If you are setting up administrative access for IAM Identity Center, select the checkbox next to the management account.
**Note**  
You can select up to 10 AWS accounts at a time per permission set when you assign single sign-on access to users and groups. To assign more than 10 AWS accounts to the same set of users and groups, repeat this procedure as required for the additional accounts. When prompted, select the same users, groups, and permission set.

1. Choose **Assign users or groups**. 

1. For **Step 1: Select users and groups**, on the **Assign users and groups to "*AWS-account-name*"** page, do the following:

   1. On the **Users** tab, select one or more users to whom to grant single sign-on access.

      To filter the results, start typing the name of the user that you want in the search box.

   1. On the **Groups** tab, select one or more groups to which to grant single sign-on access.

      To filter the results, start typing the name of the group that you want in the search box.

   1. To display the users and groups that you selected, choose the sideways triangle next to **Selected users and groups**.

   1. After you confirm that the correct users and groups are selected, choose **Next**.

1. For **Step 2: Select permission sets**, on the **Assign permission sets to "*AWS-account-name*"** page, do the following:

   1. Select one or more permission sets. If required, you can create and select new permission sets.
      + To select one or more existing permission sets, under **Permission sets**, select the permission sets that you want to apply to the users and groups that you selected in the previous step.
      + To create one or more new permission sets, choose **Create permission set**, and follow the steps in [Create a permission set](howtocreatepermissionset.md). After you create the permission sets that you want to apply, in the IAM Identity Center console, return to **AWS accounts** and follow the instructions until you reach **Step 2: Select permission sets**. When you reach this step, select the new permission sets that you created, and proceed to the next step in this procedure.

   1. After you confirm that the correct permission sets are selected, choose **Next**.

1. For **Step 3: Review and Submit**, on the **Review and submit assignments to "*AWS-account-name*"** page, do the following:

   1. Review the selected users, groups, and permission sets.

   1. After you confirm that the correct users, groups, and permission sets are selected, choose **Submit**.

**Considerations**
   + The user and group assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.
   + You might need to grant users or groups permissions to operate in the AWS Organizations management account. Because it is a highly privileged account, additional security restrictions require you to have the [IAMFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/IAMFullAccess) policy or equivalent permissions before you can set this up. These additional security restrictions are not required for any of the member accounts in your AWS organization.

1. If either of the following applies, follow the steps in [Prompt users for MFA](mfa-getting-started.md) to enable MFA for IAM Identity Center:
   + You're using the default Identity Center directory as your identity source.
   + You're using an AWS Managed Microsoft AD directory or a self-managed directory in Active Directory as your identity source and you are not using RADIUS MFA with AWS Directory Service.
**Note**  
If you are using an external identity provider, note that the external IdP, not IAM Identity Center, manages MFA settings. MFA in IAM Identity Center is not supported for use by external IdPs. 

When you set up account access for the administrative user, IAM Identity Center creates a corresponding IAM role. This role, which is controlled by IAM Identity Center, is created in the relevant AWS account, and the policies specified in the permission set are attached to the role. 

Alternatively, you can use [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SSO.html) to create and assign permission sets and assign users to those permission sets. Users can then [sign in to the AWS access portal](howtosignin.md) or use [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/singlesignon/latest/userguide/integrating-aws-cli.html) commands.

# Remove user and group access to an AWS account
<a name="howtoremoveaccess"></a>

Use this procedure to remove single sign-on access to an AWS account for one or more users and groups in your connected directory. Alternatively, you can use the [delete-account-assignment](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/delete-account-assignment.html) AWS CLI command.

**Note**  
When you need to deprovision IAM Identity Center users or groups, you should first [remove any assignments of permission sets](howtoremovepermissionset.md) from your users and groups before deleting the users and groups.

**To remove user and group access to an AWS account**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the navigation pane, under **Multi-account permissions**, choose **AWS accounts**.

1. On the **AWS accounts** page, a tree view list of your organization appears. Select the name of the AWS account that contains the users and groups for whom you want to remove single sign-on access.

1. On the **Overview** page for the AWS account, under **Assigned users and groups**, select the name of one or more users or groups, and choose **Remove access**.

1. In the **Remove access** dialog box, confirm that the names of the users or groups are correct, and choose **Remove access**. 

# Revoke active IAM role sessions created by permission sets
<a name="revoke-user-permissions"></a>

The following is a general procedure for revoking an active permission set session for an IAM Identity Center user. The procedure assumes that you want to remove all access for a user who has compromised credentials or for a bad actor who is in the system. The prerequisite is to have followed the guidance in [Prepare to revoke an active IAM role session created by a permission set](prereqs-revoking-user-permissions.md#prepare-to-revoke-session). We assume that the deny-all policy is present in a service control policy (SCP).

**Note**  
AWS recommends you build automation to handle all steps except console-only operations.

1. **Obtain the user ID of the person whose access you must revoke.** You can use the identity store APIs to find the user by their username.

1. **Update the Deny policy to add the user ID from step 1 in your service control policy (SCP).** After completing this step, the target user loses access and is unable to take actions with any roles that the policy affects.

1. **Remove all permission set assignments for the user.** If access is assigned through group memberships, remove the user from all groups and all direct permission set assignments. This step prevents the user from assuming any additional IAM roles. If a user has an active AWS access portal session and you disable the user, they can continue to assume new roles until you remove their access. 

1. **If you use an identity provider (IdP) or Microsoft Active Directory as an identity source, disable the user in the identity source.** Disabling the user prevents the creation of additional AWS access portal sessions. Use your IdP or Microsoft Active Directory API documentation to learn how to automate this step. If you are using the IAM Identity Center directory as an identity source, do not disable user access yet. You'll disable user access in step 6.

1. **In the IAM Identity Center console, find the user and delete their active session.**

   1. Choose **Users**.

   1. Choose the user whose active session you want to delete.

   1. On the user's detail page, choose the **Active sessions** tab.

   1. Select the check boxes next to the sessions you want to delete and choose **Delete session**.

    After deleting a user session, the user will immediately lose access to the AWS access portal. Learn about [session duration](authconcept.md). 

1. **In the IAM Identity Center console, disable user access.**

   1. Choose **Users**.

   1. Choose the user whose access you want to disable.

   1. On the user's detail page, expand **General information** and choose the **Disable user access** button to prevent further logins of the user. 

1. **Leave the Deny policy in place for at least 12 hours.** Otherwise, a user who still has an active IAM role session regains the ability to act with that role as soon as the policy is removed. After 12 hours, active sessions expire and the user can no longer access the IAM role.

**Important**  
If you disable a user’s access before stopping the user session (you completed step 6 without completing step 5), you can no longer stop the user session through the IAM Identity Center console. If you inadvertently disable user access before stopping the user session, you can re-enable the user, stop their session, and then disable their access again.

You can now change the user's credentials if their password was compromised and [restore their assignments](useraccess.md).
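The following script is an added example, not code from the AWS documentation. It automates steps 1 to 3 of the procedure above (resolve the user ID, add it to the deny-all SCP, remove direct assignments and group memberships) and also shows the `delete-account-assignment` call behind the "Remove user and group access" procedure. It assumes the Identity Center directory is the identity source, the `identitystore:userId` condition key from the prerequisite guidance, and the placeholder values `IDENTITY_STORE_ID`, `INSTANCE_ARN` and `DENY_SCP_ID`.

```shell
#!/bin/sh
# Added example, not AWS's own code: automates steps 1 to 3 of the procedure
# above. The three variables are placeholders to replace.
set -eu
IDENTITY_STORE_ID="${IDENTITY_STORE_ID:-d-EXAMPLE}"                    # placeholder
INSTANCE_ARN="${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-EXAMPLE}"  # placeholder
DENY_SCP_ID="${DENY_SCP_ID:-p-EXAMPLE}"                                # placeholder
# Step 1: resolve a username to its identity store user ID.
lookup_user_id() {
  aws identitystore get-user-id --identity-store-id "$IDENTITY_STORE_ID" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"userName\",\"AttributeValue\":\"$1\"}}" \
    --query UserId --output text
}
# Step 2: render the deny-all SCP keyed on the given user IDs and push it to the
# existing SCP. The identitystore:userId condition key is assumed from the prerequisite guidance.
deny_scp_for_users() {
  ids=""
  for id in "$@"; do ids="${ids:+$ids,}\"$id\""; done
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"StringEquals":{"identitystore:userId":[%s]}}}]}' "$ids"
}
update_deny_scp() {
  aws organizations update-policy --policy-id "$DENY_SCP_ID" --content "$(deny_scp_for_users "$@")"
}
# Step 3a: delete every direct account assignment of the user ($1).
remove_direct_assignments() {
  aws sso-admin list-account-assignments-for-principal --instance-arn "$INSTANCE_ARN" \
    --principal-type USER --principal-id "$1" \
    --query 'AccountAssignments[].[AccountId,PermissionSetArn]' --output text |
  while read -r account_id ps_arn; do
    [ -n "$account_id" ] || continue
    aws sso-admin delete-account-assignment --instance-arn "$INSTANCE_ARN" \
      --target-type AWS_ACCOUNT --target-id "$account_id" --permission-set-arn "$ps_arn" \
      --principal-type USER --principal-id "$1"
  done
}
# Step 3b: remove the user from every group, which drops group-based assignments.
remove_group_memberships() {
  aws identitystore list-group-memberships-for-member --identity-store-id "$IDENTITY_STORE_ID" \
    --member-id "{\"UserId\":\"$1\"}" --query 'GroupMemberships[].MembershipId' --output text |
  tr '\t' '\n' | while read -r membership_id; do
    [ -n "$membership_id" ] || continue
    aws identitystore delete-group-membership --identity-store-id "$IDENTITY_STORE_ID" --membership-id "$membership_id"
  done
}
revoke_user() {  # deny first, so access is lost before assignments change
  user_id=$(lookup_user_id "$1")
  update_deny_scp "$user_id"; remove_direct_assignments "$user_id"; remove_group_memberships "$user_id"
}
if [ "${1:-}" = "--apply" ]; then revoke_user "$2"; fi
```

Steps 4 to 7 (disabling the user, deleting the portal session, and keeping the Deny policy in place for 12 hours) remain manual or belong in separate automation, as the procedure describes.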

# Delegate who can assign single sign-on access to users and groups in the management account
<a name="howtodelegatessoaccess"></a>

Assigning single sign-on access to the management account using the IAM Identity Center console is a privileged action. By default, only an AWS account root user or a user who has the **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** AWS managed policies attached can assign single sign-on access to the management account. The **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** policies manage single sign-on access to the management account within an AWS Organizations organization.

Alternatively, you can use the AWS CLI to create permission sets, attach policies to them, and assign them. The following lists the commands for each step:
+ To create a permission set: [create-permission-set](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/create-permission-set.html)
+ To attach an AWS managed policy to a permission set: [attach-managed-policy-to-permission-set](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/attach-managed-policy-to-permission-set.html)
+ To attach a customer managed policy to a permission set: [attach-customer-managed-policy-reference-to-permission-set](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/attach-customer-managed-policy-reference-to-permission-set.html)
+ To assign a permission set to a principal: [create-account-assignment](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/create-account-assignment.html)

Use the following steps to delegate permissions to manage single sign-on access to users and groups in your directory.

**To grant permissions to manage single sign-on access to users and groups in your directory**

1. Sign in to the IAM Identity Center console as a root user of the management account or with another user who has administrator permissions to the management account.

1. Follow the steps in [Create a permission set](howtocreatepermissionset.md) to create a permission set, and then do the following:

   1. On the **Create new permission set** page, select the **Create a custom permission set** check box, and then choose **Next: Details**.

   1. On the **Create new permission set** page, specify a name for the custom permission set and optionally, a description. If required, modify the session duration and specify a relay state URL.
**Note**  
For the relay state URL, you must specify a URL that is in the AWS Management Console. For example:  
 **https://console.aws.amazon.com/ec2/**  
For more information, see [Set relay state for quick access to the AWS Management Console](howtopermrelaystate.md).

   1. Under **What policies do you want to include in your permission set?**, select the **Attach AWS managed policies** check box.

   1. In the list of IAM policies, choose both the **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** AWS managed policies. These policies grant permissions to any users and groups who are assigned access to this permission set in the future.

   1. Choose **Next: Tags**.

   1. Under **Add tags (optional)**, specify values for **Key** and **Value (optional)**, and then choose **Next: Review**. For more information about tags, see [Tagging AWS IAM Identity Center resources](tagging.md).

   1. Review the selections you made, and then choose **Create**.

1. Follow the steps in [Assign user or group access to AWS accounts](assignusers.md) to assign the appropriate users and groups to the permission set that you just created.

1. Communicate the following to the assigned users: When they sign in to the AWS access portal and choose the **Accounts** tab, they must choose the appropriate role name to be authenticated with the permissions that you just delegated.
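The script below is an added example, not code from the AWS documentation: it is the AWS CLI equivalent of the console procedure above, chaining the `create-permission-set`, `attach-managed-policy-to-permission-set` and `create-account-assignment` commands listed at the start of this section (the last of these is also what the "Assign user or group access" procedure does). `INSTANCE_ARN`, `MGMT_ACCOUNT_ID` and `GROUP_ID` are placeholder values to replace.

```shell
#!/bin/sh
# Added example, not AWS's own code: the CLI equivalent of the console
# procedure above. The three variables are placeholders to replace.
set -eu
INSTANCE_ARN="${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-EXAMPLE}"  # placeholder
MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-111122223333}"                     # placeholder
GROUP_ID="${GROUP_ID:-00000000-0000-0000-0000-000000000000}"           # placeholder group
# The two AWS managed policies the procedure attaches to the permission set.
DELEGATION_POLICIES="arn:aws:iam::aws:policy/AWSSSOMasterAccountAdministrator arn:aws:iam::aws:policy/IAMFullAccess"

# Create the custom permission set ($1 is its name) and print its ARN.
create_delegation_permission_set() {
  aws sso-admin create-permission-set \
    --instance-arn "$INSTANCE_ARN" \
    --name "$1" \
    --description "Delegated: assign SSO access in the management account" \
    --session-duration "PT1H" \
    --query 'PermissionSet.PermissionSetArn' --output text
}

# Attach both managed policies to the permission set ($1 is its ARN).
attach_delegation_policies() {
  for policy_arn in $DELEGATION_POLICIES; do
    aws sso-admin attach-managed-policy-to-permission-set \
      --instance-arn "$INSTANCE_ARN" \
      --permission-set-arn "$1" \
      --managed-policy-arn "$policy_arn"
  done
}

# Assign the permission set ($1) to the group in the management account.
assign_to_group() {
  aws sso-admin create-account-assignment \
    --instance-arn "$INSTANCE_ARN" \
    --target-type AWS_ACCOUNT --target-id "$MGMT_ACCOUNT_ID" \
    --permission-set-arn "$1" \
    --principal-type GROUP --principal-id "$GROUP_ID" \
    --query 'AccountAssignmentCreationStatus.Status' --output text
}

# Run the whole procedure: create, attach, assign.
delegate_sso_admin() {
  ps_arn=$(create_delegation_permission_set "$1")
  attach_delegation_policies "$ps_arn"
  assign_to_group "$ps_arn"
}
if [ "${1:-}" = "--apply" ]; then delegate_sso_admin "SSOAccessDelegation"; fi
```

The caller needs the same privileges the section describes (root user, or the **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** policies), because the assignment targets the management account.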