AWS Single Sign-On
User Guide

Single Sign-On Access

You can assign users in your connected directory permissions to master or member AWS accounts in your AWS Organizations organization based on common job functions. Or you can use custom permissions to meet your specific security requirements. For example, you can grant database administrators broad permissions to Amazon RDS in development accounts but limit their permissions in production accounts. AWS SSO configures all the necessary user permissions in your AWS accounts automatically.


Only the IAM account root user or a user who has the AWSSSOMasterAccountAdministrator IAM policy attached can grant users in your connected directory permissions to the master AWS account. For more information on how to delegate these permissions, see Delegate Who Can Assign SSO Access to Users in the Master Account.

Assign User Access

Use the following procedure to assign SSO access to users and groups in your connected directory and use permission sets to determine their level of access.


To simplify administration of access permissions, we recommend that you assign access directly to groups rather than to individual users. With groups you can grant or deny permissions to groups of users rather than having to apply those permissions to each individual. If a user moves to a different organization, you simply move that user to a different group and they automatically receive the permissions that are needed for the new organization.

To assign access to users or groups

  1. Open the AWS SSO console.


    Make sure that the AWS SSO console is using the Region where your AWS Managed Microsoft AD directory is located before you move to the next step.

  2. Choose AWS accounts.

  3. Under the AWS organization tab, in the list of AWS accounts, choose an account to which you want to assign access.

  4. On the AWS account details page, choose Assign users.

  5. On the Select users or groups page, type a user or group name and choose Search connected directory. You can specify multiple users or groups by selecting the applicable accounts as they appear in search results. Once you have selected all the accounts that you want to assign access to, choose Next: Permission sets.

  6. On the Select permission sets page, select the permission sets that you want to apply to the user or group from the table. Then choose Finish. You can optionally choose to Create a new permission set if none of the permissions in the table meets your needs. For detailed instructions, see Create Permission Set.

  7. Choose Finish to begin the process of configuring your AWS account.


    If this is the first time you have assigned SSO access to this AWS account, this process creates a service-linked role in the account. For more information, see Using Service-Linked Roles for AWS SSO.


    The user assignment process may take a few minutes to complete. It is important that you leave this page open until the process successfully completes.

Remove User Access

Use this procedure when you need to remove SSO access to an AWS account for a particular user or group in your connected directory.

To remove user access from an AWS account

  1. Open the AWS SSO console.

  2. Choose AWS accounts.

  3. In the table, select the AWS account with the user or group whose access you want to remove.

  4. On the Details page for the AWS account, under Assigned users and groups, locate the user or group in the table. Then choose Remove access.

  5. In the Remove access dialog box, confirm the user or group name. Then choose Remove access.

Delegate Who Can Assign SSO Access to Users in the Master Account

Assigning single sign-on access to the master account using the AWS SSO console is a privileged action. By default, only an AWS account root user, or a user who has the AWSSSOMasterAccountAdministrator AWS managed policy attached, can assign SSO access to the master account. The AWSSSOMasterAccountAdministrator policy provides permissions to manage SSO access to the master account within an AWS Organizations organization.

Use the following steps to delegate permissions to manage SSO access to users in your directory.

To grant permissions to manage SSO access to users in your directory

  1. Sign in to the AWS SSO console as a root user of the master account or as another IAM user who has IAM administrator permissions to the master account.

  2. Use the procedure Create Permission Set to create a permission set. When you get to step 5c, select the option Attach AWS managed policies. In the list of IAM policies that appear in the table, choose the AWSSSOMasterAccountAdministrator AWS managed policy. This policy grants permissions to any user who will be assigned access to this permission set in the future.

  3. Use the procedure Assign User Access to assign the appropriate users to the permission set that you just created.

  4. Communicate the following to the assigned users: When they sign in to the user portal and select the AWS Account icon, they must choose the appropriate IAM role name to be authenticated with the permissions that you just delegated.
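
The following is an added example, not part of the original guide or AWS's own code. It reviews a list of account assignments against two points made above: the recommendation to assign access to groups rather than individual users, and the privileged nature of access to the master account. The record fields are assumed to follow the output of the AWS CLI command aws sso-admin list-account-assignments; the account IDs, ARNs, principal IDs and the approved list are constructed placeholders.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "rule account principal_type principal_id permission_set")

MASTER_ACCOUNT_ID = "111111111111"  # constructed placeholder
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/"  # constructed ARN prefix

# Assumption: permission sets that attach AWSSSOMasterAccountAdministrator,
# collected beforehand by the reviewer (constructed here).
DELEGATION_SETS = {PS + "ps-delegate"}

# Constructed sample records in the assumed list-account-assignments shape.
SAMPLE = [
    {"AccountId": "111111111111", "PermissionSetArn": PS + "ps-delegate",
     "PrincipalType": "GROUP", "PrincipalId": "g-sso-admins"},
    {"AccountId": "111111111111", "PermissionSetArn": PS + "ps-readonly",
     "PrincipalType": "USER", "PrincipalId": "u-alice"},
    {"AccountId": "222222222222", "PermissionSetArn": PS + "ps-rds-dev",
     "PrincipalType": "GROUP", "PrincipalId": "g-dbas"},
    {"AccountId": "222222222222", "PermissionSetArn": PS + "ps-rds-dev",
     "PrincipalType": "USER", "PrincipalId": "u-bob"},
]


def audit(assignments, master_id, delegation_sets, approved_master=frozenset()):
    """Return findings for direct user assignments and master account access.

    approved_master is a set of (PrincipalType, PrincipalId) pairs that are
    expected to hold access to the master account.
    """
    findings = []
    for a in assignments:
        key = (a["PrincipalType"], a["PrincipalId"])

        def add(rule):
            findings.append(Finding(rule, a["AccountId"], *key, a["PermissionSetArn"]))

        # Guide recommendation: assign to groups, not individual users.
        if a["PrincipalType"] == "USER":
            add("DIRECT_USER_ASSIGNMENT")
        if a["AccountId"] == master_id:
            # Holders of this permission set can assign master account access.
            if a["PermissionSetArn"] in delegation_sets:
                add("CAN_DELEGATE_MASTER_ACCESS")
            # Any master account access outside the approved list needs review.
            if key not in approved_master:
                add("UNAPPROVED_MASTER_ACCESS")
    return findings
```

Findings tagged CAN_DELEGATE_MASTER_ACCESS are not necessarily problems; they list every principal able to assign master account access so that the list can be compared with the intended delegation.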