fbpx

How exactly to enable secure seamless individual sign-upon to Amazon EC2 Home windows instances with AWS SSO

Today, we’re launching new functionality that simplifies the knowledge to gain access to your AWS compute instances running Microsoft Windows securely. We took with this update to react to customer feedback around developing a more streamlined experience for administrators and users to more securely access their EC2 Windows instances. The brand new experience utilizes your existing identity answers to run and manage your Microsoft Windows workloads on AWS. It is possible to create and administer users in AWS Single Sign-On (AWS SSO) or an AWS SSO supported identity provider (such as for example Okta, Ping, and OneLogin), and offer a one-click single sign-on to your EC2 Windows instances from the AWS Fleet Manager console. You should use your existing corporate usernames also, passwords, and multi-factor authentication devices to securely access your EC2 windows instances, and never have to enter your credentials multiple times.

Using AWS SSO eliminates the usage of shared administrator credentials and the necessity to configure remote access client software. It is possible to centrally grant and revoke usage of your EC2 Windows instances at scale across multiple AWS accounts. For instance, if a worker is removed by you from your own AWS SSO integrated identity system, their usage of all AWS resources (including EC2 Windows instances) is automatically revoked. Individual user actions can be looked at in the Amazon EC2 Windows instances event log now, making it simpler to meet compliance and audit requirements.

 

AWS SSO background

AWS SSO simplifies managing SSO usage of aws business and accounts applications, which is the central location where you can create or connect your workforce identities in AWS. It is possible to control SSO user and access permissions across all of your AWS accounts in AWS Organizations. You can elect to manage usage of your AWS accounts, to cloud applications, or both.

When managing usage of AWS accounts, AWS SSO lets you define and assign roles across your aws Organizations account using permission sets centrally. Permission sets are role definitions (templates) that AWS SSO uses to generate and keep maintaining roles in your AWS Organizations accounts. The permission set defines the session policies and duration for the role. Once you assign a permission set to an organization or user in a selected AWS account, AWS SSO creates a corresponding role in the mark account, and AWS SSO controls usage of the role through the AWS SSO user portal.

This post runs on the permission set that manages usage of AWS Fleet Manager to provide one-click access into EC2 instances.

You’ll make this happen in three steps:

  1. Create an AWS SSO permission set (for instance, demoFMPermissionSet)
  2. Assign the permission set to a preexisting AWS SSO group (for instance, demoFMGroup)
  3. Login to the AWS SSO User Portal and hook up to your EC2 Windows instance via the AWS Fleet Manager console

Prerequisites

The prerequisites because of this example are that you have:

  1. Configured AWS SSO in your account with provisioned groups&lt and users;/a>
  2. An EC2 Windows instance managed by AWS Systems Manager Fleet Manager

Solution architecture

The next diagram shows the steps you’ll follow to configure and use an AWS SSO user identity to login to an EC2 Windows instance.

Figure 1: Architecture diagram showing steps implemented in this solution

Figure 1: Architecture diagram showing steps implemented in this solution

How it works

The AWS SSO permission set creates a job in a target account that provides a certified user permissions to utilize AWS Fleet Manager to sign into EC2 Windows instances. Once the role is chosen by way of a user in the account, an individual signs onto the AWS Fleet Manager console and selects the EC2 instance where they would like to register.

AWS Fleet Manager creates an area Windows user account and a credential for that user, and automates their sign-in to the instance then.

To generate an AWS SSO permission set

This process creates a permission set that grants assigned users and groups permissions to utilize AWS Fleet Manager for single sign-on to EC2 instances.

  1. From the AWS SSO console, head to AWS Accounts, choose the Permission sets tab, select Create permission set and choose Develop a custom permission set.
  2. Name your permission set, and complete the required fields, making certain to choose Develop a custom permissions policy in the bottom of the page. See Sample custom permissions policy below for information on the policy.
  3. After creating the custom permissions policy, it is possible to apply optional tagging also. If you are done, review and choose Create to complete creating your custom permission set, as shown in Figure 2.

Figure 2: Reviewing the custom permission set

Figure 2: Reviewing the custom permission set

Sample custom permissions policy

This is actually the sample policy you’ll use; it is possible to it here download.
Code sample

This permission policy includes a separate statement ID (Sid) for every service, with the mandatory actions for every.

Online 84, notice the mention of an AWSSSO-CreateSSOUser document resource. This document is in charge of developing a local Windows account in line with the AWS SSO logged in user, in addition to setting/resetting the user’s password for automatic get on the Windows instance.

On lines 96-98, you shall visit a new ssm-guiconnect action. This is used to help make the secure link with your EC2 Windows instance, and render the GUI desktop in the Fleet Manager console.

To assign your AWS SSO group

Assign your AWS SSO group to the AWS Fleet Manager permission occur your selected accounts

In this process, we will select two AWS accounts inside our AWS organization, and grant our AWS SSO group usage of the previously-created permission set that allows sign-in via Fleet manager.

    1. From the AWS SSO console, navigate to AWS accounts and choose an account (for instance, demoAccount1 and demoAccount2), as shown in Figure 3.
    2. Pick the Assign users button. If you want, you might assign usage of multiple groups or even to users individually also.

Figure 3: Selecting AWS Account to assign users or groups

Figure 3: Selecting AWS Account to assign users or groups

  • Make it possible for multiple AWS SSO users to gain access to this feature, choose an AWS SSO group from the Groups tab and pick the Next button, as shown in Figure 4

 

 

 

Figure 4: Assigning group to AWS accounts

Figure 4: Assigning group to AWS accounts

 

 

  • Choose the permission set you created and pick the &lt previously;strong>Next button.

 

 

 

Figure 5: Selecting permission set to AWS accounts

Figure 5: Selecting permission set to AWS accounts

 

 

  • Review your alternatives, and press Submit to submit your assignments, as shown in Figure 6.

 

 

 

Figure 6: Reviewing submit assignments to AWS accounts

Figure 6: Reviewing submit assignments to AWS accounts

 

 

AWS SSO shall now utilize the permission set definition to make a role in each selected account, which grants users usage of register via Fleet Manager. Users access that role by signing in to the AWS SSO user portal.

To gain access to Fleet Managed EC2 instances

    1. From the console, navigate to your AWS SSO user portal URL and login as any AWS SSO user who’s an associate of the group (e.g., demoFMGroup) you selected in step three 3 above.
    2. From the AWS SSO user portal page, choose Management console and demand Fleet Manager console where you have your EC2 Windows managed instance, as shown in Figure 7

Figure 7: Navigating to the Management console from an individual portal

Figure 7: Navigating to the Management console from an individual portal

  • Decide on a managed Windows instance and choose Instance actions and &lt then;strong>Connect to Remote Desktop as shown in Figure 8.

 

 

 

Figure 8: Connecting with Remote Desktop

Figure 8: Connecting with Remote Desktop

 

 

  • Select Single Sign-On and select &lt then;strong>Connect, as shown in Figure 9.

 

This logs you in making use of your AWS SSO credential automatically. If this is actually the first-time connecting to the instance, a fresh local user will be created.

 

Figure 9: Selecting Single Sign-On

Figure 9: Selecting Single Sign-On

 

 

Connected once, you shall see your EC2 Windows instance in the All sessions tab, helping you to need to four concurrent sessions within a view up, as shown in Figure 10. For an individual session view, choose the Instance ID tab.

 

Figure 10: Selecting expanded desktop view

Figure 10: Selecting expanded desktop view

 

 

  • From the single session tab, we are able to note that AWS Fleet Manager created an area Windows Server user for the AWS SSO user (demoUser1).

 

After creating the neighborhood user, AWS Fleet Manager used the credentials it intended to sign in to the EC2 Windows server as sso-demoUser1 from the Windows Event Viewer, providing you individual user logging on your own EC2 Windows servers. These logs can be found from within the Fleet Manager console also.

Figure 11: Showing AWS SSO username in Amazon EC2 Windows instance event log

Figure 11: Showing AWS SSO username in Amazon EC2 Windows instance event log

Conclusion

This post described how exactly to give a single sign-in experience to Windows EC2 instances using AWS Fleet Manager with AWS Single Sign-On. Achieving this lets you create users in AWS SSO, or even to connect any supported identity provider to AWS SSO, also to give users one-click usage of their EC2 instances through AWS Fleet Manager.

That is done by creating an AWS SSO permission set that grants users usage of AWS Fleet Manager, then assigning a combined group from AWS SSO to the permission occur the selected AWS accounts. Users can sign in to the AWS SSO user portal, demand AWS Fleet Manager, select their Windows EC2 instance, and land in the Windows user experience and never have to enter Windows credentials separately.

For more information about AWS SSO, go to the AWS Single Sign-On Documentation. For more information about Fleet Manager, go to the AWS Systems Manager Fleet Manager Documentation.

When you have feedback about this post, submit comments in the Comments section below. When you have questions concerning this post, take up a new thread on the AWS Single Sign-On forum.

Want more AWS Security news? Follow us on Twitter.

%d bloggers like this: