Migrate IAM Users to AWS SSO

Question

Hello everyone,
Is there a way to migrate IAM Users to AWS SSO? So, I don't have to re-enter the users again.
I know I can list my users with the following command: ```aws organizations list-accounts```

Cheers
Edu

Answer

It's not an easy task, you need to have a plan because it not just involves copy-and-paste the username, but also the permission configuration in your account (Otherwise, you'll just create a bunch of users without any permission).

1. First, you need to gather the list of IAM users, and categorise them into groups according to their permission level.
2. For every permission level, you need to create a [permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) 
3. [Create SSO users](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html) (Note that the information required is more than IAM users, you'll need the users' email address. So you can't simply copying the IAM username here) 
4. [Create group](https://docs.aws.amazon.com/singlesignon/latest/userguide/addgroups.html) and [add the SSO users into them](https://docs.aws.amazon.com/singlesignon/latest/userguide/adduserstogroups.html) by the permission category you defined earlier
5. [Assign permission sets to different groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers)

Migrating to AWS SSO is not just a technical task but also an opportunity to review the access management of your organisation.

Migrate IAM Users to AWS SSO

関連するコンテンツ