AWS SSO - what OU/account to use?
Hi,
We have a greenfield environment and I am looking at the best way to set up an AWS Organization and the underlying OUs with accounts. We also use SSO. According to https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf#benefits-of-using-multiple-aws-accounts , we should only have any services in the management account. I am trying to figure out which OU/account SSO should go to according to that document. Should it go to Shared Infra? Or are there any limitations that I should know of, and SSO must be part of the Management account?
The easiest way to set up the landing zone is to use Control Tower. The only caveat with SSO is that you need to deploy CT in the management account in the same region where the existing SSO is deployed. Control Tower won't change the existing SSO. SSO will live in the management account and is not considered a "workload".
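A pre-flight check for the two constraints in the answer above (Control Tower must be enabled from the management account, and its home region must match the region where the existing SSO / IAM Identity Center instance lives), written as an added example that is not part of the original thread or any AWS tooling. It assumes you have already captured the JSON output of `aws sts get-caller-identity`, `aws organizations describe-organization` and `aws sso-admin list-instances --region <r>` for each candidate region; the account IDs, organization ID and instance ARN below are constructed sample values.

```python
"""Pre-flight check before enabling Control Tower on an existing organization.

Inputs are the parsed JSON responses of these AWS CLI calls (assumed to have
been run beforehand; nothing here talks to AWS):
  aws sts get-caller-identity
  aws organizations describe-organization
  aws sso-admin list-instances --region <region>   (once per region)
"""
from typing import Dict, List, Optional


def find_sso_region(instances_by_region: Dict[str, dict]) -> Optional[str]:
    """Return the region whose list-instances response reports an SSO instance.

    SSO (IAM Identity Center) is enabled in exactly one region per organization,
    so more than one region reporting an instance indicates bad input.
    """
    regions = [r for r, resp in instances_by_region.items() if resp.get("Instances")]
    if len(regions) > 1:
        raise ValueError(f"more than one region reports an SSO instance: {regions}")
    return regions[0] if regions else None


def preflight(caller_identity: dict, organization: dict,
              instances_by_region: Dict[str, dict], planned_ct_region: str) -> List[str]:
    """Return a list of blocking findings; an empty list means CT can be enabled."""
    findings: List[str] = []

    # 1. Control Tower is enabled from the management account only.
    mgmt_account = organization["Organization"]["MasterAccountId"]
    caller_account = caller_identity["Account"]
    if caller_account != mgmt_account:
        findings.append(
            f"caller account {caller_account} is not the management account {mgmt_account}"
        )

    # 2. CT home region must be the region where SSO already lives; if no SSO
    #    instance exists yet, CT will create one in its home region.
    sso_region = find_sso_region(instances_by_region)
    if sso_region is not None and sso_region != planned_ct_region:
        findings.append(
            f"existing SSO instance is in {sso_region}, but Control Tower is planned "
            f"for {planned_ct_region}; deploy CT in {sso_region} instead"
        )
    return findings


# Constructed sample responses (not real account IDs or ARNs).
SAMPLE_CALLER = {"UserId": "AIDAEXAMPLE", "Account": "111122223333",
                 "Arn": "arn:aws:iam::111122223333:user/admin"}
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL",
                               "MasterAccountId": "111122223333"}}
SAMPLE_INSTANCES = {
    "us-east-1": {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-example",
                                 "IdentityStoreId": "d-example"}]},
    "eu-west-1": {"Instances": []},
}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        problems = preflight(SAMPLE_CALLER, SAMPLE_ORG, SAMPLE_INSTANCES, region)
        print(region, "OK" if not problems else problems)
```

Run it against the captured responses before pressing "Set up landing zone"; the region loop shows that only the region already holding the SSO instance passes, which is exactly the caveat in the answer.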