AWS access portal URL | SSO Login URL - Restricting access to vpn


While reading the docs, I saw we can change the SSO URL to a more customized one. Is it also possible to restrict the same URL (customized or not) to be accessible only to the business VPN IP address range?

https://docs.aws.amazon.com/singlesignon/latest/userguide/howtochangeURL.html

2 Answers
Accepted Answer

AWS SSO (or AWS Identity Center, as it is called now) is a service that allows you to set up an IdP (like Okta). Due to the nature of the service, it is supposed to be available via the Internet from anywhere.

However, you can enable MFA (multi-factor authentication) to provide another layer of security for your SSO service. This will require your authorized users to prove they are who they say they are by requesting that they provide a second form of identification.

If you want to limit access to AWS services that you have SSO in front of, you can restrict access using the Permission Sets and restrict by IP. You can read more about this here - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Hope this helps,

answered a year ago
  • I was planning to use MFA also. The requirement was also to restrict the SSO portal URL itself from public access to only the VPN IP address range.

  • This is currently not possible, but you can restrict access to the applications in your permission sets if you are trying to restrict access to consoles; external applications are not possible right now. Here's someone who asked this question and the AWS response - https://bit.ly/41RQbHF


I don't think it is possible to put IP restrictions on URLs.
How about putting IP restrictions on SSO user policies instead?
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

EXPERT
answered a year ago
  • Like deny all logins if the source IP address is not from the VPN IP range, and putting permission sets at the OU level to restrict user interactions on AWS?

  • I think it is possible to log in to the management console. However, it is secure because only authorized IP addresses will be able to perform subsequent operations.
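The deny-by-source-IP policy that both answers point to, as an added example that is not part of the original thread. It builds the inline policy document you would attach to a permission set, following the structure of the AWS "deny access based on source IP" documentation example linked above, and runs a small local checker over a few constructed requests to show which ones the Deny statement catches. The VPN range 203.0.113.0/24 and the sample request addresses are placeholders, and the checker is a simplified model of the NotIpAddress and Bool conditions only, not IAM's policy evaluation engine.

```python
"""
Added example (not from the original re:Post thread): an inline policy for an
IAM Identity Center permission set that denies every action unless the request
arrives from the corporate VPN egress range, plus a small local checker that
shows which constructed requests the Deny statement matches.

Assumptions (not in the original thread):
  * 203.0.113.0/24 (TEST-NET-3) stands in for the real VPN egress range.
  * The checker models only the NotIpAddress and Bool conditions used here;
    it is NOT IAM's evaluation engine.
"""
import ipaddress
import json

VPN_CIDRS = ["203.0.113.0/24"]  # placeholder corporate VPN egress range


def build_deny_outside_vpn_policy(cidrs):
    """Policy document (dict) to attach as an inline policy to a permission set.

    Deny "*" on "*" whenever aws:SourceIp is outside the allowed ranges, except
    for calls an AWS service makes on the principal's behalf
    (aws:ViaAWSService = true), because those carry the service's address and
    would otherwise be blocked too."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideVpn",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": list(cidrs)},
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            }
        ],
    }


def policy_json(cidrs):
    """JSON text ready to pass as --inline-policy file://policy.json."""
    return json.dumps(build_deny_outside_vpn_policy(cidrs), indent=2)


def _outside_all(cidrs, source_ip):
    """NotIpAddress semantics: true when source_ip is in none of the ranges.
    Version-mismatched comparisons (v4 address vs v6 range) are simply False."""
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def request_is_denied(policy, source_ip, via_aws_service=False):
    """Simplified check: does any Deny statement in `policy` match a request
    from `source_ip`? All condition keys in a statement must match (AND)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        not_ip = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        want_via = cond.get("Bool", {}).get("aws:ViaAWSService")
        ip_match = _outside_all(not_ip, source_ip) if not_ip else True
        # IAM compares Bool condition values as the strings "true"/"false".
        via_match = want_via is None or str(via_aws_service).lower() == want_via
        if ip_match and via_match:
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_outside_vpn_policy(VPN_CIDRS)
    print(policy_json(VPN_CIDRS))
    # Constructed sample requests: (source IP, call made via an AWS service?)
    samples = [
        ("203.0.113.42", False),  # from the VPN: allowed through
        ("198.51.100.7", False),  # off-VPN user call: denied
        ("198.51.100.7", True),   # service acting for the user: exempted
    ]
    for ip, via in samples:
        verdict = "DENY" if request_is_denied(policy, ip, via) else "pass"
        print(f"{ip:>15}  viaAWSService={str(via).lower():5}  -> {verdict}")
```

Attach the document with `aws sso-admin put-inline-policy-to-permission-set` and re-provision the permission set to the accounts that use it. As the thread says, this only limits what a signed-in user can do with that permission set; it does not stop anyone from reaching the access portal sign-in page, and users assigned a permission set without this policy are unaffected. The `aws:ViaAWSService` exemption matters: without it, actions a service performs on the user's behalf (which present the service's address, not the VPN's) would be denied as well.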
