AWS singlesignon medium security documentation change
Summary
Updated quick start guide for IAM Identity Center default directory configuration. Changes include clarifying administrative user setup, adding prerequisites, restructuring steps, and adding MFA configuration guidance.
Security assessment
Added explicit instruction to configure MFA for IAM Identity Center users ('You can configure multi-factor authentication...') and linked to MFA documentation. This directly documents security features.
Diff
diff --git a/singlesignon/latest/userguide/quick-start-default-idc.md b/singlesignon/latest/userguide/quick-start-default-idc.md index a096ca403..37b50b953 100644 --- a//singlesignon/latest/userguide/quick-start-default-idc.md +++ b//singlesignon/latest/userguide/quick-start-default-idc.md @@ -7 +7 @@ -When you enable IAM Identity Center for the first time, it's automatically configured with an Identity Center directory as your default identity source, so you don't need to choose an identity source. If your organization uses another identity provider such as AWS Directory Service for Microsoft Active Directory, Microsoft Entra ID, or Okta consider integrating that identity source with IAM Identity Center instead of using the default configuration. +When you enable IAM Identity Center for the first time, it's automatically configured with an Identity Center directory as your default identity source, so you don't need to choose an identity source. If your organization uses another identity provider such as Microsoft Active Directory, Microsoft Entra ID, or Okta consider integrating that identity source with IAM Identity Center instead of using the default configuration. @@ -11 +11 @@ When you enable IAM Identity Center for the first time, it's automatically confi -In this tutorial, you will use the default directory as your identity source and set up and test user access. In this scenario, you manage all users and groups in IAM Identity Center. Users sign in through the AWS access portal. This tutorial is intended for users that are new to AWS or that have been using IAM to manage users and groups. In the next steps, you will create the following: +In this tutorial, you'll use the default directory as your identity source and an IAM Identity Center organization instance to set up and test an administrative user. This administrative user creates and manages users and groups and grants AWS access with permission sets. In the next steps, you'll create the following: @@ -22 +22 @@ In this tutorial, you will use the default directory as your identity source and -To verify everything was created correctly, you will sign in and set the administrative user's password. After completing this tutorial you can use the administrative user to add more users in IAM Identity Center, create additional permission sets, and set up organizational access to applications. +To verify everything was created correctly, you'll sign in and set the administrative user's password. After completing this tutorial, you can use the administrative user to add more users in IAM Identity Center, create additional permission sets, and set up organizational access to applications. Alternatively, if you want to grant users access to application, you can follow step 1 of this procedure and [configure application access](./manage-your-applications.html). @@ -24 +24 @@ To verify everything was created correctly, you will sign in and set the adminis -If you haven't enabled IAM Identity Center yet, see [Enable IAM Identity Center](./enable-identity-center.html). +The following prerequisites are needed to complete this tutorial: @@ -26 +26,5 @@ If you haven't enabled IAM Identity Center yet, see [Enable IAM Identity Center] -Do either of the following to sign in to the AWS Management Console. + * [Enable IAM Identity Center](./enable-identity-center.html) and have an [organization instance of IAM Identity Center](./organization-instances-identity-center.html). + + * If you have an [account instance](./account-instances-identity-center.html) of IAM Identity Center, you can create users and groups as well as grant them access to applications. For more information, see [Application access](./manage-your-applications.html). + + * Sign in to the AWS Management Console and access the IAM Identity Center console either as a: @@ -31,0 +36,4 @@ Do either of the following to sign in to the AWS Management Console. + * For more help signing in to the AWS Management Console, see [AWS Sign-In Guide.](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) + + * You can configure multi-factor authentication for your IAM Identity Center users. For more information, see [Configure MFA in IAM Identity Center](./mfa-configure.html). + @@ -35 +43 @@ Do either of the following to sign in to the AWS Management Console. -Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). + 1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). @@ -37 +45 @@ Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesign - 1. In the IAM Identity Center navigation pane, choose **Users** , then select **Add user**. + 2. In the IAM Identity Center navigation pane, choose **Users** , then select **Add user**. @@ -39 +47 @@ Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesign - 2. On the **Specify user details** page, complete the following information: + 3. On the **Specify user details** page, complete the following information: @@ -59 +67 @@ This option sends the user an email addressed from Amazon Web Services, with the - 3. Choose **Next**. The **Add user to groups** page appears. We're going to create a group to assign administrative permissions to instead of giving them directly to `Nikki`. + 4. Choose **Next**. The **Add user to groups** page appears. We're going to create a group to assign administrative permissions to instead of giving them directly to `Nikki`. @@ -71 +79 @@ A new browser tab opens to display the **Create group** page. - 4. In the **Groups** area, select the **Refresh** button. The `Admin team` group appears in the list. + 5. In the **Groups** area, select the **Refresh** button. The `Admin team` group appears in the list. @@ -75 +83 @@ Select the checkbox next to `Admin team`, and then choose **Next**. - 5. On the **Review and add user** page, confirm the following: + 6. On the **Review and add user** page, confirm the following: @@ -88,5 +96 @@ A notification message informs you that the user was added. -Next, you will add administrative permissions for the `Admin team` group so that `Nikki` has access to resources. - -###### Note - -To complete this step, you'll need an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](./identity-center-instances.html). +Next, you'll add administrative permissions for the `Admin team` group so that `Nikki` has access to resources. @@ -135 +139 @@ You have successfully set up your first user, group, and permission set. -In the next portion of this tutorial you will test `Nikki's` access by signing in to the AWS access portal with their administrative credentials and set their password. Sign out of the console now. +In the next portion of this tutorial you'll test `Nikki's` access by signing in to the AWS access portal with their administrative credentials and set their password. Sign out of the console now. @@ -137 +141 @@ In the next portion of this tutorial you will test `Nikki's` access by signing i -Now that `Nikki Wolf` is a user in your organization, they can sign in and access the resources to which they're granted permission according to their permission set. To verify that the user is correctly configured, in this next step you will use `Nikki's` credentials to sign in and set up their password. When you added the user `Nikki Wolf` in Step 1 you chose to have `Nikki` receive an email with password setup instructions. It's time to open that email and do the following: +Now that `Nikki Wolf` is a user in your organization, they can sign in and access the resources to which they're granted permission according to their permission set. To verify that the user is correctly configured, in this next step you'll use `Nikki's` credentials to sign in and set up their password. When you added the user `Nikki Wolf` in Step 1 you chose to have `Nikki` receive an email with password setup instructions. It's time to open that email and do the following: @@ -143 +147 @@ Now that `Nikki Wolf` is a user in your organization, they can sign in and acces -The email also includes `Nikki's` user name and the AWS access portal URL that they will use to sign in to the organization. Record this information for future use. +The email also includes `Nikki's` user name and the AWS access portal URL that they'll use to sign in to the organization. Record this information for future use. @@ -145 +149 @@ The email also includes `Nikki's` user name and the AWS access portal URL that t -You are taken to the **New user sign up** page where you can set `Nikki's` password. +You are taken to the **New user sign up** page where you can set `Nikki's` password and [register their MFA device](./enable-mfa.html).