
Prerequisites

Before managing users and groups, make sure the user management profile is properly set up.

1. Install Required Software

   Described in the Getting Started section.

2. Set up AWS SSO locally

   As described in Set up AWS SSO locally.

3. Clone and Access the Repository

   Clone your organization’s Infrastructure as Code (IaC) repository:
   git clone <iac-repository-url>
   Navigate to the user management directory:
   cd Infrastructure/infrastructure/<aws-region>/permissions/sso/main
   Initialize the module:
   terragrunt init

Core Concepts

Users

Users represent individuals who need access to AWS resources and applications. Each user:
  • Requires MFA (Multi-Factor Authentication) – Enforced on the first login for security
  • Has unique credentials – Separate from traditional AWS IAM (Identity and Access Management) users
  • Belongs to groups – Access is granted and managed through group membership
  • Can access multiple accounts – Single sign-on across all assigned AWS accounts

Access Groups

Access Groups are an abstraction we create to manage the underlying AWS IAM Identity Center components: groups, permission sets, and account attachments. This abstraction simplifies the relationships between these components and provides a more intuitive way to manage user access across multiple AWS accounts.
Access groups define what users can do and where they can do it. They are built from IAM Identity Center groups and permission sets, typically in a one-to-one relationship, and each access group defines:
  • Accounts – Which AWS accounts the group provides access to
  • Policies – What permissions users in the group have in those accounts
  • Applications – Which integrated applications users can access (these are attached manually)
  • Session Duration – How long temporary access tokens remain valid

Policy Types

Access groups rely on policies to define permissions. There are three types, matching the aws_managed_policies, inline_policies and customer_managed_policies fields of an access group:
AWS managed policies – Pre-built policies maintained by AWS. Common examples:
  • AdministratorAccess – Full administrative permissions
  • PowerUserAccess – All permissions except IAM and billing
  • ReadOnlyAccess – View-only permissions across services
  • ViewOnlyAccess – Basic read permissions
Inline policies – Custom policies created and managed within your access group:
  • Defined inside the access group itself
  • Applied automatically to all accounts assigned to the group
  • Useful for granular permissions
Customer managed policies – Policies that must already exist in the target accounts:
  • Not managed directly by the access group
  • Must be created in each target account before being referenced

Understanding the Users & Groups Parameter

Always test changes in a development environment before applying to production accounts.
Important: User management changes affect access across your entire AWS organization. Always coordinate with your team and follow your organization’s change management process.
User and group configurations are managed through Terragrunt parameters in an input.hcl file. Here’s what the structure looks like:
locals {
  # Access group definitions
  access_groups = [
    {
      name                      = "DevelopmentTeam"
      description               = "Access for development team members"
      session_duration          = "PT8H"
      aws_managed_policies      = ["arn:aws:iam::aws:policy/PowerUserAccess"]
      inline_policies           = []
      customer_managed_policies = []
      accounts_names            = ["<development_workload_account>"]
    }
  ]

  # User definitions
  users = [
    {
      display_name = "John Doe"
      email        = "<user-email>"
      given_name   = "John"
      family_name  = "Doe"
      groups       = ["DevelopmentTeam"]
    }
  ]
}
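Because a change here alters access across the whole organization, it is worth running a pre-apply check on the same structure before terragrunt apply. The following is an added example, not part of this page or the Terragrunt module it describes: it mirrors the access_groups and users keys above as Python data (constructed sample values, not from the page), parses the ISO 8601 session_duration, and flags AdministratorAccess groups with long sessions, groups that grant no accounts, and users that reference a group that is not defined. The 4-hour threshold is an assumption chosen for the example.

```python
import re
from datetime import timedelta

# Constructed sample mirroring the input.hcl structure (same keys, as Python dicts).
ACCESS_GROUPS = [
    {"name": "DevelopmentTeam", "session_duration": "PT8H",
     "aws_managed_policies": ["arn:aws:iam::aws:policy/PowerUserAccess"],
     "accounts_names": ["dev-workload"]},
    {"name": "PlatformAdmins", "session_duration": "PT12H",
     "aws_managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
     "accounts_names": ["dev-workload", "prod-workload"]},
]
USERS = [
    {"email": "jdoe@example.com", "groups": ["DevelopmentTeam"]},
    {"email": "asmith@example.com", "groups": ["PlatformAdmins", "Auditors"]},
]

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
MAX_ADMIN_SESSION = timedelta(hours=4)  # assumed threshold for this example


def parse_iso_duration(value):
    """Parse the PTnHnM form used by session_duration (e.g. PT8H) into a timedelta."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or value == "PT":
        raise ValueError(f"unsupported session_duration: {value}")
    return timedelta(hours=int(m.group(1) or 0), minutes=int(m.group(2) or 0))


def lint(access_groups, users):
    """Return a list of findings; an empty list means the configuration passed."""
    findings = []
    known_groups = {g["name"] for g in access_groups}
    for g in access_groups:
        duration = parse_iso_duration(g["session_duration"])
        # Admin rights should not come with long-lived temporary credentials.
        if ADMIN_POLICY in g["aws_managed_policies"] and duration > MAX_ADMIN_SESSION:
            findings.append(f"{g['name']}: AdministratorAccess with {g['session_duration']} session")
        # A group with no accounts is almost certainly a typo in accounts_names.
        if not g["accounts_names"]:
            findings.append(f"{g['name']}: grants access to no accounts")
    for u in users:
        # A user assigned to an undefined group silently gets nothing from it.
        for grp in u["groups"]:
            if grp not in known_groups:
                findings.append(f"{u['email']}: references undefined group {grp}")
    return findings


if __name__ == "__main__":
    for line in lint(ACCESS_GROUPS, USERS):
        print(line)
```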