What Is AWS SSO? Security Definition
On This Page
Quick Definition
AWS SSO is a service that lets you log in once and then access all your company's AWS accounts and popular business apps without entering your password again. It works like a master key for your work accounts. You don't need to remember different usernames and passwords for each system. This makes logging in simpler and more secure.
Commonly Confused With
IAM users are long-term credentials created within a single AWS account. They are tied to that specific account and cannot be used to access other accounts without complex cross-account role configuration. In contrast, AWS SSO manages access across many accounts from a central service, using temporary credentials. IAM users are best for service accounts or individuals with access to only one account. AWS SSO is designed for human users who need access to multiple accounts.
A developer needs access to dev, test, and prod accounts. Using IAM users, you create three separate IAM users, one per account. Using AWS SSO, you create one user in the directory and assign a permission set once to all three accounts.
AWS Cognito is designed for customer-facing identity management, that is, for users of your own applications (like app users logging in from a mobile app). AWS SSO is designed for workforce identity, your employees and internal contractors accessing AWS accounts and business applications. Cognito also provides user pools and identity pools for external authentication, whereas AWS SSO focuses on federation with enterprise directories.
Use Cognito if you are building a mobile game where players sign in with Google or Facebook. Use AWS SSO if your employees need to sign in to the AWS Management Console to manage infrastructure.
AWS Directory Service provides managed Microsoft Active Directory in the cloud. It can serve as an identity source for AWS SSO, but it is not the same service. Directory Service manages the directory itself (users, groups, passwords). AWS SSO consumes users and groups from that directory to enable single sign-on across accounts and applications. Directory Service is the underlying directory; AWS SSO is the access management layer on top.
You might use AWS Managed Microsoft AD to host your corporate directory in AWS. Then you would connect AWS SSO to that directory so your employees can log in to AWS accounts using their AD credentials.
Must Know for Exams
AWS SSO is a significant topic in multiple AWS certification exams because it represents a core shift in how identity and access management is implemented in the cloud. On the AWS Certified Solutions Architect – Associate (SAA-C03) exam, you will encounter questions about designing secure, multi-account architectures. AWS SSO (now IAM Identity Center) is the recommended service for centralizing user access across an AWS Organization. You need to understand how permission sets map to IAM roles, how identity sources connect, and how the service integrates with AWS Organizations to provide cross-account access. Expect scenario-based questions where you must choose the best solution to give developers SSO access to development, test, and production accounts while enforcing MFA.
On the AWS Certified Security – Specialty (SCS-C02) exam, AWS SSO appears with higher frequency and depth. Security specialists need to know how to configure SAML federation between an external IdP (like Okta or Azure AD) and AWS SSO. Questions may ask about the flow of SAML assertions, attribute mapping, and the role of the AWS SSO assertion endpoint. You may also see questions about using AWS SSO to enforce MFA policies centrally, or to set up conditional access rules based on user attributes. The exam might present a scenario where an organization wants to use their existing Active Directory to grant access to third-party SaaS applications, the correct answer will involve AWS SSO with SAML 2.0 connectors.
On the AWS Certified SysOps Administrator – Associate (SOA-C02) exam, you will find administrative tasks related to AWS SSO. Questions might ask about configuring automatic provisioning of users and groups using SCIM, or troubleshooting why a user cannot access a specific account after being assigned a permission set. SysOps administrators must understand how to update permission sets, manage session durations, and review CloudTrail logs for SSO events. The exam could also ask about the relationship between AWS SSO and IAM roles, specifically that AWS SSO creates temporary IAM roles in target accounts behind the scenes.
The AWS Certified Developer – Associate (DVA-C02) exam touches on AWS SSO in the context of application access. Developers might need to know how to integrate custom applications with AWS SSO using SAML or OIDC. Questions may ask how to configure a custom application to trust AWS SSO as an identity provider, or how to obtain temporary credentials for accessing AWS APIs from a user's session. Understanding the token exchange flow (SAML to AWS temporary credentials) is valuable.
For general IT certifications like CompTIA Security+, the concept of single sign-on and federation is covered conceptually. While you will not be tested on AWS-specific implementation details, understanding AWS SSO as a real-world example of SAML and OAuth federation helps answer broader questions about identity management, MFA integration, and centralized access control. The exam might present a scenario where you need to recommend a solution to reduce password fatigue, SSO is a likely correct answer.
In all these exams, the key is to remember that AWS SSO is about centralizing identity and delegating access. It is not about creating standalone IAM users in each account. Questions often try to trick you into creating IAM users across accounts, which is the legacy approach. The correct, modern answer is always AWS SSO (IAM Identity Center) combined with AWS Organizations.
Simple Meaning
Imagine you work in a large office building that has many different rooms. Each room contains a different tool you need for your job. One room has the payroll system, another has the project management board, and a third holds the customer database. In the old way, you would need a separate key for every single room. You would have to carry a huge keychain, and if you lost one key, you could not get into that room. Worse, if someone else needed a copy of a key, you had to make a physical duplicate.
AWS SSO is like getting a single master key that opens every room you are allowed to enter. When you arrive at the building, you prove who you are once, usually by typing your password and maybe a code from your phone. After that, you can walk into any room you have permission to use, without pulling out a key again. The building manager (your IT team) decides which rooms you can access and can change your permissions instantly from a central desk.
In technical terms, AWS SSO connects your company's existing user directory, like Microsoft Active Directory or a cloud directory such as Azure AD, to your AWS environment. When you log in to the AWS SSO portal, it authenticates you against that directory and then gives you temporary credentials to access AWS accounts and connected applications. You never have to share long-term passwords across different services. The system handles all the behind-the-scenes security handshakes using industry-standard protocols like SAML 2.0 and OAuth 2.0.
The key idea is that AWS SSO separates the act of proving who you are (authentication) from the act of deciding what you can do (authorization). Your identity is managed in one place, and your permissions are managed in another. This makes life easier for users and much simpler for administrators who no longer have to create separate accounts in every single AWS account or application.
Full Technical Definition
AWS SSO is a cloud-based identity and access management service that provides a centralized, secure way to manage user access to multiple AWS accounts and business applications. It acts as an identity provider (IdP) and a service provider (SP) in the same solution, enabling federation and single sign-on across a diverse set of resources. The service builds on industry-standard protocols, primarily Security Assertion Markup Language (SAML) 2.0 for web-based applications and OAuth 2.0 with OpenID Connect (OIDC) for modern API-based access.
From an implementation perspective, AWS SSO integrates with an organization's existing identity source. This can be AWS IAM Identity Center's built-in identity store (a lightweight directory service), or an external IdP such as Microsoft Azure Active Directory (Azure AD), Okta, Ping Identity, or OneLogin. The connection uses SAML 2.0 or SCIM (System for Cross-domain Identity Management) to synchronize user and group information from the external directory into AWS SSO. Once synchronized, AWS SSO becomes the authoritative point for assigning users and groups to AWS accounts and applications.
When a user initiates a login to AWS SSO, the user's browser is redirected to the configured identity source for authentication. After successful authentication, the identity source generates a SAML assertion containing attributes about the user (like username, groups, and email). This assertion is sent back to the AWS SSO service. AWS SSO validates the assertion, checks its internal permission mappings, and generates temporary, scoped-down AWS credentials (access keys, secret keys, and session tokens) for the user. These credentials are valid for a configurable session duration, typically 1 to 8 hours. The user is then redirected to the AWS SSO user portal or directly to the requested AWS account console or application.
A critical component is the use of AWS Organizations. AWS SSO works in conjunction with AWS Organizations to manage accounts at scale. The service can centrally manage access to all accounts within an organization, including management accounts and member accounts. Permission sets, essentially IAM role definitions, are created within AWS SSO and assigned to users or groups for specific accounts. When a user accesses an account, AWS SSO creates a temporary IAM role in that account and assumes it on the user's behalf, effectively granting the permissions defined in the permission set.
AWS SSO also supports application assignment through pre-integrated application connectors for popular SaaS tools like Salesforce, Microsoft 365, Box, and Slack. These connectors use SAML 2.0 to establish trust between AWS SSO and the external application. The administration of user access to these applications is handled from the same AWS SSO console, providing a unified access governance interface.
On the security side, AWS SSO enforces multi-factor authentication (MFA) at the identity source level or through an integrated MFA service. It also provides detailed audit logs via AWS CloudTrail, capturing who authenticated, which account or application they accessed, and at what time. This enables compliance with frameworks like SOC 2, ISO 27001, and PCI DSS. The service is regionally available but operates globally, and it is free to use, you only pay for the underlying AWS resources accessed by users, such as compute or storage in the accounts they sign into.
For IT professionals preparing for certification exams, it is important to understand that AWS SSO has been rebranded as AWS IAM Identity Center. The two names refer to the same service. Older exam materials and documentation may use the term AWS SSO, but current AWS documentation and newer exams use IAM Identity Center. The functionality remains identical, but the naming change reflects a broader scope of identity capabilities beyond just single sign-on.
Real-Life Example
Think of a large hospital with many departments. Dr. Patel works in the cardiology wing but sometimes needs to consult with the radiology department and check lab results. In the old system, Dr. Patel had to carry a badge, a separate key for the cardiology door, a code for the radiology room, and a password for the lab computer. That is four different credentials just to do her job. If she forgot the lab password, she could not access patient test results until IT reset it.
Now imagine the hospital implements a central security desk. Dr. Patel shows her employee badge and scans her fingerprint once at the main entrance. The security desk takes a photo of her and records that she is authorized to enter cardiology, radiology, and the lab. For the rest of the day, every time she approaches a door, the door reads her badge, checks with the central security desk, and opens if she is allowed. She never needs to remember a separate code or key for each area. The security desk also has a master log of everywhere she went, which helps with security audits.
In the IT world, Dr. Patel is the user, the hospital building is the AWS environment, the different departments are AWS accounts or business applications, the badge and fingerprint are the single sign-on credentials (like username, password, and MFA), and the central security desk is AWS SSO. The desk does the hard work of verifying identity once and then issuing quick permissions for every resource the user needs to access. The hospital's administrator (the security manager) can also revoke Dr. Patel's access to the lab immediately if she changes roles, without needing to go to each room to change the lock.
This mapping shows how SSO eliminates the friction of managing multiple passwords while strengthening security. Users get a seamless experience, administrators get centralized control, and auditors get a complete trail of who accessed what and when. The same principle applies whether you are a developer accessing staging and production accounts, a data analyst querying multiple databases, or a finance officer reconciling accounts across an organization.
Why This Term Matters
In modern IT environments, organizations rarely have just one AWS account. A typical company might have separate accounts for development, testing, production, security logging, shared services, and data analytics. Each account needs its own set of user permissions. Without AWS SSO, IT administrators would have to create a separate IAM user in every single account for every employee. For an organization with 500 employees and 20 AWS accounts, that means creating 10,000 user accounts. Managing passwords, rotating keys, and revoking access across all those accounts becomes a nightmare of manual work and potential security holes.
AWS SSO solves this by providing a single, centralized identity layer. An administrator defines users and groups once, typically in a directory like Azure AD or the AWS SSO built-in directory. Then they assign those groups to permission sets in AWS SSO. When a new employee joins, the administrator adds them to the appropriate group in the directory, and within minutes, that employee has access to all the AWS accounts and applications they need. When an employee leaves, removing them from the directory instantly revokes access everywhere. This automation reduces the risk of orphaned accounts that attackers could exploit.
From a security standpoint, AWS SSO encourages best practices. Because users authenticate against a central identity source, the organization can enforce strong password policies, mandatory MFA, and conditional access rules (like requiring access to come from a corporate network). The temporary credentials issued by AWS SSO have a limited lifespan, so even if a session token is leaked, the window of vulnerability is small. Audit logs are centralized, making it easier to detect anomalous access patterns.
For compliance, AWS SSO helps meet requirements from regulations like GDPR, HIPAA, and SOX. Auditors want to see that user access is managed, monitored, and promptly revoked. AWS SSO provides the tools to demonstrate these controls. It also simplifies the principle of least privilege, administrators can assign exactly the permissions needed for a job without giving standing access to every account.
Finally, AWS SSO improves the user experience. Employees no longer need to track dozens of passwords. They have one secure login that works across all their work resources. This reduces password reset requests and speeds up onboarding. In short, AWS SSO is not just a convenience; it is a foundational component of secure, scalable, and auditable cloud access management.
How It Appears in Exam Questions
Exam questions about AWS SSO typically fall into three patterns: scenario-based architecture design, configuration and troubleshooting, and conceptual understanding.
Scenario-based questions often describe a company with multiple AWS accounts and a growing number of users. For example: A company has 15 AWS accounts managed through AWS Organizations. They have 200 employees who need access to different accounts based on their roles. The security team wants to enforce MFA and centralize user management. Which solution should the architect recommend? The correct answer is AWS SSO (IAM Identity Center) with an external identity provider. Distractors might include creating IAM users in each account, using cross-account roles only, or using a single IAM user shared across accounts. The exam tests your ability to identify that AWS SSO is the only service designed for this exact use case.
Another common scenario involves an organization that wants to give their employees access to third-party SaaS applications like Salesforce and Microsoft 365 using the same credentials they use for AWS. The question may present a choice between federation, custom federation, or directory connectors. The correct answer uses AWS SSO's pre-built application connectors, which support SAML 2.0 and require no custom code.
Configuration-based questions might ask: An administrator has assigned a permission set to a group in AWS SSO, but a user in that group cannot access the target account. What is the most likely cause? The answer could be that the user has not logged in since the permission set was assigned (permissions are refreshed at login), or that the user is not synchronized from the external identity source, or that the permission set does not include the necessary IAM policies. These questions test your understanding of the synchronous nature of permission assignment.
Troubleshooting questions often involve mismatches between the external IdP and AWS SSO. For example: Users can authenticate against their corporate Active Directory, but when redirected to AWS SSO, they see an access denied error. The issue could be an incorrect SAML audience URL in the IdP configuration, or an attribute mapping that does not match the user's group membership. Understanding the SAML assertion flow is essential here.
Conceptual questions might ask: What protocol does AWS SSO use to communicate with external identity providers? The answer is SAML 2.0. Or: How does AWS SSO enable access to an AWS account? It creates a temporary IAM role in the target account and assumes it on the user's behalf. These direct recall questions test foundational knowledge.
Finally, some questions combine AWS SSO with AWS Organizations. For instance: A company wants to grant a contractor access to only the billing information across all accounts. Which combination of services should they use? AWS Organizations to structure accounts, and AWS SSO to create a permission set with billing read-only access assigned to the contractor's group. This tests integration knowledge.
To succeed, focus on the relationship between identity sources (built-in, Active Directory, external IdP), permission sets (which define the IAM role), and target accounts. Remember that AWS SSO does not store user passwords itself, it delegates authentication to the identity source.
Practise AWS SSO Questions
Test your understanding with exam-style practice questions.
Example Scenario
A mid-sized e-commerce company, ShopFast, uses AWS to run its online store. They have four AWS accounts: one for development, one for testing, one for production, and one for security monitoring. The company has 80 employees: developers, testers, DevOps engineers, and security auditors. Before implementing AWS SSO, the IT team created separate IAM users in each account for every person. Developers had accounts in dev, test, and prod. Testers only needed test and prod. Security auditors only needed the security account. The IT team spent hours each week handling password resets, and when a developer left the company, they had to manually delete users from all three accounts. Sometimes they missed one, leaving an open security gap.
ShopFast decides to implement AWS SSO to solve these problems. First, they connect AWS SSO to their existing corporate directory, Microsoft Azure AD, which already has all employee accounts and group memberships. They create groups in Azure AD such as Developers, Testers, DevOps, and SecurityTeam. Then, in the AWS SSO console, they create permission sets. The developer permission set grants administrator access in dev, read-only in test, and limited read-only in prod (for viewing logs). The tester permission set grants full access in test and read-only in prod. The security team gets full access to the security account and read-only to all others.
Next, they assign these permission sets to the corresponding Azure AD groups in AWS SSO. For example, they map the Azure AD group Developers to the developer permission set in the dev, test, and prod accounts. They also create an application assignment for Slack, so developers can access Slack through the same portal. After configuration, each employee logs in to the AWS SSO user portal using their Azure AD credentials (plus MFA), and they see all the AWS accounts and applications they are allowed to access. They click a button to open the dev account console, and AWS SSO handles the rest.
When a new developer, Priya, joins the company, the HR system automatically adds her to the Developers group in Azure AD. Within minutes, she logs in to the AWS SSO portal and sees the dev, test, and prod accounts along with Slack. She never needs an IT ticket. When a tester, John, leaves the company, HR removes him from all groups. His access to all AWS accounts and Slack is revoked automatically. The security team runs a monthly audit using CloudTrail logs and sees exactly who accessed each account and when. ShopFast has eliminated manual user management, improved security, and made employees happier with a single login.
Common Mistakes
Assuming AWS SSO creates IAM users in each account.
AWS SSO does not create IAM users. It creates temporary IAM roles through permission sets. Users authenticate against the identity source, and AWS SSO assumes a role in the target account on their behalf. There is never a long-term IAM user created.
Remember that AWS SSO uses temporary credentials issued through role assumption, not by creating static IAM users in each account.
Thinking that AWS SSO is the same as IAM Identity Center and that one is a legacy service that should not be used.
AWS SSO was renamed to IAM Identity Center. They are the exact same service with the same functionality. The name change reflects an expanded feature set, but all existing AWS SSO deployments continue to work. Using either name in an exam answer is acceptable, but IAM Identity Center is the current official name.
Treat AWS SSO and IAM Identity Center as synonymous. In new deployments, use IAM Identity Center. In legacy exam questions, AWS SSO is correct.
Believing that AWS SSO can only use its built-in identity store and cannot connect to external identity providers.
AWS SSO fully supports external identity sources including Microsoft Active Directory, Azure AD, Okta, Ping Identity, and any SAML 2.0 compatible IdP. The built-in store is just one option for smaller organizations without an existing directory.
Know that AWS SSO integrates with external IdPs via SAML 2.0 and SCIM for user provisioning. The built-in store is optional.
Confusing AWS SSO permission sets with IAM policies or IAM roles directly.
A permission set is a collection of one or more IAM policies (managed and/or inline) that AWS SSO uses to create a temporary IAM role in a target account. You do not create a traditional IAM role in each account separately; AWS SSO creates it dynamically.
Understand that permission sets are templates. AWS SSO automatically creates and manages the IAM roles based on these templates when users access accounts.
Thinking that AWS SSO grants access to AWS accounts only, not to third-party SaaS applications.
AWS SSO can assign access to thousands of pre-integrated third-party applications like Salesforce, Microsoft 365, Box, Slack, and many more, using SAML 2.0 federation. It also supports custom SAML 2.0 applications.
Recall that AWS SSO is a central hub for both AWS account access and business application access, providing a single portal for all work resources.
Assuming that MFA is configured within AWS SSO itself and not at the identity source level.
AWS SSO does not have its own MFA service. MFA is enforced by the external identity provider (e.g., Azure AD, Okta) or by the AWS SSO built-in identity store's own MFA settings, which uses AWS's MFA capabilities.
Remember that MFA configuration is done where the user's identity is stored. If using an external IdP, MFA is enforced there. AWS SSO trusts the authentication result from the IdP.
Exam Trap — Don't Get Fooled
{"trap":"A question asks how to grant a user access to multiple AWS accounts. A tempting distractor suggests creating an IAM user in each account and then giving those users the same password. Another distractor recommends using a single IAM user with cross-account roles configured manually in each account."
,"why_learners_choose_it":"Learners who are familiar with basic IAM concepts may remember that cross-account roles exist and think that manually creating roles in each account is a valid solution. They might also recall that IAM users are the standard way to give access, so creating one per account seems logical. They do not yet understand that AWS SSO automates this process at scale and is the recommended approach."
,"how_to_avoid_it":"Always think about the requirement for centralization and scalability. If the question mentions managing access for many users across many accounts, the answer is AWS SSO (IAM Identity Center). AWS SSO automatically creates the cross-account roles behind the scenes using permission sets, eliminating manual work.
If the question does not mention scalability or central management, a cross-account role might still be appropriate, but for multi-account environments with many users, SSO is the best practice."
Step-by-Step Breakdown
Choose an identity source
Before using AWS SSO, you must decide where user identities will live. You can use the AWS SSO built-in identity store (a simple directory managed by AWS), connect to an existing Microsoft Active Directory via AWS Directory Service, or federate with an external IdP like Okta or Azure AD using SAML 2.0. This step defines the source of truth for user accounts and authentication.
Enable AWS Organizations and choose the management account
AWS SSO requires AWS Organizations to be enabled. The service runs from the management account (formerly the master account) of the organization. You create permission sets and assign users to accounts from this central location. All member accounts in the organization become targets for access assignment.
Create permission sets
A permission set is a predefined set of IAM policies that define what a user can do in a target account. You can use AWS managed policies (like AdministratorAccess, ReadOnlyAccess) or create custom inline policies. Permission sets are reusable across multiple accounts. When a user accesses an account, AWS SSO creates a temporary IAM role in that account matching the permission set.
Assign users and groups to accounts and applications
In the AWS SSO console, you assign users or groups (from your chosen identity source) to specific AWS accounts and select the permission set for that assignment. You can also assign users to pre-integrated SaaS applications using SAML connectors. These assignments determine which resources each user can access after login.
User authenticates through the identity source
When a user tries to access the AWS SSO user portal or a specific application, they are redirected to the configured identity source (e.g., the built-in store or external IdP). The user enters their credentials and completes any required MFA challenge. The identity source authenticates the user and issues a SAML assertion confirming the user's identity and attributes.
AWS SSO validates the assertion and issues temporary credentials
AWS SSO receives the SAML assertion from the identity source, validates it, and checks its internal mappings to determine which accounts and applications the user is authorized to access. For each requested account, AWS SSO calls the AWS Security Token Service (STS) to assume the corresponding IAM role (created from the permission set). STS returns temporary access keys, secret keys, and a session token, which are passed to the user's browser session.
User accesses the resource
With the temporary credentials, the user can now access the AWS Management Console, AWS CLI, or SDK for the target account. The credentials are valid for the configured session duration (default 1 hour, configurable up to 12 hours). If the user accesses another account, a new set of temporary credentials is issued. When the session expires, the user may need to re-authenticate.
Practical Mini-Lesson
In practice, implementing AWS SSO (IAM Identity Center) requires careful planning around identity source selection and permission set design. Many organizations already have a corporate directory, most commonly Microsoft Active Directory or Azure AD. The cleanest integration is to connect AWS SSO to that existing directory using SAML 2.0 federation and SCIM for automatic user and group provisioning. SCIM (System for Cross-domain Identity Management) is particularly important because it synchronizes group membership changes automatically. Without SCIM, administrators would need to manually manage groups in both the directory and AWS SSO, defeating the purpose of centralization.
When designing permission sets, adhere to the principle of least privilege. Instead of granting AdministratorAccess to every developer, create custom permission sets with only the policies needed for their role. For example, developers might need full access to development accounts, but only read-only access to production. Use AWS managed policies as a starting point but combine them with custom inline policies when necessary. Also consider using permission boundaries to further restrict the maximum permissions a role can have.
A common real-world challenge is session duration management. By default, AWS SSO sessions last 1 hour, but users often need longer sessions for tasks like running long scripts or monitoring dashboards. You can increase the session duration in the AWS SSO settings, but this reduces security because stolen tokens remain valid longer. A better approach is to educate users to use the AWS CLI with the aws sso login command, which configures temporary credentials that refresh automatically within the session window.
Another practical consideration is the user portal URL. Each AWS SSO deployment has a unique portal URL (e.g., https://my-app.awsapps.com/start). Users should bookmark this URL and always start their access from there. If users try to access individual account login pages directly, they will be prompted for credentials and may get confused. Training users to always go through the portal is essential for a smooth experience.
What can go wrong? Several issues frequently appear. First, if the identity source becomes unavailable (e.g., Azure AD outage), users cannot log in to any AWS account because authentication fails. To mitigate this, consider setting up a backup identity source or enabling local AWS SSO users for emergency break-glass access, though this reduces centralization. Second, permission set updates do not take effect until the user logs out and logs back in. If you grant a new permission, the user must re-authenticate to see the change. This is a common point of confusion where users think access is broken when really they just need to log out and back in.
Third, SAML attribute mapping errors are common when connecting external IdPs. The identity source must send the correct attribute (usually the user's email or username) that matches the AWS SSO user store. If the attribute name does not match, the SAML assertion will be rejected. Always test with a single user before rolling out to the entire organization.
Finally, for organizations using AWS Control Tower, AWS SSO is automatically enabled and integrated. Control Tower creates a baseline permission set and assigns it to root users. However, administrators can customize these assignments. Understanding this integration is important for exams covering AWS Control Tower.
For professionals, the key takeaway is that AWS SSO is not a one-time setup; it requires ongoing governance. Regularly review permission set assignments, audit CloudTrail logs for unusual access patterns, and ensure MFA is enforced. A well-implemented AWS SSO deployment significantly reduces the attack surface and administrative overhead compared to traditional per-account IAM user management.
Memory Tip
Remember: AWS SSO = One identity, many accounts. Think of it as the bouncer at the entrance of a club who checks your ID once, then gives you a wristband to access different rooms.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →SC-900SC-900 →MD-102MD-102 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.