About AWS user and group access management

Connecting Okta to multiple Amazon Web Services (AWS) accounts using groups is supported primarily through an external directory. Administrators work with two logical sets of external directory groups: AWS role-specific groups and management groups.

AWS role-specific groups

A group must exist in the external directory for each account and role combination to which you want to grant access. Think of these groups as AWS role-specific groups. The group name must follow a defined naming syntax that identifies the account and the role.

A user who is a member of a role-specific group is granted a single entitlement: access to one specific role in one specific AWS account. Role-specific groups can be created by a script, from a list exported from AWS, or manually.

Management groups

It's not efficient to manage user access by assigning each user directly to individual AWS role groups. Instead, create management groups: one group for each distinct set of users in your organization that requires a different set of AWS entitlements.

These groups may already exist in your external directory hierarchy as department-specific groups, or you can create them solely for AWS.

The management groups are the administration layer: you assign users to them (as group members) and map those users to entitlements by making each management group a member of the appropriate AWS role groups (through its Member Of property).

Once you create the management groups in the external directory, use these groups to perform all administrative tasks, including:

  • Adding and removing users
  • Granting access to AWS accounts and roles
  • Updating entitlements by adding or removing AWS role groups in the management group's Member Of property
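The following is an added example, not code from the Okta documentation or from Okta, that models the two-layer structure described above: role-specific groups generated from a list of account/role pairs (as a script would produce them), management groups nested into those role groups through Member Of, and a resolver that computes a user's effective AWS entitlements through the nesting. The naming syntax aws#<12-digit account id>#<role name>, the regular expression, the Directory class, and all account IDs, group names and users are assumptions constructed for illustration; the page does not specify the real syntax.

```python
import re
from collections import defaultdict

# Assumed naming convention for this example (the page only says the name
# follows a particular syntax; this exact form is an assumption):
#   aws#<12-digit account id>#<IAM role name>   e.g. aws#111111111111#ReadOnly
ROLE_GROUP_RE = re.compile(r"^aws#(?P<account>\d{12})#(?P<role>[\w+=,.@-]+)$")


def role_group_name(account_id, role_name):
    """Build the role-specific group name for one account/role combination."""
    name = f"aws#{account_id}#{role_name}"
    if not ROLE_GROUP_RE.match(name):
        raise ValueError(f"invalid account id or role name: {account_id!r}/{role_name!r}")
    return name


def parse_role_group(name):
    """Return (account_id, role_name) if `name` is a role-specific group, else None."""
    m = ROLE_GROUP_RE.match(name)
    return (m.group("account"), m.group("role")) if m else None


def generate_role_groups(account_roles):
    """Turn (account, role) pairs, e.g. a list exported from AWS, into group names."""
    return sorted({role_group_name(a, r) for a, r in account_roles})


class Directory:
    """Minimal stand-in for an external directory with nested groups (assumed model)."""

    def __init__(self):
        self.groups = set()
        self.members = defaultdict(set)  # group -> direct members (users or groups)

    def add_group(self, name):
        self.groups.add(name)

    def add_member(self, group, member):
        """Add a user or a group as a direct member of `group`."""
        if group not in self.groups:
            raise KeyError(group)
        self.members[group].add(member)

    def remove_member(self, group, member):
        self.members[group].discard(member)

    def set_member_of(self, group, parent):
        """Make `group` a member of `parent`, i.e. add `parent` to its Member Of."""
        self.add_member(parent, group)

    def effective_groups(self, user):
        """All groups the user belongs to directly or via nesting; cycle-safe."""
        seen, frontier = set(), [user]
        while frontier:
            node = frontier.pop()
            for g in self.groups:
                if node in self.members[g] and g not in seen:
                    seen.add(g)
                    frontier.append(g)
        return seen

    def entitlements(self, user):
        """Set of (account_id, role_name) pairs the user is entitled to."""
        return {p for p in map(parse_role_group, self.effective_groups(user)) if p}

    def malformed_role_groups(self):
        """Groups that look like role groups but do not match the naming convention."""
        return sorted(g for g in self.groups
                      if g.lower().startswith("aws#") and not parse_role_group(g))


def build_example_directory():
    """Constructed sample data; accounts, roles, groups and users are fictitious."""
    d = Directory()
    for g in generate_role_groups([("111111111111", "ReadOnly"),
                                   ("111111111111", "Admin"),
                                   ("222222222222", "ReadOnly")]):
        d.add_group(g)
    d.add_group("aws#Admin#1111")  # malformed: fields swapped, account not 12 digits
    for g in ("AWS-Developers", "AWS-CloudAdmins", "Finance"):
        d.add_group(g)  # management groups plus one ordinary department group
    # Entitlements are granted by nesting management groups into role groups.
    d.set_member_of("AWS-Developers", "aws#111111111111#ReadOnly")
    d.set_member_of("AWS-Developers", "aws#222222222222#ReadOnly")
    d.set_member_of("AWS-CloudAdmins", "aws#111111111111#Admin")
    d.set_member_of("AWS-CloudAdmins", "AWS-Developers")  # admins inherit developer access
    # Users are administered only through management groups, never role groups.
    d.add_member("AWS-Developers", "alice")
    d.add_member("AWS-CloudAdmins", "bob")
    d.add_member("Finance", "carol")
    return d


if __name__ == "__main__":
    d = build_example_directory()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(d.entitlements(user)))
    print("malformed role groups:", d.malformed_role_groups())
```

Two points the model makes visible: removing a role group from a management group's Member Of (here, `d.remove_member("aws#222222222222#ReadOnly", "AWS-Developers")`) revokes that entitlement for every member of the management group at once, and, conversely, nesting one management group inside another grants the inner group's members everything the outer group is entitled to, so review nested membership before adding a management group to a privileged role group. The malformed-name check is worth running before each sync, because a role group whose name does not parse silently grants nothing.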