AWS user and group access management

Connecting Okta to multiple Amazon Web Services (AWS) instances using groups is supported primarily through an external directory. Administrators work with two logical sets of external directory groups: AWS role-specific groups and management groups.

AWS role-specific groups

A group must exist in the external directory for each specific account and role combination to which you want to grant access. Think of these groups as AWS role-specific groups.

A user who is a member of a role-specific group is granted a single entitlement: access to one specific role in one specific AWS account. You can create a role-specific group with a script, by exporting a list of users from AWS, or manually.

Management groups

It's not efficient to manage user access by assigning each user directly to specific AWS role groups. Instead, create management groups for each distinct set of users in your organization that requires a different set of AWS entitlements.

These groups may exist in your external directory hierarchy in the form of different department-specific groups, but you can also create them solely for AWS.

The management groups are the administration layer: you assign users to them (as groupMembers) and map those users to specific entitlements by making each management group a member of the appropriate AWS role groups (as Members Of).

After you create the management groups in an external directory, use those groups to perform all administrative tasks, which include the following:

  • Adding and removing users
  • Granting access to AWS accounts and roles
  • Updating specific entitlements by adding or removing AWS role groups in the Member Of group property
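The two-layer model above (users in management groups, management groups nested in AWS role-specific groups) is easiest to reason about as transitive group membership. The following added example, which is not code from the original page or from Okta, resolves a user's effective (account, role) entitlements by walking the Member Of chain, and also lists users who were placed directly in a role-specific group, bypassing the management layer. It assumes a role-group naming convention of the form aws#<account-id>#<role-name> and a small constructed directory; both the convention and the sample data are assumptions made for this example, not something the page specifies.

```python
"""Resolve effective AWS entitlements through nested directory groups.

Added example; not Okta's code. The naming convention and the sample
directory below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Assumed naming convention for AWS role-specific groups:
#   aws#<12-digit account id>#<IAM role name>
ROLE_GROUP_RE = re.compile(r"^aws#(?P<account>\d{12})#(?P<role>[\w+=,.@-]+)$")

# Constructed sample directory: group name -> set of direct members.
# A member is either a user ("u:<login>") or a nested group ("g:<name>").
# Management groups (eng-all, eng-leads) hold users; role-specific groups
# hold management groups. "carol" is deliberately added directly to a
# role group to show what the direct-assignment check flags.
DIRECTORY = {
    "aws#111111111111#ReadOnly": {"g:eng-all"},
    "aws#111111111111#PowerUser": {"g:eng-leads"},
    "aws#222222222222#Admin": {"g:eng-leads", "u:carol"},
    "eng-all": {"u:alice", "u:bob", "g:eng-leads"},
    "eng-leads": {"u:bob"},
}


def parse_role_group(name):
    """Return (account_id, role_name) if `name` is a role-specific group, else None."""
    match = ROLE_GROUP_RE.match(name)
    if match is None:
        return None
    return (match.group("account"), match.group("role"))


def build_member_of(directory):
    """Invert the directory: member -> set of groups that list it directly."""
    member_of = defaultdict(set)
    for group, members in directory.items():
        for member in members:
            member_of[member].add(group)
    return member_of


def effective_entitlements(directory, user):
    """Walk transitive Member Of links from `user`, collecting (account, role) pairs.

    A visited set guards against group nesting cycles in the directory.
    """
    member_of = build_member_of(directory)
    queue = deque(member_of.get("u:" + user, ()))
    seen = set()
    entitlements = set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        entitlement = parse_role_group(group)
        if entitlement is not None:
            entitlements.add(entitlement)
        # Continue up the chain: groups that contain this group as a member.
        queue.extend(member_of.get("g:" + group, ()))
    return sorted(entitlements)


def direct_role_assignments(directory):
    """List users placed directly in a role-specific group (bypassing management groups).

    Returns sorted (user, account_id, role_name) tuples; an empty list means
    every entitlement is granted through the management layer.
    """
    findings = []
    for group, members in directory.items():
        entitlement = parse_role_group(group)
        if entitlement is None:
            continue
        for member in members:
            if member.startswith("u:"):
                findings.append((member[2:],) + entitlement)
    return sorted(findings)


if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        print(login, effective_entitlements(DIRECTORY, login))
    print("direct role assignments:", direct_role_assignments(DIRECTORY))
```

Running the script shows that bob inherits three entitlements through two management groups, while carol's Admin access appears in the direct-assignment list because it was granted outside the management layer. In a real deployment the `DIRECTORY` dictionary would be populated from an LDAP or Active Directory export of group membership.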