AWS Restricted Data - Granting Users Access to the AWS Management Console using NetID Authentication

AWS accounts are configured to allow users to sign in to the AWS Management Console using NetID authentication. This is done through the management of groups in Manifest.

Note: these instructions are for Amazon Web Services (AWS) for Sensitive and Restricted Data and/or NIH STRIDES Program Offerings accounts, which are accessed with URLs starting with uw-madison-dlt3 or uw-madison-fourpoints.

For all other accounts, see AWS - Granting Users Access to the AWS Management Console using NetID Authentication.

Default Roles

AWS accounts come with several NetID roles:

AWSSSOAdministratorAccess - This role has access to all AWS services.

  • Good for most people who need to run AWS services
  • Maps to the AWS "AdministratorAccess" managed policy
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group
  • Administrators can manage all elements in Identity Management other than policies set at the organization level

AWSSSOPowerUser - Provides full access to AWS services and resources, but does not allow management of users and groups.

  • Good for people who will be using AWS services, but should not be able to alter security or other users' access.
  • Maps to the AWS "PowerUser" managed policy
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group

AWSReadOnlyAccess - Grants permissions to view resources and basic metadata across all AWS services, including billing data.

  • Maps to the AWS "ViewOnlyAccess" managed policy
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group

To audit, add, or remove the members in the groups

  • Open https://manifest.services.wisc.edu
    • By default, only the Account Owner and Primary Technical Contact associated with an AWS account will have permission to modify the Manifest groups associated with an AWS account
  • Open Groups I Administer in the top navigation -OR- enter your AWS Account ID into the "Quick launch" box
  • Open Details for the AWS account that you'd like to manage
    • The folder will be named uw:domain:cci.wisc.edu:AWS:<AWS-account-id> where <AWS-account-id> is your 12-digit AWS Account ID
  • Switch to the Groups tab and open Details for the group you wish to modify
  • Switch to the Members tab to view, add, and remove group members
    • Note: It may take up to an hour before changes take effect. Users already logged into the AWS Management Console will need to sign out and sign in again to see the membership changes.
    • Note: When adding a member, Manifest supports setting a time at which the NetID will be removed from the role. This is useful for granting temporary access, such as to an employee with a limited term or to support personnel.

To change who can manage the Manifest groups associated with your AWS account

  • Switch to the Privileges tab to audit and manage who can manage the Manifest groups associated with your AWS account

To create new Manifest groups & roles in your AWS account

  • Within restricted data accounts, we have restricted the ability to create custom role & group mappings
  • Should you need to design a custom role & map it to a group, contact the Public Cloud Team

See Also:

If you have any questions, feedback or ideas please Contact Us

Commonly Referenced Docs:

UW Madison Public Cloud Team Events
Online Learning Classes for Cloud Vendors
What Data Elements are allowed in the Public Cloud

Keywords: aws management console sign in log login signin access accessing web netid shibboleth manifest saml cloud restricted data roles policy policies
Doc ID: 116997
Owner: Chris L.
Group: Public Cloud
Created: 2022-02-25 15:27 CDT
Updated: 2022-02-25 18:01 CDT
Sites: Public Cloud