AWS - Granting Users Access to the AWS Management Console using NetID Authentication

AWS accounts are configured to allow users to sign in to the AWS Management Console using NetID authentication. This is done through the management of groups in Manifest.

Note: these instructions are for accounts in our newer AWS Organization. If you are unsure which AWS Organization your account is in, see AWS - Determining the AWS Organization in which your AWS account resides.

For accounts in DLT1, see AWS - Granting Users Access to the AWS Management Console using NetID Authentication (DLT1 version).

Important: AWS account owners should periodically review the membership of the Manifest groups associated with their AWS accounts. It is the responsibility of account owners to ensure that only the appropriate individuals have access to their AWS accounts. Individuals whose University affiliation has changed will not be automatically reflected in the Manifest group memberships associated with AWS accounts.

Default Roles

AWS accounts come with several NetID roles:

AWSSSOAdministratorAccess - This role has access to all AWS services.

  • Good for most people who need to run AWS services
  • Maps to the AWS "AdministratorAccess" managed policy.
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group
  • Administrators can manage all elements in Identity Management other than policies set at the organization level

AWSSSOPowerUser - Provides full access to AWS services and resources, but does not allow management of users and groups.

  • Good for people who will be using AWS services, but should not be able to alter security or other users' access.
  • Maps to the AWS "PowerUser" managed policy
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group

AWSReadOnlyAccess - Grants permissions to view resources and basic metadata across all AWS services, including billing data.

  • Maps to the AWS "ViewOnlyAccess" managed policy
  • Account Owner and Technical Contacts from original account request will be initially mapped to this group

To audit, add, or remove the members in the groups:

  • Open https://manifest.services.wisc.edu
    • By default, only the Account Owner and Primary Technical Contact associated with an AWS account will have permission to modify the Manifest groups associated with an AWS account
  • Open Groups I Administer in the top navigation -OR- enter your AWS Account ID into the "Quick launch" box
  • Open Details for the AWS account that you'd like to manage
    • The folder will be named uw:domain:cci.wisc.edu:AWS:<AWS-account-id> where <AWS-account-id> is your 12-digit AWS Account Id
  • Switch to the Groups tab and open Details for the group you wish to modify
  • Switch to the Members tab to view, add, and remove group members
    • Note: It may take up to an hour before changes take effect. Users already logged into the AWS Management Console will need to sign out and sign in again to see the membership changes.
    • Note: When adding a member, Manifest supports setting a time at which a NetID will be removed from a role. This is useful for offering temporary access, such as to an employee with a limited term or to support personnel.

To change who can manage the Manifest groups associated with your AWS account:

  • Switch to the Privileges tab to audit and manage who can manage the Manifest groups associated with your AWS account

To create new Manifest groups & roles in your AWS account:

  • Within restricted data accounts, we have restricted the ability to create custom role & group mappings.
  • Should you need to design a custom role & map it to a Manifest group, contact the Public Cloud Team.

If you have any questions, feedback, or ideas, please Contact Us.

Commonly Referenced Docs:

  • UW Madison Public Cloud Team Events
  • Online Learning Classes for Cloud Vendors
  • What Data Elements are allowed in the Public Cloud



Doc ID: 116997
Owner: Kelly R.
Group: Public Cloud
Created: 2022-02-25 15:27:50
Updated: 2023-11-08 11:15:23