Difference between AWS IAM & AWS SSO? What should we be careful about before we opt for AWS SSO?


I'm currently using AWS IAM to provision access to AWS resources for the users. Recently I created an AWS Organization to separate the Dev & Prod environments. While doing this I had to create another IAM user for each user in the Dev AWS Organization account, so there are two IAM users for every user, so that all users can access the resources in both the Dev & Prod environments. (Yes, it's conditional access; not all AWS resources are provisioned.)

We started to implement AWS SSO using SAML and came to know about IAM Identity Center, with which a single user can access resources in both AWS accounts (Organizations) with a single username, which is good.

I have some queries regarding AWS SSO.

Question 1

  1. AWS SSO requires AWS Organizations to be enabled by default, with the message below. What does this mean? Once AWS SSO is enabled, can't I create additional/sub-organizations?

After you create an organization, you cannot join this account to another organization until you delete its current organization

Question 2

  1. Once I set up AWS Organizations & AWS SSO and changed the identity source, it syncs the groups & users to the AWS root account, using which we can provision the resources. Will it remove/delete the existing IAM users & roles?

      If NO, will I still be able to log in with the IAM username & password, other than via AWS SSO?
    

Question 3

  1. While I change the identity source using AWS SSO, it warns that the MFA configurations will be deleted. Will it delete the MFA for the root account and the IAM users, or just for the users inside AWS SSO?

IAM Identity Center will delete your current multi-factor authentication (MFA) configuration.

Question 4

  1. Why can't I set up AWS SSO from an organization account? Is there any specific reason?

Final Question

  1. Did I understand AWS SSO (IAM Identity Center) properly?

There are 0 best solutions below
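Whatever the answers to Questions 2 and 3 turn out to be in a given account, the way to verify them is the IAM credential report, which lists every IAM user in the account plus the root user with their password, MFA and access-key status (Identity Center users live in the Identity Center directory and do not appear in it). The script below is an added example, not part of the original post or of any AWS tooling: it parses a constructed credential report (made-up account ID, user names and timestamps) and reports which principals can still sign in to the console with a password, which of those lack MFA, and which hold long-lived access keys. The `fetch_live_report` helper uses boto3 and needs real credentials with `iam:GenerateCredentialReport` and `iam:GetCredentialReport`; it is not called by default so the example runs offline.

```python
import csv
import io
from typing import Dict, List

Row = Dict[str, str]

# Constructed sample in the CSV layout returned by `aws iam get-credential-report`
# (the Content field, decoded). Account ID, names and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-10T12:00:00+00:00,true,2024-02-20T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true,true,2023-11-01T00:00:00+00:00,2024-02-28T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T12:00:00+00:00,true,no_information,2021-06-01T12:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-15T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-01-15T12:00:00+00:00,2024-03-01T00:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(report_csv: str) -> List[Row]:
    """Parse the decoded credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def console_users(rows: List[Row]) -> List[str]:
    """Principals that can still sign in to the console with a password, i.e.
    interactive logins that bypass Identity Center. The root row reports
    password_enabled as 'not_supported', but root can always sign in with its
    password, so it is always included."""
    return [
        r["user"]
        for r in rows
        if r["user"] == "<root_account>" or r["password_enabled"] == "true"
    ]


def missing_mfa(rows: List[Row]) -> List[str]:
    """Console-capable principals with no MFA device active (IAM MFA, which is
    independent of any MFA registered inside Identity Center)."""
    by_name = {r["user"]: r for r in rows}
    return [u for u in console_users(rows) if by_name[u]["mfa_active"] != "true"]


def active_access_keys(rows: List[Row]) -> List[str]:
    """Users holding at least one active long-lived access key; these keep
    working regardless of how console sign-in is done."""
    return [
        r["user"]
        for r in rows
        if r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true"
    ]


def fetch_live_report() -> str:
    """Pull the real report with boto3. Requires credentials with
    iam:GenerateCredentialReport and iam:GetCredentialReport. boto3 returns
    the Content blob already base64-decoded, so it only needs .decode()."""
    import time
    import boto3  # assumed installed; only needed for the live path

    iam = boto3.client("iam")
    # Generation is asynchronous: poll until the report is ready.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_REPORT)
    print("console password logins still possible:", console_users(rows))
    print("of those, without MFA:", missing_mfa(rows))
    print("users with active access keys:", active_access_keys(rows))
```

Run it once before switching the identity source and once after; if the two runs differ, that is the concrete answer to whether IAM users, their passwords or their MFA devices were touched. Anything left in the first two lists after the move to Identity Center is a sign-in path that still needs to be either removed or deliberately kept as a break-glass account.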