Can I Restrict an AWS SSO user to Console Only?
ACM.128 Investigating possible means to prevent AWS SSO users from taking programmatic actions on AWS via the CLI or otherwise
In the last post I covered some of my concerns about the ability of an AWS SSO user to leverage the AWS CLI. To understand why I am doing what I’m doing in this post, please read the last post first.
I want to restrict AWS SSO users from using anything but the AWS Console. In other words, I want to disallow all programmatic actions using AWS SSO user credentials by using a code to link an AWS SSO session with AWS SSO user credentials.
As noted, there’s no option currently to restrict AWS SSO (IAM Identity Center) users to only use the console from within the…