How We Built A Secure Multi-Account AWS Environment with IAM and Identity Center

Chinazor Nwode — Mon, 14 Jul 2025 01:05:42 +0000

AWS IAM, Identity Center & Organization Project

Team Leader: Chinazor Nwode

Co-Leader: Ifunanya Benedicta

This document provides a complete overview of our AWS Organization setup project. The objective was to build a secure, multi-account AWS environment with centralized billing, role-based access control, and comprehensive identity management using AWS Identity Center.

Project Date: 11-07-2025
Team Members: POD 15
Cohort: 15
Key Achievements:
- 1 Management account + 3 Member accounts (Dev, Staging, Production)
- AWS Identity Center configured with 5 users in 3 role-based groups
- 4 permission sets created and assigned across accounts
- MFA enforced for all users
- Complete cross-account access validation

🏢 Organization Setup

✅ 1 Management Account (Root)
✅ 3 Member Accounts (Dev, Staging, Production)
✅ Centralized billing & governance
✅ Account isolation & security

👥 Identity Center (SSO)

✅ 5 Users in 3 Groups
✅ 4 Permission Sets
✅ Single Sign-On Portal
✅ MFA for all users

🔐 Security & Testing

✅ Multi-Factor Authentication
✅ Least Privilege Access
✅ Login Testing & Verification
✅ Complete Documentation

TASK 1: Set up AWS Organization

1.1 Organization Setup

Navigate to AWS Organizations:

Search for "Organizations" in the services search bar
Click on "AWS Organizations"

Create Organization:

Click "Create organization" button
Choose "Enable all features" (recommended)
Click "Create organization"

Create Member Accounts:

Development Account:

Click "Add an AWS account"
Select "Create an AWS account"
Account name: [Saintic ORG Development](https://us-east-1.console.aws.amazon.com/organizations/v2/home/accounts/808872802004)**
Email: chinazornwode+SainticOrgDevelopment@gmail.com
IAM role name: OrganizationAccountAccessRole
Click "Create AWS account"

Staging Account:

Repeat the process with:
Account name: Saintic ORG Staging
Email: chinazornwode+SainticOrgStaging@gmail.com

Production Account:

Repeat the process with:
Account name: Saintic ORG Production
Email: chinazornwode+SainticOrgProduction@gmail.com

1.2 Create Organizational Units (OUs)

Management OU:

On the organization tab, click on the checkbox before the root
click on “Action” Dropdown button
Then click “Create New”

Click "Create organizational unit"
Name: Management OU

Development OU:

Create OU with name: Development OU

Staging OU:

Create OU with name: Staging OU

Production OU:

Create OU with name: Production OU

1.3 Move Accounts to their OUs:

Moved each account to its corresponding OU
Verify organizational structure

In Task 1, the team successfully established a comprehensive AWS Organization structure that serves as the foundation for the entire multi-account environment.

Created one management account and three specialized member accounts (Development, Production, and Staging)
Organized these accounts into logical Organizational Units (OUs) based on function (Management, Development, Production, and Staging)[[2]]
Implemented centralized billing and governance mechanisms
Established clear account security boundaries

This organizational structure provides the architectural foundation for implementing role-based access control, centralized security policies, and effective resource management across all AWS accounts. The hierarchical OU structure also enables more granular policy application and ensures proper separation between development, staging, and production environments.

TASK 2: Create Users and Groups in Identity Center

Overview Flowchart

2.1 Enable IAM Identity Center

Navigate to Identity Center:

Search for "IAM Identity Center" in the AWS Console
Click "Enable IAM Identity Center"

Choose Region:

Select your preferred region for Identity Center
Click "Enable"

Identity Center Dashboard:

Verified successful enablement
Accessed the Identity Center dashboard

2.2 Create Team Groups

Admin Team Group:

Navigated to "Groups" in Identity Center
Click "Create group"
Group name: Admin-Team
Description: Admin-Team IAM Identity Group
Click "Create group"

Developer Team Group:

Created group with name: Developer-Team
Description: Developer-Team IAM Identity Group

DevOps Team Group:

Create group with name: DevOps-Team
Description: DevOPs-Team IAM Identity Group

Screenshot Overview of the Group Created for the IAM Identity Groups

2.3 Create Users and Assign to Groups

Admin User Creation:

Navigate to "Users" in Identity Center
Click "Add user"
Username: Admin-User1
Email: Chinazornwode+admin-user1@gmail.com
First name: Admin
Last name: User 1
Display name: Admin User 1

Assign Admin User to Group:

Select "Admin-Team" group
Click "Add user"
Choose "Send an email to the user with password setup instructions"

Review settings

Then create

We’ve created additional user accounts and assigned them to their respective groups for our project, following the same process as above.

DevOps Users Creation:

Create DevOPs-User1 with email Chinazornwode+DevOPs-user1@gmail.com
Create DevOPs-User2 with email Chinazornwode+DevOPs-user2@gmail.com
Assign both to DevOps-Team group

Developer Users Creation:

Create Developer-User1 with email Chinazornwode+Developer-user1@gmail.com
Create Developer-User2 with email Chinazornwode+Developer-user2@gmail.com
Assign both to Developer-Team group

Screenshot Overview of the Users Assigned to Group Created for the IAM Identity Users

In Task 2, the team successfully implemented AWS IAM Identity Center (formerly SSO) as the central authentication and identity management system.

Enabled IAM Identity Center in their chosen AWS region
Created three functional groups (Admin-Team, Developer-Team, DevOps-Team) to reflect organizational roles
Established five user accounts and assigned them to appropriate groups based on their responsibilities

This identity management foundation enables centralized user administration, simplifies access management across accounts, and establishes the groundwork for implementing the principle of least privilege through role-based access control.

TASK 3: Create Permission Sets

Overview Flowchart

3.1 Navigate to Permission Sets

Access Permission Sets:

In Identity Center, navigate to "Permission sets"
Click "Create permission set"

3.2 Create Admin Permission Set

Admin-Team Permission Set:

Name: Admin-Team-Permission-Set
Description: Full administrative access for Admin team members
Session duration: 8 hours
Click "Next"

Assign Policies:

Select "AWS managed policies"
Search and add: AdministratorAccess
Click "Next" → "Create"

I repeated the same steps to create additional permission sets for the other teams, similar to the screenshot for the Admin-Team-Permission-Set.

3.3 Create Additional Permission Sets

PowerUser Permission Set:

Name: Power-User-Permission-Set
Description: Permission set for Power user Team
Session duration: 8 hours
Add policies: PowerUserAccess

SystemAdmin Permission Set:

Name: Sysadmin-Permission-Set
Description: Permission set for Sysadmin team
Session duration: 8 hours
Add policies: SystemAdministrator

DataScientist Permission Set:

Name: Datascientist-Permission-Set
Description: Permission set for data scientist team
Session duration: 8 hours
Add policies: DataScientist

SCREEN SHOT OVERVIEW OF THE PERMISSION SET

In Task 3, the team defined standardized permission sets that establish the access boundaries for different user roles.

Created four distinct permission sets (Admin-Team-Permission-Set, Power-User-Permission-set, Sysadmin-Permission-Set, and Datascientist-Permission-Set)[[1]]
Configured appropriate session durations (8 hours) to balance security with user convenience[[2]]
Established clear permission boundaries aligned with job functions across the organization[[3]] These standardized permission sets create reusable access policies that can be consistently applied across accounts, ensuring appropriate access levels while maintaining security and compliance requirements.

TASK 4: Assign Permissions to Groups

Overview Flowchart

4.1 Assigning appropriate permissions to each group using Permission-set policies to enable multi Account Role Switch

Navigate to AWS Accounts:

In Identity Center, go to "AWS accounts"
Selected my first account in the Development OU Development OU
Click "Assign users or groups"

Assign Admin-Team to Development Account:

Click "Assign users or groups"
Select "Groups" tab
Choose "Admin-Team"
Click "Next"

Select Permission Set:

Choose "Admin-Team-Permission-Set"
Click "Next"
Review and click "Submit"

Then we review our choice and Clicked submit

Repeat for All Accounts:

Assign Admin-Team to Management, Staging, and Production accounts
Use the same Admin-Team-Permission-Set for all

Assign DevOps-Team Permissions:

For each account, assign DevOps-Team to:
- Power-User-Permission-Set
- Sysadmin-Permission-Set
Repeat for all four accounts

Assign Developer-Team Permissions:

For each account, assign Developer-Team to:
- Datascientist-Permission-Set
Repeat for all four accounts

Screenshot Overview of the Multi Account Permission

Screen shot of the all team assigned to the development team with appropriate permission set

Screen shot of all teams being assigned to all the accounts in the organization

Task 4 Achievement: In Task 4, the team implemented and validated the cross-account access strategy. Assigned team groups to appropriate AWS accounts with their corresponding permission sets, established access pathways across all organizational accounts for each team, tested the entire implementation through user login validation, verified MFA enforcement for enhanced security, and confirmed appropriate access levels and permission set functionality.

TASK 5: Multi-Factor Authentication Setup

Overview Flowchart

5.1 Configure MFA Settings

Navigate to Authentication Settings:

In Identity Center, go to "Settings"
Click "Authentication" tab

Configure MFA Policy:

Under "Multi-factor authentication"

Select "Users must provide a second factor to sign in"
Choose "Authenticator apps" and "Security keys"

Apply Settings:

Click "Save changes"
Verify MFA enforcement is active

5.2 Test MFA with All User Types

Test Admin-User1 MFA:

Complete MFA setup process

Verify successful authentication

We were logged into the dashboard, and saw the accounts which we were assigned permission to switch role on.

Task 5 Achievement: Successfully configured and enforced Multi-Factor Authentication across all user accounts, ensuring enhanced security posture for the organization. All users now require both password and MFA token for authentication, significantly reducing the risk of unauthorized access.

TASK 6 : Account Allocation Check

Overview Flowchart

6.1 Check Account Allocations

Admin-Team Allocation

DevOPs-Team Allocation

Developer-Team Allocation

6.2 Check Account Permission Set

OVERVIEW OF THE PERMISSION SET

Task 6 Achievement: Successfully checked and validated the complete user permission set for all user groups in their various AWS accounts within the organization, confirming that all necessary permissions are properly assigned.

TASK 7: User Login Testing and Account Switching

Overview Flowchart

7.1 Complete User Login Testing

Test Admin-User1 Complete Flow:

Navigate to SSO portal
Enter username and password (first authentication)

Enter MFA code (second authentication)

Access dashboard and switch accounts

Click on the dropdown on the “Saintic ORG Development”

So we click the "Admin-Team-Permission-Set" button on the "Saintic ORG Development"

The Link took us to a new page, which means we now logged as admin in the development account

Lets Verify this

Checked our Account Policies

Verify account role

Question: why are some permissions in the admin account?

ANSWER: We made a mistake earlier by assigning unnecessary permissions. AWS logs all actions for audit purposes, so the logs still show what happened even if permissions are removed later.

7.2 Account Switching Documentation

SSO Portal Interface:

Document the user experience
Show account switching
Show permission set selection

Task 7 Achievement: Successfully tested the full login, MFA, and account switching process, confirming seamless user experience across all roles.

TASK 8: Documentation and Final Validation

Overview Flowchart

flowchart TD
    A[Compile Documentation] --> B[Organize Screenshots]
    B --> C[Create Final Report]
    C --> D[Validate All Requirements]
    D --> E[Prepare Submission]
    E --> F[Project Complete]

    style A fill:#e1f5fe
    style F fill:#c8e6c9

8.1 Documentation Checklist

Screenshots Completed:

[x] AWS Organizations dashboard with all accounts
[x] Organizational Units structure
[x] Identity Center users and groups
[x] All permission sets created
[x] Permission assignments for each account
[x] MFA configuration and testing
[x] Complete login flows for all user types
[x] Account switching demonstrations
[x] Cross-account access verification

8.2 Final Validation

Requirements Verification:
✅ Organization Setup: 4 AWS accounts (Management, Dev, Staging, Production)
✅ User Management: 5 users distributed across 3 groups
✅ Permission Management: 4 permission sets properly configured
✅ Access Control: All groups have appropriate permissions across all accounts
✅ Security: MFA enabled and working for all users
✅ Functionality: Account switching works seamlessly
✅ Documentation: Complete screenshot documentation of all processes

🎓 Lessons Learned

Strategic Value of Multi-Account Architecture: The team discovered that a well-structured multi-account strategy doesn't just improve security, but also creates clearer ownership boundaries and simplifies cost allocation across development, staging, and production environments.
Proactive Security Through Identity Federation: Beyond simply implementing MFA, the team learned that AWS Identity Center creates a centralized authentication point that significantly reduces credential management overhead and security risks compared to managing multiple IAM users across accounts.
Permission Templating for Scalability: The creation of standardized permission sets revealed that defining access patterns once and deploying them consistently across accounts dramatically improves governance and reduces the risk of permission drift over time.
Cross-Account Access Workflow Optimization: The team gained practical experience in balancing security with usability by establishing seamless role-switching capabilities that maintain strict security boundaries while providing a friction-free user experience.
Documentation as Risk Mitigation: The detailed documentation process wasn't just for knowledge transfer - it created an auditable trail that reduces organizational risk by ensuring configurations can be replicated, troubleshot, or validated against compliance requirements.
Naming Convention Discipline: The team discovered that consistent naming conventions across accounts, groups, and permission sets significantly reduced operational complexity and created a more intuitive user experience for both administrators and end users.
IAM Trust Relationship Criticality: The team gained deeper appreciation for how IAM trust relationships form the foundation of cross-account access, and how small misconfiguration details can completely break otherwise well-designed security architectures.

This project was completed by the dedicated team members who demonstrated exceptional technical skills and collaborative spirit throughout the implementation.

Thank you for your attention to this comprehensive AWS Organization project.

Signed by SainTiCon

DEV Community: Chinazor Nwode

How We Built A Secure Multi-Account AWS Environment with IAM and Identity Center

AWS IAM, Identity Center & Organization Project

Team Leader: Chinazor Nwode

Co-Leader: Ifunanya Benedicta

🏢 Organization Setup

👥 Identity Center (SSO)

🔐 Security & Testing

TASK 1: Set up AWS Organization

1.1 Organization Setup

1.2 Create Organizational Units (OUs)

1.3 Move Accounts to their OUs:

TASK 2: Create Users and Groups in Identity Center

Overview Flowchart

2.1 Enable IAM Identity Center

2.2 Create Team Groups

Screenshot Overview of the Group Created for the IAM Identity Groups

2.3 Create Users and Assign to Groups

Screenshot Overview of the Users Assigned to Group Created for the IAM Identity Users

TASK 3: Create Permission Sets

Overview Flowchart

3.1 Navigate to Permission Sets

3.2 Create Admin Permission Set

3.3 Create Additional Permission Sets

SCREEN SHOT OVERVIEW OF THE PERMISSION SET

TASK 4: Assign Permissions to Groups

Overview Flowchart

4.1 Assigning appropriate permissions to each group using Permission-set policies to enable multi Account Role Switch

Screenshot Overview of the Multi Account Permission

TASK 5: Multi-Factor Authentication Setup

Overview Flowchart

5.1 Configure MFA Settings

5.2 Test MFA with All User Types

TASK 6 : Account Allocation Check

Overview Flowchart

6.1 Check Account Allocations

6.2 Check Account Permission Set

TASK 7: User Login Testing and Account Switching

Overview Flowchart

7.1 Complete User Login Testing

7.2 Account Switching Documentation

TASK 8: Documentation and Final Validation

Overview Flowchart

8.1 Documentation Checklist

Screenshots Completed:

8.2 Final Validation

🎓 Lessons Learned