FR-01 Identity & Access

Zero-Trust SSO Federation for Multi-Account AWS

B2B SaaS platform · multi-account AWS · ~12 platform engineers
AWS IAM Identity Center · Google Workspace · SAML 2.0 · SCIM · MFA

100%: cloud access behind corporate IdP + MFA
0: orphaned permissions after cutover
66: users, groups & assignments reconciled
[Architecture diagram (illustrative, anonymized): Corporate IdP (SSO + MFA) → SAML → IAM Identity Center (groups · permission sets) → AWS account 1 / AWS account 2 / AWS account 3]

01 The situation

  • Engineers signed into the AWS access portal with a separate set of credentials, outside the company identity provider — a second password surface, inconsistent MFA, and no single off-boarding switch.
  • Leadership wanted every path into the cloud to run through corporate SSO so that disabling one account instantly revoked all AWS access — a hard requirement for the upcoming SOC 2 cycle.
  • The migration was high-risk: identity changes can silently strand permission-set assignments, group memberships, and per-application access, leaving either locked-out engineers or invisible over-privilege.

02 The approach

  • Captured a complete pre-migration snapshot — every user, group, membership, permission set, and account assignment across all org accounts — as the source of truth to verify against.
  • Reconciled each cloud identity 1:1 against the corporate directory before touching anything; flagged and resolved every account that lacked a clean match.
  • Validated the federation design against vendor documentation (NameID format, attribute mapping, SCIM provisioning behavior) so the cutover followed the documented-correct path rather than trial and error.
  • Executed the identity rebuild, then ran an exhaustive stale-reference sweep — application assignments, account assignments, group memberships, and per-principal lookups for every retired identity — catching dangling references that a naive migration leaves behind.
  • Shipped end-user documentation and a coordinated comms rollout so engineers hit zero surprises on first SSO login.
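One way to implement the snapshot-and-reconcile check described above, as an added example that is not the report's own tooling: two constructed snapshots in the shape the text lists (users, groups, memberships, permission-set account assignments) are normalized onto stable keys, because principal IDs change when the directory is rebuilt, and then diffed for gained or lost access and for dangling references to retired identities. The snapshot layout, IDs, emails and account numbers are constructed assumptions.

```python
"""Added example, not the report's tooling: reconcile pre/post Identity Center snapshots.
Snapshot shape, IDs and emails are constructed assumptions. Principal IDs change when
the directory is rebuilt via SCIM, so matching uses stable keys (email, group name)."""
# Constructed snapshots; assignments are (account, permission set, principal type, principal id).
BEFORE = {
    "users": {"u-1": "alice@example.com", "u-2": "bob@example.com"},
    "groups": {"g-1": "platform-eng"},
    "memberships": {("g-1", "u-1"), ("g-1", "u-2")},
    "assignments": {("111111111111", "ps-admin", "GROUP", "g-1"),
                    ("222222222222", "ps-readonly", "USER", "u-2")},
}
# Post-rebuild: new principal IDs, and one assignment still pointing at the
# retired id "u-2" (the dangling reference a naive cutover leaves behind).
AFTER = {
    "users": {"u-9": "alice@example.com", "u-8": "bob@example.com"},
    "groups": {"g-7": "platform-eng"},
    "memberships": {("g-7", "u-9"), ("g-7", "u-8")},
    "assignments": {("111111111111", "ps-admin", "GROUP", "g-7"),
                    ("222222222222", "ps-readonly", "USER", "u-2")},
}

def normalize(snap):
    """Map ID-based references onto stable keys; collect references to unknown IDs."""
    names = {**snap["users"], **snap["groups"]}
    members, assigns, stale = set(), set(), set()
    for gid, uid in snap["memberships"]:
        if gid in names and uid in names:
            members.add((names[gid], names[uid]))
        else:
            stale.add(("membership", gid, uid))
    for acct, pset, ptype, pid in snap["assignments"]:
        if pid in names:
            assigns.add((acct, pset, ptype, names[pid]))
        else:
            stale.add(("assignment", acct, pset, pid))
    return members, assigns, stale

def reconcile(before, after):
    """Diff two snapshots; any non-empty value is a finding to resolve before sign-off."""
    b_users, a_users = set(before["users"].values()), set(after["users"].values())
    b_mem, b_asg, _ = normalize(before)
    a_mem, a_asg, a_stale = normalize(after)
    return {"users_lost": b_users - a_users, "users_gained": a_users - b_users,
            "memberships_lost": b_mem - a_mem, "memberships_gained": a_mem - b_mem,
            "assignments_lost": b_asg - a_asg, "assignments_gained": a_asg - b_asg,
            "stale_references": a_stale}

def has_parity(report):  # True only when nothing was gained, lost, or left dangling
    return not any(report.values())
```

On a real cutover the same diff runs against a snapshot pulled from the identity store and account-assignment APIs; the sweep is repeated until `has_parity` holds.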

03 The outcome

  • Every user, membership, and assignment reconciled to byte-for-byte parity with the pre-migration snapshot — provably no access gained or lost.
  • All AWS access now flows through corporate SSO with enforced MFA; off-boarding is a single action in one directory.
  • No orphaned permissions, no stranded application access, and a documented rollback path — delivered without a maintenance-window outage.

Have something like this?

Let’s scope your version.

If this maps to what you’re facing, a 20-minute call is the fastest way to find out whether I can help — and a Cloud Quick-Win is the lowest-risk way to start.