AWS SSO 不由 Control Tower 管理

Question

What I'm trying to achieve

When trying to manage users in Control Tower I'm seeing this:

(This page applies only to customers using an SSO directory managed by AWS Control Tower - for Google basically, I couldn't find it there)

I don't have specific goal regarding this error I'm simply afraid it might prevent me from doing something in the future.

What I did

I first created the AD Connector connection to my self-hosted AD, then connected this directory to SSO, afterwards I created Control Tower (Due to an error message saying I cannot provision Control Tower without SSO).

Some more weird behavior

Under User portal URL there's a never ending spinner and I'm not sure if there's any setting I can change from the SSO side to affect this error (correct me if I'm wrong).

Answer 1

Sounds like you're wondering if this error means you'll be missing out on something. The answer: you do not need to worry about it since you're using your own solution for this aspect of AWS Control Tower: identity, access management and SSO.

I think the best way to show you what you're missing out on (but don't need) is with a few screenshots, as of the October 2020 edition of the AWS Management Console.

What this page (AWS Control Tower > Users and access) would show you if you had let AWS Control Tower set up the default AWS SSO for you:

And if you follow the link to "View in AWS Single Sign-On", you'll be able to see AWS SSO's mappings between Users, Permission sets and Accounts: Note that the permissions sets tab has the following explanation:

Permission sets define the level of access that assigned users and groups have to this AWS account. The sets are stored in AWS SSO and appear in this account as IAM roles. You can update any of the permission sets associated with this AWS account to reapply or reset your permissions policies in IAM.