AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all your AWS accounts and cloud applications. Specifically, it helps you manage SSO access and user permissions across all your AWS accounts in AWS Organizations. AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---|---
aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078 | Valid Accounts |
aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.002 | Domain Accounts | This control may protect against malicious use of valid accounts by implementing fine-grained, least-privilege access through permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions in a given AWS account). Reducing the set of credentials and accounts a user needs allows for simpler and safer access and privilege management.
aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.004 | Cloud Accounts | This control may protect against malicious use of valid accounts by implementing fine-grained, least-privilege access through permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions in a given AWS account). Reducing the set of credentials and accounts a user needs allows for simpler and safer access and privilege management.
aws_single_sign-on | AWS Single Sign-On | protect | partial | T1110 | Brute Force | This control may not provide any mitigation against password cracking.
aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.001 | Password Guessing | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.003 | Password Spraying | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.004 | Credential Stuffing | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
aws_single_sign-on | AWS Single Sign-On | protect | significant | T1133 | External Remote Services | This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts.