AWS aws_single_sign-on Mappings

AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all your AWS accounts and cloud applications. Specifically, it helps you manage SSO access and user permissions across all your AWS accounts in AWS Organizations. AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.

Mappings

Each mapping row lists: Capability ID, Capability Description, Category, Value, ATT&CK ID, ATT&CK Name, and Notes (Comments and References).

aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078 | Valid Accounts
Comments
This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
References

aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.004 | Cloud Accounts
Comments
This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
References

aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.002 | Domain Accounts
Comments
This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
References

aws_single_sign-on | AWS Single Sign-On | protect | significant | T1133 | External Remote Services
Comments
This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts.
References

aws_single_sign-on | AWS Single Sign-On | protect | partial | T1110 | Brute Force
Comments
This control may not provide any mitigation against password cracking.
References

aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.001 | Password Guessing
Comments
This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
References

aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.003 | Password Spraying
Comments
This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
References

aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.004 | Credential Stuffing
Comments
This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement.
References