We're reaching out to Mozillians who are responsible for AWS accounts in an effort to standardize the authentication methods used for all of Mozilla's AWS accounts.
By standardizing your account and enabling Mozilla Single Sign On (SSO), you'll be able to use your existing Mozilla SSO web browser session to access AWS (no more typing your AWS password or AWS MFA token needed) and avoid storing static AWS API keys on your laptop. We will improve our ability to de-provision users when an employee leaves, gain enhanced visibility and auditability if your AWS account is compromised, reduce risk of exposure of AWS API keys and avoid manual processes.
We've created a set of instructions for AWS account owner(s) to enable federated AWS login with Single Sign On in your AWS account. The instructions can be found here. We'd like this to be completed within 2 weeks (4/20/20).
After enabling Single Sign on in your AWS account, you'll be able to access your account via the AWS Web Console, the CLI or in code using these instructions.
Once your team has used AWS with Single Sign On for a few weeks, you'll be ready to remove the existing IAM users of the Mozillians that use your AWS account. We will likely follow up with you in this ticket about the removal of those IAM users when the time comes.
If, in the process of enabling Single Sign On in your AWS account, you encounter any problems or have any questions, feel free to ask them here in this bug.
If you'd like to learn more about this project, more detail about the tech and more ways you can implement this single sign on system you can find that on this page.