To follow security best practices, especially for remote access, I wanted to make sure that users in their respective groups had to authenticate with more than one factor. Below is the process I followed.
Enable SSO & Customize Portal: This was done by simply clicking Enable in the SSO dashboard. I then customized my User Portal as seen in Image 1 (note that this portal name can only be assigned once).
Set up the AWS SSO groups and users: I added two groups, one for production and one for development (Image 2). My Cost Optimization group already existed from prior work. I then added users to the groups (Image 3).
I then reused the permission sets from a previous lab for the same users. In a real setting it would probably be better to create new permission sets, depending on the size of the organization and who should have access to what.
I then assigned users to the groups as seen in Images 4 & 5 to ensure they had access with the right permissions.
Enable Multi-Factor Authentication (MFA): I went to Settings in the SSO console, and in the MFA section I clicked Configure (Image 6). For "Users should be prompted for MFA," I chose "Every time they sign in." For "Users can authenticate with these MFA types," I chose "Authenticator Apps." For "If a user does not yet have a registered MFA device," I chose "Require them to provide a one-time password sent by email to sign in." I then saved the changes.
I then registered the MFA devices. I like to use Google MFA on my mobile device.
Now, before gaining access through their groups, users are prompted for MFA at every sign-in.
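Enabling the policy is only half the job; a practitioner also wants to confirm that sign-ins actually used a second factor, and to see which users are still falling back to the email one-time password because they never registered an authenticator app. The script below is an added example written for this page, not code from the original post or from AWS. It audits a batch of sign-in records: the records are constructed, simplified stand-ins, and the field names (`session`, `user`, `credential_type`, `outcome`) and credential-type values are assumptions for this illustration, not the real CloudTrail schema for IAM Identity Center, which should be checked before adapting this to real logs.

```python
"""Audit sign-in records against the MFA policy described above.

Added example, not from the original post or from AWS. The sample log below
is CONSTRUCTED; its field names and credential-type values are assumptions
made for this illustration, not the real CloudTrail event schema.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON line per credential check, grouped by session.
SAMPLE_LOG = """
{"session": "s1", "user": "alice", "credential_type": "PASSWORD", "outcome": "SUCCESS"}
{"session": "s1", "user": "alice", "credential_type": "TOTP", "outcome": "SUCCESS"}
{"session": "s2", "user": "bob", "credential_type": "PASSWORD", "outcome": "SUCCESS"}
{"session": "s2", "user": "bob", "credential_type": "EMAIL_OTP", "outcome": "SUCCESS"}
{"session": "s3", "user": "carol", "credential_type": "PASSWORD", "outcome": "SUCCESS"}
{"session": "s4", "user": "dave", "credential_type": "PASSWORD", "outcome": "SUCCESS"}
{"session": "s4", "user": "dave", "credential_type": "TOTP", "outcome": "FAILURE"}
{"session": "s4", "user": "dave", "credential_type": "TOTP", "outcome": "SUCCESS"}
"""

# Authenticator-app factors (what the post's "Authenticator Apps" setting allows)
# versus the weaker email fallback enabled for users with no registered device.
STRONG_FACTORS = {"TOTP", "WEBAUTHN"}   # assumed value names
EMAIL_FALLBACK = {"EMAIL_OTP"}          # assumed value name


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_sessions(events):
    """Return {session: {"user": ..., "level": ...}} for every session.

    level is one of:
      strong_mfa  - password plus an authenticator-app factor succeeded
      email_otp   - password plus only the email one-time password succeeded
      no_mfa      - only the password succeeded (should not happen under
                    "Every time they sign in"; worth investigating)
    Only SUCCESS outcomes count; a failed TOTP attempt does not satisfy MFA.
    """
    by_session = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "SUCCESS":
            by_session[ev["session"]].append(ev)

    result = {}
    for sid, evs in by_session.items():
        factors = {ev["credential_type"] for ev in evs}
        if factors & STRONG_FACTORS:
            level = "strong_mfa"
        elif factors & EMAIL_FALLBACK:
            level = "email_otp"
        else:
            level = "no_mfa"
        result[sid] = {"user": evs[0]["user"], "level": level}
    return result


def users_without_registered_app(events):
    """Users who never completed a strong factor: candidates to register a device."""
    sessions = classify_sessions(events)
    seen = {s["user"] for s in sessions.values()}
    strong = {s["user"] for s in sessions.values() if s["level"] == "strong_mfa"}
    return sorted(seen - strong)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sid, info in sorted(classify_sessions(evs).items()):
        print(f"{sid}: {info['user']:<6} {info['level']}")
    print("still on email fallback or no MFA:", users_without_registered_app(evs))
```

Sessions that come back as `no_mfa` deserve attention first, since the "Every time they sign in" setting should make them impossible; `email_otp` sessions are the users who still need to register an authenticator app, which is the weaker fallback the post enables for unregistered devices.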