Building a Secure Multi-Account AWS Setup with SSO and CLI Access

By Oculus

October 27, 2025


When you start deploying multiple apps in AWS, keeping everything inside a single account quickly becomes messy — permissions blur, billing gets confusing, and mistakes (like deploying to the wrong environment) can get expensive.

The right approach is to use AWS Organizations together with IAM Identity Center (SSO) to manage multiple accounts securely. Here's how I set up a clean, production-grade multi-account AWS environment for my apps, OculusCyber and OculusSpecialVoter, with full CLI access and zero long-term credentials.

Step 1 – Create the AWS Organization

Start with a dedicated management account (for billing, policy, and SSO setup). This becomes the "root" of your AWS Organization.

From there:

  • Enable AWS Organizations
  • Choose "Create an AWS Organization"
  • Keep it in the us-east-2 (Ohio) region (Identity Center and Amplify both run great here)

The management account (for example, myemail+mgmt@gmail.com) controls all other accounts.

Step 2 – Create Member Accounts

In AWS Organizations, click Add an AWS account → Create an AWS account.

I created:

  • oculuscyber-dev → for app development and testing (Email: myemail+oculuscyber-dev@gmail.com)
  • oculuscyber-prod → for production deployments (Email: myemail+oculuscyber-prod@gmail.com)
  • oculusspecialvoter → for a separate app project (Email: myemail+oculusspecialvoter@gmail.com)

Use Gmail aliases (myemail+something@gmail.com): they all deliver to your main inbox, but AWS treats each alias as a unique root email, so every member account gets its own address.

Step 3 – Set Up IAM Identity Center (SSO)

Next, turn on IAM Identity Center (formerly AWS SSO) in us-east-2 (Ohio).

This replaces the need for IAM users entirely. From now on, you'll log in once at your access portal, like:

https://d-9a67510823.awsapps.com/start

Create an SSO user (for example, Nandu Babu) and assign them the AdministratorAccess permission set for each AWS account.

✅ Result: one login → choose an account → enter the AWS console or CLI instantly.

Step 4 – Remove Old IAM Users

If you previously created manual IAM users (like mgmtadmin), delete them now. They were useful before SSO existed, but today they're an unnecessary risk: long-lived access keys that can leak and never expire. All human access should go through IAM Identity Center.

Step 5 – Configure the AWS CLI with SSO

Set up separate CLI profiles for each account. For example, for oculuscyber-dev:

aws configure sso --profile oculuscyber-dev

Enter:

  SSO start URL: https://d-9a67510823.awsapps.com/start
  SSO region: us-east-2
  Default client region: us-east-2
  Default output format: json

You'll be prompted to log in through your browser — pick your oculuscyber-dev account and the AdministratorAccess role.

Then verify:

aws sts get-caller-identity --profile oculuscyber-dev

It should show:

"Account": "040692276344"

Repeat the same for oculuscyber-prod and oculusspecialvoter:

aws configure sso --profile oculuscyber-prod
aws configure sso --profile oculusspecialvoter

Now you can deploy to the right account just by specifying the profile.

Step 6 – Check Which Account You're In Before Deploying

Always double-check before running deployment commands (like npx ampx sandbox):

aws sts get-caller-identity --profile oculuscyber-dev

If it shows:

"Account": "040692276344"

you're in Dev. If it shows your production account ID instead, you're in Prod.

Then deploy safely:

AWS_PROFILE=oculuscyber-dev npx ampx sandbox

or for production:

AWS_PROFILE=oculuscyber-prod npx ampx sandbox
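Steps 5 and 6 can be enforced automatically so a deploy never runs against the wrong account. The shell guard below is an added example and not part of the original post: it resolves the profile with aws sts get-caller-identity and refuses to run the deploy command unless the account ID matches the one expected for that profile. The Dev account ID is the one shown above; the Prod and OculusSpecialVoter IDs are placeholders to replace, and AWS_CMD is an assumed variable that lets a stub stand in for the aws binary.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: a pre-deploy guard that
# enforces Step 6 automatically. Usage:
#   ./guard.sh oculuscyber-dev npx ampx sandbox

# Map each CLI profile to the account it must resolve to.
# Only the Dev ID appears in the post; the others are placeholders.
expected_account_for() {
  case "$1" in
    oculuscyber-dev)    echo "040692276344" ;;
    oculuscyber-prod)   echo "REPLACE_WITH_PROD_ACCOUNT_ID" ;;
    oculusspecialvoter) echo "REPLACE_WITH_VOTER_ACCOUNT_ID" ;;
    *)                  return 1 ;;
  esac
}

# Return 0 only when the profile's SSO session resolves to the expected
# account. AWS_CMD (assumed, defaults to "aws") allows a stub for testing.
check_profile_account() {
  profile="$1"
  expected=$(expected_account_for "$profile") || {
    echo "unknown profile: $profile" >&2
    return 2
  }
  actual=$("${AWS_CMD:-aws}" sts get-caller-identity \
             --profile "$profile" --query Account --output text) || {
    echo "could not resolve identity for $profile (SSO session expired?)" >&2
    return 3
  }
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING: $profile resolved to account $actual, expected $expected" >&2
    return 1
  fi
  echo "OK: $profile -> account $actual" >&2
}

# Run the deploy command with AWS_PROFILE set, but only after the check passes.
safe_deploy() {
  profile="$1"
  shift
  check_profile_account "$profile" || return $?
  AWS_PROFILE="$profile" "$@"
}

# When executed with arguments, act on them; otherwise only define functions.
if [ "$#" -ge 2 ]; then
  safe_deploy "$@"
fi
```

If the SSO session has expired, the identity call fails and the guard stops before anything is deployed; run aws sso login --profile <name> and retry.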

Step 7 – (Optional) Give Accounts Readable Aliases

Inside each AWS account:

  1. Go to IAM → Dashboard
  2. Under AWS Account Alias, click Create alias
  3. Name them:
    • oculuscyber-dev
    • oculuscyber-prod
    • oculusspecialvoter

This makes it obvious which account you're viewing in the AWS Console.

Step 8 – Recommended OU Structure

Organize your accounts inside AWS Organizations like this:

Root
├── Management
│   └── oculus-mgmt
├── Development
│   └── oculuscyber-dev
├── Production
│   └── oculuscyber-prod
└── OtherProjects
    └── oculusspecialvoter

This structure makes it easier to apply stricter Service Control Policies (SCPs) for production later.

Step 9 – Verify CLI Profiles

List all your configured profiles:

aws configure list-profiles

Expected output:

  oculuscyber-dev
  oculuscyber-prod
  oculusspecialvoter
  mgmt

Now you can switch between accounts seamlessly.

✅ Final Result

You now have a clean, secure, modern AWS setup:

  • One login for all AWS accounts (SSO)
  • Separate accounts for Dev, Prod, and other projects
  • No static IAM credentials
  • CLI-ready deployments
  • Clear account isolation for security and billing

Example deploy:

AWS_PROFILE=oculuscyber-dev npx ampx sandbox

and then:

AWS_PROFILE=oculuscyber-prod npx ampx sandbox

Takeaway

Managing multiple apps in AWS doesn't have to mean chaos. By combining AWS Organizations with IAM Identity Center, you get:

  • Centralized sign-in
  • Short-lived credentials
  • Environment isolation
  • Secure, auditable access control

In short: you work faster, safer, and smarter — no more "oops, I deployed to production."