AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications. IAM Identity Center is offered at no additional charge.
With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications. You can use multi-account permissions to assign your workforce users access to AWS accounts. You can use application assignments to assign your users access to AWS managed and customer managed applications.
IAM Identity Center capabilities
IAM Identity Center includes the following core capabilities and features:
Manage workforce identities
Human users who build or operate workloads in AWS are also known as workforce users, or workforce identities. Workforce users are employees or contractors who you allow to access AWS accounts in your organization and internal business applications. These individuals might be developers who build your internal and customer-facing systems, or users of internal database systems and applications. You can create workforce users and groups in IAM Identity Center, or connect and synchronize to an existing set of users and groups in your own identity source for use across all your AWS accounts and applications.
Manage instances of IAM Identity Center
IAM Identity Center supports two types of instances: organization instances and account instances.
An organization instance is the best practice. It's the only instance that enables you to manage access to AWS accounts and it's recommended for all production use of applications. An organization instance is deployed in the AWS Organizations management account and gives you a single point from which to manage user access across the AWS environment.
Account instances are bound to the AWS account in which they are enabled. Use account instances of IAM Identity Center only to support isolated deployments of select AWS managed applications. For more information, see Manage organization and account instances of IAM Identity Center.
Manage access to multiple AWS accounts
With multi-account permissions, you can plan for and centrally implement permissions across multiple AWS accounts at one time without needing to configure each of your accounts manually. You can create permissions based on common job functions or define custom permissions that meet your security needs. You can then assign those permissions to workforce users to control their access over specific accounts.
This optional feature is available only for organization instances. If you're using per-account IAM role management in your environment, both systems can coexist. If you want to try multi-account permissions, you can start by implementing this system on a limited basis and migrate more of your environment to use this system over time.
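As an added illustration of the multi-account permissions model described above (example code written for this page, not taken from the AWS documentation), the following CloudFormation template defines one permission set and assigns it to the same group in two accounts. The instance ARN, group ID and account IDs are placeholders; the resource types and properties are the real AWS::SSO ones.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  InstanceArn:
    Type: String
    Description: Placeholder; ARN of your organization instance of IAM Identity Center
    Default: arn:aws:sso:::instance/ssoins-PLACEHOLDER

Resources:
  # The permission set is defined once. Each Assignment below reuses it, so a
  # change here (policy, session length) applies to every account it is assigned to.
  AuditorReadOnly:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: AuditorReadOnly
      Description: Read-only audit access with short sessions
      SessionDuration: PT1H                      # ISO 8601; caps credential lifetime
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      InlinePolicy:                              # an explicit Deny overrides any Allow above
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action:
              - secretsmanager:GetSecretValue
              - ssm:GetParameter
              - ssm:GetParameters
            Resource: "*"

  DevAccountAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt AuditorReadOnly.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: 00000000-0000-0000-0000-000000000000   # placeholder group ID
      TargetType: AWS_ACCOUNT
      TargetId: "111111111111"                   # placeholder account ID

  ProdAccountAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt AuditorReadOnly.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: 00000000-0000-0000-0000-000000000000   # placeholder group ID
      TargetType: AWS_ACCOUNT
      TargetId: "222222222222"                   # placeholder account ID
```

Adding a third account is one more Assignment resource; the permission set itself is not duplicated, which is the point of managing permissions centrally rather than per account.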
Manage access to applications
IAM Identity Center simplifies application access management: you can grant your workforce users single sign-on access to applications from one place.
AWS managed applications
AWS provides applications, such as Amazon Redshift, Amazon Managed Grafana, and Amazon Monitron, that integrate with IAM Identity Center. These applications can use IAM Identity Center for authentication, directory services, and trusted identity propagation. Your users benefit from a consistent single sign-on experience, and because the applications share a common view of users, groups, and group membership, users also have a consistent experience when sharing application resources with others. You can configure AWS managed applications to work with IAM Identity Center directly from within the relevant application consoles or through the APIs.
Customer managed applications
You can grant your workforce users in IAM Identity Center single sign-on access to applications that support identity federation with SAML 2.0. Many commonly used SAML 2.0 applications, such as Salesforce and Microsoft 365, work with IAM Identity Center and are available in the application catalog in the IAM Identity Center console. This is an optional feature that can be helpful if you use such applications and you create your users and groups in IAM Identity Center, or you use Microsoft Active Directory Domain Services as your identity source.
Trusted identity propagation across applications
Trusted identity propagation provides a streamlined single sign-on experience for users of query tools and business intelligence (BI) applications who require access to data in AWS services. Data access management is based on a user's identity, so administrators can grant access based on users' existing user and group memberships. User access to AWS services and other events is recorded in service-specific logs and in CloudTrail events, so that auditors know what actions the users took and which resources the users accessed.
AWS access portal access for your users
The AWS access portal is a simple web portal that provides your users with seamless access to all their assigned AWS accounts and applications.