AWS IAM Identity Center (formerly AWS SSO) helps you centrally manage access to multiple AWS accounts and cloud applications using single sign-on (SSO). It streamlines access management across your organization while increasing security and visibility.
In this post, we'll cover:
- What IAM Identity Center is
- How to configure it
- Integrating with Service Control Policies (SCPs)
- How it works with roles, permission sets, and identity providers
- Visual architecture and examples
What is IAM Identity Center?
IAM Identity Center provides a centralized hub for managing user identities and access to AWS accounts and business applications.
Core Features:
- Centralized access control for AWS Organizations
- Built-in or external identity provider support
- Assign permissions across multiple accounts
- Supports SAML 2.0, Azure AD, Okta, and more
Architecture Diagram
Securing AWS Organizations with Service Control Policies (SCPs)
SCPs define the maximum permissions available to principals in the accounts of an AWS Organization. They do not grant permissions; they act as filters on top of whatever the identity-based policies and permission sets allow.
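To make the "filter, not grant" rule concrete, here is an added example (not code from the post) that models how a region-deny SCP is combined with an identity-based policy decision. It embeds a constructed SCP of the same shape as the one discussed in this section and evaluates sample requests against it; the `StringNotEquals` handling follows IAM's rule that a missing condition key satisfies a negated operator.

```python
import json
from fnmatch import fnmatchcase

# Constructed SCP for this example; it mirrors the region-deny policy
# discussed in this section (not copied from any live organization).
REGION_DENY_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the String* condition operators an SCP like this one uses.

    IAM ANDs across operator/key pairs and ORs across the listed values of a
    single key. A request that lacks the key does not satisfy StringEquals
    but does satisfy StringNotEquals, matching IAM's treatment of absent keys.
    """
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def scp_permits(scp: dict, action: str, context: dict) -> bool:
    """True when no Deny statement in the SCP applies to the request.

    This models an organization that still has the default FullAWSAccess SCP
    attached, so the boundary is "everything except what is explicitly denied".
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return False
    return True


def effective_decision(scp: dict, identity_policy_allows: bool,
                       action: str, context: dict) -> str:
    """Combine the SCP filter with the identity-based policy decision.

    An SCP never grants: the request is allowed only when the SCP leaves it
    available AND an identity policy (or permission set) allows it.
    """
    if not scp_permits(scp, action, context):
        return "DENY (SCP)"
    return "ALLOW" if identity_policy_allows else "DENY (identity policy)"


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        ctx = {"aws:RequestedRegion": region}
        print(region, effective_decision(REGION_DENY_SCP, True, "ec2:RunInstances", ctx))
```

One caveat worth checking before deploying a region-deny SCP like this: global services such as IAM report `aws:RequestedRegion` as the region of their single endpoint (`us-east-1`), so an allow-list that omits `us-east-1` would block them; test the policy against those calls, not only regional ones.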
Example: Block all access to unapproved AWS regions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
```
Configuring IAM Identity Center (First-Time Setup)
Here's how to set it up:
- Go to AWS IAM Identity Center in the console
- Choose identity source (AWS Directory or external IdP)
- Create or connect users/groups
- Assign users to AWS accounts with permission sets
Supported Identity Providers
IAM Identity Center supports:
- AWS-native users
- Microsoft Entra ID (Azure AD)
- Okta
- OneLogin
- Google Workspace (SAML)
- Any SAML 2.0-compliant IdP
See the full list of supported IdPs in the AWS documentation.
Permission Sets: Fine-Grained Access
Permission sets are templates of IAM policies that you assign to users or groups for specific AWS accounts; IAM Identity Center provisions a matching role in each assigned account.
Example YAML permission set for admin access:
```yaml
Name: AdminAccess
ManagedPolicies:
  - "arn:aws:iam::aws:policy/AdministratorAccess"
SessionDuration: "PT1H"
```
Assign this to a group to allow full access to a specific AWS account.
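The setup steps above (create or connect a group, then assign it to an account with a permission set) and this permission-set spec map onto three SSO Admin API operations. The following is an added example, not code from the post: it validates a spec of the shape shown in the YAML (name format, AWS managed policy ARN, session duration within the 1 to 12 hour range Identity Center accepts) and then performs the calls through a boto3 `sso-admin` client. The instance ARN, account id and group id are placeholders, and `DryRunClient` is a stand-in that records the calls so the flow can be exercised offline.

```python
import re

# Constructed permission-set spec: the YAML above, expressed as a Python dict.
ADMIN_ACCESS = {
    "Name": "AdminAccess",
    "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "SessionDuration": "PT1H",
}

# Placeholders for identifiers that only exist in a real organization.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
TARGET_ACCOUNT_ID = "111122223333"
GROUP_ID = "PLACEHOLDER-identity-store-group-id"

NAME_RE = re.compile(r"^[\w+=,.@-]{1,32}$")
AWS_MANAGED_POLICY_RE = re.compile(r"^arn:aws[a-z-]*:iam::aws:policy/.+$")
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def session_duration_minutes(iso_duration: str) -> int:
    """Parse the ISO-8601 durations Identity Center accepts (e.g. PT1H, PT8H, PT90M)."""
    m = DURATION_RE.match(iso_duration)
    if not m or iso_duration == "PT":
        raise ValueError(f"not an ISO-8601 duration: {iso_duration!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes


def validate_permission_set(spec: dict) -> list:
    """Return the problems found (an empty list means the spec looks deployable)."""
    problems = []
    if not NAME_RE.match(spec.get("Name", "")):
        problems.append("Name must be 1-32 characters from [A-Za-z0-9_+=,.@-]")
    policies = spec.get("ManagedPolicies", [])
    if not policies:
        problems.append("ManagedPolicies must list at least one AWS managed policy")
    for arn in policies:
        if not AWS_MANAGED_POLICY_RE.match(arn):
            problems.append(f"not an AWS managed policy ARN: {arn}")
    try:
        minutes = session_duration_minutes(spec.get("SessionDuration", "PT1H"))
        if not 60 <= minutes <= 12 * 60:
            problems.append("SessionDuration must be between PT1H and PT12H")
    except ValueError as err:
        problems.append(str(err))
    return problems


class DryRunClient:
    """Stand-in for a boto3 'sso-admin' client that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def create_permission_set(self, **kw):
        self.calls.append(("create_permission_set", kw))
        instance_id = kw["InstanceArn"].rsplit("/", 1)[-1]
        return {"PermissionSet": {"Name": kw["Name"],
                                  "PermissionSetArn": f"arn:aws:sso:::permissionSet/{instance_id}/ps-DRYRUN"}}

    def attach_managed_policy_to_permission_set(self, **kw):
        self.calls.append(("attach_managed_policy_to_permission_set", kw))
        return {}

    def create_account_assignment(self, **kw):
        self.calls.append(("create_account_assignment", kw))
        return {}


def deploy_permission_set(client, spec: dict, instance_arn: str,
                          account_id: str, group_id: str) -> str:
    """Create the permission set, attach its policies and assign the group to the account.

    `client` is a boto3 'sso-admin' client or the DryRunClient above; the three
    operations are the SSO Admin API calls behind the console steps. Returns the
    permission set ARN. Nothing is created when validation fails.
    """
    problems = validate_permission_set(spec)
    if problems:
        raise ValueError("; ".join(problems))
    created = client.create_permission_set(
        InstanceArn=instance_arn,
        Name=spec["Name"],
        Description=spec.get("Description", f"Permission set {spec['Name']}"),
        SessionDuration=spec.get("SessionDuration", "PT1H"),
    )
    ps_arn = created["PermissionSet"]["PermissionSetArn"]
    for policy_arn in spec["ManagedPolicies"]:
        client.attach_managed_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=policy_arn)
    client.create_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn,
        PrincipalType="GROUP",
        PrincipalId=group_id,
    )
    return ps_arn


if __name__ == "__main__":
    client = DryRunClient()  # swap for boto3.client("sso-admin") to deploy for real
    print(deploy_permission_set(client, ADMIN_ACCESS, INSTANCE_ARN, TARGET_ACCOUNT_ID, GROUP_ID))
    for name, params in client.calls:
        print(name, params)
```

Validating before the first API call is deliberate: a half-created permission set (created but with no policy attached, or attached but never assigned) is the state you otherwise end up debugging in the console. Customer managed and inline policies use different attach operations and are not covered here.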
Managing Multiple Users with Groups
IAM Identity Center allows group-based permission management for easier scaling.
Limitations:
- No nested group support
- Group sync depends on IdP capability
Use groups like DevOps-Team, Security-Analysts, etc., to manage access at scale.
Using Service Roles for Automated Access
AWS services like Lambda or CloudFormation assume IAM service roles (or, for some services, AWS-managed service-linked roles) to interact with other AWS resources on your behalf.
See the list of AWS services that work with IAM roles in the AWS documentation.
Combine this with permission sets to allow trusted services to perform actions on behalf of users.
Temporary Access with IAM Roles
IAM Identity Center also supports temporary access via role assumption.
Cross-account access:
- Create a permission set in Account A
- Allow it to assume a role in Account B
Trust policy example (attached to the role in Account B; the principal is the role in Account A):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AccountA>:role/SSOUserRole" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Summary
AWS IAM Identity Center simplifies identity and access management across AWS Organizations by providing:
- Centralized access management
- Integration with IdPs and AWS SCPs
- Scalable role and permission handling
- SSO support for apps and services
Combine it with SCPs and best practices for robust enterprise security.
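One of those best practices is keeping the cross-account trust policy from the earlier section tightly scoped. The following is an added example, not code from the post: a small linter that checks the `Allow` statements of a trust policy for a wildcard principal, an account-root principal that is not narrowed by an `aws:PrincipalArn` condition, a principal from an unexpected account, and actions other than the `sts:` assume-role family. The embedded trust policy is constructed with a placeholder account id and the same shape as the example earlier in the post.

```python
import json
import re

# Constructed trust policy shaped like the cross-account example earlier in
# the post; the account id is a placeholder, not a real account.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/SSOUserRole"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/.+$")
ROOT_RE = re.compile(r"^(?:arn:aws[a-z-]*:iam::)?(\d{12})(?::root)?$")
# Actions that belong in a role trust policy; anything else is worth a look.
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _narrows_principal(condition: dict) -> bool:
    """True if a condition pins the caller with aws:PrincipalArn (ArnLike/ArnEquals)."""
    return any(op in ("ArnLike", "ArnEquals") and "aws:PrincipalArn" in keys
               for op, keys in condition.items())


def lint_trust_policy(policy: dict, expected_account: str = None) -> list:
    """Return findings for every Allow statement; an empty list means it looks tight.

    Only "AWS" principals are examined; Service and Federated principals are
    out of scope for this cross-account check.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append(f"{sid}: wildcard principal lets any AWS principal assume this role")
                continue
            m_root = ROOT_RE.match(p)
            m_role = ROLE_ARN_RE.match(p)
            if m_root and not _narrows_principal(condition):
                findings.append(f"{sid}: account-root principal {p} without an aws:PrincipalArn "
                                "condition defers the decision to that account's IAM")
            elif not m_root and not m_role:
                findings.append(f"{sid}: unrecognised AWS principal {p}")
            match = m_root or m_role
            account = match.group(1) if match else None
            if expected_account and account and account != expected_account:
                findings.append(f"{sid}: principal belongs to account {account}, expected {expected_account}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ASSUME_ACTIONS:
                findings.append(f"{sid}: unexpected action {action} in a trust policy")
    return findings


if __name__ == "__main__":
    for finding in lint_trust_policy(TRUST_POLICY, expected_account="111122223333") or ["no findings"]:
        print(finding)
```

The root-principal rule exists because the roles that IAM Identity Center provisions are named `AWSReservedSSO_<permission set>_<suffix>` under the path `aws-reserved/sso.amazonaws.com/`, and the suffix is only known after provisioning; trusting the account root together with an `ArnLike` condition on `aws:PrincipalArn` that matches that name is a common way to pin the caller, and the linter accepts it, while a bare root principal is flagged.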