AWS IAM Identity Center features

Why AWS IAM Identity Center?

AWS IAM Identity Center makes it easy to centrally manage access to multiple AWS accounts and business applications. It provides your workforce with single sign-on access to all assigned accounts and applications from one place. With IAM Identity Center, you can easily manage centralized access and user permissions to all your accounts in AWS Organizations. IAM Identity Center configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. IAM Identity Center also includes built-in integrations to AWS applications, such as AWS Analytics services, Amazon SageMaker Studio, AWS Systems Manager Change Manager, and many business applications, such as Salesforce, Box, and Microsoft 365.

You can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, and Microsoft Entra ID (formerly Azure AD). IAM Identity Center allows you to select user attributes, such as cost center, title, or locale, from your identity source, and then use them for attribute-based access control (ABAC) in AWS.

It is easy to get started with IAM Identity Center. With just a few clicks in the IAM Identity Center management console you can connect to your existing identity source. From there, you can configure permissions that grant your users access to their assigned accounts in AWS Organizations and hundreds of pre-configured cloud applications, all from a single user portal.

Centralized identity management

IAM Identity Center provides you with an identity store by default that you can use to create users and organize them in groups within IAM Identity Center. You can create users in IAM Identity Center by configuring their email address and name. When you create a user, by default IAM Identity Center sends an email to the user so that they can set their own password. Within minutes, you can grant your users and groups permissions to AWS resources in all your AWS accounts as well as many business applications. Your users sign in to a user portal with the credentials they configured in IAM Identity Center to access all of their assigned accounts and applications in a single place.

You can connect IAM Identity Center to Okta Universal Directory, Microsoft Entra ID, or another supported identity provider (IdP) via Security Assertion Markup Language (SAML) 2.0 so your users can sign in with their existing credentials. IAM Identity Center also supports System for Cross-domain Identity Management (SCIM) to automate user provisioning. You can manage your users in your IdP, get them into AWS quickly, and centrally manage their access to all AWS accounts and business applications. IAM Identity Center also allows you to select multiple user attributes, such as cost center, title, or locale, from your Okta Universal Directory, and then use them for ABAC to simplify and centralize your access administration.

With IAM Identity Center, you can manage single sign-on access to accounts and applications using your existing corporate identities from Microsoft Active Directory Domain Services (AD DS). IAM Identity Center connects to AD DS through AWS Directory Service and enables you to grant users access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create a group for a team of developers working on an application and grant the group access to the AWS accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the AWS accounts for the application automatically. IAM Identity Center also allows you to select multiple user attributes, such as cost center, title, or locale, from your AD, and then use them for ABAC to simplify and centralize your access administration.

IAM Identity Center allows you to enforce multi-factor authentication (MFA) for all your users, including requiring users to set up MFA devices during sign-in. With IAM Identity Center, you can use standards-based strong authentication capabilities for all your users across all your identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable the MFA capabilities of your provider. When using Active Directory or IAM Identity Center as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to AWS accounts and business applications using FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy.

Fine-grained permissions and assignments

IAM Identity Center builds on AWS Identity and Access Management (IAM) roles and policies to help you manage access centrally across all AWS accounts in your AWS organization. IAM Identity Center uses permission sets, which are collections of one or more IAM policies. You then assign one or more permission sets to users or groups in specific accounts to define their access. Based on those assignments, the service creates an IAM Identity Center-controlled IAM role in each assigned account and attaches the policies specified in the permission set to that role. No additional configuration is required in the individual accounts.

IAM Identity Center offers temporary elevated access through a range of partner integration options. AWS has validated that you can use CyberArk Secure Cloud Access, Tenable Cloud Security, and Okta Access Requests to help you address a range of temporary elevated access scenarios, including sensitive operations demanding full auditability, multi-cloud environments with complex entitlements and audit needs, and organizations using multiple identity sources and application integrations. A workforce user who does not have standing permissions to perform sensitive operations, such as changing the configuration of a high-value resource in a production environment, can request access, receive approval, and perform the operation during a specified time window. Your auditors can view a log of actions and approvals in the partner solution.

Inside the IAM Identity Center console, use application assignments to provide single sign-on access to many SAML 2.0 business applications, including Salesforce, Box, and Microsoft 365. You can easily configure single sign-on access to these applications by following the step-by-step instructions inside IAM Identity Center, which guide you through entering the required URLs, certificates, and metadata. For a full list of business applications pre-integrated with IAM Identity Center, see IAM Identity Center cloud applications.

Trusted identity propagation is built on the OAuth 2.0 Authorization Framework, which allows applications to access data and other resources on behalf of a specific user without sharing that user's credentials. This feature of IAM Identity Center simplifies data access management and auditing, and improves the sign-in experience for analytics users across multiple AWS analytics applications. To get started, the owners of the application, the identity source, and the data connect the application to the service and start managing access based on users and groups. Resource admins can then configure and manage data resource access within applications using existing identities and group memberships from their identity source. Auditing and security teams can trace access to data resources back to each individual user. Data analysts can seamlessly access their assigned data across AWS Analytics services (Amazon Redshift, Amazon QuickSight, Amazon S3, Amazon EMR, and AWS Lake Formation) using a familiar single sign-on experience.

IAM Identity Center makes it easy for you to create and use fine-grained permissions for your workforce based on user attributes defined in your IAM Identity Center identity store. IAM Identity Center allows you to select multiple attributes, such as cost center, title, or locale, and then use them for attribute-based access control (ABAC) to simplify and centralize your access administration. You can define permissions once for your entire AWS organization, and then grant, revoke, or modify AWS access by simply changing the attributes in the identity source.
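The following inline policy, written for this page as an added example (not AWS documentation), shows what a permission set for the ABAC model described above looks like. It assumes that an attribute named `CostCenter` has been selected as an attribute for access control in IAM Identity Center; IAM Identity Center passes selected attributes as session tags, so the value is available to the policy through the `aws:PrincipalTag/CostCenter` condition key and is compared against the `CostCenter` tag on each EC2 instance.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyDiscoveryIsNotTagScoped",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "OperateOnlyInstancesOfOwnCostCenter",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    },
    {
      "Sid": "PreventRetaggingToEscapeTheScope",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "CostCenter"
        }
      }
    }
  ]
}
```

Because the policy references the attribute rather than a fixed value, moving a user to another cost center in the identity source changes their effective AWS access without editing the permission set; the final Deny statement keeps users from changing the resource tag the decision depends on.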


Administrative and governance features

IAM Identity Center supports centralized administration and API access from an AWS Organizations delegated administrator account for all member accounts in your organization. This means you can designate an account in your organization that can be used to centrally administer all member accounts. With delegated administration, you can adhere to recommended practices by reducing the need to use your management account.

IAM Identity Center supports security standards and compliance requirements, including support for Payment Card Industry - Data Security Standard (PCI DSS), International Organization for Standardization (ISO), System and Organization Controls (SOC) 1, 2, and 3, Esquema Nacional de Seguridad (ENS) High, the Financial Market Supervisory Authority (FINMA) International Standard on Assurance Engagements (ISAE) 3000 Type 2 Report requirements, and Multi-Tier Cloud Security (MTCS). The service remains Information Security Registered Assessors Program (IRAP) assessed at the PROTECTED level.

IAM Identity Center can be deployed as an organization instance or as an account instance. An organization instance of IAM Identity Center is deployed in the management account of AWS Organizations. It is the best practice and recommended approach to authenticate and authorize your workforce, providing a single, central access control point for AWS accounts and applications in a multi-account production environment. An account instance of IAM Identity Center is a limited-scope deployment that business users can create to quickly evaluate a supported AWS application (e.g., Amazon Redshift) and make it available to a narrow set of application users. The administrator of an organization instance can control business users' ability to create account instances through Service Control Policies (SCPs), a feature of AWS Organizations.
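An SCP that implements the control described above, added here as an example rather than taken from the page or from AWS documentation. It denies the `sso:CreateInstance` action (the API call that creates an account instance) in every account the policy is attached to, while leaving the organization instance in the management account unaffected, since SCPs never apply to the management account. The `aws:PrincipalArn` exception for a platform-team role is an assumption; the role name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountInstanceCreationExceptPlatformTeam",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-PlatformTeamRole"
        }
      }
    }
  ]
}
```

Attach the SCP to the organizational units that hold workload accounts; an `AccessDenied` on `sso:CreateInstance` recorded in CloudTrail then tells you which account attempted to stand up an unsanctioned instance.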

You can create single sign-on integrations to SAML 2.0-enabled applications using the IAM Identity Center application assignments configuration wizard. The application assignments configuration wizard helps you select and format the information to send applications to enable single sign-on access. For example, you can create a SAML attribute for username and specify the format for the attribute based on a user’s email address from their AD profile.

All administrative and multi-account access activity is recorded in AWS CloudTrail, giving you the visibility to audit IAM Identity Center activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period or when a user was given access to a specific application.