Copy of IAM Identity Center

IAM Identity Center is AWS’s recommended service for federated authentication and centralized access management across multiple AWS accounts.

How IAM Identity Center Manages Access

  • Authenticates users via a corporate Identity Provider (IdP) (e.g., Azure AD, Okta, Google Workspace).

  • Maps corporate users/groups to AWS IAM Roles dynamically.

  • Eliminates the need for IAM Users in AWS.

  • Supports Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

IAM Identity Center is the best way to implement Federated Access in AWS instead of using IAM Users with long-term credentials.


Federated Access with IAM Identity Center

Federated Access allows users to log in to AWS using corporate credentials.

How Federated Access Works with IAM Identity Center

Users do not authenticate directly with AWS.

Instead, they log in via an external Identity Provider (IdP) like:

  • Azure AD

  • Okta

  • Google Workspace

  • Active Directory (via AWS Directory Service)

IAM Identity Center acts as a bridge between AWS and the external IdP, issuing temporary IAM Role credentials for users based on their group membership.

Understanding Federated Access vs. IAM Identity Center (AWS SSO)

| Concept | IAM Identity Center (AWS SSO) | Traditional Federated Access (IAM Federation via SAML/OIDC) |
|---|---|---|
| IAM Users Required? | No IAM Users needed | No IAM Users needed |
| Authentication Method | Directly integrated with external IdP (Azure AD, Okta, Google Workspace, etc.) | Uses IAM Federation via SAML/OIDC with STS AssumeRole |
| Permission Management | Uses Permission Sets, which create IAM Roles dynamically in each AWS account | Uses IAM Roles, but requires configuring SAML providers & trust relationships manually |
| Access to AWS Console & CLI? | Supports AWS Console & CLI via aws sso login | Supports AWS Console & CLI via SAML login |
| Best For? | Multi-account AWS Organizations setups needing centralized access | Third-party IdP integration without using AWS Organizations |


How IAM Identity Center Integrates with Directory Services

IAM Identity Center can authenticate users from:

Cloud-based Identity Providers (IdPs)

  • Azure AD

  • Okta

  • Google Workspace

  • Ping Identity

On-Premises Directory Services (via AWS Directory Service)

  • AWS Managed Microsoft AD (Fully managed Active Directory in AWS)

  • AD Connector (Links AWS to an on-prem Active Directory)

  • Simple AD (Basic AD-compatible directory service)

Organizations using Microsoft Active Directory can federate AWS access via AWS Directory Service and IAM Identity Center.


Single-Account vs. Multi-Account Federated Access

🔹 IAM Identity Center in a Single AWS Account

  • Users authenticate via Azure AD or Okta.

  • IAM Identity Center maps users to IAM Roles in the AWS account.

  • Best for smaller organizations with only one AWS account.


IAM Identity Center + Federated Access + Directory Services

| Feature | How It’s Used in IAM Identity Center |
|---|---|
| Federated Access | IAM Identity Center enables users to log in with corporate credentials instead of IAM Users. |
| Directory Services | IAM Identity Center integrates with Azure AD, Okta, Google, and AWS Directory Service. |
| Single-Account Setup | Direct integration with an Identity Provider (IdP) for one AWS account. |
| Multi-Account Setup | IAM Identity Center centralizes authentication across multiple AWS accounts via AWS Organizations. |

  • IAM Identity Center provides federated authentication without requiring IAM Users.

  • Federated authentication is managed via third-party Identity Providers (IdPs).

  • IAM Identity Center scales seamlessly across AWS Organizations for centralized management.


SecureCart Use Case: IAM Identity Center (AWS SSO) for Centralized Access Management

📌 Business Context

SecureCart is an e-commerce platform that operates across multiple AWS accounts for development, testing, and production environments. To maintain secure and scalable access control, SecureCart uses AWS IAM Identity Center (AWS SSO) to centralize authentication and authorization across all accounts.


📌 Security Challenges for SecureCart

🔹 Manage user access across multiple AWS accounts without IAM Users.

🔹 Ensure users have the right level of permissions based on their roles.

🔹 Eliminate the need for static IAM credentials and enforce temporary access.

🔹 Allow external partners and auditors controlled access without IAM User creation.

🔹 Enforce MFA (Multi-Factor Authentication) for security compliance.


📌 How SecureCart Uses IAM Identity Center

SecureCart assigns roles and permission sets to users and groups based on their job functions, ensuring that each user has only the necessary permissions to perform their tasks.

| Requirement | Solution | SecureCart Implementation |
|---|---|---|
| Centralized user management for all AWS accounts | IAM Identity Center (AWS SSO) | SecureCart integrates IAM Identity Center with Okta for federated access. |
| Grant access based on job roles | IAM Identity Center Groups | SecureCart assigns permission sets to IAM Identity Center groups. |
| Eliminate IAM Users for human access | IAM Identity Center with IAM Roles | Users assume IAM Roles dynamically through IAM Identity Center. |
| Control access to production vs. dev environments | Permission Sets | SecureCart assigns ReadOnlyAccess to production, AdministratorAccess to development. |
| Provide temporary access to external partners | AWS STS + IAM Identity Center | SecureCart allows short-lived access for third-party vendors. |
| Enable CLI access for developers | AWS CLI with IAM Identity Center | Developers use aws sso login for temporary CLI sessions. |

AWS IAM Identity Center (SSO) Integration with IAM

In AWS IAM Identity Center (SSO), IAM Roles are automatically created and mapped to Permission Sets when you assign users or groups to an AWS account.

Process Overview

  • Create a Permission Set → Defines permissions using IAM Policies.

  • Assign a User/Group to an AWS Account → Assigns the Permission Set to the user/group for the specific account.

  • AWS IAM Identity Center Automatically Creates an IAM Role in the Account → The Permission Set maps to an IAM Role in the assigned AWS account.

  • User Assumes the IAM Role when Logging into AWS → They get the permissions defined in the Permission Set.

No need for IAM Users or IAM Groups—Identity Center manages user authentication and authorization at scale.

IAM Identity Center (AWS SSO) Groups → Groups do not directly grant IAM permissions. Instead, IAM Identity Center Groups organize users and assign Permission Sets at the account level. A Permission Set maps to an IAM Role in the assigned AWS account, granting the necessary permissions.

SecureCart IAM Identity Center Role Assignments

SecureCart assigns permission sets and IAM Roles to different user groups.

IAM Identity Center Group & Role Assignments

| User Group | AWS Account | IAM Role / Permission Set |
|---|---|---|
| SecureCart-Developers | Dev | AdministratorAccess |
| SecureCart-Developers | Staging | PowerUserAccess |
| SecureCart-Developers | Production | ReadOnlyAccess |
| SecureCart-Ops | All Accounts | AdministratorAccess |
| SecureCart-Support | Production | ReadOnlyAccess |
| SecureCart-Auditors | Production | SecurityAudit |

📌 Impact:

  • Developers only have full permissions in Dev, but read-only in Production.

  • Operations teams have admin access across all AWS accounts.

  • Support teams can troubleshoot but cannot modify resources.

  • External auditors have time-limited access to logs and security settings.
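The process overview above (permission set → IAM Role, group → account assignment) and this assignment table can be turned into a small check. The following Python is an added example for this page, not SecureCart's or AWS's code: it expands the table into per-account assignments, derives the AWSReservedSSO_* role each permission set provisions in a member account (the hex suffix is a constructed placeholder for the random one Identity Center appends), resolves what a given user actually gets, and flags any privileged permission set in Production held by a group other than Ops. Account IDs and group membership are constructed.

```python
"""Resolve IAM Identity Center group assignments into per-account access.

Added example for this page, not SecureCart's or AWS's code. The group
membership, account IDs and role-name suffix are constructed placeholders;
the group/account/permission-set rows come from the page's table.
"""
from collections import defaultdict

# Constructed account IDs for the three environments on the page.
ACCOUNTS = {"Dev": "111111111111", "Staging": "222222222222", "Production": "333333333333"}

# (group, account, permission set) rows from the page's assignment table.
# "All Accounts" is a wildcard that expand_assignments() resolves.
ASSIGNMENTS = [
    ("SecureCart-Developers", "Dev", "AdministratorAccess"),
    ("SecureCart-Developers", "Staging", "PowerUserAccess"),
    ("SecureCart-Developers", "Production", "ReadOnlyAccess"),
    ("SecureCart-Ops", "All Accounts", "AdministratorAccess"),
    ("SecureCart-Support", "Production", "ReadOnlyAccess"),
    ("SecureCart-Auditors", "Production", "SecurityAudit"),
]

# Constructed directory. Groups only organise users; they grant nothing until
# an assignment ties them to a permission set in an account.
GROUP_MEMBERS = {
    "SecureCart-Developers": {"alice", "bob"},
    "SecureCart-Ops": {"carol"},
    "SecureCart-Support": {"dave"},
    "SecureCart-Auditors": {"erin"},
}

PRIVILEGED = {"AdministratorAccess", "PowerUserAccess"}
ROLE_SUFFIX = "0123456789abcdef"  # placeholder for the random suffix Identity Center appends


def expand_assignments(assignments=ASSIGNMENTS, accounts=ACCOUNTS):
    """Replace the 'All Accounts' wildcard with one row per account."""
    expanded = []
    for group, account, permission_set in assignments:
        targets = list(accounts) if account == "All Accounts" else [account]
        expanded.extend((group, target, permission_set) for target in targets)
    return expanded


def provisioned_role_name(permission_set, suffix=ROLE_SUFFIX):
    """Name of the IAM role Identity Center provisions for a permission set
    in a member account (AWSReservedSSO_<PermissionSet>_<suffix>)."""
    return f"AWSReservedSSO_{permission_set}_{suffix}"


def provisioned_roles(assignments=ASSIGNMENTS, accounts=ACCOUNTS):
    """Account -> role names. One role per permission set per account, no
    matter how many groups are assigned to it: groups do not create roles."""
    roles = defaultdict(set)
    for _group, account, permission_set in expand_assignments(assignments, accounts):
        roles[account].add(provisioned_role_name(permission_set))
    return dict(roles)


def effective_access(user, members=GROUP_MEMBERS, assignments=ASSIGNMENTS, accounts=ACCOUNTS):
    """Account -> permission sets the user can choose on the access portal."""
    groups = {group for group, users in members.items() if user in users}
    access = defaultdict(set)
    for group, account, permission_set in expand_assignments(assignments, accounts):
        if group in groups:
            access[account].add(permission_set)
    return dict(access)


def find_violations(assignments=ASSIGNMENTS, accounts=ACCOUNTS,
                    allowed_in_prod=frozenset({"SecureCart-Ops"})):
    """Privileged permission sets in Production held by a group that should
    not have them, per the page's rule that only Ops is admin everywhere."""
    return [
        (group, account, permission_set)
        for group, account, permission_set in expand_assignments(assignments, accounts)
        if account == "Production" and permission_set in PRIVILEGED and group not in allowed_in_prod
    ]


if __name__ == "__main__":
    for user in ("alice", "carol", "erin"):
        print(user, effective_access(user))
    print("Production roles:", sorted(provisioned_roles()["Production"]))
    print("Violations:", find_violations())
```

Running it shows Production ends up with three provisioned roles (ReadOnlyAccess, AdministratorAccess, SecurityAudit) even though four groups are assigned there, which is the point of the note above that groups do not grant permissions directly.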


📌 SecureCart Login Flow with IAM Identity Center

SecureCart employees log in via IAM Identity Center without needing IAM Users.

Login Steps for a Developer in SecureCart

1️⃣ User accesses the SecureCart IAM Identity Center Portal: https://securecart.awsapps.com/start

2️⃣ Okta / Corporate Credentials Used (Federated Authentication).

3️⃣ IAM Identity Center dynamically assigns the right IAM Role based on group membership.

4️⃣ User selects AWS account and assumes the correct role (e.g., SecureCart-DeveloperRole).

5️⃣ User gets temporary credentials and accesses AWS Console or AWS CLI.

Example: SecureCart Developer Accessing AWS via CLI

📌 Impact:

  • No IAM User or long-term credentials needed.

  • Session expires automatically after a defined period.


📌 SecureCart Use Case: Enforcing MFA with IAM Identity Center

To enhance security, SecureCart enforces Multi-Factor Authentication (MFA) for all AWS users.

IAM Identity Center MFA Policy

  • MFA is required for all users accessing SecureCart AWS environments.

  • ✅ Users can authenticate via an authenticator app (e.g., Google Authenticator, Okta Verify).

  • If MFA is not enabled, access is denied.

📌 Example: IAM Identity Center MFA Enforcement Policy

📌 Impact:

  • Users without MFA cannot perform any actions in SecureCart AWS accounts.

  • Enhances protection against compromised credentials.


📌 SecureCart Use Case: Temporary Vendor Access via IAM Identity Center

SecureCart occasionally allows third-party security vendors to review logs and perform audits. Instead of creating IAM Users, SecureCart grants temporary access via IAM Identity Center.

Process for Vendor Access

1️⃣ Vendor account is added to SecureCart-Vendor Group in IAM Identity Center.

2️⃣ Assigned a temporary IAM Role with SecurityAudit permissions.

3️⃣ Vendor logs in via IAM Identity Center using a restricted permission set.

4️⃣ Access expires automatically after the session duration.

📌 Impact:

  • Vendors never receive permanent credentials.

  • Access is tightly controlled and monitored via AWS CloudTrail.


📌 Key Benefits of IAM Identity Center for SecureCart

🔹 No IAM Users needed – All human access is managed via IAM Identity Center.

🔹 RBAC (Role-Based Access Control) implemented – Developers, Ops, and Auditors have predefined roles.

🔹 MFA enforced for all users – Enhances security and compliance.

🔹 Cross-account access simplified – One login for all SecureCart AWS accounts.

🔹 Temporary access for external vendors – Reduces security risks.

🔹 CLI authentication via SSO login – Eliminates the need for static credentials.

📌 IAM Identity Center provides SecureCart with centralized, secure, and scalable access control across all AWS accounts. 🚀🔐


SecureCart Use Case: Federated Access with Okta

📌 Business Context

SecureCart, a multi-account e-commerce platform, needs to provide secure, centralized access to AWS for its employees and partners. To simplify access control, SecureCart integrates Okta with AWS IAM Identity Center (AWS SSO) for federated access. This allows users to log in to AWS using their Okta credentials instead of manually managing IAM Users.


📌 Security Challenges for SecureCart

🔹 Eliminate IAM Users for human access and manage access through a corporate identity provider (IdP).

🔹 Ensure users can seamlessly log in to AWS using Okta credentials without creating multiple AWS accounts.

🔹 Grant role-based access across multiple AWS accounts (Dev, Staging, Production).

🔹 Ensure security compliance by enforcing MFA (Multi-Factor Authentication).

🔹 Provide temporary access for external vendors and auditors via Okta.


📌 How SecureCart Uses Federated Access with Okta

SecureCart integrates Okta with AWS IAM Identity Center (AWS SSO) to enable federated authentication and role-based access control.

| Requirement | Solution | SecureCart Implementation |
|---|---|---|
| Users log in using Okta credentials | Okta as an IdP + IAM Identity Center | SecureCart users access AWS via Okta Single Sign-On (SSO). |
| Manage AWS access centrally | IAM Identity Center (AWS SSO) | Users assume AWS roles dynamically via IAM Identity Center. |
| Role-based access control (RBAC) for different teams | IAM Identity Center Groups & Permission Sets | SecureCart assigns AWS roles based on Okta groups. |
| MFA enforcement for AWS access | Okta MFA Policy | SecureCart requires Okta MFA before logging into AWS. |
| Allow third-party vendors temporary AWS access | AWS STS AssumeRole + Okta | SecureCart vendors receive time-limited access via Okta. |
| Enable CLI access for developers | AWS CLI with IAM Identity Center | SecureCart developers authenticate via Okta using aws sso login. |


📌 SecureCart’s Federated Access Workflow with Okta

1️⃣ User logs into Okta → Authenticates with corporate credentials.

2️⃣ Okta SSO initiates authentication request to AWS IAM Identity Center.

3️⃣ IAM Identity Center validates user and assigns the correct AWS IAM Role based on Okta group membership.

4️⃣ User is redirected to AWS Console → Can access only the AWS accounts and services assigned to them.

5️⃣ For CLI access, the user runs aws sso login, and Okta issues temporary AWS credentials.

SecureCart Employees & Vendors Access AWS Without Needing IAM Users!


📌 SecureCart’s IAM Identity Center Role Assignments (Mapped from Okta)

| Okta Group | AWS Account | IAM Role / Permission Set |
|---|---|---|
| SecureCart-Developers | Dev | AdministratorAccess |
| SecureCart-Developers | Staging | PowerUserAccess |
| SecureCart-Developers | Production | ReadOnlyAccess |
| SecureCart-Ops | All Accounts | AdministratorAccess |
| SecureCart-Support | Production | ReadOnlyAccess |
| SecureCart-Vendors | Production | SecurityAudit |

📌 Impact:

  • Developers have full access to Dev but only read access in Production.

  • Operations teams manage infrastructure across all AWS accounts.

  • Third-party vendors get temporary read-only access to security logs.


📌 Enforcing MFA for SecureCart’s AWS Access via Okta

SecureCart requires Multi-Factor Authentication (MFA) before users can access AWS.

Okta MFA Policy for SecureCart Users

  • MFA is required for all AWS users.

  • Users authenticate via Okta Verify, Google Authenticator, or SMS.

  • If MFA is not enabled, AWS access is denied.

📌 Example: Okta Enforcing MFA Before AWS Access

1️⃣ User logs into Okta → Enters username/password.

2️⃣ Okta prompts for MFA (Authenticator app or SMS code).

3️⃣ Once MFA is validated, Okta grants access to AWS IAM Identity Center.

No AWS IAM User passwords are stored in AWS – everything is handled via Okta!


📌 Temporary Access for SecureCart Vendors Using Okta

SecureCart allows external vendors (security auditors, consultants, etc.) to access AWS for a limited time.

Vendor Access Process

1️⃣ Okta Admin adds vendor to SecureCart-Vendor Group.

2️⃣ IAM Identity Center assigns vendor a SecurityAudit Role (read-only).

3️⃣ Vendor logs into Okta → Gets temporary AWS access via IAM Identity Center.

4️⃣ Vendor access automatically expires after a defined session time.

📌 Impact:

  • Vendors never receive permanent AWS credentials.

  • Access is tightly controlled and logged in AWS CloudTrail.
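Both vendor-access sections (the IAM Identity Center one earlier and this Okta one) say vendor activity is logged in AWS CloudTrail. In a member account an Identity Center session appears in CloudTrail as an AssumedRole identity on the provisioned AWSReservedSSO_<PermissionSet>_<suffix> role, with the Identity Center user name as the role session name, so each event can be tied back to a person and a permission set. The following Python is an added example for this page, not SecureCart's or AWS's code; the events are constructed, and the detection flags write calls made under a read-only permission set such as SecurityAudit, whether or not AWS denied them.

```python
"""Attribute CloudTrail events in a member account to IAM Identity Center users.

Added example for this page, not SecureCart's or AWS's code. The events
below are constructed; only the assumed-role ARN shape and the CloudTrail
field names (userIdentity, eventName, readOnly, errorCode) are real.
"""
ROLE_PREFIX = "AWSReservedSSO_"
# Permission sets that should never produce write calls.
READ_ONLY_SETS = frozenset({"SecurityAudit", "ReadOnlyAccess"})

# Constructed CloudTrail records trimmed to the fields used here. An Identity
# Center session shows up as an AssumedRole identity whose role is the
# provisioned AWSReservedSSO_* role and whose session name is the user name.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-15T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/"
                      "AWSReservedSSO_SecurityAudit_0123456789abcdef/vendor.alice@example-vendor.com"}},
    {"eventTime": "2025-01-15T09:14:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False, "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/"
                      "AWSReservedSSO_SecurityAudit_0123456789abcdef/vendor.alice@example-vendor.com"}},
    {"eventTime": "2025-01-15T09:20:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/"
                      "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/bob@securecart.example"}},
    {"eventTime": "2025-01-15T09:31:57Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/"
                      "AWSReservedSSO_AdministratorAccess_0123456789abcdef/carol@securecart.example"}},
    # A workload role, not an Identity Center session: must be ignored.
    {"eventTime": "2025-01-15T09:40:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "UpdateService", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::333333333333:assumed-role/ci-deploy-role/i-0abc123"}},
]


def parse_identity_center_session(arn):
    """Return (permission_set, user_name) for an Identity Center session ARN,
    or None for any other principal."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "assumed-role" or not resource[1].startswith(ROLE_PREFIX):
        return None
    role_name, session_name = resource[1], resource[2]
    # Strip the prefix and the random suffix; permission set names may themselves contain '_'.
    permission_set = role_name[len(ROLE_PREFIX):].rsplit("_", 1)[0]
    return permission_set, session_name


def attribute(events):
    """(user, permission_set, eventName) for every Identity Center-originated event."""
    rows = []
    for event in events:
        parsed = parse_identity_center_session(event.get("userIdentity", {}).get("arn", ""))
        if parsed:
            rows.append((parsed[1], parsed[0], event["eventName"]))
    return rows


def flag_writes_from_read_only_sets(events, read_only_sets=READ_ONLY_SETS):
    """Write calls made under a read-only permission set. AccessDenied or not,
    they show a session reaching beyond the scope it was granted."""
    flagged = []
    for event in events:
        parsed = parse_identity_center_session(event.get("userIdentity", {}).get("arn", ""))
        if parsed and parsed[0] in read_only_sets and not event.get("readOnly", False):
            flagged.append({"user": parsed[1], "permission_set": parsed[0],
                            "event": event["eventName"], "error": event.get("errorCode")})
    return flagged


if __name__ == "__main__":
    for row in attribute(SAMPLE_EVENTS):
        print(*row)
    print("flagged:", flag_writes_from_read_only_sets(SAMPLE_EVENTS))
```

The same parsing works on real CloudTrail output once the records are loaded from the delivered JSON files; the permission set recovered from the role name is what lets a reviewer confirm that the vendor session stayed within SecurityAudit.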


📌 SecureCart’s CLI Access via IAM Identity Center & Okta

SecureCart developers and DevOps engineers need CLI access to AWS, but without storing IAM credentials.

Developers Use Okta to Authenticate via AWS CLI

📌 Impact:

  • No need for static IAM credentials.

  • ✅ Users receive short-lived credentials via IAM Identity Center.
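This section and "Example: SecureCart Developer Accessing AWS via CLI" earlier both describe developers using aws sso login without static keys. The following Python is an added example, not SecureCart's or AWS's code: it generates the AWS CLI v2 configuration that makes that work (one sso-session entry pointing at the page's start URL, one profile per account and permission set), checks that no profile still carries long-term access keys, and reports how long the token that aws sso login caches under ~/.aws/sso/cache remains valid. The region, account IDs and the token record are constructed placeholders; the config keys and cache field names are the ones the AWS CLI v2 uses.

```python
"""AWS CLI v2 profiles for IAM Identity Center access, plus a check on the
cached SSO access token that `aws sso login` leaves on the developer's machine.

Added example for this page, not SecureCart's or AWS's code. The start URL is
the one on the page; the region, account IDs and token record are constructed.
The config keys (sso_session, sso_start_url, sso_region,
sso_registration_scopes, sso_account_id, sso_role_name) and the cache fields
(startUrl, region, accessToken, expiresAt) are the ones the AWS CLI v2 uses.

Developer flow once the generated text is in ~/.aws/config:
    aws sso login --profile securecart-dev        # browser + Okta + MFA; caches a short-lived token
    aws sts get-caller-identity --profile securecart-dev
    aws s3 ls --profile securecart-prod           # ReadOnlyAccess: listing works, writes are denied
"""
import configparser
import io
from datetime import datetime, timezone

START_URL = "https://securecart.awsapps.com/start"  # from the page
SSO_REGION = "us-east-1"  # constructed: the region Identity Center is enabled in

# Constructed: one profile per (account, permission set) a developer may hold.
PROFILES = [
    ("securecart-dev", "111111111111", "AdministratorAccess"),
    ("securecart-staging", "222222222222", "PowerUserAccess"),
    ("securecart-prod", "333333333333", "ReadOnlyAccess"),
]

# Constructed record in the shape of ~/.aws/sso/cache/<hash>.json. The
# accessToken is a bearer credential: treat the file like a password.
SAMPLE_TOKEN = {
    "startUrl": START_URL,
    "region": SSO_REGION,
    "accessToken": "CONSTRUCTED-PLACEHOLDER-TOKEN",
    "expiresAt": "2025-01-15T17:00:00Z",
}


def build_sso_config(session_name="securecart", start_url=START_URL,
                     sso_region=SSO_REGION, profiles=PROFILES):
    """Return ~/.aws/config text: one [sso-session] shared by every profile,
    one [profile] per account/permission set. No access keys anywhere."""
    cfg = configparser.ConfigParser()
    cfg[f"sso-session {session_name}"] = {
        "sso_start_url": start_url,
        "sso_region": sso_region,
        "sso_registration_scopes": "sso:account:access",
    }
    for name, account_id, role_name in profiles:
        cfg[f"profile {name}"] = {
            "sso_session": session_name,
            "sso_account_id": account_id,
            "sso_role_name": role_name,
            "region": sso_region,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def parse_config(text):
    """Parse config text back so callers can inspect or validate it."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def static_keys_present(cfg):
    """Sections that still carry long-term keys: the static credentials the
    page says IAM Identity Center is meant to remove from developer machines."""
    return [s for s in cfg.sections()
            if "aws_access_key_id" in cfg[s] or "aws_secret_access_key" in cfg[s]]


def token_seconds_remaining(cache_record, now=None):
    """Seconds until the cached SSO token expires (negative means expired).
    `now` may be a timezone-aware datetime or an ISO 8601 string; default is
    the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    expires = datetime.fromisoformat(cache_record["expiresAt"].replace("Z", "+00:00"))
    return (expires - now).total_seconds()


if __name__ == "__main__":
    print(build_sso_config())
    print("token seconds left:", token_seconds_remaining(SAMPLE_TOKEN, "2025-01-15T16:00:00Z"))
```

The static_keys_present check is the one worth wiring into a laptop compliance script: a profile that mixes sso_* settings with aws_access_key_id means a long-term key survived the migration the page describes.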


📌 Key Benefits of Federated Access with Okta for SecureCart

🔹 No IAM Users needed – All human access is managed via Okta + IAM Identity Center.

🔹 RBAC (Role-Based Access Control) enforced – Users only assume appropriate AWS roles.

🔹 MFA enforced via Okta – SecureCart ensures compliance with security policies.

🔹 Seamless login experience – Users access AWS with corporate credentials.

🔹 Temporary vendor access via Okta – Reduces security risks.

🔹 CLI authentication via Okta SSO – Eliminates the need for static credentials.
