IAM Identity Center

IAM Identity Center (SSO)

  • IAM Identity Center (formerly AWS SSO) provides centralized authentication for multiple AWS accounts.

  • It eliminates the need for IAM Users by integrating with identity providers like Okta, Azure AD, or Google Workspace.

How SecureCart Uses IAM Identity Center

  • Developers log in once and access multiple AWS accounts.

  • IAM Identity Center groups replace IAM Groups.

  • It enforces MFA and session timeouts, so a stolen password alone is not enough and sessions expire.

Example of IAM Identity Center Group Setup

  IAM Identity Center Group    AWS Permissions Assigned
  ---------------------------  -------------------------
  SecureCart-Developers        AWSCodeDeployFullAccess
  SecureCart-Security          SecurityAudit
  SecureCart-Finance           Billing


IAM Identity Center is AWS’s recommended service for federated authentication and centralized access management across multiple AWS accounts.

How IAM Identity Center Manages Access

  • Authenticates users via a corporate Identity Provider (IdP) (e.g., Azure AD, Okta, Google Workspace).

  • Maps corporate users/groups to AWS IAM Roles dynamically.

  • Eliminates the need for IAM Users in AWS.

  • Supports Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

IAM Identity Center is the best way to implement Federated Access in AWS instead of using IAM Users with long-term credentials.


Federated Access with IAM Identity Center

Federated Access allows users to log in to AWS using corporate credentials.

How Federated Access Works with IAM Identity Center

Users do not authenticate directly with AWS.

Instead, they log in via an external Identity Provider (IdP) like:

  • Azure AD

  • Okta

  • Google Workspace

  • Active Directory (via AWS Directory Service)

IAM Identity Center acts as a bridge between AWS and the external IdP, issuing temporary IAM Role credentials for users based on their group membership.


How IAM Identity Center Integrates with Directory Services

IAM Identity Center can authenticate users from two kinds of sources:

Cloud-based Identity Providers (IdPs)

  • Azure AD

  • Okta

  • Google Workspace

  • Ping Identity

On-Premises Directory Services (via AWS Directory Service)

  • AWS Managed Microsoft AD (Fully managed Active Directory in AWS)

  • AD Connector (Links AWS to an on-prem Active Directory)

  • Simple AD (Basic AD-compatible directory service)

Organizations using Microsoft Active Directory can federate AWS access via AWS Directory Service and IAM Identity Center.


AWS IAM Identity Center (SSO) Integration with IAM

In AWS IAM Identity Center (SSO), IAM Roles are automatically created and mapped to Permission Sets when you assign users or groups to an AWS account.

Process Overview

  • Create a Permission Set → Defines permissions using IAM Policies.

  • Assign a User/Group to an AWS Account → Assigns the Permission Set to the user/group for the specific account.

  • AWS IAM Identity Center Automatically Creates an IAM Role in the Account → The Permission Set maps to an IAM Role in the assigned AWS account.

  • User Assumes the IAM Role when Logging into AWS → They get the permissions defined in the Permission Set.

No need for IAM Users or IAM Groups—Identity Center manages user authentication and authorization at scale.

IAM Identity Center (AWS SSO) Groups → Groups do not directly grant IAM permissions. Instead, IAM Identity Center Groups organize users and assign Permission Sets at the account level. A Permission Set maps to an IAM Role in the assigned AWS account, granting the necessary permissions.
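The following Terraform configuration is an added example (not code from the original page or from SecureCart) that carries the group table above and the four-step process through in one place: it creates the three Permission Sets, attaches the named AWS managed policies, and assigns each existing Identity Center group to one account. It assumes IAM Identity Center is already enabled, the groups already exist in the identity store (for example synced from the IdP), and that `var.target_account_id` is a hypothetical account ID supplied by the caller.

```hcl
# Added example: Permission Set + group assignment for the SecureCart groups.
# Assumes Identity Center is enabled and the groups exist in the identity store.

variable "target_account_id" {
  description = "Hypothetical AWS account the groups are granted access to"
  type        = string
}

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Group -> Permission Set mapping taken from the SecureCart table.
  # session_duration is the Permission Set's session timeout (ISO 8601).
  permission_sets = {
    "SecureCart-Developers" = {
      managed_policy_arn = "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess"
      session_duration   = "PT4H" # shorter session for a write-capable role
    }
    "SecureCart-Security" = {
      managed_policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
      session_duration   = "PT8H"
    }
    "SecureCart-Finance" = {
      managed_policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
      session_duration   = "PT8H"
    }
  }
}

# Step 1: a Permission Set defines what will be granted.
resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  name             = each.key
  instance_arn     = local.instance_arn
  session_duration = each.value.session_duration
}

# The IAM managed policy that gives the Permission Set its permissions.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.permission_sets
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  managed_policy_arn = each.value.managed_policy_arn
}

# Look up the existing Identity Center groups by display name.
data "aws_identitystore_group" "this" {
  for_each          = local.permission_sets
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

# Step 2: assign group + Permission Set to the account. Identity Center then
# creates the role AWSReservedSSO_<PermissionSetName>_<suffix> in that account
# (step 3), and a group member assumes it at login (step 4).
resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.permission_sets
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
  principal_id       = data.aws_identitystore_group.this[each.key].group_id
  principal_type     = "GROUP"
  target_id          = var.target_account_id
  target_type        = "AWS_ACCOUNT"
}
```

Note that MFA enforcement is not a property of the Permission Set; it is configured in the Identity Center instance settings (or delegated to the external IdP), so the session_duration values here cover the timeout half of the "MFA and session timeouts" control while MFA is set separately. No IAM User or IAM Group is created anywhere in this configuration; the only IAM principal that appears in the account is the role Identity Center provisions from the Permission Set.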


📌 SecureC
