IAM Identity Center

AWS IAM Identity Center is an authentication and authorization service that enables organizations to centrally manage access to AWS accounts, applications, and resources. It serves as a single sign-on (SSO) solution that integrates with existing identity providers (IdPs) or supports native user management.

Key Features

Centralized Access Management: Assign user and group permissions to AWS accounts and applications from a single location.
SSO for AWS and Third-Party Apps: Provides seamless authentication for AWS services and supported business applications (e.g., Salesforce, Microsoft 365).
Integration with Identity Providers: Supports external IdPs such as Microsoft Entra ID (formerly Azure AD), Okta, Google Workspace, and Active Directory using SAML 2.0 and OIDC.
Fine-Grained Permissions: Uses IAM policies and permission sets to control access across multiple AWS accounts in AWS Organizations.
Multi-Factor Authentication (MFA): Enhances security with MFA enforcement for user authentication.
Audit and Compliance: Provides AWS CloudTrail logging for access and authentication activities.

How SecureCart Uses IAM Identity Center

Developers log in once and access multiple AWS accounts.
IAM Identity Center groups replace IAM Groups.
Enforces MFA and session timeouts for security.

Example of IAM Identity Center Group Setup

IAM Identity Center Group

AWS Permissions Assigned

SecureCartDevelopers

AWSCodeDeployFullAccess

SecureCart-Security

SecurityAudit

SecureCart-Finance

Billing

How IAM Identity Center Integrates with Directory Services

AWS IAM Identity Center (successor to AWS SSO) allows organizations to centrally manage access to AWS accounts and applications using directory services integrated through AWS Directory Service. This enables users to authenticate with their Active Directory (AD) credentials and seamlessly access AWS resources.

Integration Options:

IAM Identity Center does not directly connect to on-premises Active Directory (AD) but supports directory integration via AWS Directory Service. The following options are available:

1. AWS Managed Microsoft AD (Full Active Directory in AWS)

A fully managed Active Directory (AD) service within AWS.
IAM Identity Center natively integrates with AWS Managed Microsoft AD.
Allows organizations to use existing AD users and groups to assign AWS permissions.
Ideal for companies migrating from on-prem AD or requiring Group Policy, Kerberos, and LDAP support in AWS.

2. AD Connector (Proxy to On-Premises Active Directory)

Acts as a bridge between AWS and an on-premises Active Directory.
Allows users to authenticate with their on-prem AD credentials without maintaining separate identities in AWS.
IAM Identity Center assigns AWS permissions based on on-prem AD groups.
Requires network connectivity (VPN or AWS Direct Connect) to communicate with on-prem AD.

How It Works:

AWS Directory Service is Set Up
- Organizations deploy AWS Managed Microsoft AD or AD Connector to link AWS with their Active Directory.
IAM Identity Center Integrates with the Directory
- IAM Identity Center synchronizes users and groups from the AWS Directory Service instance.
Administrators Assign Permissions
- Admins map AD groups or users to IAM Identity Center permission sets, which define AWS account and application access.
User Authentication
- Users log in via the IAM Identity Center User Portal using Active Directory credentials.
Access AWS Resources
- After authentication, users access AWS accounts, applications, and integrated services without needing separate IAM users or passwords.

AWS IAM Identity Center (SSO) Integration with IAM

In AWS IAM Identity Center (SSO), IAM Roles are automatically created and mapped to Permission Sets when you assign users or groups to an AWS account.

Process Overview

Create a Permission Set → Defines permissions using IAM Policies.
Assign a User/Group to an AWS Account → Assigns the Permission Set to the user/group for the specific account.
AWS IAM Identity Center Automatically Creates an IAM Role in the Account → The Permission Set maps to an IAM Role in the assigned AWS account.
User Assumes the IAM Role when Logging into AWS → They get the permissions defined in the Permission Set.

No need for IAM Users or IAM Groups—Identity Center manages user authentication and authorization at scale.

PreviousAWS Organization NextAWS Policies

Last updated 2 months ago

AWS IAM Identity Center (SSO) Integration with IAM

In AWS IAM Identity Center (SSO), IAM Roles are automatically created and mapped to Permission Sets when you assign users or groups to an AWS account.

Process Overview

Create a Permission Set → Defines permissions using IAM Policies.

Assign a User/Group to an AWS Account → Assigns the Permission Set to the user/group for the specific account.

AWS IAM Identity Center Automatically Creates an IAM Role in the Account → The Permission Set maps to an IAM Role in the assigned AWS account.

User Assumes the IAM Role when Logging into AWS → They get the permissions defined in the Permission Set.

No need for IAM Users or IAM Groups—Identity Center manages user authentication and authorization at scale.