AWS IAM Identity Center
AWS IAM Identity Center (formerly AWS Single Sign-On) lets you securely manage access to AWS services centrally.
Overview
Think of AWS IAM Identity Center as a secure front door to all your AWS resources. Instead of managing separate usernames and passwords for each AWS account or application, users get a single set of login credentials that work everywhere they need to go.
The service acts as a central hub where administrators can:
- Create and manage user accounts for their organization
- Control which AWS accounts and applications each user can access
- Set up single sign-on (SSO) for popular business applications like Salesforce or Office 365
- Enforce sign-in policies such as multi-factor authentication once, for every account and application reached through it
If you are new to AWS, you may assume IAM Identity Center is the way to manage access to your AWS accounts. Confusingly, it is neither the only way nor the default. A new AWS account uses the very similarly named AWS IAM (Identity and Access Management), and Identity Center builds on IAM rather than replacing it: each permission set you assign becomes an IAM role in the target account, which users assume with temporary credentials. Understanding that the two are different services is important both as an AWS administrator and before taking AWS certifications.
For organizations with multiple AWS accounts, IAM Identity Center simplifies access management and improves security: users keep one password protected by one MFA policy, and they receive short-lived session credentials instead of long-lived IAM user access keys.
The attached guide explains the differences in more detail and walks through moving from IAM users to IAM Identity Center if you choose to do so.
Example uses
Multi-Account Access: A developer needs to work across development, staging, and production AWS accounts. Instead of managing separate credentials for each account, they log in once through IAM Identity Center and can switch between accounts easily.
Application Access: An organization uses various cloud applications like Slack, Dropbox, and Office 365. Users can access all these apps through a single portal with their IAM Identity Center credentials.
Temporary Access: A consultant needs access to specific AWS resources for a limited engagement. Administrators assign the consultant a permission set in the accounts involved; the consultant only ever receives short-lived session credentials, and removing the assignment (or disabling the user) ends the access without any long-lived keys left to revoke.
Team-Based Access: A company wants to give their marketing team access to specific AWS services like S3 for managing website content. They can create a group in IAM Identity Center, add marketing team members, and assign appropriate permissions.
Integration with other AWS services
IAM Identity Center works seamlessly with many AWS services:
- AWS Organizations: Identity Center is enabled in the organization's management account and sees every member account, so access can be assigned to any of them
- Amazon S3: Users can access S3 buckets across multiple accounts with appropriate permissions
- AWS Management Console: Provides a single login point for accessing multiple AWS account consoles
- AWS CLI: Developers log in once with aws sso login, and the CLI then obtains short-lived role credentials for each configured account and permission set
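The following shell script is an added example, not code from the page or from AWS, showing what the CLI integration and the IAM-versus-Identity-Center distinction above look like in practice. It writes an AWS CLI v2 config file with one sso-session block and one profile per account (the dev/staging/prod layout from the multi-account use case), and it classifies the ARN that aws sts get-caller-identity returns so a script can refuse to run on long-lived IAM user credentials. The start URL, region, account IDs and permission-set names are placeholder assumptions; the AWSReservedSSO_ role-name prefix is what Identity Center gives the roles it provisions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumed values: the start
# URL, region, account IDs and permission-set names are placeholders.
set -eu

# Write an sso-session block and one profile per account to the config
# file named in $1. This is the layout `aws configure sso` produces for
# AWS CLI v2; writing it by hand lets one file cover several accounts.
write_sso_config() {
    local cfg="$1"
    cat > "$cfg" <<'EOF'
[sso-session corp]
sso_start_url = https://d-0123456789.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = DeveloperAccess
region = eu-west-1

[profile staging]
sso_session = corp
sso_account_id = 222222222222
sso_role_name = DeveloperAccess
region = eu-west-1

[profile prod]
sso_session = corp
sso_account_id = 333333333333
sso_role_name = ReadOnlyAccess
region = eu-west-1
EOF
}

# Print the profile names defined in a config file, one per line.
list_profiles() {
    sed -n 's/^\[profile \([^]]*\)\]$/\1/p' "$1"
}

# One browser login per sso-session covers every profile that uses it;
# the CLI then fetches short-lived role credentials per profile on demand.
sso_login() {
    aws sso login --sso-session "$1"
}

# Classify the ARN returned by `aws sts get-caller-identity`.
# Identity Center sessions are assumed roles whose name starts with
# AWSReservedSSO_; an IAM user ARN means long-lived credentials are in use.
classify_caller() {
    case "$1" in
        arn:aws:sts::*:assumed-role/AWSReservedSSO_*) echo identity-center ;;
        arn:aws:iam::*:user/*)                        echo iam-user ;;
        arn:aws:iam::*:root)                          echo root ;;
        arn:aws:sts::*:assumed-role/*)                echo other-role ;;
        *)                                            echo unknown ;;
    esac
}

# Exit non-zero unless the named profile resolves to an Identity Center
# session; useful as a guard at the top of deployment scripts.
require_identity_center() {
    local arn
    arn=$(aws sts get-caller-identity --profile "$1" --query Arn --output text)
    [ "$(classify_caller "$arn")" = identity-center ]
}
```

Typical use: write_sso_config "$HOME/.aws/config" (after backing up any existing file), sso_login corp, then require_identity_center prod before touching production. The classification relies only on ARN shape, so it also works on CloudTrail userIdentity.arn values when auditing which principals are still signing in as IAM users.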
Similar services in other clouds
- Microsoft Entra ID (formerly Azure Active Directory): Microsoft's identity and access management service for Azure and Microsoft 365
- Google Cloud Identity: Google's unified identity and access management platform
- Okta: A popular third-party identity management service that works across multiple cloud providers
Documents
Switching to / enabling AWS IAM Identity Center
Advice and instructions on enabling AWS IAM Identity Center and moving existing IAM users to it.