AWS Security Blog

Category: AWS IAM Identity Center

Main Image

How to implement trusted identity propagation for applications protected by Amazon Cognito

Amazon Web Services (AWS) recently released AWS IAM Identity Center trusted identity propagation to create identity-enhanced IAM role sessions when requesting access to AWS services as well as to trusted token issuers. These two features can help customers build custom applications on top of AWS, which requires fine-grained access to data analytics-focused AWS services such […]

Managing identity source transition for AWS IAM Identity Center

AWS IAM Identity Center manages user access to Amazon Web Services (AWS) resources, including both AWS accounts and applications. You can use IAM Identity Center to create and manage user identities within the Identity Center identity store or to connect seamlessly to other identity sources. Organizations might change the configuration of their identity source in […]

AWS IAM Identity Center

Access AWS services programmatically using trusted identity propagation

With the introduction of trusted identity propagation, applications can now propagate a user’s workforce identity from their identity provider (IdP) to applications running in Amazon Web Services (AWS) and to storage services backing those applications, such as Amazon Simple Storage Service (Amazon S3) or AWS Glue. Since access to applications and data can now be […]

AWS IAM Identity Center

How to use AWS managed applications with IAM Identity Center: Enable Amazon Q without migrating existing IAM federation flows

AWS IAM Identity Center is the preferred way to provide workforce access to Amazon Web Services (AWS) accounts, and enables you to provide workforce access to many AWS managed applications, such as Amazon Q. As we continue to release more AWS managed applications, customers have told us they want to onboard to IAM Identity Center […]

Conceptual model using a trusted token issuer and token exchange

Simplify workforce identity management using IAM Identity Center and trusted token issuers

December 12, 2023: We’ve updated this post to clarify that you can use both sts:audit_context and sts:identity_context can be used to create an identity-enhanced session. AWS Identity and Access Management (IAM) roles are a powerful way to manage permissions to resources in the Amazon Web Services (AWS) Cloud. IAM roles are useful when granting permissions […]

Use IAM Identity Center APIs to audit and manage application assignments

You can now use AWS IAM Identity Center application assignment APIs to programmatically manage and audit user and group access to AWS managed applications. Previously, you had to use the IAM Identity Center console to manually assign users and groups to an application. Now, you can automate this task so that you scale more effectively as […]

How to use multiple instances of AWS IAM Identity Center

February 29, 2024: This post has been updated to include the account instances opt-in feature supported for member accounts in AWS Organizations. November 28, 2023: This blog has been updated to include Identity Center instances deployment patterns. November 22, 2023: We updated the information about account instances of Identity Center availability. Recently, AWS launched a […]

Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket

Mar 25, 2024: We have fixed the JSON code examples which caused errors by replacing the curly quotes with straight quotes. November 14, 2023: We’ve updated this post to use IAM Identity Center and follow updated IAM best practices. In this post, we discuss the concept of folders in Amazon Simple Storage Service (Amazon S3) […]

Delegating permission set management and account assignment in AWS IAM Identity Center

January 31, 2024: Updated IAM policy for use case 3 to allow the actions sso:CreateAccountAssignment and sso:ProvisionPermissionSet for resources of type permissionSet In this blog post, we look at how you can use AWS IAM Identity Center (successor to AWS Single Sign-On) to delegate the management of permission sets and account assignments. Delegating the day-to-day […]

Solution architecture to automate the review and validation of permissions for users and groups in AWS IAM Identity Center

How to automate the review and validation of permissions for users and groups in AWS IAM Identity Center

AWS IAM Identity Center (successor to AWS Single Sign-On) is widely used by organizations to centrally manage federated access to their Amazon Web Services (AWS) environment. As organizations grow, it’s crucial that they maintain control of access to their environment and conduct regular reviews of existing granted permissions to maintain a good security posture. With […]