AWS IAM Identity Center FAQs
What is AWS IAM Identity Center?
IAM Identity Center is built on top of AWS Identity and Access Management (IAM) to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across AWS. You can choose to manage access just to your AWS accounts, just to your cloud applications, or to both. You can create users directly in IAM Identity Center, or you can bring them from your existing workforce directory. With IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access their assigned AWS accounts or cloud applications.
What are the benefits of IAM Identity Center?
You can use IAM Identity Center to quickly and easily assign and manage your employees’ access to multiple AWS accounts, SAML -enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing credentials or credentials that you configure in IAM Identity Center. They can use a single personalized user portal. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from AWS CloudTrail .
What problems does IAM Identity Center solve?
IAM Identity Center eliminates the administrative complexity of federating and managing permissions separately for each AWS account. It allows you to set up AWS applications from a single interface, and to assign access to your cloud applications from a single place.
IAM Identity Center also helps improve access visibility by integrating with AWS CloudTrail and providing a central place for you to audit single sign-on access to AWS accounts and SAML -enabled cloud applications, such as Microsoft 365, Salesforce, and Box.
Why should I use IAM Identity Center?
IAM Identity Center is our recommended front door into AWS. It should be your primary tool to manage the AWS access of your workforce users. It allows you to manage your identities in your preferred identity source, connect them once for use in AWS, allows you to define fine-grained permissions and apply them consistently across accounts. As the number of your accounts scales, IAM Identity Center gives you the option to use it as a single place to manage user access to all your cloud applications.
What can I do with IAM Identity Center?
You can use IAM Identity Center to quickly and easily assign your employees access to AWS accounts within AWS Organizations, business cloud applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in IAM Identity Center to access their business applications from a single user portal. IAM Identity Center also allows you to audit users’ access to cloud services by using AWS CloudTrail.
Who should use IAM Identity Center?
IAM Identity Center is for administrators who manage multiple AWS accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.
How do I start using IAM Identity Center?
As a new IAM Identity Center customer, you:
Sign in to the AWS Management Console of the management account in your AWS account and navigate to the IAM Identity Center console.
Select the directory you use for storing the identities of your users and groups from the IAM Identity Center console. IAM Identity Center provides you a directory by default that you can use to manage users and groups in IAM Identity Center. You can also change directory to connect to a Microsoft AD directory by clicking through a list of Managed Microsoft AD and AD Connector instances that IAM Identity Center discovers in your account automatically. If you want to connect to a Microsoft AD directory, see Getting Started with AWS Directory Service .
Grant users single sign-on access to AWS accounts in your organization by selecting the AWS accounts from a list populated by IAM Identity Center, and then selecting users or groups from your directory and the permissions you want to grant them.
Give users access to business cloud applications by:
a. Selecting one of the applications from the list of pre-integrated applications supported in IAM Identity Center.
b. Configuring the application by following the configuration instructions.
c. Selecting the users or groups that should be able to access this application.
Give your users the IAM Identity Center sign-in web address that was generated when you configured the directory so that they can sign in to IAM Identity Center and access accounts and business applications.
How much does IAM Identity Center cost?
IAM Identity Center is offered at no extra charge.
In which regions is IAM Identity Center available?
See the AWS Region Table for IAM Identity Center availability by Region.
Identity sources and applications support
What identity sources can I use with IAM Identity Center?
With IAM Identity Center, you can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source including Microsoft Active Directory, Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), or another supported IdP . See the IAM Identity Center User Guide to learn more.
Can I connect more than one identity source to IAM Identity Center?
No. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. But, you can change the identity source that is connected to a different one.
What SAML 2.0 IdPs can I use with IAM Identity Center?
You can connect IAM Identity Center to most SAML 2.0 IdPs, such as Okta Universal Directory or Microsoft Entra ID (formerly Azure AD). See the IAM Identity Center User Guide to learn more.
Will enabling IAM Identity Center modify any of my existing IAM roles, users, or policies?
No, IAM Identity Center does not modify any existing IAM roles, users, or policies in your AWS accounts. IAM Identity Center creates new roles and policies specifically for use through IAM Identity Center.
How can I provision identities from my existing IdPs into IAM Identity Center?
Identities from your existing IdP must be provisioned into IAM Identity Center before you can assign permissions. You can synchronize user and group information from Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, and PingFederate automatically using the System for Cross-domain Identity Management (SCIM) standard. For other IdPs, you can provision users from your IdP using the IAM Identity Center console. See the IAM Identity Center User Guide to learn more.
Do I have to migrate to IAM Identity Center all at once or can I do so gradually?
After enabling IAM Identity Center any existing IAM roles or users you have will continue to function as-is. This means that you can migrate to IAM Identity Center in a phased approach without disrupting existing access to AWS.
How do I migrate existing roles to IAM Identity Center?
IAM Identity Center provisions new roles for use within your AWS accounts. You can attach the same policies you use with your existing IAM roles to the new roles used with IAM Identity Center.
Does IAM Identity Center create IAM users and groups in my AWS accounts?
IAM Identity Center does not create IAM users and groups. It has its own purpose-built identity store to hold user information. When using an external identity provider, Identity Center holds a synchronized copy of user attributes and group membership, but no authentication material like passwords or MFA devices. Your external identity provider remains the source of truth for user information and attributes.
Can I automate identity synchronization into IAM Identity Center?
Yes. If you use Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, or PingFederate, you can use SCIM to synchronize user and group information from your IdP to IAM Identity Center automatically. See the IAM Identity Center User Guide to learn more.
How do I connect IAM Identity Center to my Microsoft Active Directory?
You can connect IAM Identity Center to your on-premises Active Directory (AD) or to an AWS Managed Microsoft AD directory using AWS Directory Service. See the IAM Identity Center User Guide to learn more.
I manage my users and groups in Active Directory on-premises. How can I leverage these users and groups in IAM Identity Center?
You have two options for connecting Active Directory–hosted on-premises to IAM Identity Center: (1) use AD Connector, or (2) use an AWS Managed Microsoft AD trust relationship. AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see the AWS Directory Service Administration Guide . AWS Managed Microsoft AD makes it easy to set up and run Microsoft Active Directory in AWS. It can be used to set up a forest trust relationship between your on-premises directory and AWS Managed Microsoft AD. To set up a trust relationship, see the AWS Directory Service Administration Guide .
Can I use my Amazon Cognito User Pools as the identity source in IAM Identity Center?
Amazon Cognito is a service that helps you manage identities for your customer facing applications; it is not a supported identity source in IAM Identity Center. You can create and manage your workforce identities in IAM Identity Center or in your external identity source including Microsoft Active Directory , Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), or another supported IdP .
Does IAM Identity Center support the browser command line and mobile interfaces?
Yes, you can use IAM Identity Center to control access to the AWS Management Console and CLI v2. IAM Identity Center enables your users to access the CLI and AWS Management Console through a single sign-on experience. The AWS Mobile Console app also supports IAM Identity Center so you get a consistent sign-in experience across browser, mobile, and command line interfaces.
Which cloud applications can I connect to IAM Identity Center?
You can connect the following applications to IAM Identity Center:
IAM Identity Center-integrated applications: IAM Identity Center-integrated applications such as SageMaker Studio and IoT SiteWise use IAM Identity Center for authentication and work with the identities you have in IAM Identity Center. There is no need for additional configuration to synchronize identities into these applications or to set up federation to separately.
Pre-integrated SAML applications: IAM Identity Center comes pre-integrated with commonly used business applications. For a comprehensive list, see the IAM Identity Center console.
Custom SAML applications: IAM Identity Center supports applications that allow identity federation using SAML 2.0. You can enable IAM Identity Center to support these applications by using the custom application wizard.
Single sign-on access to AWS accounts
Which AWS accounts can I connect to IAM Identity Center?
How do I setup single sign-on to AWS accounts in an organizational unit (OU) within my organization?
You can pick accounts within the organization or filter accounts by OU.
What are the general use cases for trusted identity propagation?
The primary use of trusted identity propagation is to enable business intelligence (BI) applications to query AWS analytics services, such as Amazon Redshift or Amazon Quicksight, for data required by business users with a single user sign-in through the customer’s existing identity provider, while maintaining awareness of the user’s identity. The capability supports different types of commonly used BI applications and uses different mechanisms to propagate the user’s identity between services.
How do I control what permissions my users get when they use IAM Identity Center to access their accounts?
When granting access to your users, you can limit the users’ permissions by picking a permission set. Permission sets are a collection of permissions that you can create in IAM Identity Center, modelling them based on AWS managed policies for job functions or any AWS managed policies. AWS managed policies for job functions are designed to closely align to common job functions in the IT industry. If required, you can also fully customize the permission set to meet your security requirements. IAM Identity Center applies these permissions to the selected accounts automatically. As you change the permission sets, IAM Identity Center enables you to apply the changes to the relevant accounts easily. When your users access the accounts through the AWS access portal, these permissions restrict what they can do within those accounts. You can also grant multiple permission sets to your users. When they access the account through the user portal, they can pick which permission set they want to assume for that session.
How do I automate permissions management across multiple accounts?
How do I select which user attributes to use for ABAC?
To implement ABAC, you can select attributes from the IAM Identity Center’s identity store for IAM Identity Center users and users synchronized from Microsoft AD or external SAML 2.0 IdPs including Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, or PingFederate. When using an IdP as your identity source, you can optionally send the attributes as a part of a SAML 2.0 assertion.
For which AWS accounts can I get AWS CLI credentials?
You can get AWS CLI credentials for any AWS account and user permissions that your IAM Identity Center administrator has assigned to you. These CLI credentials can be used for programmatic access to the AWS account.
How long are the AWS CLI credentials from the AWS access portal valid?
AWS CLI Credentials fetched through IAM Identity Center are valid for 60 minutes. You can get a fresh set of credentials as often as needed.
Single sign-on access to business applications
How do I set up IAM Identity Center to business applications, such as Salesforce?
From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose an application from the list of cloud applications that are pre-integrated with IAM Identity Center. Follow the on-screen instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application and Choose Assign Access to complete the process.
My company uses business applications that are not in IAM Identity Center's pre-integrated application list. Can I still use IAM Identity Center?
Yes. If your application supports SAML 2.0, you can configure your application as a custom SAML 2.0 application. From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose Custom SAML 2.0 application. Follow the instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.
My application supports OpenID Connect (OIDC) only. Can I use it with IAM Identity Center?
No. IAM Identity Center supports only SAML 2.0–based applications.
What is trusted identity propagation?
Trusted identity propagation is built on the OAuth 2.0 Authorization Framework , which allows applications to access data and other resources on behalf of a specific user, without sharing that user's credentials. This feature of IAM Identity Center simplifies data access management for users, auditing, and improves the sign-in experience for analytics users across multiple AWS analytics applications.
Does IAM Identity Center support single sign-on to native mobile and desktop applications?
No. IAM Identity Center supports single sign-on to business applications through web browsers only.
Why should I use trusted identity propagation?
Resource and database administrators can define access to their assets on a granular user and group membership level. Auditors can review user actions across interconnected business intelligence and data analytics applications. Users of business intelligence applications can authenticate once to access AWS data sources. Trusted identity propagation helps customers meet requirements for least-privilege access to data in analytics workflows that span multiple applications and AWS services, such as Amazon Redshift, Amazon S3, Amazon Quicksight, Amazon Athena, and AWS LakeFormation.
What data will IAM Identity Center store on my behalf?
IAM Identity Center will store data about which AWS accounts and cloud applications are assigned to which users and groups, as well as what permissions have been granted for accessing AWS accounts. IAM Identity Center will also create and manage IAM roles in individual AWS accounts for each permission set you grant access for your users.
What multi-factor authentication (MFA) capabilities can I use with IAM Identity Center?
With IAM Identity Center, you can enable standard-based strong authentication capabilities for all your users across all identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable multi-factor authentication capabilities of your provider. When using IAM Identity Center or Active Directory as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to AWS accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable one-time-passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy.
You can also use your existing Remote Authentication Dial-In User Service (RADIUS) MFA configuration with IAM Identity Center and AWS Directory Services to authenticate your users as a secondary form of verification. To learn more about configuring MFA with IAM Identity Center, visit the IAM Identity Center User Guide .
Does IAM Identity Center support the Web Authentication specification?
Yes. For user identities in IAM Identity Center’s identity store and Active Directory, IAM Identity Center supports the Web Authentication (WebAuthn) specification to help you secure user access to AWS accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable one-time-passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy.
How do my employees get started using IAM Identity Center?
Employees can get started with IAM Identity Center by visiting the access portal that is generated when you configure your identity source in IAM Identity Center. If you manage your users in IAM Identity Center, your employees can use their email address and password they configured with IAM Identity Center to sign into the user portal. If you connect IAM Identity Center to a Microsoft Active Directory or a SAML 2.0 identity provider, your employees can sign in to user portal with their existing corporate credentials and then view the accounts and applications assigned to them. To access an account or application, employees choose the associated icon from the access portal.
Is there an API available for IAM Identity Center?
Yes. IAM Identity Center provides account assignment APIs to help you automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.