AWS Security Blog

Getting started with AWS IAM Identity Center delegated administration

September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.


Recently, AWS launched the ability to delegate administration of AWS IAM Identity Center (formerly AWS Single Sign-On) in your AWS Organizations organization to a member account (an account other than the management account). This post will show you a practical approach to using this new feature. For the documentation for this feature, see Delegated administration in the AWS IAM Identity Center User Guide.

With AWS Organizations, your enterprise organization can manage your accounts more securely and at scale. One of the benefits of Organizations is that it integrates with many other AWS services, so you can centrally manage accounts and how the services in those accounts can be used.

AWS IAM Identity Center is where you can create, or connect, your workforce identities in AWS just once, and then manage access centrally across your AWS organization. You can create user identities directly in AWS IAM Identity Center, or you can bring them from your Microsoft Active Directory or a standards-based identity provider, such as Okta Universal Directory or Azure AD. With AWS IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access.

By default, the management account in an AWS organization has the power and authority to manage member accounts in the organization. Because of these additional permissions, it is important to exercise least privilege and tightly control access to the management account. AWS recommends that enterprises create one or more accounts specifically designated for security of the organization, with proper controls and access management policies in place. AWS provides a method in which many services can be administered for the organization from a member account; this is usually referred to as a delegated administrator account. These accounts can reside in a security organizational unit (OU), where administrators can enforce organizational policies. Figure 1 is an example of a recommended set of OUs in Organizations.

Figure 1: Recommended AWS Organizations OUs

Many AWS services support this delegated administrator model, including Amazon GuardDuty, AWS Security Hub, and Amazon Macie. For an up-to-date complete list, see AWS services that you can use with AWS Organizations. AWS IAM Identity Center is now the most recent addition to the list of services in which you can delegate administration of your users, groups, and permissions, including third-party applications, to a member account of your organization.

How to configure a delegated administrator account

In this scenario, your enterprise AnyCompany has an organization consisting of a management account, an account for managing security, as well as a few member accounts. You have enabled AWS IAM Identity Center in the organization, but you want to enable the security team to manage permissions for accounts and roles in the organization. AnyCompany doesn’t want you to give the security team access to the management account, and they also want to make sure the security team can’t delete the AWS IAM Identity Center configuration or manage access to that account, so you decide to delegate the administration of AWS IAM Identity Center to the security account.

Note: There are a few things to consider when making this change, which you should review before you enable delegated administration. These items are covered in the console during the process, and are described in the section Considerations when delegating AWS IAM Identity Center administration in this post.

To delegate AWS IAM Identity Center administration to a security account

  1. In the AWS Organizations console, log in to the management account with a user or role that has permission to use organizations:RegisterDelegatedAdministrator, as well as AWS IAM Identity Center management permissions.
  2. In the AWS IAM Identity Center console, navigate to the Region in which AWS IAM Identity Center is enabled.
  3. Choose Settings on the left navigation pane, and then choose the Management tab on the right side.
  4. Under Delegated administrator, choose Register account, as shown in Figure 2.
    Figure 2: The Register account button in AWS IAM Identity Center

  5. Consider the implications of designating a delegated administrator account (as described in the section Considerations when delegating AWS IAM Identity Center administration). Select the account you want to be able to manage AWS IAM Identity Center, and then choose Register account, as shown in Figure 3.
    Figure 3: Choosing a delegated administrator account in AWS IAM Identity Center

You should see a success message to indicate that the AWS IAM Identity Center delegated administrator account is now set up.

To remove delegated AWS IAM Identity Center administration from an account

  1. In the AWS Organizations console, log in to the management account with a user or role that has permission to use organizations:DeregisterDelegatedAdministrator.
  2. In the AWS IAM Identity Center console, navigate to the Region in which AWS IAM Identity Center is enabled.
  3. Choose Settings on the left navigation pane, and then choose the Management tab on the right side.
  4. Under Delegated administrator, select Deregister account, as shown in Figure 4.
    Figure 4: The Deregister account button in AWS IAM Identity Center

  5. Consider the implications of removing a delegated administrator account (as described in the section Considerations when delegating AWS IAM Identity Center administration), then enter the account name that is currently administering AWS IAM Identity Center, and choose Deregister account, as shown in Figure 5.
    Figure 5: Considerations of deregistering a delegated administrator in AWS IAM Identity Center
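Both procedures above can also be carried out through the Organizations API instead of the console. The following Python (boto3) is an added example, not code from the AWS post; it assumes management-account credentials holding the organizations:RegisterDelegatedAdministrator and organizations:DeregisterDelegatedAdministrator permissions named above, and that sso.amazonaws.com is the service principal under which Organizations records the IAM Identity Center delegate.

```python
"""Register or deregister the IAM Identity Center delegated administrator with the
Organizations API. Added example, not from the AWS post. Call with a boto3
'organizations' client created from management-account credentials."""
import re

# Service principal Organizations uses for IAM Identity Center (assumed here).
IDENTITY_CENTER_PRINCIPAL = "sso.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def current_delegated_admins(org):
    """Account IDs currently delegated for IAM Identity Center (walks pagination)."""
    ids, token = [], None
    while True:
        kwargs = {"ServicePrincipal": IDENTITY_CENTER_PRINCIPAL}
        if token:
            kwargs["NextToken"] = token
        page = org.list_delegated_administrators(**kwargs)
        ids += [a["Id"] for a in page.get("DelegatedAdministrators", [])]
        token = page.get("NextToken")
        if not token:
            return ids


def register_identity_center_admin(org, account_id):
    """Delegate IAM Identity Center administration to account_id and verify it took."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    if account_id in current_delegated_admins(org):
        return False  # already registered; nothing to do
    org.register_delegated_administrator(AccountId=account_id,
                                         ServicePrincipal=IDENTITY_CENTER_PRINCIPAL)
    if account_id not in current_delegated_admins(org):
        raise RuntimeError("registration did not take effect")
    return True


def deregister_identity_center_admin(org, account_id):
    """Remove the delegation; assignments and permission sets are left unchanged."""
    if account_id not in current_delegated_admins(org):
        return False
    org.deregister_delegated_administrator(AccountId=account_id,
                                           ServicePrincipal=IDENTITY_CENTER_PRINCIPAL)
    return True


if __name__ == "__main__":
    import boto3, sys  # real client, only needed when run against AWS
    print(register_identity_center_admin(boto3.client("organizations"), sys.argv[1]))
```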

Considerations when delegating AWS IAM Identity Center administration

There are a few considerations you should keep in mind when you delegate AWS IAM Identity Center administration. The first consideration is that the delegated administrator account will not be able to perform the following actions:

  • Delete the AWS IAM Identity Center configuration.
  • Delegate (to other accounts) administration of AWS IAM Identity Center.
  • Manage user or group access to the management account.
  • Manage permission sets that are provisioned (have a user or group assigned) in the organization management account.

For examples of those last two actions, consider the following scenarios:

In the first scenario, you are managing AWS IAM Identity Center from the delegated administrator account. You would like to give your colleague Saanvi access to all the accounts in the organization, including the management account. This action would not be allowed, since the delegated administrator account cannot manage access to the management account. You would need to log in to the management account (with a user or role that has proper permissions) to provision that access.

In a second scenario, you would like to change the permissions Paulo has in the management account by modifying the policy attached to a ManagementAccountAdmin permission set, which Paulo currently has access to. In this scenario, you would also have to do this from inside the management account, since the delegated administrator account does not have permissions to modify the permission set, because it is provisioned to a user in the management account.

With those caveats in mind, users with proper access in the delegated administrator account will be able to control permissions and assignments for users and groups throughout the AWS organization. For more information about limiting that control, see Allow a user to administer AWS IAM Identity Center for specific accounts in the AWS IAM Identity Center User Guide.

Deregistering an AWS IAM Identity Center delegated administrator account will not affect any permissions or assignments in AWS IAM Identity Center, but it will remove the ability for users in the delegated account to manage AWS IAM Identity Center from that account.

Additional considerations if you use Microsoft Active Directory

There are additional considerations for you to keep in mind if you use Microsoft Active Directory (AD) as an identity provider, specifically whether you use AWS IAM Identity Center configurable AD sync, and which AWS account the directory resides in. In order to use AWS IAM Identity Center delegated administration when the identity source is set to Active Directory, AWS IAM Identity Center configurable AD sync must be enabled for the directory. Your organization’s administrators must synchronize the Active Directory users and groups you want to grant access to into an AWS IAM Identity Center identity store. When you enable AWS IAM Identity Center configurable AD sync, a new feature that launched in April, Active Directory administrators can choose which users and groups get synced into AWS IAM Identity Center, similar to how other external identity providers work today when using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. This way, AWS IAM Identity Center knows about users and groups even before they are granted access to specific accounts or roles, and AWS IAM Identity Center administrators don’t have to manually search for them.

Another thing to consider when delegating AWS IAM Identity Center administration when using AD as an identity source is where your directory resides, that is, which AWS account owns the directory. If you decide to change the AWS IAM Identity Center identity source from any other source to Active Directory, or change it from Active Directory to any other source, then the directory must reside in (be owned by) the account that the change is being performed in. For example, if you are currently signed in to the management account, you can only change the identity source to or from directories that reside in (are owned by) the management account. For more information, see Manage your identity source in the AWS IAM Identity Center User Guide.

Best practices for managing AWS IAM Identity Center with delegated administration

AWS recommends the following best practices when using delegated administration for AWS IAM Identity Center:

  • Maintain separate permission sets for use in the organization management account (versus the rest of the accounts). This way, permissions can be kept separate and managed from within the management account without causing confusion among the delegated administrators.
  • When granting access to the organization management account, grant the access to groups (and permission sets) specifically for access in that account. This helps enable the principle of least privilege for this important account, and helps ensure that AWS IAM Identity Center delegated administrators are able to manage the rest of the organization as efficiently as possible (by reducing the number of users, groups, and permission sets that are off limits to them).
  • If you plan on using one of the AWS Directory Services for Microsoft Active Directory (AWS Managed Microsoft AD or AD Connector) as your AWS IAM Identity Center identity source, locate the directory and the AWS IAM Identity Center delegated administrator account in the same AWS account.
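The restriction in the considerations section (permission sets provisioned in the management account are off limits to the delegated administrator) and the first two best practices above can be checked mechanically. The following Python is an added example, not code from the AWS post; the assignment records and account IDs are constructed, shaped like account assignments collected across accounts with `aws sso-admin list-account-assignments` and flattened into one list.

```python
"""Flag permission sets a delegated administrator cannot manage because they are
provisioned in the management account, and the ones shared with member accounts
that the best practices say to separate. Added example, not from the AWS post."""
from collections import defaultdict

MANAGEMENT_ACCOUNT = "111111111111"  # constructed placeholder account id
ASSIGNMENTS = [  # constructed sample: one record per (account, permission set, principal)
    {"account": "111111111111", "permission_set": "ManagementAccountAdmin", "principal": "group:MgmtAdmins"},
    {"account": "111111111111", "permission_set": "ReadOnly", "principal": "group:Auditors"},
    {"account": "222222222222", "permission_set": "ReadOnly", "principal": "group:Auditors"},
    {"account": "222222222222", "permission_set": "DeveloperAccess", "principal": "user:saanvi"},
    {"account": "333333333333", "permission_set": "DeveloperAccess", "principal": "group:Developers"},
]


def accounts_by_permission_set(assignments):
    """Map each permission set to the set of accounts it is provisioned in."""
    usage = defaultdict(set)
    for a in assignments:
        usage[a["permission_set"]].add(a["account"])
    return usage


def off_limits_to_delegated_admin(assignments, management_account):
    """Permission sets provisioned in the management account: the delegated
    administrator cannot modify these, only management-account admins can."""
    usage = accounts_by_permission_set(assignments)
    return sorted(ps for ps, accts in usage.items() if management_account in accts)


def shared_with_member_accounts(assignments, management_account):
    """Permission sets used in BOTH the management account and a member account.
    These break the 'separate permission sets' best practice: member-account
    access depends on them, yet every change must go through the management account."""
    usage = accounts_by_permission_set(assignments)
    return sorted(ps for ps, accts in usage.items()
                  if management_account in accts and accts - {management_account})


def principals_with_management_access(assignments, management_account):
    """Principals whose management-account access the delegated administrator cannot manage."""
    return sorted({a["principal"] for a in assignments if a["account"] == management_account})


if __name__ == "__main__":
    print("off limits to delegate:", off_limits_to_delegated_admin(ASSIGNMENTS, MANAGEMENT_ACCOUNT))
    print("shared, should be split:", shared_with_member_accounts(ASSIGNMENTS, MANAGEMENT_ACCOUNT))
    print("management principals:", principals_with_management_access(ASSIGNMENTS, MANAGEMENT_ACCOUNT))
```

On the sample data, ReadOnly is the one to split into a management-only copy and a member-account copy, after which the delegated administrator can manage the member-account version.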

Conclusion

In this post, you learned about a helpful new feature of AWS IAM Identity Center, the ability to delegate administration of your users and permissions to a member account of your organization. AWS recommends as a best practice that the management account of an AWS organization be secured by a least privilege access model, in which as few people as possible have access to the account. You can enable delegated administration for supported AWS services, including AWS IAM Identity Center, as a useful tool to help your organization minimize access to the management account by moving that control into an AWS account designated specifically for security or identity services. We encourage you to consider AWS IAM Identity Center delegated administration for administering access in AWS. To learn more about the new feature, see Delegated administration in the AWS IAM Identity Center User Guide.


Author

Chris Mercer

Chris is a security specialist solutions architect. He helps AWS customers implement sophisticated, scalable, and secure solutions to business challenges. He has experience in penetration testing, security architecture, and running military IT systems and networks. Chris holds a Master’s Degree in Cybersecurity, several AWS certifications, OSCP, and CISSP. Outside of AWS, he is a professor, student pilot, and Cub Scout leader.