AWS IAM Identity Center FAQs

General

IAM Identity Center is built on top of AWS Identity and Access Management (IAM) to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across AWS. You can choose to manage access just to your AWS accounts, just to your cloud applications, or to both. You can create users directly in IAM Identity Center, or you can bring them from your existing workforce directory. With IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access their assigned AWS accounts or cloud applications.

You can use IAM Identity Center to quickly and easily assign and manage your employees’ access to multiple AWS accounts, SAML-enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing credentials or credentials that you configure in IAM Identity Center. They can use a single personalized user portal. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from AWS CloudTrail.

IAM Identity Center eliminates the administrative complexity of federating and managing permissions separately for each AWS account. It allows you to set up AWS applications from a single interface, and to assign access to your cloud applications from a single place.

IAM Identity Center also helps improve access visibility by integrating with AWS CloudTrail and providing a central place for you to audit single sign-on access to AWS accounts and SAML-enabled cloud applications, such as Microsoft 365, Salesforce, and Box.

IAM Identity Center is our recommended front door into AWS. It should be your primary tool to manage the AWS access of your workforce users. It allows you to manage your identities in your preferred identity source, connect them once for use in AWS, and define fine-grained permissions that are applied consistently across accounts. As the number of your accounts scales, IAM Identity Center gives you the option to use it as a single place to manage user access to all your cloud applications.

You can use IAM Identity Center to quickly and easily assign your employees access to AWS accounts within AWS Organizations, business cloud applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in IAM Identity Center to access their business applications from a single user portal. IAM Identity Center also allows you to audit users’ access to cloud services by using AWS CloudTrail.

IAM Identity Center is for administrators who manage multiple AWS accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.

As a new IAM Identity Center customer, you:

1. Sign in to the AWS Management Console with the management account of your organization and navigate to the IAM Identity Center console.

2. Select the directory you use for storing the identities of your users and groups from the IAM Identity Center console. IAM Identity Center provides you a directory by default that you can use to manage users and groups in IAM Identity Center. You can also change the directory to connect to a Microsoft AD directory by clicking through a list of Managed Microsoft AD and AD Connector instances that IAM Identity Center discovers in your account automatically. If you want to connect to a Microsoft AD directory, see Getting Started with AWS Directory Service.

3. Grant users single sign-on access to AWS accounts in your organization by selecting the AWS accounts from a list populated by IAM Identity Center, and then selecting users or groups from your directory and the permissions you want to grant them.

4. Give users access to business cloud applications by:

a. Selecting one of the applications from the list of pre-integrated applications supported in IAM Identity Center.

b. Configuring the application by following the configuration instructions.

c. Selecting the users or groups that should be able to access this application.

5. Give your users the IAM Identity Center sign-in web address that was generated when you configured the directory so that they can sign in to IAM Identity Center and access accounts and business applications.

IAM Identity Center is offered at no extra charge.

See the AWS Region Table for IAM Identity Center availability by Region.

Identity sources and applications support

With IAM Identity Center, you can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source including Microsoft Active Directory, Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), or another supported IdP. See the IAM Identity Center User Guide to learn more.

No. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can change the connected identity source to a different one.

You can connect IAM Identity Center to most SAML 2.0 IdPs, such as Okta Universal Directory or Microsoft Entra ID (formerly Azure AD). See the IAM Identity Center User Guide to learn more.

No, IAM Identity Center does not modify any existing IAM roles, users, or policies in your AWS accounts. IAM Identity Center creates new roles and policies specifically for use through IAM Identity Center.

Identities from your existing IdP must be provisioned into IAM Identity Center before you can assign permissions. You can synchronize user and group information from Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, and PingFederate automatically using the System for Cross-domain Identity Management (SCIM) standard. For other IdPs, you can provision users from your IdP using the IAM Identity Center console. See the IAM Identity Center User Guide to learn more.

After enabling IAM Identity Center any existing IAM roles or users you have will continue to function as-is. This means that you can migrate to IAM Identity Center in a phased approach without disrupting existing access to AWS.

IAM Identity Center provisions new roles for use within your AWS accounts. You can attach the same policies you use with your existing IAM roles to the new roles used with IAM Identity Center.

IAM Identity Center does not create IAM users and groups. It has its own purpose-built identity store to hold user information. When using an external identity provider, Identity Center holds a synchronized copy of user attributes and group membership, but no authentication material like passwords or MFA devices. Your external identity provider remains the source of truth for user information and attributes.

Yes. If you use Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, or PingFederate, you can use SCIM to synchronize user and group information from your IdP to IAM Identity Center automatically. See the IAM Identity Center User Guide to learn more.

You can connect IAM Identity Center to your on-premises Active Directory (AD) or to an AWS Managed Microsoft AD directory using AWS Directory Service. See the IAM Identity Center User Guide to learn more.

You have two options for connecting an on-premises Active Directory to IAM Identity Center: (1) use AD Connector, or (2) use an AWS Managed Microsoft AD trust relationship. AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see the AWS Directory Service Administration Guide. AWS Managed Microsoft AD makes it easy to set up and run Microsoft Active Directory in AWS. It can be used to set up a forest trust relationship between your on-premises directory and AWS Managed Microsoft AD. To set up a trust relationship, see the AWS Directory Service Administration Guide.

Amazon Cognito is a service that helps you manage identities for your customer-facing applications; it is not a supported identity source in IAM Identity Center. You can create and manage your workforce identities in IAM Identity Center or in your external identity source including Microsoft Active Directory, Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), or another supported IdP.

Yes, you can use IAM Identity Center to control access to the AWS Management Console and CLI v2. IAM Identity Center enables your users to access the CLI and AWS Management Console through a single sign-on experience. The AWS Mobile Console app also supports IAM Identity Center so you get a consistent sign-in experience across browser, mobile, and command line interfaces.

You can connect the following applications to IAM Identity Center:

IAM Identity Center-integrated applications: IAM Identity Center-integrated applications such as SageMaker Studio and IoT SiteWise use IAM Identity Center for authentication and work with the identities you have in IAM Identity Center. There is no need for additional configuration to synchronize identities into these applications or to set up federation separately.

Pre-integrated SAML applications: IAM Identity Center comes pre-integrated with commonly used business applications. For a comprehensive list, see the IAM Identity Center console.

Custom SAML applications: IAM Identity Center supports applications that allow identity federation using SAML 2.0. You can enable IAM Identity Center to support these applications by using the custom application wizard.

Single sign-on access to AWS accounts

You can add any AWS account managed using AWS Organizations to IAM Identity Center. You need to enable all features in your organization to manage single sign-on access to your accounts.

You can pick accounts within the organization or filter accounts by OU.

The primary use of trusted identity propagation is to enable business intelligence (BI) applications to query AWS analytics services, such as Amazon Redshift or Amazon QuickSight, for data required by business users with a single user sign-in through the customer’s existing identity provider, while maintaining awareness of the user’s identity. The capability supports different types of commonly used BI applications and uses different mechanisms to propagate the user’s identity between services.

When granting access to your users, you can limit the users’ permissions by picking a permission set. Permission sets are a collection of permissions that you can create in IAM Identity Center, modelling them based on AWS managed policies for job functions or any AWS managed policies. AWS managed policies for job functions are designed to closely align to common job functions in the IT industry. If required, you can also fully customize the permission set to meet your security requirements. IAM Identity Center applies these permissions to the selected accounts automatically. As you change the permission sets, IAM Identity Center enables you to apply the changes to the relevant accounts easily. When your users access the accounts through the AWS access portal, these permissions restrict what they can do within those accounts. You can also grant multiple permission sets to your users. When they access the account through the user portal, they can pick which permission set they want to assume for that session.

IAM Identity Center provides APIs and AWS CloudFormation support to automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.

To implement ABAC, you can select attributes from IAM Identity Center’s identity store for IAM Identity Center users and for users synchronized from Microsoft AD or external SAML 2.0 IdPs including Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), OneLogin, or PingFederate. When using an IdP as your identity source, you can optionally send the attributes as part of a SAML 2.0 assertion.
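The three preceding answers (permission sets, the CloudFormation support for automating them, and ABAC) fit together in one template. The following is an added example, not code from the FAQ or from AWS documentation: it defines a permission set that combines an AWS managed job-function policy with an inline ABAC policy, maps an identity-store attribute to a session tag so the inline policy's condition can use it, and assigns the permission set to a group in one account. The instance ARN, group ID, account ID and the `enterprise.department` attribute path are placeholders chosen for this example; replace them with the values from your own IAM Identity Center instance.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: permission set + ABAC attribute mapping + account assignment
  for IAM Identity Center. Identifiers below are placeholders.

Parameters:
  InstanceArn:
    Type: String
    Description: ARN of the IAM Identity Center instance (placeholder value)
    Default: arn:aws:sso:::instance/ssoins-EXAMPLE0000000000
  GroupId:
    Type: String
    Description: Identity store ID of the group to assign (placeholder value)
    Default: 00000000-0000-0000-0000-000000000000
  TargetAccountId:
    Type: String
    Description: Member account that receives the assignment (placeholder value)
    Default: "111122223333"

Resources:
  # ABAC: copy the user's department attribute from the identity store into the
  # session as the principal tag "Department". Only one such configuration may
  # exist per Identity Center instance; the attribute path is an example.
  AbacAttributeMapping:
    Type: AWS::SSO::InstanceAccessControlAttributeConfiguration
    Properties:
      InstanceArn: !Ref InstanceArn
      AccessControlAttributes:
        - Key: Department
          Value:
            Source:
              - "${path:enterprise.department}"

  # Permission set: a job-function managed policy for broad read-only access,
  # plus an inline policy that allows EC2 start/stop only on instances tagged
  # with the same Department value as the signed-in user.
  DepartmentOperatorPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: DepartmentOperator
      Description: View-only access plus EC2 start/stop scoped by Department tag
      SessionDuration: PT1H          # ISO 8601 duration; sessions expire after 1 hour
      ManagedPolicies:
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: StartStopOwnDepartmentInstances
            Effect: Allow
            Action:
              - ec2:StartInstances
              - ec2:StopInstances
            Resource: arn:aws:ec2:*:*:instance/*
            Condition:
              StringEquals:
                aws:ResourceTag/Department: "${aws:PrincipalTag/Department}"

  # Assignment: Identity Center provisions the corresponding IAM role into the
  # target account and grants the group access to it through the access portal.
  DepartmentOperatorAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt DepartmentOperatorPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref GroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TargetAccountId
```

Deploy the stack from the organization's management account (or a delegated administrator account for IAM Identity Center). When the inline policy changes, updating the stack re-provisions the permission set in every account it is assigned to; the assignment resource is what causes the role to exist in the target account. Because the ABAC condition compares a resource tag with a session tag, a user in the Engineering department cannot stop Finance instances even though both departments share the same permission set, which is the point of mapping attributes instead of creating one permission set per department.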

You can get AWS CLI credentials for any AWS account and user permissions that your IAM Identity Center administrator has assigned to you. These CLI credentials can be used for programmatic access to the AWS account.

AWS CLI credentials fetched through IAM Identity Center are valid for 60 minutes. You can get a fresh set of credentials as often as needed.

Single sign-on access to business applications

From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose an application from the list of cloud applications that are pre-integrated with IAM Identity Center. Follow the on-screen instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

Yes. If your application supports SAML 2.0, you can configure your application as a custom SAML 2.0 application. From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose Custom SAML 2.0 application. Follow the instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

No. IAM Identity Center supports only SAML 2.0–based applications.

Trusted identity propagation is built on the OAuth 2.0 Authorization Framework, which allows applications to access data and other resources on behalf of a specific user, without sharing that user's credentials. This feature of IAM Identity Center simplifies data access management and auditing for users, and improves the sign-in experience for analytics users across multiple AWS analytics applications.

No. IAM Identity Center supports single sign-on to business applications through web browsers only.

Resource and database administrators can define access to their assets on a granular user and group membership level. Auditors can review user actions across interconnected business intelligence and data analytics applications. Users of business intelligence applications can authenticate once to access AWS data sources. Trusted identity propagation helps customers meet requirements for least-privilege access to data in analytics workflows that span multiple applications and AWS services, such as Amazon Redshift, Amazon S3, Amazon QuickSight, Amazon Athena, and AWS Lake Formation.

Miscellaneous

IAM Identity Center will store data about which AWS accounts and cloud applications are assigned to which users and groups, as well as what permissions have been granted for accessing AWS accounts. IAM Identity Center will also create and manage IAM roles in individual AWS accounts for each permission set you grant access for your users.

With IAM Identity Center, you can enable standards-based strong authentication capabilities for all your users across all identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable the multi-factor authentication capabilities of your provider. When using IAM Identity Center or Active Directory as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to AWS accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy.

You can also use your existing Remote Authentication Dial-In User Service (RADIUS) MFA configuration with IAM Identity Center and AWS Directory Service to authenticate your users as a secondary form of verification. To learn more about configuring MFA with IAM Identity Center, visit the IAM Identity Center User Guide.

Yes. For user identities in IAM Identity Center’s identity store and Active Directory, IAM Identity Center supports the Web Authentication (WebAuthn) specification to help you secure user access to AWS accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy.

Employees can get started with IAM Identity Center by visiting the access portal that is generated when you configure your identity source in IAM Identity Center. If you manage your users in IAM Identity Center, your employees can use the email address and password they configured with IAM Identity Center to sign in to the user portal. If you connect IAM Identity Center to a Microsoft Active Directory or a SAML 2.0 identity provider, your employees can sign in to the user portal with their existing corporate credentials and then view the accounts and applications assigned to them. To access an account or application, employees choose the associated icon from the access portal.

Yes. IAM Identity Center provides account assignment APIs to help you automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.