AWS IAM Identity Center (Formerly AWS SSO): Complete Guide

AWS IAM Identity Center helps you centrally manage access to multiple AWS accounts and cloud applications using single sign-on (SSO). It simplifies identity management across AWS Organizations while improving security, visibility, and scalability.

This guide covers:

• What IAM Identity Center is
• How it works
• Initial configuration
• Permission sets and roles
• Integration with Service Control Policies (SCPs)
• Identity providers and best practices

🔍 What Is AWS IAM Identity Center?

IAM Identity Center is a centralized identity and access management service for AWS Organizations. It allows users to sign in once and securely access:

• Multiple AWS accounts
• AWS-managed applications
• Third-party SaaS applications

⭐ Key Features

• Centralized access across AWS Organizations
• Built-in directory or external identity provider support
• Account-level permission assignments
• Support for SAML 2.0–based IdPs
• Short-lived credentials for improved security

---

🧩 Architecture Overview

IAM Identity Center sits between your identity source and AWS accounts:

• Users authenticate with an IdP
• Permission sets define allowed actions
• Temporary IAM roles are created automatically
• Access is granted without long-lived credentials

---

🏢 Using Service Control Policies (SCPs) with IAM Identity Center

Service Control Policies define the maximum permissions an AWS account can have. SCPs do not grant permissions — they limit what IAM roles and permission sets can do.

🔐 Example: Restrict AWS Regions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}

💡 Even admins using IAM Identity Center cannot bypass SCP restrictions.

---

⚙️ Initial Setup of IAM Identity Center

Step-by-Step

1. Open IAM Identity Center in the AWS Console
2. Enable it for your AWS Organization
3. Choose an identity source:

• AWS-managed directory
• External identity provider
  1. Create or sync users and groups
  2. Assign users or groups to AWS accounts using permission sets

---

🔗 Supported Identity Providers

IAM Identity Center supports many enterprise identity providers, including:

• AWS IAM Identity Center directory
• Microsoft Entra ID (Azure AD)
• Okta
• OneLogin
• Google Workspace (SAML)
• Any SAML 2.0–compliant IdP

This enables seamless integration with existing corporate identity systems.

---

🧾 Permission Sets Explained

Permission sets are reusable access templates that define what users can do in an AWS account. Internally, they create IAM roles automatically.

Example: Admin Permission Set (YAML)

Name: AdminAccess
ManagedPolicies:
  - arn:aws:iam::aws:policy/AdministratorAccess
SessionDuration: PT1H

📌 Permission sets can include:

• AWS-managed policies
• Customer-managed policies
• Inline policies
• Session duration controls

---

👥 Managing Access with Groups

Group-based access simplifies large-scale management.

Benefits

• Assign permissions once to a group
• Automatically applies to all group members
• Reduces operational overhead

Limitations

• No nested groups
• Group sync depends on IdP capabilities

Common group examples:

• DevOps-Team
• Security-Analysts
• Finance-Admins

---

🔄 Service Roles and Automation

AWS services such as Lambda, CloudFormation, and EC2 use service-linked roles to interact with AWS APIs securely.

IAM Identity Center works alongside these roles by:

• Limiting who can deploy or modify services
• Ensuring automation follows least-privilege rules

---

🕐 Temporary and Cross-Account Access

IAM Identity Center uses temporary credentials via role assumption, eliminating static access keys.

Cross-Account Trust Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountA>:role/SSOUserRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This enables secure access between accounts without credential sharing.

---

✅ Best Practices

• Use SCPs to enforce guardrails
• Assign permissions to groups, not users
• Keep session durations short
• Use least-privilege permission sets
• Integrate with an external IdP for lifecycle management

---

🧠 Summary

AWS IAM Identity Center provides:

• Centralized identity and access management
• Secure, temporary credentials
• Scalable permissions across AWS Organizations
• Seamless SSO for AWS and third-party apps

When combined with SCPs and strong governance, it forms the backbone of a secure enterprise AWS environment.

---

📚 References

• IAM Identity Center Documentation
• AWS Organizations and Service Control Policies (SCPs)
• Permission Set Configuration Examples (AWS IAM Identity Center)

---