AWS IAM Identity Center: Basic to Advanced

The objective is to give a brief overview of the basic and advanced features of AWS IAM Identity Center, along with use cases and references.

Published Feb 10, 2025

1. AWS IAM Identity Center Overview

1.1 What is it?

IAM Identity Center is a managed AWS service that provides:
  • Single Sign-On (SSO) : Users log in through a single portal and have access to multiple accounts and applications (AWS and SaaS).
  • Centralized Identity Management : Creation and management of users and groups in an internal directory or with integration with an external identity provider (IdP), such as Azure AD, Okta, etc.
  • Permission Assignment : Associates permission profiles (IAM Roles and policies) with users or groups, controlling exactly what each person can do in each AWS account.

1.2 Differentiation from Other IAM Services

  • IAM (Identity and Access Management) is the core service for managing policies, roles, users, and groups in your AWS account.
  • IAM Identity Center expands on this functionality by offering SSO across multiple AWS accounts and applications, with a simplified authentication experience.
  • It also allows federation configurations with external IdPs and use of standards such as SAML 2.0 and SCIM (for automated user and group provisioning).

1.3 Use Cases

  • Multi-account environments : Many companies use AWS Organizations to manage multiple accounts. IAM Identity Center allows you to centrally manage who accesses each account and with what permissions.
  • Integration with Corporate Directories : Companies that already have a user directory (e.g. Active Directory, Okta, Azure AD) can synchronize identities and groups to grant or revoke access centrally.
  • Simplified Access to SaaS Applications : In addition to AWS accounts, IAM Identity Center can provide access to third-party services (Salesforce, Office 365, etc.) using SAML or OpenID Connect (OIDC).

2. Basic Settings

2.1 Enabling IAM Identity Center

  1. Go to the AWS Management Console .
  2. Go to IAM Identity Center (it may be listed as “AWS Single Sign-On” in some older regions).
  3. If this is your first time, click Enable IAM Identity Center .
  4. Choose directory mode:
    • IAM Identity Center directory (default) – manages users/groups within the service itself.
    • External Identity Provider – Integrates with an existing IdP via SAML 2.0 or via AWS Directory Service (for on-premises Active Directory, for example).

2.2 Creating Users and Groups (internal mode)

  • Users : Enter name, email, MFA configuration (if desired), etc.
  • Groups : Define groups like “DevOps”, “Finance”, “Security” and add users.
  • Manual Provisioning : If you don't have an external IdP, you can create users directly in IAM Identity Center.

2.3 Assigning Access to AWS Accounts

  1. Go to AWS Accounts in IAM Identity Center.
  2. Select the account you want to configure.
  3. Click Assign Users or Groups.
  4. Select the user or group and choose a role (or create a new one) to determine permissions.
    • Example: “PowerUserAccess” for DevOps teams; “ReadOnlyAccess” for auditing, etc.

2.4 Access Portal

  • Once configured, each user uses an SSO Portal (for example, https://<yourcompany>.awsapps.com/start) to log in.
  • In this portal, the user sees the AWS accounts and available applications. With one click, the user can access the consoles without having to re-enter credentials or keys.

3. Integration with Identity Providers (IdP)

3.1 Benefits

  • Automated Provisioning (SCIM): When a new employee joins the organization (is created in the IdP), the user is automatically propagated to IAM Identity Center, avoiding manual rework.
  • Single Sign-On with Central MFA : Strong authentication occurs at the IdP (e.g., Azure AD with MFA). Users do not need to have separate passwords for IAM Identity Center.
  • Immediate Revocation : If the user is removed from the IdP (e.g., termination), their AWS access is also revoked.

3.2 Integration Methods

  1. SAML 2.0 : Most IdPs like Okta, Ping, Azure AD, ADFS support SAML.
  2. SCIM : For automatic provisioning of users and groups.
  3. Azure AD : Native integration allows you to configure single sign-on and provisioning without additional scripts, following official AWS and Microsoft tutorials.
  4. Okta : Similar to Azure AD, with official guides for SAML + SCIM.

3.3 Simplified Step-by-Step (Azure AD Example)

  1. In AWS IAM Identity Center, choose “External identity provider” and select SAML 2.0.
  2. In Azure AD, configure a SAML enterprise application pointing to the IAM Identity Center endpoint.
  3. Export metadata and import into IAM Identity Center.
  4. Enable SCIM for automatic provisioning by copying the provisioning token from IAM Identity Center to Azure AD.
  5. Test with a test user in Azure AD, and verify that it appears in the IAM Identity Center.

4. Advanced Features

4.1 Customizing Permission Assignment

  • Permission Sets : These are collections of IAM policies that define permissions. You associate them with users/groups for certain accounts.
    • Ex.: “DevOpsProdPermissionSet” with the ability to create and manage resources, but without the ability to delete logs.
  • Advanced Policies : Combine AWS managed policies with custom policies for extra granularity (e.g., restricting access to specific S3 buckets).
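As an added example (not code from the original post), here is how a permission set like the “DevOpsProdPermissionSet” above could be written as an inline policy, with a minimal evaluator that reproduces IAM's explicit-deny-wins rule so the policy can be sanity-checked before it is attached. The bucket name, account id and the simplified evaluator are assumptions for illustration, not AWS's real evaluation engine.

```python
import fnmatch

# Constructed example: an inline policy for a hypothetical "DevOpsProdPermissionSet".
# Broad resource management is allowed, deleting logs/trails is explicitly denied,
# and S3 access is restricted to one (made-up) bucket.
DEVOPS_PROD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "ecs:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-devops-artifacts",
                      "arn:aws:s3:::example-devops-artifacts/*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream", "cloudtrail:DeleteTrail"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM matches Action and Resource strings as case-insensitive wildcard patterns.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, then any Allow, else implicit deny.
    Condition keys, NotAction/NotResource, SCPs and permission boundaries are out of scope."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for action, resource in [
        ("ec2:RunInstances", "*"),
        ("logs:DeleteLogGroup", "arn:aws:logs:us-east-1:111122223333:log-group:app"),
        ("s3:GetObject", "arn:aws:s3:::example-devops-artifacts/build.zip"),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv"),
    ]:
        print(f"{action:22} {resource:55} -> {evaluate(DEVOPS_PROD_POLICY, action, resource)}")
```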

4.2 Enhanced MFA Configuration

  • MFA at the External IdP : If you are using Okta or Azure AD, the IdP's MFA solution manages authenticity.
  • Internal MFA : If you are using the internal IAM Identity Center directory, you can configure MFA based on authentication apps (Google Authenticator, Authy, etc.).
  • Adaptive/Contextual MFA : Some IdPs support adaptive MFA — prompting for MFA only if the user is outside the corporate network or in suspicious locations.

4.3 Auditing and Logs

  • AWS CloudTrail : Records events related to IAM Identity Center, such as permission set creation, group assignment, login attempts, etc.
  • AWS CloudWatch Metrics/Logs : Can be used to monitor activity and create alarms, for example, if login failure occurs repeatedly.
  • IdP Logs : In SAML integrations, part of the auditing also occurs at the IdP, recording who accessed which applications.
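As an added example (not part of the original post), here is a small Python check over constructed CloudTrail-style records that implements the two ideas above: alert on permission-set and account-assignment changes, and flag users with repeated sign-in failures inside a short window. The admin event names are real SSO Admin API operations; the sign-in event name “Authenticate”, its errorMessage field and the sample users and addresses are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, trimmed to the fields used here. The admin API
# names (CreatePermissionSet, CreateAccountAssignment, ...) are real SSO Admin operations;
# the "Authenticate" sign-in event shape with errorMessage on failure is an assumption.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-10T09:00:05Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7", "errorMessage": "Incorrect credentials"},
    {"eventTime": "2025-02-10T09:02:10Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7", "errorMessage": "Incorrect credentials"},
    {"eventTime": "2025-02-10T09:04:30Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7", "errorMessage": "Incorrect credentials"},
    {"eventTime": "2025-02-10T09:10:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2025-02-10T09:15:00Z", "eventSource": "sso.amazonaws.com", "eventName": "ListAccounts",
     "userIdentity": {"userName": "carol"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2025-02-10T09:16:00Z", "eventSource": "sso.amazonaws.com", "eventName": "CreateAccountAssignment",
     "userIdentity": {"userName": "carol"}, "sourceIPAddress": "203.0.113.9"},
]

# Changes to permission sets or account assignments widen or move access, so alert on them.
PRIVILEGE_CHANGE_EVENTS = {"CreatePermissionSet", "PutInlinePolicyToPermissionSet",
                           "AttachManagedPolicyToPermissionSet", "CreateAccountAssignment",
                           "DeleteAccountAssignment"}

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def privilege_changes(events):
    """Return (actor, eventName) for every Identity Center permission change, ignoring read-only noise."""
    return [(e["userIdentity"].get("userName", "?"), e["eventName"]) for e in events
            if e["eventSource"] == "sso.amazonaws.com" and e["eventName"] in PRIVILEGE_CHANGE_EVENTS]

def repeated_signin_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Map user -> largest burst of failed sign-ins (>= threshold) within any sliding `window`."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e["eventName"] == "Authenticate" and "errorMessage" in e:
            failures[e["userIdentity"].get("userName", "?")].append(_parse_time(e["eventTime"]))
    flagged = {}
    for user, times in failures.items():
        for start, t0 in enumerate(times):
            burst = [t for t in times[start:] if t - t0 <= window]
            if len(burst) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(burst))
    return flagged
```

In a real deployment the same two functions would run over records delivered to S3 or a CloudWatch Logs subscription, with the returned values feeding an alarm rather than a print statement.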

4.4 Credential Rotation and Management

  • Temporary Credentials : When a user accesses an account via IAM Identity Center, IAM roles with temporary credentials (STS) are used.
  • Session Policies : It is possible to limit the session duration, forcing re-authentication after a period.
  • Access Keys : IAM Identity Center can also provide programmatic (CLI) access by generating temporary credentials for users, ensuring that long-term credentials are not required.

4.5 Provisioning and Deprovisioning (SCIM)

  • If your organization uses a SCIM 2.0-compatible IdP, you can automate:
    • User Creation : Whenever a user is created in the IdP, it is entered into the IAM Identity Center.
    • Group Assignment : If the user is added to a “DevOps” group in the IdP, he or she automatically gains corresponding access in AWS.
    • Removal : If the user leaves the company or the group, access is revoked.

5. Best Practices

  1. Least Privilege : Create specific permission sets for each job function, avoiding granting “AdministratorAccess” indiscriminately.
  2. Environment Separation : Use different permission sets for development, staging, and production, ensuring that unrestricted access does not leak into production.
  3. Force MFA : If your IdP is not using MFA, enable MFA at least in the IAM Identity Center for sensitive accounts.
  4. Routine Access Policy : Periodically review who has access to which accounts/permission sets and remove obsolete privileges.
  5. Provisioning Automation : Whenever possible, use SCIM to synchronize users, reducing manual errors.
  6. Multi-account governance : If you are using AWS Organizations, enable delegation so that IAM Identity Center manages all member accounts.

6. Conclusion

AWS IAM Identity Center is a key component for enterprises looking to unify authentication and authorization across multiple AWS accounts and often dozens of SaaS applications. It simplifies user login flows, reduces credential management complexity, and strengthens security through MFA policies and federation with identity providers.
As your environment grows, advanced capabilities—such as SCIM for automatic provisioning, custom permission sets, integration with corporate directories, and detailed logging—become critical to maintaining user productivity and compliance with security standards. By adopting the above best practices, you can ensure a robust and scalable deployment that is prepared to meet your organization’s long-term governance and access control needs.
