AWS IAM Identity Center (Formerly AWS SSO): Complete Guide

AWS IAM Identity Center helps you centrally manage access to multiple AWS accounts and cloud applications using single sign-on (SSO). It simplifies identity management across AWS Organizations while improving security, visibility, and scalability.

This guide covers:

  • What IAM Identity Center is
  • How it works
  • Initial configuration
  • Permission sets and roles
  • Integration with Service Control Policies (SCPs)
  • Identity providers and best practices

🔍 What Is AWS IAM Identity Center?

IAM Identity Center is a centralized identity and access management service for AWS Organizations. It allows users to sign in once and securely access:

  • Multiple AWS accounts
  • AWS-managed applications
  • Third-party SaaS applications

⭐ Key Features

  • Centralized access across AWS Organizations
  • Built-in directory or external identity provider support
  • Account-level permission assignments
  • Support for SAML 2.0–based IdPs
  • Short-lived credentials for improved security

🧩 Architecture Overview

IAM Identity Center sits between your identity source and AWS accounts:

  • Users authenticate with an IdP
  • Permission sets define allowed actions
  • Temporary IAM roles are created automatically
  • Access is granted without long-lived credentials

[Image: IAM Identity Center architecture diagram]


🏢 Using Service Control Policies (SCPs) with IAM Identity Center

Service Control Policies define the maximum permissions an AWS account can have. SCPs do not grant permissions; they cap what IAM roles, including the roles that back permission sets, can do.

🔐 Example: Restrict AWS Regions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

💡 Even administrators signing in through IAM Identity Center cannot bypass SCP restrictions in a member account. The one exception is the organization's management account, to which SCPs do not apply, which is a good reason to keep workloads and day-to-day access out of it.
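To make the interaction concrete, here is a small added evaluator (not from the post or from AWS) that applies the region SCP above together with a permission set's policy: the permission set must allow the action and no SCP may deny it. It models only `Action` and the `StringEquals`/`StringNotEquals` operators, and assumes the default FullAWSAccess SCP is still attached so that only SCP denies matter.

```python
import fnmatch

# Constructed copy of the post's region-restriction SCP (Resource is not modelled here).
REGION_SCP = {"Statement": [{
    "Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}

# What the AdminAccess permission set's AdministratorAccess policy amounts to, plus a
# constructed read-only permission set for contrast.
ADMIN_PERMISSION_SET = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_PERMISSION_SET = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                          "Resource": "*"}]}

def _action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' wildcards; pattern may be a list."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, ctx):
    """Only StringEquals / StringNotEquals are modelled; enough for the region SCP."""
    for op, pairs in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            values = [expected] if isinstance(expected, str) else expected
            if (ctx.get(key) in values) != (op == "StringEquals"):
                return False
    return True

def evaluate(policy, action, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    decision = None
    for st in policy["Statement"]:
        if _action_matches(st["Action"], action) and _condition_holds(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, region, permission_set=ADMIN_PERMISSION_SET, scp=REGION_SCP):
    """Effective access = permission set allows AND no SCP denies (an explicit deny always wins).
    Assumes the default FullAWSAccess SCP remains attached, so only SCP denies are checked."""
    ctx = {"aws:RequestedRegion": region}
    if evaluate(scp, action, ctx) == "Deny":
        return False
    return evaluate(permission_set, action, ctx) == "Allow"
```

Running `is_allowed("s3:GetObject", "eu-west-1")` returns False even with the AdminAccess permission set, which is the "admins cannot bypass SCPs" point in executable form.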


⚙️ Initial Setup of IAM Identity Center

Step-by-Step

  1. Open IAM Identity Center in the AWS Console
  2. Enable it for your AWS Organization
  3. Choose an identity source:
     • AWS-managed directory
     • External identity provider
  4. Create or sync users and groups
  5. Assign users or groups to AWS accounts using permission sets

[Image: IAM Identity Center setup UI]


🔗 Supported Identity Providers

IAM Identity Center supports many enterprise identity providers, including:

  • AWS IAM Identity Center directory
  • Microsoft Entra ID (Azure AD)
  • Okta
  • OneLogin
  • Google Workspace (SAML)
  • Any SAML 2.0–compliant IdP

This enables seamless integration with existing corporate identity systems.


🧾 Permission Sets Explained

Permission sets are reusable access templates that define what users can do in an AWS account. When a permission set is assigned to an account, IAM Identity Center automatically provisions a corresponding IAM role in that account.

Example: Admin Permission Set (YAML)

```yaml
Name: AdminAccess
ManagedPolicies:
  - arn:aws:iam::aws:policy/AdministratorAccess
SessionDuration: PT1H
```

The session duration uses ISO 8601 notation (PT1H is one hour). These are the same properties a CloudFormation AWS::SSO::PermissionSet resource accepts, which additionally requires the InstanceArn of your IAM Identity Center instance.

📌 Permission sets can include:

  • AWS-managed policies
  • Customer-managed policies
  • Inline policies
  • Session duration controls
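The AdminAccess permission set above can be created and assigned to a group through the sso-admin API (setup steps 4 and 5). The helper below is an added example, not the post's code; the account id, group id and ARNs it uses are placeholders, and FakeSsoAdmin is a constructed stand-in so the flow can be exercised offline.

```python
# Hypothetical helper (not from the post or AWS): provisions the AdminAccess permission set
# and assigns a group to one account, i.e. setup steps 4-5 via the sso-admin API.
def provision_group_access(sso_admin, instance_arn, account_id, group_id,
                           name="AdminAccess",
                           managed_policy_arn="arn:aws:iam::aws:policy/AdministratorAccess",
                           session_duration="PT1H"):
    """`sso_admin` is a boto3 'sso-admin' client or any object with the same three methods."""
    created = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=name, SessionDuration=session_duration)
    ps_arn = created["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=managed_policy_arn)
    # Assigning a GROUP rather than a USER follows the post's group-based access advice.
    # The call is asynchronous: it returns a creation status that can be polled later.
    assignment = sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return ps_arn, assignment["AccountAssignmentCreationStatus"]


class FakeSsoAdmin:
    """Constructed stand-in that records calls so the flow can run offline; all values are placeholders."""
    def __init__(self):
        self.calls = []

    def create_permission_set(self, **kw):
        self.calls.append(("create_permission_set", kw))
        return {"PermissionSet": {"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}}

    def attach_managed_policy_to_permission_set(self, **kw):
        self.calls.append(("attach_managed_policy_to_permission_set", kw))
        return {}

    def create_account_assignment(self, **kw):
        self.calls.append(("create_account_assignment", kw))
        return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS", "RequestId": "req-EXAMPLE"}}


if __name__ == "__main__":
    import boto3  # real run: needs sso-admin permissions in the management or delegated admin account
    client = boto3.client("sso-admin")
    instance_arn = client.list_instances()["Instances"][0]["InstanceArn"]
    print(provision_group_access(client, instance_arn, "111122223333", "GROUP-ID-PLACEHOLDER"))
```

Against a real client, poll describe_account_assignment_creation_status with the returned RequestId until the status leaves IN_PROGRESS before relying on the assignment.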

👥 Managing Access with Groups

Group-based access simplifies large-scale management.

Benefits

  • Assign permissions once to a group
  • Automatically applies to all group members
  • Reduces operational overhead

Limitations

  • No nested groups
  • Group sync depends on IdP capabilities

Common group examples:

  • DevOps-Team
  • Security-Analysts
  • Finance-Admins

🔄 Service Roles and Automation

AWS services such as Lambda, CloudFormation, and EC2 act through IAM service roles (and, for some services, service-linked roles) to call AWS APIs on your behalf, instead of using any person's credentials.

IAM Identity Center works alongside these roles by:

  • Limiting who can deploy or modify services
  • Ensuring automation follows least-privilege rules

🕐 Temporary and Cross-Account Access

IAM Identity Center uses temporary credentials via role assumption, eliminating static access keys.

Cross-Account Trust Example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountA>:role/SSOUserRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

This enables access between accounts without sharing credentials. Note that the roles IAM Identity Center provisions from a permission set are named AWSReservedSSO_<PermissionSetName>_<suffix> under the path /aws-reserved/sso.amazonaws.com/, so a real trust policy would reference that role's ARN rather than a hand-picked name, and the permission set in Account A must itself allow sts:AssumeRole on the target role.


✅ Best Practices

  • Use SCPs to enforce guardrails
  • Assign permissions to groups, not users
  • Keep session durations short
  • Use least-privilege permission sets
  • Integrate with an external IdP for lifecycle management

🧠 Summary

AWS IAM Identity Center provides:

  • Centralized identity and access management
  • Secure, temporary credentials
  • Scalable permissions across AWS Organizations
  • Seamless SSO for AWS and third-party apps

When combined with SCPs and strong governance, it forms the backbone of a secure enterprise AWS environment.
