
Amazon IAM Identity Center

Amazon IAM Identity Center FAQs

General


IAM Identity Center is built on top of Amazon Identity and Access Management (IAM) to simplify access management to multiple Amazon Web Services accounts, Amazon Web Services applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across Amazon Web Services. You can choose to manage access just to your Amazon Web Services accounts, just to your cloud applications, or to both. You can create users directly in IAM Identity Center, or you can bring them from your existing workforce directory. With IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access their assigned Amazon Web Services accounts or cloud applications.

You can use IAM Identity Center to quickly and easily assign and manage your employees’ access to multiple Amazon Web Services accounts, SAML-enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing credentials or credentials that you configure in IAM Identity Center. They can use a single personalized user portal. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from Amazon CloudTrail.

IAM Identity Center eliminates the administrative complexity of federating and managing permissions separately for each Amazon Web Services account. It allows you to set up Amazon Web Services applications from a single interface, and to assign access to your cloud applications from a single place. IAM Identity Center also helps improve access visibility by integrating with Amazon CloudTrail and providing a central place for you to audit single sign-on access to Amazon Web Services accounts and SAML-enabled cloud applications, such as Microsoft 365, Salesforce, and Box.

IAM Identity Center is our recommended front door into Amazon Web Services and should be your primary tool for managing the access of your workforce users. It lets you manage your identities in your preferred identity source, connect them once for use in Amazon Web Services, and define fine-grained permissions that are applied consistently across accounts. As the number of your accounts grows, IAM Identity Center gives you the option to use it as a single place to manage user access to all your cloud applications.

You can use IAM Identity Center to quickly and easily assign your employees access to Amazon Web Services accounts within Amazon Organizations, business cloud applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in IAM Identity Center to access their business applications from a single user portal. IAM Identity Center also allows you to audit users’ access to cloud services by using Amazon CloudTrail.

IAM Identity Center is for administrators who manage multiple Amazon Web Services accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.

As a new IAM Identity Center customer, you:
  1. Sign in to the Amazon Web Services Management Console as the management account and navigate to the IAM Identity Center console.
  2. Select the directory you use for storing the identities of your users and groups from the IAM Identity Center console. IAM Identity Center provides you a directory by default that you can use to manage users and groups in IAM Identity Center. You can also change the directory to connect to a Microsoft AD directory by clicking through a list of Managed Microsoft AD and AD Connector instances that IAM Identity Center discovers in your account automatically. If you want to connect to a Microsoft AD directory, see Setting up Amazon Directory Service.
  3. Grant users single sign-on access to Amazon Web Services accounts in your organization by selecting the Amazon Web Services accounts from a list populated by IAM Identity Center, and then selecting users or groups from your directory and the permissions you want to grant them.
  4. Give users access to business cloud applications by:
    a. Selecting one of the applications from the list of pre-integrated applications supported in IAM Identity Center.
    b. Configuring the application by following the configuration instructions.
    c. Selecting the users or groups that should be able to access this application.
  5. Give your users the IAM Identity Center sign-in web address that was generated when you configured the directory so that they can sign in to IAM Identity Center and access accounts and business applications.

IAM Identity Center is offered at no extra charge.

IAM Identity Center is available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and Amazon Web Services China (Ningxia) region, operated by NWCD.

Identity sources and applications support


With IAM Identity Center, you can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source including Microsoft Active Directory, Okta Universal Directory, Azure Active Directory (Azure AD), or another supported IdP*. See the IAM Identity Center User Guide to learn more.

No. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. You can, however, change the connected identity source to a different one.

You can connect IAM Identity Center to most SAML 2.0 IdPs, such as Okta Universal Directory or Azure Active Directory*. See the IAM Identity Center User Guide to learn more.

Identities from your existing IdP must be provisioned into IAM Identity Center before you can assign permissions. You can synchronize user and group information from Okta Universal Directory, Azure AD, OneLogin, and PingFederate* automatically using the System for Cross-domain Identity Management (SCIM) standard. For other IdPs, you can provision users from your IdP using the IAM Identity Center console. See the IAM Identity Center User Guide to learn more.

Yes. If you use Okta Universal Directory, Azure AD, OneLogin, or PingFederate*, you can use SCIM to synchronize user and group information from your IdP to IAM Identity Center automatically. See the IAM Identity Center User Guide to learn more.

You can connect IAM Identity Center to your on-premises Active Directory (AD) or to an Amazon Managed Microsoft AD directory using Amazon Directory Service. See the IAM Identity Center User Guide to learn more.

You have two options for connecting an on-premises Active Directory to IAM Identity Center: (1) use AD Connector, or (2) use an Amazon Managed Microsoft AD trust relationship. AD Connector simply connects your existing on-premises Active Directory to Amazon Web Services. AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see the Amazon Directory Service Administration Guide. Amazon Managed Microsoft AD makes it easy to set up and run Microsoft Active Directory in Amazon Web Services. It can be used to set up a forest trust relationship between your on-premises directory and Amazon Managed Microsoft AD. To set up a trust relationship, see the Amazon Directory Service Administration Guide.

Yes, you can use IAM Identity Center to control access to the Amazon Web Services Management Console and CLI v2. IAM Identity Center enables your users to access the CLI and Amazon Web Services Management Console through a single sign-on experience.

You can connect the following applications to IAM Identity Center:
  1. IAM Identity Center-integrated applications: IAM Identity Center-integrated applications use IAM Identity Center for authentication and work with the identities you have in IAM Identity Center. There is no need for additional configuration to synchronize identities into these applications or to set up federation separately.
  2. Pre-integrated SAML applications: IAM Identity Center comes pre-integrated with commonly used business applications. For a comprehensive list, see the IAM Identity Center console.
  3. Custom SAML applications: IAM Identity Center supports applications that allow identity federation using SAML 2.0. You can enable IAM Identity Center to support these applications by using the custom application wizard.

Single sign-on access to Amazon Web Services accounts


You can add any Amazon Web Services account managed using Amazon Organizations to IAM Identity Center. You need to enable all features in your organization to manage single sign-on access to your accounts.

You can pick accounts within the organization or filter accounts by OU.

When granting access to your users, you can limit the users’ permissions by picking a permission set. Permission sets are a collection of permissions that you can create in IAM Identity Center, modeling them based on Amazon Web Services managed policies for job functions or any Amazon Web Services managed policies. Amazon Web Services managed policies for job functions are designed to closely align to common job functions in the IT industry. If required, you can also fully customize the permission set to meet your security requirements. IAM Identity Center applies these permissions to the selected accounts automatically. As you change the permission sets, IAM Identity Center enables you to apply the changes to the relevant accounts easily. When your users access the accounts through the access portal, these permissions restrict what they can do within those accounts. You can also grant multiple permission sets to your users. When they access the account through the user portal, they can pick which permission set they want to assume for that session.

IAM Identity Center provides APIs and Amazon CloudFormation support to automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.

To implement ABAC, you can select attributes from the IAM Identity Center identity store for IAM Identity Center users and for users synchronized from Microsoft AD or external SAML 2.0 IdPs including Okta Universal Directory, Azure AD, OneLogin, or PingFederate*. When using an IdP as your identity source, you can optionally send the attributes as part of a SAML 2.0 assertion.
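The attribute-based pattern described above, as an added example that is not part of Amazon's documentation: a sample ABAC inline policy for a permission set, with a deliberately simplified evaluator showing how the session attribute (surfaced as aws:PrincipalTag/CostCenter) decides access. The action list, the CostCenter tag key and the sample values are assumptions.

```python
import re

# Constructed ABAC inline policy for a permission set: the CostCenter
# attribute that IAM Identity Center passes into the session becomes
# aws:PrincipalTag/CostCenter, so only resources tagged with the same
# value are in scope. Action list and tag key are sample choices.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SameCostCenterOnly",
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}},
    }],
}

VARIABLE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve(value, principal_tags):
    """Expand ${aws:PrincipalTag/Key} from the session's attributes.
    Returns None when the attribute was never sent, so the condition
    fails closed, as IAM does for an unresolvable policy variable."""
    match = VARIABLE.fullmatch(value)
    if match is None:
        return value
    return principal_tags.get(match.group(1))


def allowed(policy, action, principal_tags, resource_tags):
    """Simplified evaluator: exact action match and StringEquals on
    aws:ResourceTag keys only, enough to show the ABAC decision."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        for key, expected in conditions.items():
            tag_key = key[len("aws:ResourceTag/"):]
            want = resolve(expected, principal_tags)
            if want is None or resource_tags.get(tag_key) != want:
                break  # this statement does not match
        else:
            return True  # every condition held (or there were none)
    return False


if __name__ == "__main__":
    session = {"CostCenter": "4711"}
    print(allowed(ABAC_POLICY, "ec2:StopInstances", session, {"CostCenter": "4711"}))  # True
    print(allowed(ABAC_POLICY, "ec2:StopInstances", session, {"CostCenter": "9999"}))  # False
    print(allowed(ABAC_POLICY, "ec2:StopInstances", {}, {"CostCenter": "4711"}))       # False
```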

You can get Amazon Web Services CLI credentials for any Amazon Web Services account and user permissions that your IAM Identity Center administrator has assigned to you. These CLI credentials can be used for programmatic access to the Amazon Web Services account.

Amazon Web Services CLI Credentials fetched through IAM Identity Center are valid for 60 minutes. You can get a fresh set of credentials as often as needed.

Single sign-on access to business applications


From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose an application from the list of cloud applications that are pre-integrated with IAM Identity Center. Follow the on-screen instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

Yes. If your application supports SAML 2.0, you can configure your application as a custom SAML 2.0 application. From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose Custom SAML 2.0 application. Follow the instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

No. IAM Identity Center supports only SAML 2.0–based applications.

No. IAM Identity Center supports single sign-on to business applications through web browsers only.

Miscellaneous


IAM Identity Center stores your user and group attributes, the metadata about which Amazon Web Services accounts and cloud applications are assigned to which users and groups, and what permissions have been granted for accessing Amazon Web Services accounts. IAM Identity Center also creates and manages IAM roles in individual Amazon Web Services accounts for each permission set you grant access for your users.

IAM Identity Center integrates with Amazon Key Management Service (KMS) to encrypt your data at rest. By default, IAM Identity Center encrypts your data with Amazon-owned KMS keys. If you want to have full control and visibility over your encryption key management and use, you can provide your own customer-managed KMS keys to encrypt your identity data such as user and group attributes. IAM Identity Center also signs your data at rest to protect it from tampering.

IAM Identity Center encrypts your data in transit using TLS 1.2 and TLS 1.3.

With IAM Identity Center, you can enable standards-based strong authentication capabilities for all your users across all identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable the multi-factor authentication capabilities of your provider. When using IAM Identity Center or Active Directory as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to Amazon Web Services accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTP) using authenticator apps such as Twilio Authy*.

You can also use your existing Remote Authentication Dial-In User Service (RADIUS) MFA configuration with IAM Identity Center and Amazon Directory Service to authenticate your users as a secondary form of verification. To learn more about configuring MFA with IAM Identity Center, visit the IAM Identity Center User Guide.

Yes. For user identities in IAM Identity Center’s identity store and Active Directory, IAM Identity Center supports the Web Authentication (WebAuthn) specification to help you secure user access to Amazon Web Services accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTP) using authenticator apps such as Twilio Authy*.

*The application and identity providers referenced here are third parties. Their instances may be located outside of China. Customers should verify the location of the instances with the third-party providers directly, and customers should confirm whether any cross-border transfers of data comply with their obligations under applicable laws. If customers use the services offered by these third parties, customers may experience higher latency due to reasons beyond the control of Amazon Web Services (e.g., if the third party’s servers are outside of China), and customers should work with the third-party provider directly to address latency.

Employees can get started with IAM Identity Center by visiting the access portal that is generated when you configure your identity source in IAM Identity Center. If you manage your users in IAM Identity Center, your employees can use the email address and password they configured with IAM Identity Center to sign in to the user portal. If you connect IAM Identity Center to a Microsoft Active Directory or a SAML 2.0 identity provider, your employees can sign in to the user portal with their existing corporate credentials and then view the accounts and applications assigned to them. To access an account or application, employees choose the associated icon from the access portal.

Yes. IAM Identity Center provides account assignment APIs to help you automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.
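The permission sets and account assignment APIs described in this answer and in the single sign-on access section above, as an added example that is not Amazon's own code: a Python audit that enumerates every (account, permission set, principal) grant and flags those carrying AdministratorAccess. FakeSsoAdmin is a constructed in-memory stand-in so the block runs offline; the instance and permission set ARNs, account IDs and principal IDs are sample data, while the call names and response keys follow the sso-admin API.

```python
# Constructed audit example. With boto3 installed, pass boto3.client("sso-admin")
# instead of FakeSsoAdmin, and use get_paginator() for the list_* calls at scale.

def audit_assignments(sso, instance_arn):
    """Return one record per (account, permission set, principal) grant."""
    rows = []
    for ps_arn in sso.list_permission_sets(InstanceArn=instance_arn)["PermissionSets"]:
        ps = sso.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]
        policies = [p["Arn"] for p in sso.list_managed_policies_in_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["AttachedManagedPolicies"]]
        for account in sso.list_accounts_for_provisioned_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=ps_arn)["AccountIds"]:
            for a in sso.list_account_assignments(
                    InstanceArn=instance_arn, AccountId=account,
                    PermissionSetArn=ps_arn)["AccountAssignments"]:
                rows.append({"account": account, "permission_set": ps["Name"],
                             "session": ps.get("SessionDuration"), "policies": policies,
                             "principal": f'{a["PrincipalType"]}:{a["PrincipalId"]}'})
    return rows

def admin_grants(rows):
    """Rows whose permission set attaches the AdministratorAccess managed policy."""
    return [r for r in rows if any(p.endswith("/AdministratorAccess") for p in r["policies"])]

class FakeSsoAdmin:
    """Sample data: ARN -> (name, session, managed policy ARNs, {account: [(type, id)]})."""
    DATA = {
        "arn:aws-cn:sso:::permissionSet/ssoins-sample/ps-admin": (
            "AdministratorAccess", "PT1H", ["arn:aws-cn:iam::aws:policy/AdministratorAccess"],
            {"111111111111": [("GROUP", "g-platform")]}),
        "arn:aws-cn:sso:::permissionSet/ssoins-sample/ps-ro": (
            "ReadOnly", "PT8H", ["arn:aws-cn:iam::aws:policy/ReadOnlyAccess"],
            {"111111111111": [("GROUP", "g-auditors")], "222222222222": [("USER", "u-alice")]}),
    }

    def list_permission_sets(self, InstanceArn):
        return {"PermissionSets": list(self.DATA)}

    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        name, session, _, _ = self.DATA[PermissionSetArn]
        return {"PermissionSet": {"Name": name, "SessionDuration": session}}

    def list_managed_policies_in_permission_set(self, InstanceArn, PermissionSetArn):
        return {"AttachedManagedPolicies": [{"Name": a.rsplit("/", 1)[1], "Arn": a}
                                            for a in self.DATA[PermissionSetArn][2]]}

    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn):
        return {"AccountIds": list(self.DATA[PermissionSetArn][3])}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn):
        return {"AccountAssignments": [{"PrincipalType": t, "PrincipalId": i}
                                       for t, i in self.DATA[PermissionSetArn][3].get(AccountId, [])]}
```

Calling `audit_assignments(FakeSsoAdmin(), "arn:aws-cn:sso:::instance/ssoins-sample")` yields one row per grant, and `admin_grants` narrows that to the rows an auditor would review first.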
