Amazon IAM Identity Center Features

Amazon IAM Identity Center makes it easy to centrally manage access to multiple Amazon Web Services accounts and business applications. It provides your workforce with single sign-on access to all assigned accounts and applications from one place. With IAM Identity Center, you can easily manage centralized access and user permissions to all your accounts in Amazon Organizations. IAM Identity Center configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. IAM Identity Center also includes built-in integrations to Amazon Web Services applications, and many business applications, such as Salesforce, Box, and Microsoft 365.

You can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, and Azure Active Directory (Azure AD). IAM Identity Center allows you to select user attributes, such as cost center, title, or locale, from your identity source, and then use them for attribute-based access control (ABAC) in Amazon Web Services.

It is easy to get started with IAM Identity Center. With just a few clicks in the IAM Identity Center management console you can connect to your existing identity source. From there, you can configure permissions that grant your users access to their assigned accounts in Amazon Organizations and hundreds of pre-configured cloud applications, all from a single user portal.

IAM Identity Center provides you an identity store by default that you can use to create users and organize them in groups within IAM Identity Center. You can create users in IAM Identity Center by configuring their email address and name. When you create a user, by default IAM Identity Center sends an email to the user so that your users can set their own password. Within minutes, you can grant your users and groups permissions to Amazon Web Services resources in all your Amazon Web Services accounts as well as many business applications. Your users sign in to a user portal with credentials they configured in IAM Identity Center to access all of their assigned accounts and applications in a single place.

You can connect IAM Identity Center to Okta Universal Directory, Azure AD, or another supported identity provider (IdP) via Security Assertion Markup Language (SAML) 2.0 so your users can sign in with their existing credentials. And, IAM Identity Center also supports System for Cross-domain Identity Management (SCIM) for automation of user provisioning. You can manage your users in your IdP, get them into Amazon Web Services quickly, and centrally manage their access to all Amazon Web Services accounts and business applications. IAM Identity Center also allows you to select multiple user attributes, such as cost center, title, or locale, from your Okta Universal Directory, and then use them for ABAC to simplify and centralize your access administration.

With IAM Identity Center, you can manage single sign-on access to accounts and applications using your existing corporate identities from Microsoft Active Directory Domain Services (AD DS). IAM Identity Center connects to AD DS through Amazon Directory Service and enables you to grant users access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create a group for a team of developers working on an application and grant the group access to the Amazon Web Services accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the Amazon Web Services accounts for the application automatically. IAM Identity Center also allows you to select multiple user attributes, such as cost center, title, or locale, from your AD, and then use them for ABAC to simplify and centralize your access administration.

IAM Identity Center allows you to enforce MFA for all your users, including the requirement for the users to set up MFA devices during sign-in. With IAM Identity Center, you can use standards-based strong authentication capabilities for all your users across all your identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable multi-factor authentication (MFA) capabilities of your provider. When using Active Directory or IAM Identity Center as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to Amazon Web Services accounts and business. applications using with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time-passwords (TOTPs) using authenticator apps such as Twilio Authy*.

IAM Identity Center builds on Amazon Identity and Access Management (IAM) roles and policies to help you manage access centrally across all Amazon Web Services accounts in your Amazon Organizations. IAM Identity Center uses permission sets, which are collections of one or more IAM policies. You then assign permission set(s) to define the access for your users/groups. Based on those assignments, the service creates an IAM Identity Center-controlled IAM role, and attaches the policies specified in the permission set to those roles within each assigned account. No additional configuration is required in the individual accounts.  

IAM Identity Center offers temporary elevated access through a range of partner integration options. We have validated that CyberArk Secure Cloud Access, Ermetic, and Okta Access Requests help address a range of temporary elevated access scenarios, including sensitive operations demanding full auditability, multi-cloud environments with complex entitlements and audit needs, and organizations using multiple identity sources and application integrations. Workforce users who do not have standing permissions to perform sensitive operations, such as changing configuration on a high-value resource in a production environment, can request access, receive approval, and perform the operation during a specified time. And, auditors can view a log of actions and approvals in the partner solution.

Inside the IAM Identity Center console, use application assignments to provide single sign-on access to many SAML 2.0 business applications, including Salesforce, Box, and Microsoft 365. You can easily configure single sign-on access to these applications by following step by step instructions inside IAM Identity Center. It will guide you through entering the required URLs, certificates, and metadata. For a full list of business applications pre-integrated with IAM Identity Center, see IAM Identity Center cloud applications.

IAM Identity Center makes it easy for you to create and use fine-grained permissions for your workforce based on user attributes defined in your IAM Identity Center identity store. IAM Identity Center allows you to select multiple attributes, such as cost center, title, or locale, and then use them for attribute-based access control (ABAC) to simplify and centralize your access administration. You can define permissions once for your entire Amazon Organizations, and then grant, revoke, or modify access by simply changing the attributes in the identity source.

Learn more about ABAC »

IAM Identity Center supports centralized administration and API access from an Amazon Organizations delegated administrator account for all member accounts in your organization. This means you can designate an account in your organization that can be used to centrally administer all member accounts. With delegated administration, you can adhere to recommended practices by reducing the need to use your management account.

IAM Identity Center supports security standards and compliance requirements, including support for Payment Card Industry - Data Security Standard (PCI DSS), International Organization for Standardization (ISO), System and Organization Controls (SOC) 1, 2, and 3.

IAM Identity Center requires integration with Amazon Organizations, enabling you to select one or more accounts from your organization and grant users access to these accounts. With just a few clicks, you can begin using IAM Identity Center and grant your workforce access to all of the Amazon Web Services accounts being used for an application or by a team.

You can create single sign-on integrations to SAML 2.0-enabled applications using the IAM Identity Center application assignments configuration wizard. The application assignments configuration wizard helps you select and format the information to send applications to enable single sign-on access. For example, you can create a SAML attribute for username and specify the format for the attribute based on a user’s email address from their AD profile.

All administrative and multi-account access activity is recorded in Amazon CloudTrail, giving you the visibility to audit IAM Identity Center activity centrally. Through CloudTrail, you can view activity such as sign in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period or when a user was given access to a specific application.

*The application and identity providers referenced here are third parties. Their instances may be located outside of China.  Customers should verify the location of the instances with the third-party providers directly, and customers should confirm whether any cross-border transfers of data comply with their obligations under applicable laws.  If customers use the services offered by these third parties, customers may experience higher latency due to reasons beyond the control of Amazon Web Services (e.g., if the third party’s servers are outside of China), and customers should work with the third-party provider directly to address latency.