Understanding AWS IAM Identity Center (Successor to AWS SSO)

A comprehensive guide to AWS IAM Identity Center, the service formerly known as AWS SSO. Learn how it simplifies multi-account access and centralizes user management.

Managing users and permissions across multiple AWS accounts can quickly become complex and error-prone. In the past, developers might have had separate IAM users in each account, leading to a nightmare of credential management. The solution to this is AWS IAM Identity Center, the service that evolved from what was formerly known as AWS Single Sign-On (SSO).

IAM Identity Center provides a single place to create or connect your workforce identities and manage their access centrally across all your AWS accounts and applications.

Why Do You Need IAM Identity Center?

Imagine your organization has separate AWS accounts for development, staging, and production. Without a centralized system:

  • Each developer needs a separate IAM user in every account they need to access.
  • When a developer leaves the company, you have to remember to deprovision their user in every single account.
  • Enforcing consistent security policies (like MFA) across all users and accounts is difficult.

IAM Identity Center solves these problems by decoupling your users from the roles they assume in each account.

Core Concepts

  1. Identity Source: This is where your users and groups are defined. IAM Identity Center can connect to an external identity provider (IdP) like Okta, Azure AD (now Microsoft Entra ID), or Google Workspace. Alternatively, you can create and manage users and groups directly within IAM Identity Center itself.

  2. AWS Accounts: You connect all the AWS accounts in your organization to your central IAM Identity Center instance.

  3. Permission Sets: A permission set is a template for creating an IAM role. It's a collection of IAM policies (either AWS managed or customer managed) that defines a specific level of access (e.g., "ReadOnlyAccess", "PowerUserAccess", "BillingAdmin").

  4. Assignments: This is where you tie everything together. You create an assignment that says, "Grant this user or group access to this permission set in this AWS account."

How It Works: The Login Flow

  1. A user navigates to a unique AWS access portal URL.
  2. They authenticate using the configured identity source (e.g., by entering their Okta credentials).
  3. Once authenticated, the portal displays a list of all the AWS accounts and roles (permission sets) they have been granted access to.
  4. The user clicks on a specific role in a specific account (e.g., "PowerUser" in the "Development" account).
  5. IAM Identity Center dynamically generates temporary credentials, and the user is redirected to the AWS Management Console for that account, logged in with that role. No long-lived IAM user keys are involved.

This process provides a seamless and secure single sign-on experience.

Key Benefits

  • Centralized Management: Manage all user access to all your AWS accounts from a single place. Onboarding and offboarding a user becomes a single action in your identity source.
  • Improved Security: By using temporary credentials and integrating with your corporate IdP, you eliminate the need for long-lived IAM user access keys, which is a major security best practice.
  • Simplified Access: Users get a friendly portal to access all their assigned roles without juggling multiple sets of credentials or login links.
  • Consistent Permissions: Permission sets ensure that a role like "ReadOnlyAccess" has the exact same permissions in every account where it's assigned, reducing configuration drift.

Getting Started

Setting up IAM Identity Center is straightforward, especially if you use AWS Organizations:

  1. Navigate to the IAM Identity Center console in your AWS management account.
  2. Choose your identity source. Start with the built-in Identity Center directory if you don't have an external IdP.
  3. Create a few users and groups.
  4. Create a permission set. A good starting point is the AWS-managed ViewOnlyAccess policy.
  5. Go to the "AWS accounts" section and assign your group to the permission set you just created for one of your accounts.
  6. Your users can now log in via the provided portal URL and assume the ViewOnlyAccess role.
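The steps above, and the four core concepts (identity source, accounts, permission sets, assignments) from earlier in the article, map onto a handful of Terraform resources. The following configuration is an added example written for this article, not code from AWS or from the original post. It assumes the built-in Identity Center directory as the identity source, a variable `dev_account_id` holding the target account ID (placeholder), and constructed names ("Developers", "alice", "ViewOnly"); everything else uses the real resource types and attributes of the AWS Terraform provider.

```hcl
# Added example: wiring up IAM Identity Center with Terraform (not from the original article).
# Run this from the Organizations management account (or a delegated administrator).

variable "dev_account_id" {
  description = "Placeholder: the 12-digit ID of the Development account to assign access in"
  type        = string
}

# IAM Identity Center is a singleton per organization; look up its instance ARN
# and the ID of the identity store that holds users and groups.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# --- Identity source: a group and a user in the built-in Identity Center directory ---
resource "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id
  display_name      = "Developers"
  description       = "Engineers who get read-only console access"
}

resource "aws_identitystore_user" "alice" {
  identity_store_id = local.identity_store_id
  display_name      = "Alice Example" # constructed sample user
  user_name         = "alice"

  name {
    given_name  = "Alice"
    family_name = "Example"
  }

  emails {
    value   = "alice@example.com"
    primary = true
  }
}

# Group membership is the single switch for onboarding/offboarding:
# removing this resource revokes Alice's access in every assigned account.
resource "aws_identitystore_group_membership" "alice_developers" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.developers.group_id
  member_id         = aws_identitystore_user.alice.user_id
}

# --- Permission set: the role template, with a short session lifetime ---
resource "aws_ssoadmin_permission_set" "view_only" {
  instance_arn     = local.instance_arn
  name             = "ViewOnly"
  description      = "Read-only access for the AWS Management Console"
  session_duration = "PT4H" # temporary credentials expire after four hours
}

# Attach the AWS-managed ViewOnlyAccess job-function policy to the template.
resource "aws_ssoadmin_managed_policy_attachment" "view_only" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# --- Assignment: "grant the Developers group the ViewOnly permission set in the Development account" ---
resource "aws_ssoadmin_account_assignment" "developers_view_only_dev" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  principal_id       = aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = var.dev_account_id
  target_type        = "AWS_ACCOUNT"
}
```

After `terraform apply`, Identity Center provisions an IAM role in the target account whose name is derived from the permission set (it carries the `AWSReservedSSO_ViewOnly_` prefix), and Alice sees "ViewOnly" under the Development account in the access portal. Assigning the same permission set to a second account is one more `aws_ssoadmin_account_assignment` block with a different `target_id`, which is how permission sets keep a role identical across accounts; granting extra access means editing the permission set once, not editing a role in every account.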

Conclusion

AWS IAM Identity Center is no longer just a convenience; it's the standard, recommended way to manage human access to AWS environments. By centralizing user identities and leveraging temporary, role-based credentials, it provides a secure, scalable, and user-friendly foundation for your entire AWS organization.