AWS IAM Identity Center: From Basics to Advanced
1. AWS IAM Identity Center Overview
1.1 What Is It?
IAM Identity Center is a managed service from AWS that enables:
- Single Sign-On (SSO): Users log in through a single portal and gain access to multiple accounts and applications (AWS and SaaS).
- Centralized Identity Management: Creation and management of users and groups in an internal directory or with integration to an external identity provider (IdP), such as Azure AD, Okta, etc.
- Permission Assignment: Associates permission profiles (IAM Roles and policies) to users or groups, controlling exactly what each person can do in each AWS account.
1.2 Differentiation from Other IAM Services
- IAM (Identity and Access Management) is the base service for managing policies, roles, users, and groups in an AWS account.
- IAM Identity Center expands this functionality by offering SSO across multiple AWS accounts and applications, with a simplified authentication experience.
- It also allows federation configurations with external IdPs and the use of standards such as SAML 2.0 and SCIM (for automated provisioning of users and groups).
1.3 Use Cases
- Multi-Account Environments: Many companies use AWS Organizations to manage multiple accounts. IAM Identity Center allows centralized management of who accesses each account and with which permissions.
- Corporate Directory Integration: Companies that already have a user directory (e.g., Active Directory, Okta, Azure AD) can synchronize identities and groups to grant or revoke access centrally.
- Simplified Access to SaaS Applications: Beyond AWS accounts, IAM Identity Center can provide access to third-party services (Salesforce, Office 365, etc.) using SAML or OpenID Connect (OIDC).
---
2. Basic Configuration
2.1 Enabling IAM Identity Center
- Access the AWS Management Console.
- Go to IAM Identity Center (it may be listed as "AWS Single Sign-On" in some older regions).
- If it's your first time, click Enable IAM Identity Center.
- Choose the directory mode:
  - IAM Identity Center directory (default) – manages users/groups within the service itself.
  - External identity provider – integrates with an existing IdP via SAML 2.0 or via AWS Directory Service (for on-premises Active Directory, for example).
2.2 Creating Users and Groups (Internal Mode)
- Users: enter name, email, MFA configuration (if desired), etc.
- Groups: define groups such as "DevOps", "Finance", "Security" and add users.
- Manual Provisioning: if you don't have an external IdP, you can create users directly in IAM Identity Center.
2.3 Assigning Access to AWS Accounts
- Go to AWS Accounts in IAM Identity Center.
- Select the account you want to configure.
- Click Assign Users or Groups.
- Select the user or group and choose a role (or create a new one) to determine the permissions.
  - Example: "PowerUserAccess" for DevOps teams; "ReadOnlyAccess" for auditing, etc.
2.4 Access Portal
- After configuration, each user uses an SSO Portal (for example, https://<subdomain>.awsapps.com/start) to log in.
- In this portal, the user sees the available AWS accounts and applications. With a single click, they access the consoles without needing to re-enter credentials or keys.
---
3. Identity Provider (IdP) Integration
3.1 Benefits
- Automated Provisioning (SCIM): when a new employee joins the organization (created in the IdP), they are automatically propagated to IAM Identity Center, avoiding manual rework.
- Single Sign-On with Central MFA: Strong authentication occurs at the IdP (for example, Azure AD with MFA). Users don't need separate passwords for IAM Identity Center.
- Immediate Revocation: If the user is removed from the IdP (e.g., termination), their AWS access is also revoked.
3.2 Integration Methods
- SAML 2.0: Most IdPs, such as Okta, Ping, Azure AD, and ADFS, support SAML.
- SCIM: For automatic provisioning of users and groups.
- Azure AD: Native integration allows configuring single sign-on and provisioning without additional scripts, following official AWS and Microsoft tutorials.
- Okta: Similar to Azure AD, with official guides for SAML + SCIM.
3.3 Simplified Step-by-Step (Azure AD Example)
- In AWS IAM Identity Center, choose "External identity provider" and select SAML 2.0.
- In Azure AD, configure a SAML enterprise application pointing to the IAM Identity Center endpoint.
- Export the metadata and import it into IAM Identity Center.
- Enable SCIM for automatic provisioning by copying the provisioning token from IAM Identity Center to Azure AD.
- Test with a test user in Azure AD and verify that they appear in IAM Identity Center.
---
4. Advanced Features
4.1 Permission Assignment Customization
- Permission Sets: These are collections of IAM policies that define permissions. You associate them with users/groups for specific accounts.
  - E.g., "DevOpsProdPermissionSet" with the ability to create and manage resources, but without the power to delete logs.
- Advanced Policies: Combine AWS managed policies with custom policies for extra granularity (e.g., restricting access to specific S3 buckets).
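As an added example (not part of the original article), the following Python script builds the "DevOpsProdPermissionSet" described above with the boto3 sso-admin client: the PowerUserAccess managed policy plus an inline policy that denies log deletion, a four-hour session duration (section 4.4), and the assignment of a group to one account (section 2.3). The instance ARN, account ID and group ID are constructed placeholders, and the client is passed in as a parameter so the sequence can be exercised without AWS access.

```python
"""Build the "DevOpsProdPermissionSet": PowerUserAccess plus an inline policy that
forbids deleting CloudWatch Logs, then assign it to a group in one account."""
import json

# Constructed placeholder identifiers; replace them with values from your instance.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PROD_ACCOUNT_ID = "111122223333"         # constructed production account id
DEVOPS_GROUP_ID = "a1b2c3d4-EXAMPLE"     # constructed Identity Store group id

def log_protection_policy() -> dict:
    """Inline policy: an explicit Deny overrides the Allow from PowerUserAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLogDeletion",
            "Effect": "Deny",
            "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream"],
            "Resource": "*",
        }],
    }

def create_devops_prod_permission_set(sso_admin, instance_arn=INSTANCE_ARN,
                                      account_id=PROD_ACCOUNT_ID,
                                      group_id=DEVOPS_GROUP_ID) -> str:
    """Create the permission set, attach its policies and assign the group to the
    account. `sso_admin` is a boto3 'sso-admin' client, passed in so the sequence
    can be exercised with a stub. Returns the permission set ARN."""
    created = sso_admin.create_permission_set(
        InstanceArn=instance_arn,
        Name="DevOpsProdPermissionSet",
        Description="Build and deploy in prod without deleting logs",
        SessionDuration="PT4H",          # ISO 8601: re-authenticate after 4 hours
    )
    ps_arn = created["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn="arn:aws:iam::aws:policy/PowerUserAccess")
    sso_admin.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        InlinePolicy=json.dumps(log_protection_policy()))
    sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return ps_arn

if __name__ == "__main__":
    import boto3  # imported here so the module loads even without boto3 installed
    print(create_devops_prod_permission_set(boto3.client("sso-admin")))
```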
4.2 Enhanced MFA Configuration
- MFA on External IdP: If using Okta or Azure AD, the IdP's MFA solution manages authentication.
- Internal MFA: If using the IAM Identity Center internal directory, you can configure MFA based on authenticator apps (Google Authenticator, Authy, etc.).
- Adaptive/Contextual MFA: Some IdPs support adaptive MFA — requesting MFA only if the user is outside the corporate network or in suspicious locations.
4.3 Auditing and Logs
- AWS CloudTrail: Records events related to IAM Identity Center, such as permission set creation, group assignment, login attempts, etc.
- AWS CloudWatch Metrics/Logs: Can be used to monitor activities and create alarms, for example, if repeated login failures occur.
- IdP Logs: In SAML integrations, part of the auditing also occurs at the IdP, recording who accessed which applications.
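As an added detection example (not from the original article), this Python function scans CloudTrail records for two of the signals mentioned above: repeated failed logins by one principal and changes to permission sets or account assignments. The sample records are constructed; the event source and the sensitive event names mirror the sso-admin API operations, while "Authenticate" as the login event name is an assumption.

```python
"""Scan CloudTrail records for IAM Identity Center activity and report repeated
login failures by one principal and changes to permission sets or assignments."""
from collections import defaultdict
from datetime import datetime, timedelta

SSO_SOURCE = "sso.amazonaws.com"   # eventSource of Identity Center API events
LOGIN_EVENT = "Authenticate"       # assumption: event name of a user login attempt
SENSITIVE_EVENTS = {"CreatePermissionSet", "PutInlinePolicyToPermissionSet",
                    "AttachManagedPolicyToPermissionSet", "CreateAccountAssignment"}

def find_sso_findings(records, max_failures=3, window=timedelta(minutes=5)):
    """Return (kind, principal, detail) tuples; a failed call carries an errorCode."""
    findings = []
    failures = defaultdict(list)   # principal -> failure timestamps inside window
    for r in records:
        if r.get("eventSource") != SSO_SOURCE:
            continue               # not an Identity Center event
        who = r.get("userIdentity", {}).get("userName", "unknown")
        name = r.get("eventName")
        if name in SENSITIVE_EVENTS and "errorCode" not in r:
            findings.append(("privilege_change", who, name))
        elif name == LOGIN_EVENT and "errorCode" in r:
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            recent = [t for t in failures[who] if ts - t <= window] + [ts]
            failures[who] = recent
            if len(recent) == max_failures:   # fires once, when the threshold is hit
                findings.append(("repeated_login_failure", who,
                                 f"{max_failures} failures within {window}"))
    return findings

def _ev(time, name, user, **extra):   # builds a constructed CloudTrail-style record
    return {"eventTime": time, "eventSource": SSO_SOURCE, "eventName": name,
            "userIdentity": {"userName": user}, **extra}

# Constructed sample records, not real logs: alice fails three times in two minutes,
# bob fails once, carol creates an account assignment, one S3 event is unrelated.
SAMPLE_RECORDS = [
    _ev("2024-05-01T10:00:00Z", "Authenticate", "alice", errorCode="AccessDenied"),
    _ev("2024-05-01T10:01:00Z", "Authenticate", "alice", errorCode="AccessDenied"),
    _ev("2024-05-01T10:01:30Z", "Authenticate", "bob", errorCode="AccessDenied"),
    _ev("2024-05-01T10:02:00Z", "Authenticate", "alice", errorCode="AccessDenied"),
    _ev("2024-05-01T10:03:00Z", "CreateAccountAssignment", "carol"),
    _ev("2024-05-01T10:04:00Z", "Authenticate", "alice"),   # successful login
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"userName": "dave"}},
]

if __name__ == "__main__":
    for finding in find_sso_findings(SAMPLE_RECORDS):
        print(*finding)
```

In production the records would come from the CloudTrail log files delivered to S3 or from a CloudWatch Logs subscription, and each finding would feed an alarm or ticket rather than stdout.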
4.4 Credential Rotation and Management
- Temporary Credentials: When a user accesses an account via IAM Identity Center, IAM roles with temporary credentials (STS) are used.
- Session Policies: It's possible to limit session duration, forcing re-authentication after a period.
- Access Keys: IAM Identity Center can also provide programmatic access (CLI) by generating temporary credentials for users, ensuring that long-lived credentials are not needed.
4.5 Provisioning and Deprovisioning (SCIM)
- If your organization uses an IdP compatible with SCIM 2.0, you can automate:
  - User Creation: Whenever a user is created in the IdP, they are added to IAM Identity Center.
  - Group Assignment: If the user is added to a "DevOps" group in the IdP, they automatically gain corresponding access in AWS.
  - Removal: If they leave the company or the group, access is revoked.
---
5. Best Practices
- Least Privilege: Create specific permission sets for each job function, avoiding granting "AdministratorAccess" indiscriminately.
- Environment Separation: Use different permission sets for development, staging, and production, ensuring that unrestricted access doesn't leak into production.
- Enforce MFA: If the IdP is not using MFA, enable MFA at least in IAM Identity Center for sensitive accounts.
- Access Review Policy: Periodically review who has access to which accounts/permission sets and remove obsolete privileges.
- Provisioning Automation: Whenever possible, use SCIM to synchronize users, reducing manual errors.
- Multi-Account Governance: If using AWS Organizations, enable delegation so that IAM Identity Center manages all member accounts.
---
6. Conclusion
AWS IAM Identity Center is a key component for companies that want to unify authentication and authorization across multiple AWS accounts and, often, dozens of SaaS applications. It simplifies the user login flow, reduces the complexity of credential management, and at the same time strengthens security through MFA policies and federation with identity providers.

As the environment expands, advanced features, such as SCIM for automatic provisioning, custom permission sets, corporate directory integration, and detailed logs, become essential for maintaining user productivity and compliance with security standards. By adopting the best practices mentioned, you ensure a robust and scalable deployment, prepared to meet your organization's governance and access control needs in the long term.
---