AWS - IAM

Configure AWS IAM at Scale

Demo IAM Identity Center

In this guide, you’ll learn how to enable and use AWS IAM Identity Center to centrally manage user and group access across multiple AWS accounts and cloud applications.

Prerequisites

  • An AWS Organizations management account
  • Permissions to manage IAM Identity Center and AWS Organizations

Note

IAM Identity Center can only be enabled from your organization's management account; a member account cannot enable it. Once enabled, day-to-day administration can be handed to a member account by registering it as the delegated administrator, but the management account keeps control of enabling and disabling the service.

Enabling IAM Identity Center

  1. Sign in to the AWS Management Console with your management account.

  2. In the top search bar, type IAM Identity Center and select it:

    The image shows the AWS Console Home with a search for "IAM Identity Center," displaying services like IAM Identity Center, IAM, Cloud9, and Amazon CodeWhisperer.

  3. Click Enable.

  4. Choose your identity source:

    • Connect an existing directory (AWS Managed Microsoft AD, AD Connector, or external IdP)
    • Use the built-in Identity Center directory
  5. After activation, create users and groups (if using the built-in directory), then assign permission sets to your AWS accounts or cloud applications.
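The console steps above end with creating a group, a permission set and an account assignment. The same procedure through the `sso-admin` and `identitystore` APIs, written as an added example (not code from the original page): the account ID, group and permission-set names, and the managed policy are placeholders, and the `DryRunClient` stand-in records calls instead of reaching AWS so the script runs offline; pass `--apply` with management-account credentials to run it for real.

```python
"""Provision group access in IAM Identity Center: group -> permission set -> assignment.

Added example, not from the original page. Call names and parameters are those
of the boto3 `sso-admin` and `identitystore` clients; IDs and names are made up.
"""
import re
import sys

# CreatePermissionSet constraints: Name is 1-32 chars of [A-Za-z0-9_+=,.@-],
# SessionDuration is ISO 8601 between PT1H and PT12H.
NAME_RE = re.compile(r"^[\w+=,.@-]{1,32}$")
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")

# Canned responses returned by the dry-run client (constructed, not real IDs).
CANNED = {
    "list_instances": {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
                                      "IdentityStoreId": "d-EXAMPLE"}]},
    "create_group": {"GroupId": "g-EXAMPLE"},
    "create_permission_set": {"PermissionSet": {
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}},
    "create_account_assignment": {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS"}},
}


class DryRunClient:
    """Stand-in for a boto3 client: records every call, returns canned data."""

    def __init__(self, service):
        self.service = service
        self.calls = []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            return CANNED.get(op, {})
        return call


def validate_permission_set(name, session_duration):
    """Return a list of problems (empty list means the spec is acceptable)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"bad permission set name {name!r}")
    m = DURATION_RE.match(session_duration)
    minutes = int(m.group(1) or 0) * 60 + int(m.group(2) or 0) if m else -1
    if not 60 <= minutes <= 12 * 60:
        problems.append(f"session duration {session_duration!r} must be PT1H..PT12H")
    return problems


def provision_group_access(sso, ids, account_id, group_name, ps_name,
                           managed_policy_arn, session_duration="PT1H"):
    """Create the group and permission set, then assign the group to one account."""
    problems = validate_permission_set(ps_name, session_duration)
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append(f"account id {account_id!r} is not 12 digits")
    if problems:
        raise ValueError("; ".join(problems))

    # One Identity Center instance per organization; it carries the identity store ID.
    inst = sso.list_instances()["Instances"][0]
    instance_arn, store_id = inst["InstanceArn"], inst["IdentityStoreId"]

    group_id = ids.create_group(IdentityStoreId=store_id, DisplayName=group_name)["GroupId"]
    ps_arn = sso.create_permission_set(
        InstanceArn=instance_arn, Name=ps_name, SessionDuration=session_duration,
    )["PermissionSet"]["PermissionSetArn"]
    sso.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=managed_policy_arn)

    # The assignment is what makes Identity Center provision a role in the target account.
    status = sso.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id,
    )["AccountAssignmentCreationStatus"]["Status"]
    return {"instance_arn": instance_arn, "group_id": group_id,
            "permission_set_arn": ps_arn, "status": status}


if __name__ == "__main__":
    if "--apply" in sys.argv:
        import boto3  # real calls; needs management-account credentials
        sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    else:
        sso, ids = DryRunClient("sso-admin"), DryRunClient("identitystore")
    print(provision_group_access(sso, ids, "111122223333", "ReadOnlyAuditors",
                                 "ReadOnlyAccess", "arn:aws:iam::aws:policy/ReadOnlyAccess"))
    if isinstance(sso, DryRunClient):
        for op, kwargs in sso.calls + ids.calls:
            print(op, kwargs)
```

The assignment call returns `IN_PROGRESS`; in a real run, poll `describe_account_assignment_creation_status` until it reports `SUCCEEDED` before telling users the access exists.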

IAM vs. IAM Identity Center

When you go to the IAM console and click Create user, ticking Provide user access to the AWS Management Console presents "Specify a user in Identity Center" as the recommended option; creating a classic IAM user with a console password is still possible but is shown as the non-recommended path:

The image shows a webpage from the AWS Management Console, specifically the "Specify user details" section for creating a new user in IAM. It includes fields for entering a username and options for providing console access.

Use the following table to decide between IAM users and IAM Identity Center:

Capability | IAM user | IAM Identity Center
Console access across accounts | Manual, one user per account | Centralized through permission sets and the access portal
Programmatic access | Long-term access keys | Short-term credentials from the access portal or aws sso login; no long-term keys
Service-specific credentials (for example CodeCommit) | Yes | No
External identity federation | A SAML/OIDC provider and roles configured in every account | Connected once for the organization (SAML 2.0 sign-in, SCIM provisioning)
Multi-account role assignments | Manual: a role and trust policy in each account | Automated: one assignment provisions the role in every target account

Warning

Reserve IAM users for workloads that cannot assume a role and genuinely need long-term access keys, or for service-specific credentials, and protect those users with MFA and key rotation. For human console and CLI access across multiple accounts, adopt IAM Identity Center.
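A practical way to act on this warning is to run the IAM credential report through a script that flags users who still hold console passwords (candidates to migrate to Identity Center), console users without MFA, and long-term keys that are stale or never used. The audit below is an added example, not code from the original page: it parses the real credential-report CSV layout (what `aws iam get-credential-report` returns after base64 decoding), but the rows, account ID and the fixed "today" date are constructed.

```python
"""Audit an IAM credential report for credentials that belong in Identity Center.

Added example, not from the original page. The CSV columns are the real
credential-report layout; the rows below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report: root with MFA, a console-only user without MFA, a CI user
# with an old but active key, and a console user whose key was never used.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,"
    "not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,2023-02-01T12:00:00+00:00,"
    "true,2024-05-20T07:30:00+00:00,2023-02-01T12:00:00+00:00,N/A,false,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-03-15T10:00:00+00:00,"
    "false,N/A,N/A,N/A,false,"
    "true,2023-03-15T10:00:00+00:00,2024-05-21T02:00:00+00:00,us-east-1,ecr,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "bob,arn:aws:iam::111122223333:user/bob,2023-06-01T08:00:00+00:00,"
    "true,N/A,2023-06-01T08:00:00+00:00,N/A,true,"
    "true,2024-04-01T08:00:00+00:00,N/A,N/A,N/A,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

# Fixed reference date so the constructed sample gives stable results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Values the report uses instead of a timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value is None or value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs for credentials that violate the guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root user without MFA"))
            continue  # root has no access keys in this sample and no password policy row

        # Console password on an IAM user: this is the access Identity Center should own.
        if row["password_enabled"] == "true":
            findings.append((user, "console password on IAM user: migrate to Identity Center"))
            if row["mfa_active"] != "true":
                findings.append((user, "console access without MFA"))

        # Long-term keys that remain: check age and whether they are used at all.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            if used is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

To run it against a real account, replace `SAMPLE_REPORT` with the decoded `Content` of `aws iam get-credential-report` (call `generate-credential-report` first and wait for `COMPLETE`) and drop the fixed `NOW`.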
