IAM Identity Centre Summary
- Managed service for single sign-on to both AWS accounts and applications
- Easily connected to external identity providers such as Microsoft Entra ID
- Centrally manage user access in a multi-account environment
- Provides a user portal where users can connect to applications or to specific accounts with the authorised roles
My Experience of IAM Identity Centre
I recently configured AWS IAM Identity Centre in a multi-cloud setup for a large UK client. Groups and users were managed in Microsoft Entra ID, which was synced with the on-premises MS Active Directory. I set up SCIM to automatically provision the Azure groups and their members onto AWS. Each group was associated with a permission set, which was a collection of AWS managed policies that permitted access to services and resources in the specified accounts. In each account we had System Administrator, ReadOnly and SecurityAudit roles. In the Management Account we had the Billing managed policy. In the Network account, for shared network services such as transit gateways and ingress, egress and inspection VPCs, we had the NetworkManagerFullAccess policy.
One limitation was the lack of the ability to assign a permission set to multiple accounts. Each time a new account was added, the System Administrator, ReadOnly and SecurityAudit permission sets had to be set up for that account. This is something we will need to automate in the future.
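Automating the per-account permission-set assignment that the post describes as still manual, as an added example that is not part of the original post and not AWS tooling: the script below assumes a boto3 `sso-admin` client, and every account ID, group ID and ARN a caller passes in is a placeholder. It plans each group-to-permission-set-to-account assignment from the mapping described above, creates only what is missing, and reports grants present in AWS that the plan does not contain.

```python
# Hypothetical helper, not AWS tooling. `client` is a boto3 "sso-admin" client
# (or any object with the same two methods), so the logic runs without AWS
# credentials. Every ARN and ID a caller passes in here is a placeholder.

# Baseline permission sets every account receives (as in the post above).
BASELINE = ("SystemAdministrator", "ReadOnly", "SecurityAudit")
# Account-specific extras: Billing only in Management, NetworkManagerFullAccess
# only in Network. Anything not listed is never assigned (least privilege).
EXTRAS = {"Management": ("Billing",), "Network": ("NetworkManagerFullAccess",)}


def plan_assignments(accounts, group_ids, extras=EXTRAS):
    """Desired (account_id, permission_set_name, group_id) triples.
    accounts: {account_name: account_id}; group_ids: {permission_set_name:
    identity_store_group_id}, i.e. the SCIM-provisioned group for that role."""
    return {(acct_id, ps, group_ids[ps])
            for name, acct_id in accounts.items()
            for ps in BASELINE + extras.get(name, ())}


def existing_assignments(client, instance_arn, accounts, ps_arns):
    """Group assignments already present, following NextToken pagination."""
    found, name_of = set(), {arn: ps for ps, arn in ps_arns.items()}
    for acct_id in accounts.values():
        for arn in ps_arns.values():
            kwargs = dict(InstanceArn=instance_arn, AccountId=acct_id, PermissionSetArn=arn)
            while True:
                page = client.list_account_assignments(**kwargs)
                for a in page["AccountAssignments"]:
                    if a["PrincipalType"] == "GROUP":
                        found.add((acct_id, name_of[arn], a["PrincipalId"]))
                if not page.get("NextToken"):
                    break
                kwargs["NextToken"] = page["NextToken"]
    return found


def reconcile(client, instance_arn, accounts, group_ids, ps_arns, extras=EXTRAS):
    """Create only the missing assignments. Returns (created, unexpected):
    rerunning creates nothing, and group grants of these permission sets that
    exist in AWS but not in the plan are reported (not deleted) as drift."""
    desired = plan_assignments(accounts, group_ids, extras)
    current = existing_assignments(client, instance_arn, accounts, ps_arns)
    for acct_id, ps, group_id in sorted(desired - current):
        client.create_account_assignment(
            InstanceArn=instance_arn, TargetId=acct_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[ps], PrincipalType="GROUP", PrincipalId=group_id)
    return sorted(desired - current), sorted(current - desired)
```

For a real run, pass `boto3.client("sso-admin")` together with the instance ARN, account IDs, Identity Store group IDs and permission-set ARNs from your own Identity Centre; run it first against a fake client (as in a test) to review the planned changes.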
IAM Identity Centre Benefits
- manages all users and groups across all accounts in one place
- can delegate user authentication to an external provider
- makes multi-cloud single sign-on easy
- automatic provisioning means less maintenance
IAM Identity Centre Features
- Automated user and group permissioning using SCIM (System for Cross-domain Identity Management)
- Multi-account permission sets
- Application permissioning for AWS managed apps such as Amazon Q Developer, Amazon Q Business, SageMaker Studio, Athena, QuickSight, Redshift, Managed Grafana, Kendra, EMR Studio, etc.
Identity Centre Works Well With
- Microsoft Entra ID
- Okta Universal Directory
- Any SAML 2.0 identity provider
IAM Identity Centre Pricing
There is no charge for this service.