Enterprise Cloud Consultancy in The UK and Europe
Contact Me

AWS IAM Identity Centre

AWS
Updated : 03-Jul-2024
The AWS preferred solution for workforce identiy and access management

IAM Identity Centre Summary

  • Managed service for single sign on for both AWS accounts and applications
  • Easily connected to external identity providers such as Microsoft Entra Id
  • Centrally manage user access in a multi-account environment
  • Provides a user portal where user can connect to applications or to specific accounts with the authorised roles

My Experience of IAM Identity Centre

I recently configured AWS IAM Identity Centre in a multi-cloud setup for a large UK client. Groups and users were managed in Microsoft Entra ID which was synced with the on-premise MS Active Directory. I set up SCIM to automatically provision the Azure groups and their members onto AWS. Each group was associated with a permission set which was a collection of AWS managed policies which permitted access to services and resources to the specified accounts. In each account we had System Administrator, ReadOnly and SecurityAudit roles. In the Managment Account we had the Billing managed policy. In the Network account for shared network services such as transit gateways, and ingress, egress and inspection VPCs we had the NetworkManagerFullAccess policy

One limitation was the lack of the ability to assign a permission set to mulitple accounts. Each time a new account was added then the System Administrator, ReadOnly and SecurityAudit permission sets had to be set up for that account. This is something we will need to automate in the future.

IAM Identity Centre Benefits

  • manages all users and groups across all accounts in one place
  • can delegate user authentication to an external provider
  • makes multi-cloud single sign on easy
  • automatic provisioning means less maintenance

IAM Identity Centre Features

  • Automated user and group permissioning using SCIM (System for Cross-domain Identity Management)
  • Multi-account permisison sets
  • Application permissioning for AWS managed apps such as Amazon Q Developer, Amazon Q Business, Sagemaker Studio, Athena, QuickSight, Redshift, Managed Grafana, Kendra, EMR Studio, etc

Identity Centre Works Well With

  • Microsoft Entra ID
  • Okta Universal Directory
  • Any SAML 2.0 identity provider

IAM Identity Centre Pricing

There is no charge for this service.

Russell Jamieson