🐾IAM Identity Center🐾
🤓 Recently, I got several questions about when to use the IAM Identity Center, which features it has, and what the difference is between usage in small and large companies. Let’s explore these aspects in detail.
General concepts
What is the IAM Identity Center? Formerly called AWS Single Sign-On, it is a cloud-based identity and access management service that lets you control permissions to AWS accounts and third-party applications. It supports user authentication through either the AWS Identity Center directory or an external IdP.
What is an IdP? IdP stands for Identity Provider, the component responsible for user authentication. In Identity Center, supported external IdPs include Okta Universal Directory, Azure Active Directory (AD), etc.
What are the benefits of Identity Center? You can manage access in one place, which makes it easier to add and delete users and permissions for them. You can add applications such as Quicksight, SageMaker Studio, Slack, Zoom, Jenkins and many others. Users can access multiple AWS accounts and applications with a single set of credentials.
Things to remember:
Trusted identity propagation doesn't require you to set up multi-account permissions (permission sets). You can enable the IAM Identity Center and use it for trusted identity propagation only.
If you are switching from an AWS IdP to an external IdP, the new IdP needs to send the correct assertions, which must match the user names and groups in the IAM Identity Center.
There are some limitations in Identity Center usage with AWS Lake Formation.
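As an added example (not from the original post), the following Python script checks a SAML assertion from a new external IdP against a snapshot of the users and groups in Identity Center before the switch described above. The group attribute name memberOf, the user list and the assertion are constructed, and the exact-match and emailAddress-format rules are assumptions to adjust to your own setup.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed attribute name; the real one depends on how the IdP is configured.
GROUP_ATTR = "memberOf"

# Constructed snapshot of users (with group memberships) and groups in Identity Center.
IDC_USERS = {"alice@example.com": {"DataScientists"}, "bob@example.com": {"Admins"}}
IDC_GROUPS = {"DataScientists", "Admins"}

# Constructed assertion from the new IdP, trimmed to the parts this check looks at.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>DataScientists</saml:AttributeValue>
      <saml:AttributeValue>Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID value, NameID format, set of group names) from the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_ATTR:
            groups.update(v.text for v in attr.findall("saml:AttributeValue", SAML_NS))
    value = name_id.text if name_id is not None else None
    fmt = name_id.get("Format") if name_id is not None else None
    return value, fmt, groups


def check_assertion(xml_text, users=IDC_USERS, known_groups=IDC_GROUPS):
    """Return a list of mismatches; an empty list means the assertion maps cleanly."""
    name_id, fmt, groups = parse_assertion(xml_text)
    if name_id is None:
        return ["assertion has no NameID"]
    problems = []
    if not fmt or not fmt.endswith(":emailAddress"):
        problems.append(f"NameID format is {fmt!r}, expected emailAddress")
    if name_id not in users:  # assumption: Identity Center user name must match exactly
        near = [u for u in users if u.lower() == name_id.lower()]
        hint = f" (case differs from {near[0]!r})" if near else ""
        problems.append(f"NameID {name_id!r} does not match an Identity Center user{hint}")
    for g in sorted(groups - known_groups):
        problems.append(f"group {g!r} in assertion does not exist in Identity Center")
    return problems
```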
Small companies
Whether you use one AWS account or many accounts managed by AWS Organizations, you can use Identity Center. If you have a single account, you can create an account instance; with multiple accounts, a traditional organization instance.
Small organizations can benefit from choosing the AWS Identity Center directory as the IdP for Identity Center, since it carries no additional charges and is easy to maintain.
Also, you can start with AWS predefined permission policies such as AdministratorAccess or job function policies such as DataScientist or DatabaseAdministrator.
Large companies
For large companies with many AWS accounts managed by AWS Organizations, using Identity Center is common practice. It unifies access for users and so simplifies access to AWS accounts and applications.
There are also several features that can be especially useful for them:
Multiple instances of IAM Identity Center. When you have hundreds of AWS accounts, you may want to set up a separate SSO mechanism for a particular branch of the organization, so that branch can manage permissions and users for its own accounts. With such a decentralized approach, it takes less time for team members to have changes applied to their permissions.
Delegated administration. You can designate a separate account for managing user permissions instead of using the management account. This helps limit access to the management account.
Temporary elevated access options. Sometimes you need someone from your team to perform sensitive actions, such as changing the configuration of a production service, as quickly as possible. In this case, the standard CI/CD process with all its approvals can take more time than the business allows. Identity Center offers temporary elevated access through a range of partner integration options.
Thank you for reading, let’s chat 💬
💬 Do you use the IAM Identity Center in your company?
💬 Do you want to hear more about use cases for each of the features?
💬 Any other features that can be especially useful for small or large companies?
I love hearing from readers 🫶🏻 Please feel free to drop comments, questions, and opinions below👇🏻