Understanding AWS IAM Identity Center: A Beginner's Guide

Jay Tillu
5 min read

☕ It was another busy morning...

Arjun, the newly minted Cloud Engineer, was sipping his chai and thinking about the growing number of AWS accounts his company had.

One account for Dev. One for Prod. Another for Finance.

And logging into each of them?
A total nightmare.

His boss walked in and said,

“Arjun, I want one login for everything — AWS accounts, EC2, Salesforce — you name it.”

That’s when Arjun discovered…


🚪 IAM Identity Center (Formerly AWS SSO)

AWS IAM Identity Center is the AWS service for centrally managing workforce sign-in and access across multiple AWS accounts and cloud applications; it replaced the service formerly called AWS Single Sign-On.

Think of IAM Identity Center as the front door to everything:

  • 🧑‍💻 Multiple AWS accounts

  • 💼 Business apps (like Salesforce, Microsoft 365)

  • 💻 EC2 Windows Instances

  • 🧩 Even custom SAML 2.0 apps

With just one login, users can access all these resources — securely and easily.


🤔 But Wait… What is SSO?

SSO = Single Sign-On.

It means:

"Log in once, access everything."

Instead of remembering and typing passwords for each AWS account or app, users sign in once using IAM Identity Center — and get instant access to whatever they’re allowed to use.

Think of it like:

  • Logging in to your Google account

  • And being able to open Gmail, YouTube, Docs, Drive — without logging in again

That’s SSO in action — and IAM Identity Center brings this to AWS and your business apps.


🔁 What About Permissions?

Just like IAM uses policies,
IAM Identity Center uses “Permission Sets.” A permission set is a collection of IAM policies (AWS managed, customer managed, or inline, optionally with a permissions boundary) that defines what actions a user or group can perform in one or more AWS accounts.

These are reusable access blueprints that you assign to users or groups, account by account. Think of a permission set as a bundle of permissions ready to be applied to multiple people and multiple accounts, cleanly and consistently.

🧩 How Permission Sets Work — Step-by-Step

Let’s go step-by-step on how access is granted:

  1. Create a Permission Set
    → Define the access level (e.g., Admin, ReadOnly, Custom) using IAM policies.

  2. Assign It to a Group or User
    → Example: Assign the AdminAccess permission set to the Developers group.

  3. Link It to Specific AWS Accounts
    → You can assign the same permission set to Dev, Prod, or multiple accounts.

  4. Behind the Scenes:
    For every permission set assigned to an account, IAM Identity Center provisions one IAM role in that account (the role name starts with AWSReservedSSO_).
    When the user picks that account in the access portal, they assume the corresponding role and receive short-lived credentials from STS (Security Token Service); no long-lived user credentials exist in the member accounts.

Example:

Arjun wants Alice and Bob to:

  • ✅ Get Admin access in the Dev account

  • 🔍 Get Read-only access in the Prod account

So he:

  1. Creates two permission sets

    • Dev-Admin

    • Prod-ReadOnly

  2. Assigns Dev-Admin to the “Developers” group in the Dev account, and Prod-ReadOnly to the same group in the Prod account

  3. Puts Alice and Bob in the Developers group

Done. 🧼 Clean, scalable access control.

✅ Result:
When Alice logs in through IAM Identity Center, she clicks on the Dev account and gets admin access.
Clicks on Prod → gets read-only access.
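The assignment model above (principal, permission set, account) and the "Deny beats Allow, everything else is implicitly denied" evaluation that the provisioned role inherits from IAM can be modelled offline. The following is an added example, not AWS code or the author's; the group, user names and inline policies are constructed sample data, and only Effect and Action are evaluated (Resource and Condition keys are not modelled).

```python
"""Added example (not AWS or the author's code): model Identity Center
assignments offline and evaluate what a permission set allows.

An assignment is the triple (principal, permission set, account). For every
permission set assigned to an account, IAM Identity Center provisions one IAM
role in that account whose name begins with AWSReservedSSO_; the user assumes
it with temporary STS credentials. User and group names below are constructed
sample data. Only Effect and Action are evaluated; Resource and Condition keys
are not modelled.
"""
from fnmatch import fnmatchcase

# --- constructed sample data ------------------------------------------------
GROUPS = {"Developers": {"alice", "bob"}}

# Permission sets expressed as their inline policy documents.
PERMISSION_SETS = {
    "Dev-Admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "Prod-ReadOnly": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["*:Get*", "*:List*", "*:Describe*"],
             "Resource": "*"},
            # Reading secret values is a Get* call but is not "read-only" in
            # any meaningful sense, so it is explicitly denied. Deny always wins.
            {"Effect": "Deny",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": "*"},
        ],
    },
}

# The page's example: one group holding two different permission sets in
# two different accounts.
ASSIGNMENTS = [
    ("group:Developers", "Dev-Admin", "Dev"),
    ("group:Developers", "Prod-ReadOnly", "Prod"),
]


def principals_for(user):
    """The user itself plus every group it belongs to."""
    principals = {f"user:{user}"}
    principals |= {f"group:{g}" for g, members in GROUPS.items() if user in members}
    return principals


def effective_access(user):
    """Map each account to the set of permission sets the user can pick there."""
    mine = principals_for(user)
    access = {}
    for principal, pset, account in ASSIGNMENTS:
        if principal in mine:
            access.setdefault(account, set()).add(pset)
    return access


def role_name(pset):
    """Prefix of the role Identity Center creates; the real name ends in a random suffix."""
    return f"AWSReservedSSO_{pset}_"


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(user, account, pset, action):
    """IAM-style evaluation for one session.

    A user picks ONE permission set (role) per account session, so permission
    sets never combine. Evaluation: not assigned -> cannot assume the role;
    explicit Deny wins over any Allow; no matching Allow -> implicit deny.
    """
    if pset not in effective_access(user).get(account, set()):
        return False
    allowed = False
    for stmt in PERMISSION_SETS[pset]["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(user, effective_access(user))
    print(is_allowed("alice", "Prod", "Prod-ReadOnly", "s3:ListBucket"))
    print(is_allowed("alice", "Prod", "Prod-ReadOnly", "secretsmanager:GetSecretValue"))
```

Two points worth noticing when you run it: Alice holds Dev-Admin only in Dev, so asking for that permission set in Prod is refused before any policy is read (there is simply no role to assume there), and the explicit Deny on `secretsmanager:GetSecretValue` overrides the broad `*:Get*` Allow, which is the kind of carve-out a "read-only" permission set usually needs.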


🔎 Where Are User Accounts Stored?

IAM Identity Center has one identity source at a time, chosen from three options:

| Identity Source | Use Case | Example |
| --- | --- | --- |
| 🌐 Built-in IAM Identity Center directory | Small to mid-sized orgs or simple use cases | Users and groups are created directly inside IAM Identity Center |
| 🏢 Active Directory | Orgs that already run AD | AWS Managed Microsoft AD, or self-managed AD through AD Connector or a trust |
| 🔗 External Identity Provider (IdP) | Enterprises with centralized identity control | Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, Ping Identity; sign-in over SAML 2.0, user and group sync over SCIM |

🌐 Business Applications Supported by IAM Identity Center

If you choose AWS IAM Identity Center as your SSO (Single Sign-On) provider, you can give users access to external services such as the following, either from the pre-integrated application catalog or as a custom SAML 2.0 application:

| Application Type | Examples | Supported? |
| --- | --- | --- |
| 🧑‍💼 Productivity | Microsoft 365 (Outlook, Teams, etc.) | ✅ Yes |
| 📊 CRM | Salesforce, HubSpot | ✅ Yes |
| 📦 File Storage | Box, Dropbox | ✅ Yes |
| 🧾 Accounting & ERP | Workday, NetSuite | ✅ Yes |
| 🛡️ Security Tools | CrowdStrike, Zscaler | ✅ Yes |
| 👨‍💻 Developer Tools | GitHub, Atlassian, Jenkins | ✅ Yes |
| 🧠 Learning Platforms | Coursera, Skilljar | ✅ Yes |
| 🌐 Custom Apps | Any app that supports SAML 2.0 | ✅ Yes |

🔧 How It Works:

AWS IAM Identity Center supports SAML 2.0, the federation standard that most enterprise tools (including M365, Salesforce, etc.) accept for authentication. SAML covers sign-in only: the user still needs an account in the app, either created in advance or created just-in-time from assertion attributes where the app supports that.

  1. You configure IAM Identity Center as the Identity Provider (IdP).

  2. The external app (like Salesforce or M365) becomes the Service Provider (SP).

  3. Once connected, your users:

    • Log in once using IAM Identity Center

    • Can launch any connected app directly from the IAM Identity Center user portal

📌 Real-World Flow:

  1. User signs in at the AWS access portal (the IAM Identity Center sign-in URL, which you can customize), completing MFA if it is enforced.

  2. They see a dashboard like:

    • [ AWS Account Access ]

    • [ Salesforce CRM ]

    • [ Microsoft 365 ]

    • [ Box ]

  3. They click "Salesforce" and are logged in instantly — no password needed again.
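What "logged in instantly" means on the app's side is that the Service Provider received a SAML Response at its ACS URL and accepted the assertion in it. The checks an SP must make before trusting that assertion are what actually keep a stolen or replayed assertion from opening another app, so they are worth seeing concretely. The following is an added example, not AWS code, the author's, or any SAML library's: the XML is a constructed, unsigned sample; the SP entity ID, ACS URL, IdP issuer and request ID are assumptions; and XML-signature verification is deliberately left out, since a real SP must verify the signature against the certificate in Identity Center's IdP metadata before any of these checks.

```python
"""Added example (not AWS or the author's code): the checks a custom SAML 2.0
app (the Service Provider) must perform on the Response that IAM Identity
Center (the Identity Provider) posts to its ACS URL.

The XML is a constructed, unsigned sample. Entity IDs, the ACS URL and the
request ID are assumptions. XML-signature verification is deliberately left
out: a real SP verifies the signature against the IdP certificate from
Identity Center's metadata BEFORE any of the checks below, and should parse
untrusted XML with defusedxml rather than the standard library.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://crm.example.com/saml/metadata"   # assumed SP identifier
ACS_URL = "https://crm.example.com/saml/acs"              # assumed ACS endpoint
IDP_ISSUER = "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE"  # assumed

# Constructed sample Response, as Identity Center would POST it (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" Version="2.0" Destination="{ACS_URL}"
    IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2025-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>Developers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC in the form 2025-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now):
    """Return a dict with ok/reason, plus name_id and attributes when ok."""
    def fail(reason):
        return {"ok": False, "reason": reason}

    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return fail("status not Success")
    if root.get("Destination") not in (None, ACS_URL):
        return fail("Destination is not our ACS URL")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:          # exactly one; never pick "the first" of several
        return fail("expected exactly one assertion")
    a = assertions[0]

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ISSUER:          # only our configured IdP may vouch for users
        return fail(f"unexpected issuer {issuer!r}")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return fail("missing Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return fail("assertion outside its validity window")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != SP_ENTITY_ID:      # stops an assertion minted for another app being replayed here
        return fail("assertion was issued for a different service provider")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        return fail("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        return fail("InResponseTo does not match the AuthnRequest we sent")
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        return fail("subject confirmation expired")

    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"ok": True, "reason": "", "name_id": name_id, "attributes": attrs}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req42", parse_ts("2025-01-01T12:01:00Z")))
    print(validate_response(SAMPLE_RESPONSE, "_req42", parse_ts("2025-01-01T12:06:00Z")))
```

The audience and InResponseTo checks are the ones beginners most often skip: without the audience check, an assertion Identity Center issued for Box would be accepted by Salesforce; without InResponseTo (for SP-initiated sign-in), a captured Response can be replayed within its validity window. For IdP-initiated sign-in from the access portal there is no AuthnRequest, so the SP must instead track assertion IDs it has already consumed.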

✅ Benefits:

  • Central login for AWS and 3rd-party apps.

  • No need to manage separate passwords.

  • Access control via permission sets & group memberships.

  • Audit and logging support through AWS CloudTrail.


📘 Common Questions

❓ Can IAM Identity Center manage access to M365 and Salesforce?

Yes! If they support SAML 2.0 (they do), you can integrate them easily.

❓ Do I need IAM roles for individual users?

No. With IAM Identity Center you create neither IAM users nor per-user roles. When a permission set is assigned to an account, Identity Center provisions one IAM role for that permission set in that account, and every user or group holding the assignment assumes that same role with temporary credentials.

❓ Can I use Azure AD or Okta instead of the built-in directory?

Yes. You can configure Microsoft Entra ID (formerly Azure AD), Okta, or another SAML 2.0 IdP as the identity source: users sign in through the external IdP over SAML, and their users and groups are synced into Identity Center through SCIM (or created manually if the IdP does not support SCIM).


Written by

Jay Tillu
Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!