Common scenarios - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Common scenarios

Note

We recommend that you require your human users to use temporary credentials when accessing Amazon. Have you considered using Amazon IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple Amazon Web Services accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the Amazon IAM Identity Center User Guide.

You can use an external identity provider (IdP) to manage user identities outside of Amazon. An external IdP can provide identity information to Amazon using either OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). OIDC is commonly used when an application that does not run on Amazon needs access to Amazon resources.

When you want to configure federation with an external IdP, you create an IAM identity provider to inform Amazon about the external IdP and its configuration. This establishes trust between your Amazon Web Services account and the external IdP. The following topics provide common scenarios to use IAM identity providers.
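As an added example (not part of this page or of Amazon's own documentation), the following Python builds the role trust policy that ties an IAM role to an IAM OIDC identity provider, and checks whether that trust is scoped to the token's audience and subject claims or would accept any token the IdP issues. The account ID, IdP host, partition prefix and claim values are constructed placeholders.

```python
import json

# Constructed placeholders: substitute your own account ID, IdP host and partition.
ACCOUNT_ID = "123456789012"
IDP_HOST = "idp.example.com"   # OIDC issuer host name, without the https:// scheme
PARTITION = "aws-cn"           # "aws" outside the China Regions
PROVIDER_ARN = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:oidc-provider/{IDP_HOST}"


def oidc_trust_policy(conditions=None):
    """Build a role trust policy that lets tokens from the IAM OIDC provider
    assume the role via sts:AssumeRoleWithWebIdentity. Without a Condition,
    every token the IdP issues satisfies the trust."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if conditions:
        statement["Condition"] = {"StringEquals": conditions}
    return {"Version": "2012-10-17", "Statement": [statement]}


def unconstrained_claims(policy, claims=("aud", "sub")):
    """Return, per web-identity statement, the token claims that no Condition
    key (<idp-host>:aud, <idp-host>:sub) constrains. An empty list means every
    such statement pins both audience and subject."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        keys = {key.lower() for op in stmt.get("Condition", {}).values() for key in op}
        missing = [c for c in claims if not any(k.endswith(":" + c) for k in keys)]
        if missing:
            findings.append(missing)
    return findings


# Weak: trusts any token from the IdP. Hardened: only tokens minted for this
# application (aud) and for one specific subject (sub). Values are constructed.
WEAK_POLICY = oidc_trust_policy()
HARDENED_POLICY = oidc_trust_policy({
    f"{IDP_HOST}:aud": "my-app-client-id",
    f"{IDP_HOST}:sub": "user-123",
})

if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    print("weak policy, unconstrained claims:", unconstrained_claims(WEAK_POLICY))
```

The same check can be run over trust policies fetched from your own account to find roles whose federated trust is not pinned to an audience and subject.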