Account instances of IAM Identity Center
With an account instance of IAM Identity Center, you can deploy supported Amazon managed applications and OIDC-based customer managed applications. Account instances support isolated deployments of applications in a single Amazon Web Services account, leveraging IAM Identity Center workforce identity and access portal features.
Account instances are bound to a single Amazon Web Services account and are used only to manage user and group access for supported applications in the same account and Amazon Web Services Region. You are limited to one account instance per Amazon Web Services account. You can create an account instance from either of the following:
-
A member account in Amazon Organizations.
A standalone Amazon Web Services account that is not managed by Amazon Organizations.
Availability constraints for member accounts
You can deploy an account instance in a member account of an organization if the following are true:
You didn’t have an instance of IAM Identity Center deployed to your organization before November 15, 2023.
You have an instance of IAM Identity Center already deployed to your organization before November 15, 2023, and your administrator has enabled member accounts to create account instances of IAM Identity Center.
Your administrator hasn’t created a Service Control Policy that prevents member accounts from creating account instances.
You don't already have an instance of IAM Identity Center in this same account regardless of Amazon Web Services Region.
You are working in an Amazon Web Services Region where IAM Identity Center isn’t available. For information about Regions, see Amazon IAM Identity Center Region availability.
Topics
When to use account instances
In most cases, an organization instance is recommended. Account instances should be used only if one of the following scenarios applies:
You want to run a temporary trial of a supported Amazon managed application to determine if the application suits your business needs.
You don’t have plans to adopt IAM Identity Center across your organization, but you want to support one or more Amazon managed applications.
You have an organization instance of IAM Identity Center, but you want to deploy a supported Amazon managed application to an isolated set of users that are distinct from users in your organization instance.
Important
If you plan to use IAM Identity Center to support applications in multiple accounts, create an organization instance and don't use account instances.
Account instance considerations
An account instance is designed for specialized use cases, offering a subset of features available to an organization instance. Consider the following before creating an account instance:
Account instances don't support permission sets and therefore don't support access to Amazon Web Services accounts.
You can’t convert an account instance into an organization instance.
You can’t merge an account instance into an organization instance.
Only select Amazon managed applications support account instances.
Use account instances for isolated users that will use applications in a single account only and for the lifetime of the applications used.
Applications that are attached to an account instance must remain attached to the account instance until you delete the application and its resources.
An account instance must remain in the Amazon Web Services account where it's created.
Amazon managed applications that support account instances
See Amazon managed applications to learn which Amazon managed applications support account instances of IAM Identity Center. Verify the availability of account instance creation with your Amazon managed application.