Enable IAM Identity Center - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable IAM Identity Center

When you enable IAM Identity Center you choose an Amazon IAM Identity Center instance type to enable. An instance of a service is a single deployment of a service within your Amazon environment. There are two types of instances available for IAM Identity Center: organization instances and account instances. The instance types available for you to enable depend upon the account type you are signed into.

The following list identifies the type of IAM Identity Center instances you can enable for each type of Amazon Web Services account:

  • Your Amazon Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.

  • Your Amazon Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member level instance can exist in an organization.

  • A standalone Amazon Web Services account – Use to create an organization instance or account instance of IAM Identity Center. The standalone Amazon Web Services account isn't managed by Amazon Organizations. Only one instance of IAM Identity Center can be associated with a standalone Amazon Web Services account, and you can use that instance for application assignments within that standalone Amazon Web Services account.

Important

The organization management account can control whether organization member accounts can create account instances of IAM Identity Center by using a Service Control Policy.

For a comparison of the different capabilities provided by the different instance types, see Organization and account instances of IAM Identity Center.

Before enabling IAM Identity Center, we recommend that you review IAM Identity Center prerequisites and considerations.

To enable an instance of IAM Identity Center

Choose the tab for the type of IAM Identity Center instance you want to enable, either an organization or account instance:

Organization (recommended)
  1. Do one of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon with a standalone Amazon Web Services account (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

    • Already using Amazon Organizations (IAM credentials) – Sign in using your management account credentials.

  2. Open the IAM Identity Center console.

  3. Under Enable IAM Identity Center, choose Enable.

  4. On the Enable IAM Identity Center with Amazon Organizations page, review the information and then select Enable to complete the process.

    Note

    Amazon Organizations can have IAM Identity Center enabled only in a single Amazon Region. After enabling IAM Identity Center, if you need to change the Region that IAM Identity Center is enabled in, you must delete the current instance and create an instance in the other Region.

After enabling your organization instance, we recommend that you do the following steps to finish setting up your environment:

Account
  1. Do one of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

    • Already using Amazon Organizations (IAM credentials) – Sign in using your member account administrative credentials.

  2. Open the IAM Identity Center console.

  3. If you are new to Amazon or have a standalone Amazon Web Services account, under Enable IAM Identity Center, choose Enable.

    The Enable IAM Identity Center with Amazon Organizations page appears. Enabling an organization instance is the recommended option, but it is not required.

    To continue with an account instance instead, select the link enable an account instance of IAM Identity Center.

  4. If you are an administrator of an Amazon Organizations member account, under Enable an account instance of IAM Identity Center, select Enable an account instance.

  5. On the Enable an account instance of IAM Identity Center page, review the information and optionally add tags that you want to associate with this account instance. Then select Enable to complete the process.

    Note

    If your Amazon account is a member of an organization, there might be restrictions on your ability to enable an account instance of IAM Identity Center.

    • If your organization enabled IAM Identity Center before November 15, 2023, the ability for member accounts to create account instances is disabled by default and must be enabled by the management account of the organization.

    • If your organization enabled IAM Identity Center after November 15, 2023, the ability for member accounts to create account instances is enabled by default. However, service control policies can be used to prevent the creation of account instances of IAM Identity Center within an organization.

    For more information, see Permit account instance creation in member accounts and Use Service Control Policies to control account instance creation.
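As an added example (not part of the Amazon documentation), the following service control policy, attached to the organization root or an OU by the management account, denies creation of IAM Identity Center account instances in every member account except one approved account. The account ID 111122223333 is a placeholder; the management account is never subject to SCPs, so its organization instance is unaffected.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountInstanceCreationOutsideAllowList",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
```

Remove the Condition block to block account instance creation in all member accounts; after attaching the policy, a blocked member account receives an explicit deny on the Enable an account instance action in the console.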