Enabling Amazon IAM Identity Center - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling Amazon IAM Identity Center

Complete the following steps to sign in to the Amazon Web Services Management Console and enable an organization instance of IAM Identity Center. An organization instance is created from the management account of your organization in Amazon Organizations; if the account you sign in to does not yet belong to an organization, enabling IAM Identity Center with Organizations creates one with that account as the management account.

  1. Do either of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. Open the IAM Identity Center console.

  3. Under Enable IAM Identity Center, choose Enable with Amazon Organizations.

  4. (Optional) Add tags that you want to associate with this organization instance.

  5. (Optional) Configure delegated administration.

    Note

    If you are using a multi-account environment, we recommend that you configure delegated administration. With delegated administration, you can limit the number of people who require access to the management account in Amazon Organizations. For more information, see Delegated administration.

Important

The ability to create account instances of IAM Identity Center is enabled by default. Account instances of IAM Identity Center include a subset of the features available to an organization instance. You can control whether member accounts can create account instances by using a service control policy (SCP) in Amazon Organizations. Keep in mind that SCPs do not apply to the management account itself.
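To make the Important note concrete, the following is an added example (not part of this page or of Amazon's own documentation): a deny SCP for account instances together with a coarse evaluator that shows where such an SCP does and does not take effect. It assumes that the IAM action for creating an account instance is sso:CreateInstance (the CreateInstance API of the sso-admin service) and that the default FullAWSAccess SCP is still attached; the function names are illustrative.

```python
"""Added example: a deny SCP for IAM Identity Center account instances,
plus a coarse evaluator that shows where it applies.

Assumptions (not from the page): the IAM action for creating an account
instance is sso:CreateInstance (the sso-admin CreateInstance API), and the
organization still has the default FullAWSAccess SCP attached.
"""
import fnmatch
import json

# Default SCP that Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCP that blocks creation of account instances in the
# roots, OUs or accounts it is attached to.
DENY_ACCOUNT_INSTANCE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIdentityCenterAccountInstances",
            "Effect": "Deny",
            "Action": "sso:CreateInstance",
            "Resource": "*",
        }
    ],
}


def scp_document() -> str:
    """Policy text to pass to `aws organizations create-policy --content`."""
    return json.dumps(DENY_ACCOUNT_INSTANCE_SCP, indent=2)


def _action_matches(action: str, pattern: str) -> bool:
    """IAM action matching: case-insensitive, with `*` and `?` wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_allows(action: str, scps: list, *, is_management_account: bool = False) -> bool:
    """Coarse SCP evaluation of one action against the attached SCPs.

    Rules modelled:
    * SCPs never constrain the management account, so this deny does not
      stop account instances being created there; only the IAM policies
      in that account do.
    * Otherwise an explicit Deny in any attached SCP wins, and the action
      also needs an Allow (normally from FullAWSAccess) to pass.
    Not modelled: Condition, NotAction, Resource, and the per-level
    intersection of SCPs across the OU hierarchy.
    """
    if is_management_account:
        return True
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(_action_matches(action, p) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    print(scp_document())
    attached = [FULL_AWS_ACCESS, DENY_ACCOUNT_INSTANCE_SCP]
    for label, mgmt in (("member account", False), ("management account", True)):
        verdict = scp_allows("sso:CreateInstance", attached, is_management_account=mgmt)
        print(f"{label}: sso:CreateInstance -> {'allowed' if verdict else 'denied'}")
```

Attach the policy to the root or to the OUs where account instances should not appear; the evaluator's management-account branch is the reason this control cannot replace tight IAM permissions on the management account.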

Do you need to update firewalls and gateways?

If you filter access to specific Amazon domains or URL endpoints with a web content filtering solution such as a next-generation firewall (NGFW) or a secure web gateway (SWG), add the following domains or URL endpoints to the solution's allowlist so that you can reach your Amazon Web Services access portal. In the list, [Directory ID or alias] is the directory ID of your IAM Identity Center directory (or the alias you assigned to the access portal URL), and [Region] is the Region in which you enabled IAM Identity Center.

  • [Directory ID or alias].awsapps.com

  • *.aws.dev

  • *.awsstatic.com

  • *.console.aws.a2z.com

  • oidc.[Region].amazonaws.com

  • *.sso.amazonaws.com

  • *.sso.[Region].amazonaws.com

  • *.sso-portal.[Region].amazonaws.com

  • [Region].signin.aws

  • [Region].signin.aws.amazon.com

  • signin.aws.amazon.com

  • *.cloudfront.net

  • opfcaptcha-prod.s3.amazonaws.com
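The following is an added example, not code from this page or from Amazon: it expands the placeholders in the list above into concrete allowlist rules and tests hostnames against them with explicit wildcard semantics, so you can check a proposed filter rule set before deploying it. The directory ID d-9876543210 and the Region cn-north-1 are constructed sample values, and the function names are illustrative.

```python
"""Added example: expand the access-portal allowlist and test hostnames
against it the way a web filter's wildcard rules would."""
from typing import Sequence

# Placeholder-bearing entries exactly as listed on the page.
PORTAL_ALLOWLIST_TEMPLATE = [
    "[Directory ID or alias].awsapps.com",
    "*.aws.dev",
    "*.awsstatic.com",
    "*.console.aws.a2z.com",
    "oidc.[Region].amazonaws.com",
    "*.sso.amazonaws.com",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
    "[Region].signin.aws",
    "[Region].signin.aws.amazon.com",
    "signin.aws.amazon.com",
    "*.cloudfront.net",
    "opfcaptcha-prod.s3.amazonaws.com",
]


def expand_allowlist(directory_id_or_alias: str, regions: Sequence[str]) -> list[str]:
    """Substitute the placeholders; Region-bearing entries get one rule per Region."""
    rules = []
    for entry in PORTAL_ALLOWLIST_TEMPLATE:
        entry = entry.replace("[Directory ID or alias]", directory_id_or_alias)
        if "[Region]" in entry:
            rules.extend(entry.replace("[Region]", r) for r in regions)
        else:
            rules.append(entry)
    return rules


def host_matches(host: str, pattern: str) -> bool:
    """Match one hostname against one allowlist rule.

    Semantics used here (constructed; confirm against your vendor):
    * `*.example.com` matches at least one extra label (a.example.com,
      a.b.example.com) but not the bare apex example.com.
    * Other rules must match the whole hostname.
    Matching is case-insensitive and ignores a trailing dot.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": the leading dot blocks evilexample.com
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(host: str, allowlist: Sequence[str]) -> bool:
    """True if any rule in the allowlist admits the hostname."""
    return any(host_matches(host, rule) for rule in allowlist)


def still_blocked(hosts: Sequence[str], allowlist: Sequence[str]) -> list[str]:
    """Hostnames that a filter built from `allowlist` would still block."""
    return [h for h in hosts if not is_allowed(h, allowlist)]


if __name__ == "__main__":
    rules = expand_allowlist("d-9876543210", ["cn-north-1"])  # constructed values
    for rule in rules:
        print("allow", rule)
    probes = [
        "d-9876543210.awsapps.com",         # your portal: allowed
        "evil.awsapps.com",                 # other tenants' portals: not allowed
        "portal.sso.cn-north-1.amazonaws.com",
        "oidc.cn-northwest-1.amazonaws.com",  # Region not enabled: blocked
    ]
    print("still blocked:", still_blocked(probes, rules))
```

Two things the expansion makes visible: the directory-specific awsapps.com entry is what keeps you from allowlisting every tenant's access portal, and `*.cloudfront.net` admits every CloudFront distribution, including ones not operated by Amazon, so it should be scoped further if your filter supports URL-level rules. Whether a `*.` rule also matches the apex domain differs between products; the function above treats it as not matching, so verify your own filter's behaviour.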

Considerations for allowlisting domains and URL endpoints

Understand the impact of allowlisting domains beyond those needed for the Amazon Web Services access portal.

  • To access Amazon Web Services accounts, the Amazon Web Services Management Console, and the IAM Identity Center console from your Amazon Web Services access portal, you must allowlist additional domains. Refer to Troubleshooting in the Amazon Web Services Management Console Getting Started Guide for a list of Amazon Web Services Management Console domains.

  • To access Amazon managed applications from your Amazon Web Services access portal, you must allowlist their respective domains. Refer to the respective service documentation for guidance.

  • These allowlists cover only Amazon services. If you use an external identity provider (IdP) such as Okta or Microsoft Entra ID, you must also include its domains in your allowlists.

You are now ready to configure IAM Identity Center. When you enable IAM Identity Center, it is automatically configured with the Identity Center directory as the default identity source, which is the fastest way to get started. For instructions, see Configure user access with the default IAM Identity Center directory.

If you want to learn more about how IAM Identity Center works with Organizations, identity sources, and IAM roles, see the following topics.