IAM Identity Center and Amazon Organizations - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Identity Center and Amazon Organizations

Amazon Organizations is recommended, but not required, for use with IAM Identity Center. If you haven't set up an organization, you don't have to. When you enable IAM Identity Center, you choose whether to enable the service with Amazon Organizations. When you set up an organization, the Amazon Web Services account that sets up the organization becomes the management account of the organization, and the root user of that account is the owner of the management account. Any additional Amazon Web Services accounts you invite to your organization are member accounts. The management account creates the organization's resources, organizational units, and policies that manage the member accounts. Permissions are delegated to member accounts by the management account.

Note

We recommend that you enable IAM Identity Center with Amazon Organizations, which creates an organization instance of IAM Identity Center. An organization instance is our recommended best practice because it supports all features of IAM Identity Center and provides central management capabilities. For more information, see Organization instances of IAM Identity Center.

If you've already set up Amazon Organizations and are going to add IAM Identity Center to your organization, make sure that all Amazon Organizations features are enabled. When you create an organization, enabling all features is the default. For more information, see Enabling all features in your organization in the Amazon Organizations User Guide.

To enable an organization instance of IAM Identity Center, you must sign in to the Amazon Web Services Management Console using your Amazon Organizations management account, either as a user that has administrative credentials or as the root user (not recommended unless no other administrative users exist). For more information, see Creating and managing an Amazon Organization in the Amazon Organizations User Guide.

When signed in with administrative credentials from an Amazon Organizations member account, you can enable only an account instance of IAM Identity Center. Account instances have limited capabilities and are bound to a single Amazon Web Services account.
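The prerequisites described above (all Organizations features enabled, signed in to the management account rather than a member account, and not as the root user) can be verified before you enable the instance. This is an added example and not code from the Amazon documentation; the live check assumes boto3 is installed with credentials configured, and the sample API responses embedded below are constructed, not real account IDs.

```python
def check_org_instance_prereqs(org_response, caller_identity):
    """Return a list of problems that would prevent enabling an organization instance.

    org_response:    dict shaped like the organizations:DescribeOrganization response
    caller_identity: dict shaped like the sts:GetCallerIdentity response
    """
    problems = []
    org = org_response.get("Organization") or {}

    # All Organizations features are required, not consolidated billing only.
    if org.get("FeatureSet") != "ALL":
        problems.append(f"Organization feature set is {org.get('FeatureSet')!r}; "
                        "enable all features before adding IAM Identity Center")

    # An organization instance can only be enabled from the management account;
    # from a member account you would get an account instance instead.
    if caller_identity.get("Account") != org.get("MasterAccountId"):
        problems.append(f"Signed in to account {caller_identity.get('Account')}, but the "
                        f"management account is {org.get('MasterAccountId')}")

    # Root credentials are discouraged; the ARN of the root user ends with ':root'.
    if caller_identity.get("Arn", "").endswith(":root"):
        problems.append("Signed in as the root user; use an administrative user or role")

    return problems


def run_preflight():
    """Query the live APIs and return the problem list (empty means ready)."""
    import boto3  # imported here so the module loads without boto3 installed

    org = boto3.client("organizations").describe_organization()
    ident = boto3.client("sts").get_caller_identity()
    return check_org_instance_prereqs(org, ident)


# Constructed sample responses (placeholder account IDs) for an offline dry run.
SAMPLE_ORG = {"Organization": {"FeatureSet": "ALL", "MasterAccountId": "111111111111"}}
SAMPLE_MGMT_ADMIN = {"Account": "111111111111",
                     "Arn": "arn:aws-cn:iam::111111111111:user/admin"}
SAMPLE_MEMBER_ADMIN = {"Account": "222222222222",
                       "Arn": "arn:aws-cn:iam::222222222222:user/admin"}

if __name__ == "__main__":
    print(check_org_instance_prereqs(SAMPLE_ORG, SAMPLE_MGMT_ADMIN))  # []
    print(check_org_instance_prereqs(SAMPLE_ORG, SAMPLE_MEMBER_ADMIN))
```

Run `run_preflight()` from a configured session to check a real organization; the functions only read, so they are safe to run repeatedly.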