Organization and account instances of IAM Identity Center - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Organization and account instances of IAM Identity Center

An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: organization instances and account instances.

  • Organization instance

    An instance of IAM Identity Center that you enable in the Amazon Organizations management account. Organization instances support all features of IAM Identity Center. We recommend that you deploy an organization instance rather than account instances to minimize the number of management points.

  • Account instance

    An instance of IAM Identity Center that is bound to a single Amazon Web Services account, and that is visible only within the Amazon Web Services account and Amazon Region in which it is enabled. You can enable an account instance from either of the following:

    • An Amazon Web Services account that is not managed by Amazon Organizations

    • A member account in Amazon Organizations

Use the following table to compare the capabilities provided by the instance type:

Amazon Web Services account types that can enable IAM Identity Center

To enable IAM Identity Center, sign in to the Amazon Web Services Management Console by using one of the following credentials, depending on the instance type you want to create:

  • Your Amazon Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.

  • Your Amazon Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member level instance can exist in an organization.

  • A standalone Amazon Web Services account – Use to create an organization instance or account instance of IAM Identity Center. The standalone Amazon Web Services account isn't managed by Amazon Organizations. Only one instance of IAM Identity Center be associated with a standalone Amazon Web Services account and you can use the instance for application assignments within that standalone Amazon Web Services account.

Capability Instance in the Amazon Organizations management account (recommended) Instance in a member account Instance in a standalone Amazon Web Services account
Manage users Yes Yes Yes
Amazon Web Services access portal for single-sign on access to your Amazon managed applications Yes Yes Yes
OAuth 2.0 (OIDC) customer managed applications Yes Yes Yes
Multi-account permissions Yes No No
Amazon Web Services access portal for single-sign on access to your Amazon Web Services accounts Yes No No
SAML 2.0 customer managed applications Yes No No
Delegated administrator can manage instance Yes No No

For more information about Amazon managed applications and IAM Identity Center, see Amazon managed applications that you can use with IAM Identity Center.

Topics