Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage organization and account instances of IAM Identity Center

An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: organization instances and account instances.

Amazon Web Services account types that can enable IAM Identity Center

To enable IAM Identity Center, sign in to the Amazon Web Services Management Console by using one of the following credentials, depending on the instance type you want to create:

  • Your Amazon Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.

  • Your Amazon Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member-level instance can exist in an organization.

  • A standalone Amazon Web Services account – Use to create an organization instance or account instance of IAM Identity Center. A standalone Amazon Web Services account isn't managed by Amazon Organizations. Only one instance of IAM Identity Center can be associated with a standalone Amazon Web Services account, and you can use that instance for application assignments within that standalone account.

| Capability | Instance in the Amazon Organizations management account (recommended) | Instance in a member account | Instance in a standalone Amazon Web Services account |
|---|---|---|---|
| Manage users | Yes | Yes | Yes |
| Amazon Web Services access portal for single sign-on access to your Amazon managed applications | Yes | Yes | Yes |
| OAuth 2.0 (OIDC) customer managed applications | Yes | Yes | Yes |
| Multi-account permissions | Yes | No | No |
| Amazon Web Services access portal for single sign-on access to your Amazon Web Services accounts | Yes | No | No |
| SAML 2.0 customer managed applications | Yes | No | No |
| Delegated administrator can manage instance | Yes | No | No |
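The account-type list and the capability table above describe the instance types in prose. The following is an added example (not AWS documentation code) that turns that description into an inventory check a security team can run: it classifies each instance returned by the real `sso-admin:ListInstances` API by comparing the instance's `OwnerAccountId` with the organization's `MasterAccountId` from `organizations:DescribeOrganization`, then flags instances that cannot carry multi-account permissions or delegated administration. The classification rule (owned by the management account means organization instance; owned by any other account in an organization means account instance; no organization at all means standalone) is this example's own assumption drawn from the descriptions above, and all sample responses are constructed so the code runs offline.

```python
"""Inventory IAM Identity Center instances and classify them by type.

Added example, not AWS documentation code. The response shapes follow the real
`sso-admin` ListInstances and `organizations` DescribeOrganization APIs, but the
SAMPLE_* data below is constructed and the classification rule is an assumption.
"""
from typing import Optional

ORGANIZATION = "organization"   # instance owned by the Organizations management account
ACCOUNT = "account"             # instance owned by a member account
STANDALONE = "standalone"       # instance in an account not managed by Organizations

# Constructed sample data (not real identifiers).
SAMPLE_MANAGEMENT_ACCOUNT_ID = "111111111111"
SAMPLE_INSTANCES = [
    {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0000000000000001",
        "IdentityStoreId": "d-0000000001",
        "OwnerAccountId": "111111111111",
        "Status": "ACTIVE",
    },
    {
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0000000000000002",
        "IdentityStoreId": "d-0000000002",
        "OwnerAccountId": "222222222222",
        "Status": "ACTIVE",
    },
]


def classify_instance(instance: dict, management_account_id: Optional[str]) -> str:
    """Assumption: type is determined by which account owns the instance."""
    if management_account_id is None:
        return STANDALONE
    if instance["OwnerAccountId"] == management_account_id:
        return ORGANIZATION
    return ACCOUNT


def supports_multi_account_permissions(kind: str) -> bool:
    """Per the capability table, only the organization instance supports
    multi-account permissions, SAML 2.0 applications and delegated admin."""
    return kind == ORGANIZATION


def inventory(instances: list[dict], management_account_id: Optional[str]) -> dict:
    """Group instance ARNs by type so reviewers can see where identity lives."""
    result: dict = {ORGANIZATION: [], ACCOUNT: [], STANDALONE: []}
    for inst in instances:
        result[classify_instance(inst, management_account_id)].append(inst["InstanceArn"])
    return result


def findings(instances: list[dict], management_account_id: Optional[str]) -> list[str]:
    """Flag instances whose type limits central governance (account-level
    instances cannot be managed by a delegated administrator)."""
    notes = []
    for inst in instances:
        kind = classify_instance(inst, management_account_id)
        if not supports_multi_account_permissions(kind):
            notes.append(
                f"{inst['InstanceArn']} is an {kind} instance owned by "
                f"{inst['OwnerAccountId']}: application assignments only, "
                "no multi-account permissions or delegated administration"
            )
    return notes


def fetch_live() -> tuple[list[dict], Optional[str]]:
    """Optional: pull real data with boto3 (needs credentials; not used offline)."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    sso = boto3.client("sso-admin")
    instances = sso.list_instances().get("Instances", [])
    orgs = boto3.client("organizations")
    try:
        mgmt = orgs.describe_organization()["Organization"]["MasterAccountId"]
    except orgs.exceptions.AWSOrganizationsNotInUseException:
        mgmt = None  # standalone account
    return instances, mgmt


if __name__ == "__main__":
    inv = inventory(SAMPLE_INSTANCES, SAMPLE_MANAGEMENT_ACCOUNT_ID)
    for kind, arns in inv.items():
        print(f"{kind}: {arns}")
    for note in findings(SAMPLE_INSTANCES, SAMPLE_MANAGEMENT_ACCOUNT_ID):
        print("finding:", note)
```

Run as-is to see the constructed inventory; replace the sample data with the tuple returned by `fetch_live()` to inventory a real account. Because `ListInstances` only returns instances visible from the calling account, a full picture of account instances across an organization requires running the check from each member account.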