Manage organization and account instances of IAM Identity Center
An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: organization instances and account instances.
Amazon Web Services account types that can enable IAM Identity Center
To enable IAM Identity Center, sign in to the Amazon Web Services Management Console by using one of the following credentials, depending on the instance type you want to create:
Your Amazon Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
Your Amazon Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member level instance can exist in an organization.
A standalone Amazon Web Services account – Use to create an organization instance or account instance of IAM Identity Center. The standalone Amazon Web Services account isn't managed by Amazon Organizations. Only one instance of IAM Identity Center can be associated with a standalone Amazon Web Services account and you can use the instance for application assignments within that standalone Amazon Web Services account.
| Capability | Instance in the Amazon Organizations management account (recommended) | Instance in a member account | Instance in a standalone Amazon Web Services account |
|---|---|---|---|
| Manage users |
|
|
|
| Amazon Web Services access portal for single-sign on access to your Amazon managed applications |
|
|
|
| OAuth 2.0 (OIDC) customer managed applications |
|
|
|
| Multi-account permissions |
|
|
|
| Amazon Web Services access portal for single-sign on access to your Amazon Web Services accounts |
|
|
|
| SAML 2.0 customer managed applications |
|
|
|
| Delegated administrator can manage instance |
|
|
|