Manage access to Amazon Web Services accounts - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage access to Amazon Web Services accounts

Amazon IAM Identity Center is integrated with Amazon Organizations, which enables you to centrally manage permissions across multiple Amazon Web Services accounts without configuring each of your accounts manually. You can define permissions and assign these permissions to workforce users to control their access to specific Amazon Web Services accounts.

Amazon Web Services account types

There are two types of Amazon Web Services accounts in Amazon Organizations:

  • Management account - The Amazon Web Services account that is used to create the organization.

  • Member accounts - The rest of the Amazon Web Services accounts that belong to an organization.

For more information about Amazon Web Services account types, see Amazon Organizations Terminology and Concepts in the Amazon Organizations User Guide.

You can also choose to register a member account as a delegated administrator for IAM Identity Center. Users in this account can perform most IAM Identity Center administrative tasks. For more information, see Delegated administration.

For each task and account type, the following table indicates whether the IAM Identity Center administrative task can be performed by users in the account.

| IAM Identity Center administrative task | Member account | Delegated administrator account | Management account |
|---|---|---|---|
| Read users or groups (reading the group itself and the group's membership) | Yes | Yes | Yes |
| Add, edit, or delete users or groups | No | Yes | Yes |
| Enable or disable user access | No | Yes | Yes |
| Enable, disable, or manage incoming attributes | No | Yes | Yes |
| Change or manage identity sources | No | Yes | Yes |
| Create, edit, or delete applications | No | Yes | Yes |
| Configure MFA | No | Yes | Yes |
| Manage permission sets not provisioned in the management account | No | Yes | Yes |
| Manage permission sets provisioned in the management account | No | No | Yes |
| Enable IAM Identity Center | No | No | Yes |
| Delete IAM Identity Center configuration | No | No | Yes |
| Enable or disable user access in the management account | No | No | Yes |
| Register or deregister a member account as a delegated administrator | No | No | Yes |

Assigning Amazon Web Services account access

You can use permission sets to simplify how you assign users and groups in your organization access to Amazon Web Services accounts. Permission sets are stored in IAM Identity Center and define the level of access that users and groups have to an Amazon Web Services account. You can create a single permission set and assign it to multiple Amazon Web Services accounts within your organization. You can also assign multiple permission sets to the same user.

For more information about permission sets, see Create, manage, and delete permission sets.

Note

You can also assign your users single sign-on access to applications. For information, see Manage access to applications.

End-user experience

The Amazon Web Services access portal provides IAM Identity Center users with single sign-on access to all their assigned Amazon Web Services accounts and applications through a web portal. The Amazon Web Services access portal is different from the Amazon Web Services Management Console, which is a collection of service consoles for managing Amazon resources.

When you create a permission set, the name that you specify for the permission set appears in the Amazon Web Services access portal as an available role. Users sign in to the Amazon Web Services access portal, choose an Amazon Web Services account, and then choose the role. After they choose the role, they can access Amazon services by using the Amazon Web Services Management Console or retrieve temporary credentials to access Amazon services programmatically.

To open the Amazon Web Services Management Console or retrieve temporary credentials to access Amazon programmatically, users complete the following steps:

  1. Users open a browser window and use the sign-in URL that you provide to navigate to the Amazon Web Services access portal.

  2. Using their directory credentials, they sign in to the Amazon Web Services access portal.

  3. After authentication, on the Amazon Web Services access portal page, they choose the Accounts tab to display the list of Amazon Web Services accounts to which they have access.

  4. Users then choose the Amazon Web Services account that they want to use.

  5. Below the name of the Amazon Web Services account, any permission sets to which users are assigned appear as available roles. For example, if you assigned user john_stiles to the PowerUser permission set, the role displays in the Amazon Web Services access portal as PowerUser/john_stiles. Users who are assigned multiple permission sets choose which role to use. Users can choose their role to access the Amazon Web Services Management Console.

  6. In addition to the role, Amazon Web Services access portal users can retrieve temporary credentials for command line or programmatic access by choosing Access keys.

For step-by-step guidance that you can provide to your workforce users, see Using the Amazon Web Services access portal and Getting IAM Identity Center user credentials for the Amazon CLI or Amazon SDKs.
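The programmatic half of the flow above (step 6, retrieving temporary credentials for the CLI or SDKs) is normally driven from the AWS CLI's own configuration. The following added example, which is not code from this documentation, writes the [sso-session] and [profile] stanzas that `aws configure sso` produces, one profile per account and permission set; `aws sso login --profile <name>` then obtains the same temporary credentials the access portal offers under Access keys. The access portal URL, the Region, the session name and the account IDs are assumptions; the permission set name check follows the CreatePermissionSet name constraint (1 to 32 characters from the set [A-Za-z0-9_+=,.@-]).

```python
"""Configure the AWS CLI for IAM Identity Center single sign-on.

Added example; it is not code from the IAM Identity Center documentation.
It writes the [sso-session] and [profile] stanzas that `aws configure sso`
produces, so `aws sso login --profile <name>` can fetch the temporary
credentials that the access portal's "Access keys" option also provides.
The portal URL, Region, session name and account IDs below are assumptions.
"""
import configparser
import re
from pathlib import Path

# Assumed values (hypothetical): take the real ones from your access portal.
SSO_START_URL = "https://d-0123456789.awsapps.cn/start"
SSO_REGION = "cn-north-1"          # Region where IAM Identity Center is enabled

# CreatePermissionSet name constraint: 1-32 chars from [A-Za-z0-9_+=,.@-]
PERMISSION_SET_NAME = re.compile(r"^[\w+=,.@-]{1,32}$", re.ASCII)
ACCOUNT_ID = re.compile(r"^\d{12}$")


def add_sso_profile(config_path, session_name, profile_name,
                    account_id, permission_set_name, region=SSO_REGION):
    """Add (or replace) a named profile bound to one account + permission set.

    Returns the profile stanza as a dict so callers can inspect it.
    """
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    if not PERMISSION_SET_NAME.match(permission_set_name):
        raise ValueError(f"invalid permission set name {permission_set_name!r}")

    cfg = configparser.ConfigParser()
    cfg.optionxform = str            # keep key case exactly as the CLI writes it
    path = Path(config_path)
    if path.exists():
        cfg.read(path)

    # One sso-session per identity store; every profile refers back to it.
    session = f"sso-session {session_name}"
    if not cfg.has_section(session):
        cfg[session] = {
            "sso_start_url": SSO_START_URL,
            "sso_region": SSO_REGION,
            "sso_registration_scopes": "sso:account:access",
        }

    # sso_role_name is the permission set name shown in the access portal.
    profile = f"profile {profile_name}"
    cfg[profile] = {
        "sso_session": session_name,
        "sso_account_id": account_id,
        "sso_role_name": permission_set_name,
        "region": region,
        "output": "json",
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    return dict(cfg[profile])


def load_profile(config_path, profile_name):
    """Read back one profile stanza (None if it is missing)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str
    cfg.read(config_path)
    section = f"profile {profile_name}"
    return dict(cfg[section]) if cfg.has_section(section) else None


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a dev profile for the PowerUser permission set.
    cfg_file = Path(tempfile.mkdtemp()) / "config"
    add_sso_profile(cfg_file, "corp", "dev-poweruser", "111122223333", "PowerUser")
    print(cfg_file.read_text())
    print("Next: aws sso login --profile dev-poweruser && "
          "aws sts get-caller-identity --profile dev-poweruser")
```

Point the script at the real `~/.aws/config` to use it. A single sso-session stanza is shared by every profile, so users who are assigned several permission sets or several accounts get one browser login and one profile per role, and `aws sts get-caller-identity --profile <name>` is the quickest way to confirm which account and permission set a profile resolves to.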

Enforcing and limiting access

Two mechanisms control access at the account level. When you enable IAM Identity Center, it creates a service-linked role that delegates and enforces single sign-on access to accounts. Separately, you can use service control policies (SCPs) to limit what principals in member accounts are allowed to do.

Delegating and enforcing access

A service-linked role is a type of IAM role that is linked directly to an Amazon service. After you enable IAM Identity Center, IAM Identity Center can create a service-linked role in each Amazon Web Services account in your organization. This role provides predefined permissions that allow IAM Identity Center to delegate and enforce which users have single sign-on access to specific Amazon Web Services accounts in your organization in Amazon Organizations. The role is put to use in an account only after you assign one or more users or groups access to that account. For more information, see Service-linked roles and Using service-linked roles for IAM Identity Center.

Limiting access to the identity store from member accounts

For the identity store service used by IAM Identity Center, users who have access to a member account can use API actions that require Read permissions. Member accounts have access to Read actions on both the sso-directory and identitystore namespaces. For more information, see Actions, resources, and condition keys for Amazon IAM Identity Center directory and Actions, resources, and condition keys for Amazon Identity Store in the Service Authorization Reference.

To prevent users in member accounts from using API operations in the identity store, you can attach a service control policy (SCP). An SCP is a type of organization policy that you can use to manage permissions in your organization. The following example SCP prevents users in member accounts from accessing any API operation in the identity store.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExplicitlyBlockIdentityStoreAccess",
      "Effect": "Deny",
      "Action": ["identitystore:*", "sso-directory:*"],
      "Resource": "*"
    }
  ]
}

Note

Limiting member accounts' access might impair functionality in IAM Identity Center enabled applications.

For more information, see Service control policies (SCPs) in the Amazon Organizations User Guide.
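To see exactly which calls the SCP above blocks, and where it applies, the following added example (not code from this documentation) implements the part of IAM policy evaluation that an SCP Deny needs: action wildcards ('*' matches any run of characters, '?' one character), case-insensitive action names, and the Organizations rule that an SCP never restricts the management account, only member accounts. The account IDs and the sample requests are constructed.

```python
"""Check which API actions the identity-store SCP denies, and where it applies.

Added example, not part of the documentation. It implements the subset of
IAM policy evaluation an SCP Deny needs: action wildcards ('*' and '?') and
case-insensitive action names, plus the organization-level rule that SCPs
never restrict the management account. Account IDs and the sample calls are
constructed.
"""
import re

# The SCP from this page, as a complete policy document.
IDENTITY_STORE_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitlyBlockIdentityStoreAccess",
            "Effect": "Deny",
            "Action": ["identitystore:*", "sso-directory:*"],
            "Resource": "*",
        }
    ],
}

# Constructed IDs: the organization's management account and one member.
MANAGEMENT_ACCOUNT = "111122223333"
MEMBER_ACCOUNT = "444455556666"


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def scp_denies(policy, action):
    """True if any Deny statement in the SCP covers the action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            return True
    return False


def scp_permits(policy, account_id, action, management_account=MANAGEMENT_ACCOUNT):
    """Apply the SCP the way Organizations does: the management account is
    exempt; a member account is bounded by it (IAM policies decide the rest)."""
    if account_id == management_account:
        return True
    return not scp_denies(policy, action)


def evaluate(policy, requests):
    """requests: iterable of (account_id, action) -> {(account_id, action): permitted}."""
    return {(acct, action): scp_permits(policy, acct, action)
            for acct, action in requests}


if __name__ == "__main__":
    sample = [
        (MEMBER_ACCOUNT, "identitystore:ListUsers"),
        (MEMBER_ACCOUNT, "sso-directory:DescribeUsers"),
        (MEMBER_ACCOUNT, "sso:ListInstances"),
        (MANAGEMENT_ACCOUNT, "identitystore:ListUsers"),
    ]
    for (acct, action), ok in evaluate(IDENTITY_STORE_DENY_SCP, sample).items():
        print(f"{acct} {action:32} {'permitted' if ok else 'denied by SCP'}")
```

Two practical consequences are visible in the output. The Deny covers every identity-store and sso-directory action, including the Read actions that the table earlier on this page says member accounts can otherwise use, and it applies to every IAM principal in a member account, including roles that IAM Identity Center provisions there, which is why limiting member-account access can impair IAM Identity Center enabled applications. An SCP only filters; it never grants, so a principal whose IAM policies do not allow identitystore actions in the first place is unaffected either way.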