Organization instances of IAM Identity Center - Amazon IAM Identity Center

Organization instances of IAM Identity Center

When you enable IAM Identity Center in conjunction with Amazon Organizations, you're creating an organization instance of IAM Identity Center. Your organization instance must be enabled in your management account, and you can centrally manage the access of users and groups with a single organization instance. You can have only one organization instance for each management account in Amazon Organizations.

If you enabled IAM Identity Center prior to November 15, 2023, you have an organization instance of IAM Identity Center.

When to use an organization instance

An organization instance is the primary method of enabling IAM Identity Center and in most cases, an organization instance is recommended. Organization instances offer the following benefits:

  • Support for all features of IAM Identity Center – Including managing permissions for multiple Amazon Web Services accounts in your organization and assigning access to customer managed applications.

  • Reduce the number of management points – An organization instance has a single management point, the management account. We recommend that you enable an organization instance, rather than an account instance, to reduce the number of management points.

  • Control creation of account instances – You can control whether account instances can be created by member accounts in your organization, as long as you haven't deployed an instance of IAM Identity Center to your organization in an opt-in Region (an Amazon Web Services Region that is disabled by default).
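The following Python is an added example, not code from the AWS documentation: it classifies the instances returned by the IAM Identity Center ListInstances API as the organization instance (owned by the Organizations management account) or account instances (owned by any other account), and checks the "exactly one organization instance per management account" rule described above. It assumes the live wrapper runs with credentials in the management account; the account IDs and instance ARNs in the sample data are constructed.

```python
"""Organization vs account instance check for IAM Identity Center.

Assumptions (not taken from the AWS page): the organization instance is the
ListInstances entry whose OwnerAccountId equals the DescribeOrganization
MasterAccountId; every other owner is treated as an account instance.
"""
from dataclasses import dataclass

# Constructed sample data: one organization instance and one account instance
# created by a member account. IDs and ARNs are placeholders, not real values.
MGMT_ACCOUNT_ID = "111111111111"
SAMPLE_INSTANCES = [
    {"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLEORG0000001",
     "OwnerAccountId": "111111111111", "Status": "ACTIVE"},
    {"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLEACCT000002",
     "OwnerAccountId": "222222222222", "Status": "ACTIVE"},
]


@dataclass
class InstanceReport:
    instance_arn: str
    owner_account_id: str
    kind: str  # "organization" or "account"


def classify_instances(management_account_id, instances):
    """Label each ListInstances entry by comparing its owner to the management account."""
    return [
        InstanceReport(
            inst["InstanceArn"], inst["OwnerAccountId"],
            "organization" if inst["OwnerAccountId"] == management_account_id else "account",
        )
        for inst in instances
    ]


def check_single_org_instance(reports):
    """Return (ok, message): exactly one organization instance is the expected state."""
    org = [r for r in reports if r.kind == "organization"]
    if not org:
        return False, "no organization instance: enable IAM Identity Center in the management account"
    if len(org) > 1:
        return False, f"{len(org)} organization instances found; only one is expected"
    accounts = [r.owner_account_id for r in reports if r.kind == "account"]
    return True, f"organization instance {org[0].instance_arn}; account instances owned by {accounts}"


def fetch_and_classify(session=None):
    """Live wrapper (management-account credentials); boto3 is imported lazily
    so the pure functions above also run without it installed."""
    import boto3
    session = session or boto3.Session()
    mgmt = session.client("organizations").describe_organization()["Organization"]["MasterAccountId"]
    sso, instances, token = session.client("sso-admin"), [], None
    while True:  # manual NextToken loop over ListInstances
        page = sso.list_instances(NextToken=token) if token else sso.list_instances()
        instances.extend(page.get("Instances", []))
        token = page.get("NextToken")
        if not token:
            return classify_instances(mgmt, instances)
```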