Prerequisites and considerations - Amazon IAM Identity Center

Prerequisites and considerations

Before you set up trusted identity propagation, review the following prerequisites and considerations.

Prerequisites

To use trusted identity propagation, ensure that your environment meets the following prerequisites.

  • IAM Identity Center deployment with users and groups provisioned

    To use trusted identity propagation, you must enable IAM Identity Center and provision users and groups. For information, see Get started with common tasks in IAM Identity Center.

    Organization instance recommended – We recommend that you use an organization instance of IAM Identity Center that you enable in the management account of Amazon Organizations. If you plan to use trusted identity propagation to enable users to access Amazon services and related resources in different Amazon Web Services accounts within the same organization, you can delegate administration of your instance of IAM Identity Center to a member account.

    If you plan to use a single account instance of IAM Identity Center, all Amazon services and resources that you want users to access through trusted identity propagation must reside in the same standalone Amazon Web Services account, or in the same member account in the organization where you enabled IAM Identity Center. For more information, see Account instances of IAM Identity Center.

  • For Amazon managed applications: connection to IAM Identity Center

    To use trusted identity propagation, Amazon managed applications must integrate with IAM Identity Center.

Additional considerations

Keep in mind the following additional considerations for using trusted identity propagation.

  • Don't modify the Require assignments setting for Amazon managed applications

    Amazon managed applications have a default setting configuration that determines whether assignments are required for users and groups. We recommend that you do not modify this setting. Even if you have configured fine-grained permissions that allow user access to specific resources, modifying the Require assignments setting might result in unexpected behavior, including disrupted user access to these resources.

  • Multi-account permissions (permission sets) not required

    Trusted identity propagation doesn't require you to set up multi-account permissions (permission sets). You can enable IAM Identity Center and use it for trusted identity propagation only.