What is IAM Identity Center? - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is IAM Identity Center?

Amazon IAM Identity Center is the Amazon solution for connecting your workforce users to Amazon managed applications such as Amazon Q Developer and Amazon QuickSight, and other Amazon resources. You can connect your existing identity provider and synchronize users and groups from your directory, or create and manage your users directly in IAM Identity Center. You can then use IAM Identity Center for either or both of the following:

  • User access to applications

  • User access to Amazon Web Services accounts

Already using IAM for access to Amazon Web Services accounts?

You don’t need to make any changes to your current Amazon Web Services account workflows to use IAM Identity Center for access to Amazon managed applications. If you’re using federation with IAM or IAM users for Amazon Web Services account access, your users can continue to access Amazon Web Services accounts in the same way they always have, and you can continue to use your existing workflows to manage that access.

Why use IAM Identity Center?

IAM Identity Center streamlines and simplifies workforce user access to applications or Amazon Web Services accounts, or both, through the following key capabilities.

Integration with Amazon managed applications

Amazon managed applications such as Amazon Q Developer and Amazon Redshift integrate with IAM Identity Center. IAM Identity Center provides Amazon managed applications with a common view of users and groups.

Trusted identity propagation across applications

With trusted identity propagation, Amazon managed applications such as Amazon QuickSight can securely share a user’s identity with other Amazon managed applications such as Amazon Redshift and authorize access to Amazon resources based on the user’s identity. You can more easily audit user activity because CloudTrail events are logged based on the user and the actions the user initiated. This makes it easier to understand who accessed what. For information about supported use cases, including end-to-end configuration guidance, see Trusted identity propagation use cases.

One place to assign permissions to multiple Amazon Web Services accounts

With multi-account permissions, IAM Identity Center provides a single place for you to assign permissions to groups of users in multiple Amazon Web Services accounts. You can create permissions based on common job functions or define custom permissions that meet your security needs. You can then assign those permissions to workforce users to control their access to specific Amazon Web Services accounts.

This optional feature is available only for organization instances of IAM Identity Center.
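As an added example (not code from the Amazon documentation), the following Python script uses the boto3 `sso-admin` client to create one custom permission set and assign it to one group in several accounts from a single place. The instance ARN, group ID and account IDs are constructed placeholders to replace with your own organization instance values (the ARN partition is `aws-cn` in the China Regions), and the client is passed in as a parameter so the logic can be exercised without Amazon access.

```python
# Constructed placeholders: replace with values from your own organization instance.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
GROUP_ID = "0000-0000-0000-EXAMPLE"            # Identity Center (identity store) group ID
ACCOUNT_IDS = ["111111111111", "222222222222", "333333333333"]

def create_permission_set(client, name, managed_policy_arn, session_duration="PT4H"):
    """Create a permission set and attach one managed policy to it.

    Returns the ARN of the new permission set."""
    resp = client.create_permission_set(
        InstanceArn=INSTANCE_ARN,
        Name=name,
        Description=f"Permission set {name}, managed centrally in IAM Identity Center",
        SessionDuration=session_duration,   # ISO 8601 duration; keep sessions short
    )
    ps_arn = resp["PermissionSet"]["PermissionSetArn"]
    client.attach_managed_policy_to_permission_set(
        InstanceArn=INSTANCE_ARN,
        PermissionSetArn=ps_arn,
        ManagedPolicyArn=managed_policy_arn,
    )
    return ps_arn

def assign_group_to_accounts(client, ps_arn, group_id, account_ids):
    """Give one group the same permission set in every listed account.

    Returns (account_id, request_id) pairs; each request can be polled with
    describe_account_assignment_creation_status until it reports SUCCEEDED."""
    results = []
    for account_id in account_ids:
        resp = client.create_account_assignment(
            InstanceArn=INSTANCE_ARN,
            TargetId=account_id,
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn,
            PrincipalType="GROUP",      # assign to groups, not individual users
            PrincipalId=group_id,
        )
        results.append((account_id, resp["AccountAssignmentCreationStatus"]["RequestId"]))
    return results

if __name__ == "__main__":
    import boto3  # only needed when talking to the real service
    sso = boto3.client("sso-admin")
    arn = create_permission_set(sso, "ReadOnlyAuditors", "arn:aws:iam::aws:policy/ReadOnlyAccess")
    for account_id, request_id in assign_group_to_accounts(sso, arn, GROUP_ID, ACCOUNT_IDS):
        print(f"account {account_id}: assignment request {request_id}")
```

The caller must run in the Amazon Organizations management account (or a delegated administrator) with permissions on the `sso` service; the script only records the returned request IDs and does not wait for the assignments to finish.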

One point of federation to simplify user access to Amazon

By providing one point of federation, IAM Identity Center reduces the administrative effort required to use multiple Amazon managed applications and Amazon Web Services accounts. With IAM Identity Center, you only federate once, and you have only one certificate to manage when using a SAML 2.0 identity provider. IAM Identity Center provides Amazon managed applications with a common view of users and groups for trusted identity propagation use cases, or when users share access to Amazon resources with other people.

For information about how to configure commonly used identity providers to work with IAM Identity Center, see IAM Identity Center identity source tutorials. If you don’t have an existing identity provider, you can create and manage users directly in IAM Identity Center.

Two modes of deployment

IAM Identity Center supports two types of instances: organization instances and account instances. An organization instance is the best practice: it is the only instance type that lets you manage access to Amazon Web Services accounts, and it is recommended for all production use of applications. An organization instance is deployed in the Amazon Organizations management account and gives you a single point from which to manage user access across Amazon.

Account instances are bound to the Amazon Web Services account in which they are enabled. Use account instances of IAM Identity Center only to support isolated deployments of select Amazon managed applications. For more information, see Organization and account instances of IAM Identity Center.

User-friendly web portal access for your users

The Amazon Web Services access portal is a user-friendly web portal that provides your users with seamless access to all their assigned applications, Amazon Web Services accounts, or both.