What is IAM Identity Center? - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is IAM Identity Center?

Amazon IAM Identity Center is the recommended Amazon Web Service for managing human user access to Amazon resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple Amazon Web Services accounts and applications. IAM Identity Center is offered at no additional charge.

With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their Amazon Web Services accounts and applications. You can use multi-account permissions to assign your workforce users access to Amazon Web Services accounts. You can use application assignments to assign your users access to Amazon managed and customer managed applications.

IAM Identity Center capabilities

IAM Identity Center includes the following core capabilities and features:

Manage workforce identities

Human users who build or operate workloads in Amazon are also known as workforce users, or workforce identities. Workforce users are employees or contractors who you allow to access Amazon Web Services accounts in your organization and internal business applications. These individuals might be developers who build your internal and customer-facing systems, or users of internal database systems and applications. You can create workforce users and groups in IAM Identity Center, or connect to and synchronize an existing set of users and groups from your own identity source for use across all your Amazon Web Services accounts and applications. For more information, see Manage your identity source.

Manage instances of IAM Identity Center

IAM Identity Center supports two types of instances: organization instances and account instances. An organization instance is the best practice. It's the only instance that enables you to manage access to Amazon Web Services accounts and it's recommended for all production use of applications. An organization instance is deployed in the Amazon Organizations management account and gives you a single point from which to manage user access across the Amazon environment.

Account instances are bound to the Amazon Web Services account in which they are enabled. Use account instances of IAM Identity Center only to support isolated deployments of select Amazon managed applications. For more information, see Manage organization and account instances of IAM Identity Center.

Manage access to multiple Amazon Web Services accounts

With multi-account permissions, you can plan for and centrally implement permissions across multiple Amazon Web Services accounts at one time without needing to configure each of your accounts manually. You can create permissions based on common job functions or define custom permissions that meet your security needs. You can then assign those permissions to workforce users to control their access to specific accounts.

This optional feature is available only for organization instances. If you're using per-account IAM role management in your environment, both systems can coexist. If you want to try multi-account permissions, you can start by implementing this system on a limited basis and migrate more of your environment to use this system over time.
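To make the multi-account permissions model concrete, here is an added example (not code from the IAM Identity Center documentation) that defines one job-function permission set and assigns it to a workforce group in several member accounts with the AWS CLI; the instance ARN, group ID, account IDs, policy ARN and permission set name are placeholders.

```shell
#!/usr/bin/env bash
# Added example; not code from the IAM Identity Center documentation.
# Defines one job-function permission set and assigns it to a workforce group
# in several member accounts of an organization instance. Assumes AWS CLI v2
# with Identity Center admin rights; every ID, name and ARN is a placeholder.
set -eu

AWS="${AWS:-aws}"   # AWS=echo prints the calls instead of running them

# create_permission_set INSTANCE_ARN NAME POLICY_ARN SESSION
# The permission set is the reusable "job function": a managed policy plus a
# bounded session length (ISO 8601, e.g. PT4H). Prints the new permission set ARN.
create_permission_set() {
  local instance_arn=$1 name=$2 policy_arn=$3 session=$4 ps_arn
  ps_arn=$($AWS sso-admin create-permission-set \
    --instance-arn "$instance_arn" --name "$name" \
    --session-duration "$session" \
    --query 'PermissionSet.PermissionSetArn' --output text)
  $AWS sso-admin attach-managed-policy-to-permission-set \
    --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
    --managed-policy-arn "$policy_arn" >/dev/null
  echo "$ps_arn"
}

# assign_to_accounts INSTANCE_ARN PS_ARN GROUP_ID ACCOUNT_ID...
# One assignment per account: (group, permission set, account). Granting to a
# group rather than to individual users keeps access reviewable in one place.
assign_to_accounts() {
  local instance_arn=$1 ps_arn=$2 group_id=$3 account
  shift 3
  for account in "$@"; do
    $AWS sso-admin create-account-assignment \
      --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
      --principal-type GROUP --principal-id "$group_id" \
      --target-type AWS_ACCOUNT --target-id "$account"
  done
}

# Placeholders: find the instance ARN with `aws sso-admin list-instances` and
# the group ID with `aws identitystore list-groups`.
if [ "${1:-}" = "run" ]; then
  INSTANCE_ARN="arn:aws-cn:sso:::instance/ssoins-EXAMPLE"
  GROUP_ID="00000000-0000-0000-0000-000000000000"
  PS_ARN=$(create_permission_set "$INSTANCE_ARN" ReadOnlyAnalysts \
    "arn:aws-cn:iam::aws:policy/ReadOnlyAccess" PT4H)
  assign_to_accounts "$INSTANCE_ARN" "$PS_ARN" "$GROUP_ID" 111111111111 222222222222
fi
```

Run with `./script.sh run` once the placeholders are replaced; the assignments are created asynchronously and can be checked with `aws sso-admin list-account-assignments`.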

Manage access to applications

IAM Identity Center enables you to simplify application access management. With IAM Identity Center, you can grant your workforce users in IAM Identity Center single sign-on access to applications.

Amazon managed applications

Amazon provides applications such as Amazon Redshift, Amazon Managed Grafana, and Amazon Monitron that integrate with IAM Identity Center. These applications can use IAM Identity Center for authentication, directory services, and trusted identity propagation. Your users benefit from a consistent single sign-on experience, and because the applications share a common view of users, groups, and group membership, users also have a consistent experience when sharing application resources with others. You can configure Amazon managed applications to work with IAM Identity Center directly from within the relevant application consoles or through the APIs.

Customer managed applications

You can grant your workforce users in IAM Identity Center single sign-on access to applications that support identity federation with SAML 2.0. Many commonly used SAML 2.0 applications, such as Salesforce and Microsoft 365, work with IAM Identity Center and are available in the application catalog in the IAM Identity Center console. This is an optional feature that can be helpful if you use such applications and you create your users and groups in IAM Identity Center, or you use Microsoft Active Directory Domain Services as your identity source.

Trusted identity propagation across applications

Trusted identity propagation provides a streamlined single sign-on experience for users of query tools and business intelligence (BI) applications who require access to data in Amazon services. Data access management is based on a user's identity, so administrators can grant access based on users' existing user and group memberships. User access to Amazon services, along with other events, is recorded in service-specific logs and in CloudTrail events, so that auditors know what actions the users took and which resources the users accessed.

Amazon Web Services access portal access for your users

The Amazon Web Services access portal is a simple web portal that provides your users with seamless access to all their assigned Amazon Web Services accounts and applications.