AWS IAM Identity Center¶

What Is This Service?¶

Managed AWS workforce identity and access management service that provides centralized Single Sign-On (SSO) and multi-account access across AWS accounts and business applications.

Mental model:

AWS IAM Identity Center = Authenticate → Assign → Federate → Authorize → Audit

Primary purpose:

Provide centralized workforce identity for:

AWS account access
AWS Organizations
cloud applications
custom SAML applications
external identity providers

Historical naming:

AWS Single Sign-On (AWS SSO)
↓
AWS IAM Identity Center

Exam questions may still use either name.

Why It Matters for Security¶

Managing users independently inside every AWS account creates:

credential sprawl
inconsistent permissions
poor offboarding
audit gaps

IAM Identity Center exists to:

centralize authentication
eliminate long-lived IAM users
enforce federation
simplify account access

Security outcomes:

centralized workforce identity
least privilege
reduced credential exposure
improved governance

MOST TESTED:

IAM Identity Center manages human access.

IAM roles manage workload access.

Architecture Example¶

Centralized Workforce Access Across AWS Organizations¶

flowchart TD

subgraph Identity
IdP[External IdP<br/>Azure AD / Okta / Entra ID]
Directory[Identity Center Directory]
end

subgraph IdentityCenter[IAM Identity Center]
Users[Users]
Groups[Groups]
PermissionSets[Permission Sets]
end

subgraph Organization[AWS Organizations]

Mgmt[Management Account]

AccountA[Dev Account]

AccountB[Prod Account]

AccountC[Security Account]

end

subgraph Access

Roles[IAM Roles]

Console[AWS Console]

CLI[CLI / SDK]

end

IdP --> IdentityCenter

Directory --> IdentityCenter

Users --> PermissionSets

Groups --> PermissionSets

PermissionSets --> Roles

Roles --> Mgmt
Roles --> AccountA
Roles --> AccountB
Roles --> AccountC

Console --> IdentityCenter
CLI --> IdentityCenter

Architecture goals:

centralized authentication
account federation
role-based authorization

Workflow(s)¶

Workforce Authentication Flow¶

sequenceDiagram

participant User
participant IdentityCenter
participant IdP
participant AWS

User->>IdentityCenter: Sign in

IdentityCenter->>IdP: Authenticate

IdP->>IdentityCenter: Assertion

IdentityCenter->>AWS: Assume role

AWS->>User: Temporary access

Permission Set Provisioning¶

sequenceDiagram

participant Admin
participant IdentityCenter
participant IAM
participant Account

Admin->>IdentityCenter: Create Permission Set

IdentityCenter->>IAM: Provision IAM Role

IAM->>Account: Create role

Account->>IdentityCenter: Ready

CLI Authentication Flow¶

sequenceDiagram

participant User
participant AWSCLI
participant IdentityCenter
participant Account

User->>AWSCLI: aws sso login

AWSCLI->>IdentityCenter: Authenticate

IdentityCenter->>Account: Assume role

Account->>AWSCLI: Temporary credentials

Core Concepts¶

Identity Source¶

MOST TESTED

Identity Center supports:

internal directory
external identity provider

Supported protocols:

SAML 2.0
SCIM

Examples:

Microsoft Entra ID

Okta

Ping

Google Workspace

Purpose:

Centralize workforce identity.

Permission Sets¶

MOST TESTED

Permission Sets define:

Permissions
+
Session configuration
+
Assignments

When assigned:

Permission Set
↓
IAM Role
↓
Target Account

Characteristics:

reusable
centrally managed
provisioned automatically

Exam trap:

Permission Sets are not IAM policies.

They generate IAM roles.

Assignments¶

Assignment model:

User/Group
↓
Permission Set
↓
AWS Account

Purpose:

Map identities to accounts.

Identity Store¶

Built-in identity directory.

Stores:

users
groups

Supports:

lifecycle management

Exam trap:

Identity Center directory ≠ IAM.

Account Access Portal¶

Provides:

AWS Console access
application access

Purpose:

Single sign-on experience.

Important Integrations¶

Service	Purpose
AWS Organizations	Multi-account access
IAM	Role provisioning
STS	Temporary credentials
CloudTrail	Auditing
Control Tower	Landing zone identity
IAM Identity Provider	Federation
Organizations Delegated Admin	Governance
AWS CLI	SSO access
SCIM	User provisioning
Active Directory	Workforce identity
Security Hub	Audit context

Security Features¶

Temporary Credentials¶

MOST TESTED

Authentication flow:

User
↓
Identity Center
↓
STS
↓
Temporary credentials

Benefits:

no static credentials
reduced exposure

Centralized Authorization¶

Access controlled through:

groups
permission sets
assignments

Benefits:

simplified governance
consistent access

MFA Integration¶

Supports:

MFA
external MFA

Benefits:

stronger authentication

Exam trap:

MFA enforcement commonly occurs at IdP.

SCIM Provisioning¶

HIGH VALUE

Supports:

automatic user creation
deprovisioning
synchronization

Examples:

Okta
↓
SCIM
↓
Identity Center

Benefits:

automated lifecycle

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Control Plane:

permission sets
assignments
provisioning
federation

Data Plane:

user sign-in
token exchange
role assumption

Exam trap:

Identity Center does not authenticate API calls directly.

STS credentials do.

Organizations Integration¶

MOST TESTED

flowchart LR

Organizations

Organizations --> IdentityCenter

IdentityCenter --> PermissionSet

PermissionSet --> Accounts

Benefits:

centralized account access
automatic provisioning

Delegated Administration¶

Best practice:

Dedicated identity account.

Benefits:

separation of duties
reduced management account usage

Identity Center vs IAM Users¶

MASSIVE EXAM TRAP

Capability	Identity Center	IAM Users
Workforce access	Yes	Limited
Multi-account	Excellent	Manual
Federation	Yes	Limited
Long-lived credentials	No	Yes

Rule:

Humans → Identity Center

Workloads → IAM Roles

Identity Center vs IAM Roles¶

Capability	Identity Center	IAM Roles
Human access	Yes
Workload access	No	Yes
SSO	Yes	No

Rule:

Identity Center provisions IAM roles.

Identity Center vs STS¶

Capability	Identity Center	STS
Workforce login	Yes
Temporary credentials	Uses STS	Yes
Federation	Yes	Partial

Rule:

Identity Center orchestrates.

STS issues credentials.

Federation Model¶

MOST TESTED

User
↓
IdP
↓
Identity Center
↓
STS
↓
IAM Role
↓
AWS Account

Exam trap:

Identity Center does not replace IAM.

CLI and SDK Authentication¶

HIGH VALUE

Flow:

aws sso login
↓
Browser authentication
↓
Cached tokens
↓
Temporary credentials

Benefits:

no access keys

Regional Behavior¶

Identity Center is regionally configured.

Implications:

choose home Region carefully
authentication architecture centralized

Exam trap:

Configuration Region does not restrict account access.

Session Duration¶

Permission Sets control:

session length

Examples:

1 hour

12 hours

Tradeoff:

Longer sessions reduce friction.

Shorter sessions improve security.

Cost Model¶

Identity Center:

No additional charge

Possible costs:

external IdP
supporting services

Exam trap:

Identity Center itself is not billed.

Comparisons¶

Service	Primary Role
IAM Identity Center	Workforce identity
IAM	AWS authorization
STS	Temporary credentials
Cognito	Customer identity
Organizations	Account governance

Common Exam Traps¶

Identity Center was formerly AWS SSO.
Identity Center manages workforce access.
Permission Sets create IAM roles.
Identity Center uses STS.
Prefer groups over direct assignments.
Identity Center is not Cognito.
CLI supports aws sso login.
MFA often enforced by IdP.
SCIM automates provisioning.
Identity Center does not replace IAM.
Temporary credentials preferred.
Organizations enables centralized access.
Delegated admin is recommended.
Humans use Identity Center.
Workloads use IAM roles.

5-Second Recall¶

Formerly AWS SSO
Human access only
Permission Sets → IAM Roles
Uses STS
Organizations integration
SAML + SCIM
No long-lived credentials
Groups scale access

Quick Revision Notes¶

Centralize workforce identity
Federate to AWS accounts
Assign groups to permission sets
Use STS temporary credentials
Automate provisioning with SCIM
Prefer delegated administration
Use CLI SSO login
Identity Center ≠ Cognito
Identity Center ≠ IAM roles
Humans authenticate, roles authorize