AWS IAM Identity Center (SSO): What It Is and When to Use It
Definition
AWS IAM Identity Center is a cloud-based single sign-on (SSO) service that simplifies managing user access to multiple AWS accounts and business applications. It acts as a central hub to connect your workforce identities from various sources to your AWS environment, providing users with a unified access portal and temporary, secure credentials instead of long-lived access keys.
How It Works
IAM Identity Center is the recommended best practice for managing human access to AWS, especially in multi-account environments. It integrates deeply with AWS Organizations, allowing you to manage access centrally from your organization's management account.
Here is the typical architecture and user flow:
- Configure an Identity Source: You first connect IAM Identity Center to your source of users and groups. You have three options:
  - IAM Identity Center Directory: Create and manage users and groups directly within the service.
  - Active Directory: Connect to an AWS Managed Microsoft AD directory, or to a self-managed Active Directory through AWS Directory Service (AD Connector, or a trust relationship with AWS Managed Microsoft AD).
  - External Identity Provider (IdP): Federate with a third-party IdP like Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace, using Security Assertion Markup Language (SAML) 2.0 for authentication and System for Cross-domain Identity Management (SCIM) for automatic user and group provisioning.
- Create Permission Sets: A permission set is a template for permissions. It can reference AWS managed policies, customer managed policies (by name; a policy with that name must already exist in every target account), one inline policy, and optionally a permissions boundary, and it defines a specific level of access (e.g., 'ReadOnly', 'NetworkAdmin', 'S3PowerUser') together with a session duration of 1 to 12 hours. Permission sets are stored centrally in IAM Identity Center.
- Assign Access: You assign users or groups from your identity source to specific permission sets on one or more AWS accounts within your organization. When you make an assignment, IAM Identity Center automatically creates a corresponding IAM role (e.g., AWSReservedSSO_ReadOnly_...) in each target account, attaches the policies defined in the permission set, and gives the role a trust policy that only the Identity Center SAML provider in that account can satisfy, so the role cannot be assumed through any other path.
- User Sign-In Flow: A user initiates access by navigating to the unique AWS access portal URL (e.g., d-12345.awsapps.com/start).
  - They are redirected to authenticate with the configured identity source (e.g., by entering their Okta password and MFA code).
  - Upon successful authentication, the IdP sends a SAML assertion back to IAM Identity Center.
  - The AWS access portal displays a list of the AWS accounts and permission sets (roles) the user is authorized to access.
  - The user selects an account and role, which provides them with temporary, short-lived credentials to access the AWS Management Console or the AWS Command Line Interface (CLI).
This process eliminates the need for individual, long-lived IAM users in each AWS account, significantly improving the security posture.
Key Features and Limits
- Centralized Multi-Account Access: Manage access for your entire AWS Organization from a single place.
- Identity Provider Integration: Supports its own directory, Microsoft AD, and external IdPs via SAML 2.0 and SCIM.
- Permission Sets: Define role-based permissions once and apply them across many accounts.
- Short-Lived Credentials: Automatically provides temporary credentials for both console and programmatic access, enhancing security.
- AWS Access Portal: A user-friendly web portal for users to access their assigned AWS accounts and integrated cloud applications.
- AWS CLI Integration: The AWS CLI (v2) has native integration via the aws configure sso and aws sso login commands, which automate retrieving and refreshing temporary credentials for a configured profile.
- Application Integration: Provides SSO access to SAML-enabled cloud applications like Salesforce and Microsoft 365, and to AWS managed applications like Amazon SageMaker Studio and Amazon Q.
- Delegated Administration: You can delegate IAM Identity Center administration to a member account in your organization, reducing the need to access the management account.
Service Quotas (as of 2026):
- Permission Sets per Instance: 3,500 (Can be increased)
- Managed Policies per Permission Set: 20 total (AWS managed plus customer managed). This mirrors the IAM quota for managed policies attached to a role, which defaults to 10 and can be raised to at most 20 per account; a permission set with more than 10 managed policies will fail to provision in any target account where that IAM quota has not been increased.
- Inline Policy per Permission Set: 1
- Assignments (User/Group to Permission Set): No hard limit, but performance may degrade with tens of thousands of assignments.
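The Create Permission Sets and Assign Access steps above map to four sso-admin API operations, and the quotas just listed are the things that make provisioning fail in practice. The script below is an added example, not code from this page or from AWS: it checks a permission set against those limits, then issues the operations in the required order through a pluggable `call(operation, params)` transport so the plan can be recorded and inspected offline. The instance ARN, Identity Store group ID, account IDs and bucket name are made up.

```python
"""Plan the IAM Identity Center calls that provision one permission set.

Added example for the Create Permission Sets / Assign Access steps and the
quotas listed above; it is not code from the page or from AWS. It issues the
sso-admin operations in the order the procedure requires, after checking the
permission set against the limits, and takes a `call(operation, params)`
transport so the plan can be recorded without touching AWS. The instance ARN,
Identity Store group ID, account IDs and bucket name are made up.
"""
import json
import re

IAM_MANAGED_POLICIES_DEFAULT = 10   # IAM quota per role before a quota increase
IAM_MANAGED_POLICIES_MAX = 20       # highest value IAM allows per role
PERMISSION_SET_NAME_MAX = 32        # CreatePermissionSet Name length limit
INLINE_POLICY_MAX_CHARS = 10240     # IAM inline-policy size on a role
SESSION_DURATION_RE = re.compile(r"^PT(\d+)H$")   # 1..12 hours, ISO 8601


def validate_permission_set(name, session_duration, managed_policy_arns, inline_policy):
    """Return problems found; entries prefixed 'warning:' do not block provisioning."""
    problems = []
    if not 1 <= len(name) <= PERMISSION_SET_NAME_MAX:
        problems.append(f"name must be 1-{PERMISSION_SET_NAME_MAX} characters")
    m = SESSION_DURATION_RE.match(session_duration)
    if not m or not 1 <= int(m.group(1)) <= 12:
        problems.append("session duration must be PT1H..PT12H")
    n = len(managed_policy_arns)
    if n > IAM_MANAGED_POLICIES_MAX:
        problems.append(f"{n} managed policies exceeds the IAM maximum of {IAM_MANAGED_POLICIES_MAX}")
    elif n > IAM_MANAGED_POLICIES_DEFAULT:
        problems.append(f"warning: {n} managed policies needs the IAM role quota raised in every target account")
    if inline_policy is not None and len(json.dumps(inline_policy)) > INLINE_POLICY_MAX_CHARS:
        problems.append(f"inline policy exceeds {INLINE_POLICY_MAX_CHARS} characters")
    return problems


def plan_provisioning(instance_arn, name, session_duration, managed_policy_arns,
                      inline_policy, group_id, account_ids, call):
    """Create the permission set, attach its policies, then assign the group per account."""
    blocking = [p for p in validate_permission_set(name, session_duration, managed_policy_arns, inline_policy)
                if not p.startswith("warning:")]
    if blocking:
        raise ValueError("; ".join(blocking))
    resp = call("CreatePermissionSet", {"InstanceArn": instance_arn, "Name": name,
                                        "SessionDuration": session_duration})
    ps_arn = resp["PermissionSet"]["PermissionSetArn"]
    for policy_arn in managed_policy_arns:
        call("AttachManagedPolicyToPermissionSet",
             {"InstanceArn": instance_arn, "PermissionSetArn": ps_arn, "ManagedPolicyArn": policy_arn})
    if inline_policy is not None:   # at most one inline policy per permission set
        call("PutInlinePolicyToPermissionSet",
             {"InstanceArn": instance_arn, "PermissionSetArn": ps_arn, "InlinePolicy": json.dumps(inline_policy)})
    for account_id in account_ids:   # one assignment per target account -> one AWSReservedSSO_ role each
        call("CreateAccountAssignment",
             {"InstanceArn": instance_arn, "TargetId": account_id, "TargetType": "AWS_ACCOUNT",
              "PermissionSetArn": ps_arn, "PrincipalType": "GROUP", "PrincipalId": group_id})
    return ps_arn


def make_recorder():
    """Dry-run transport: records calls and fabricates the only response the plan reads."""
    calls = []

    def call(operation, params):
        calls.append((operation, params))
        if operation == "CreatePermissionSet":   # real ARNs look like arn:aws:sso:::permissionSet/<instance>/<ps-id>
            return {"PermissionSet": {"PermissionSetArn":
                    params["InstanceArn"].replace("instance/", "permissionSet/", 1) + "/ps-0123456789abcdef"}}
        return {}
    return calls, call


# Constructed inputs; every identifier below is made up.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
GROUP_ID = "a1b2c3d4-0000-1111-2222-333344445555"   # Identity Store group ID (a GUID), not the display name
ACCOUNTS = ["111111111111", "222222222222"]
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"]}]}


def example_plan():
    """Plan a 4-hour 'S3DataReader' permission set for one group across two accounts."""
    calls, call = make_recorder()
    ps_arn = plan_provisioning(INSTANCE_ARN, "S3DataReader", "PT4H",
                               ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"],
                               S3_READ_POLICY, GROUP_ID, ACCOUNTS, call)
    return ps_arn, calls


if __name__ == "__main__":
    arn, calls = example_plan()
    print("permission set:", arn)
    for operation, params in calls:
        print(operation, json.dumps(params))
```

To run the plan for real, replace the recorder with a transport that maps each operation to the matching sso-admin client method (CreatePermissionSet to create_permission_set, and so on). Note that CreateAccountAssignment is asynchronous: it returns a creation status that must be polled with DescribeAccountAssignmentCreationStatus before the AWSReservedSSO_ role is guaranteed to exist in the target account.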
Common Use Cases
- Managing Human Access in a Multi-Account Environment: This is the primary use case. It is the standard, recommended way for employees, developers, and administrators to access AWS accounts governed by AWS Organizations.
- Federating from a Corporate Directory: For organizations that already use a central IdP like Okta or Entra ID, IAM Identity Center acts as the bridge to grant those corporate identities access to AWS resources without duplicating user management.
- Eliminating Long-Lived Access Keys for Developers: Provides developers with a secure way to get temporary, automatically-refreshed credentials for working with the AWS CLI and SDKs, adhering to security best practices.
- Centralized Auditing: By centralizing sign-on, all access events can be logged in AWS CloudTrail from a single source, simplifying auditing and compliance.
- SSO for Business Applications: Use the same identity source and user portal to provide SSO access to third-party SaaS applications, not just AWS accounts.
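Centralized auditing only pays off if you can get from a CloudTrail record in a member account back to the human behind it. With IAM Identity Center that link is in the assumed-role ARN: the role name carries the permission set (AWSReservedSSO_<PermissionSet>_<hash>) and the session name carries the user. The script below is an added example, not code from this page or from AWS; it classifies records by identity type, attributes SSO sessions to user and permission set, and flags the identities the page says should no longer appear (IAM user console logins, long-lived AKIA keys, root). The CloudTrail records are constructed, with made-up account IDs, names and addresses.

```python
"""Attribute CloudTrail events in a member account back to the IAM Identity
Center user and permission set that produced them.

Added example for the "Centralized Auditing" use case above; it is not code
from the page or from AWS. The role and ARN formats follow the pattern the
page describes (AWSReservedSSO_<PermissionSet>_<hash>); the CloudTrail
records below are constructed, with made-up account IDs, names and IPs.
"""
import re
from collections import Counter

# arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<PermissionSet>_<hex>/<session-name>
SSO_SESSION_RE = re.compile(
    r"^arn:aws:sts::(\d{12}):assumed-role/AWSReservedSSO_(.+)_([0-9a-f]+)/(.+)$")


def classify(record):
    """Return (kind, account, principal, permission_set) for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    account = record.get("recipientAccountId") or ident.get("accountId")
    if kind == "AssumedRole":
        m = SSO_SESSION_RE.match(ident.get("arn", ""))
        if m:   # session name is the Identity Center user name; role name carries the permission set
            return "sso", m.group(1), m.group(4), m.group(2)
        return "role", account, ident.get("arn"), None
    if kind == "IAMUser":
        return "iam_user", account, ident.get("userName"), None
    if kind == "Root":
        return "root", account, "root", None
    return "other", account, ident.get("arn"), None


def summarize(records):
    """Count activity per (user, permission set, account) and collect findings."""
    activity = Counter()
    denied = Counter()
    findings = []
    for r in records:
        kind, account, principal, ps = classify(r)
        if kind == "sso":
            activity[(principal, ps, account)] += 1
            if r.get("errorCode") == "AccessDenied":   # a user probing beyond their permission set
                denied[(principal, ps, account)] += 1
        elif kind == "iam_user" and r.get("eventName") == "ConsoleLogin":
            findings.append(f"IAM user {principal} signed in to the console in {account}; humans should use Identity Center")
        elif kind == "iam_user" and r.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA"):
            # AKIA prefixes are long-lived keys; temporary credentials start with ASIA
            findings.append(f"long-lived access key used by IAM user {principal} in {account}")
        elif kind == "root":
            findings.append(f"root credentials used in {account}")
    for (principal, ps, account), n in denied.items():
        findings.append(f"{n} AccessDenied for {principal} via {ps} in {account}")
    return activity, findings


SSO_ARN_ALICE = ("arn:aws:sts::111111111111:assumed-role/"
                 "AWSReservedSSO_S3DataReader_0123456789abcdef/alice@example.com")
SSO_ARN_BOB = ("arn:aws:sts::222222222222:assumed-role/"
               "AWSReservedSSO_NetworkAdmin_fedcba9876543210/bob@example.com")

SAMPLE_EVENTS = [   # constructed records, not real CloudTrail output
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1", "arn": SSO_ARN_ALICE}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1", "arn": SSO_ARN_ALICE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE2", "arn": SSO_ARN_BOB}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-admin", "accountId": "222222222222"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot", "accessKeyId": "AKIAEXAMPLE3",
                      "accountId": "222222222222"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app-server-role/i-0abc"}},
]


if __name__ == "__main__":
    activity, findings = summarize(SAMPLE_EVENTS)
    for (user, ps, account), n in sorted(activity.items()):
        print(f"{user:20} {ps:15} {account} {n} events")
    for f in findings:
        print("FINDING:", f)
```

The same attribution works on the AssumeRoleWithSAML record that opens each session; adding that event to the scan gives the source IP and timestamp of the sign-in itself, which is the record to correlate with the IdP's own authentication logs.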
Pricing Model
AWS IAM Identity Center is offered at no additional charge. You only pay for the underlying AWS services that your users access while using the temporary credentials provided by the service.
Pros and Cons
Pros:
- Enhanced Security: Drastically reduces risk by eliminating static, long-lived IAM user access keys for human users.
- Centralized Management and Auditing: Simplifies administration and improves visibility across an entire AWS Organization.
- Improved User Experience: Users have one set of credentials and a single portal to access all their assigned accounts and applications.
- Scalability: Built to handle complex, large-scale multi-account environments.
- No Cost: The service itself is free to use.
Cons:
- Requires AWS Organizations: The multi-account management features, which are its primary strength, require you to have an AWS Organization set up.
- Initial Setup Complexity: Configuration with an external IdP, including attribute mapping for ABAC (Attribute-Based Access Control), can be complex for first-time users.
- Regional Service: An IAM Identity Center instance is enabled in one AWS Region, and its configuration (identity source, permission sets, assignments) lives there. Assignments can still target accounts and resources in any Region, but moving the instance to a different Region means deleting it and recreating the configuration.
Comparison with Alternatives
- IAM Users: This is the legacy approach. IAM Users are created per account, carry long-lived credentials (a console password and access keys), and depend on manual rotation. IAM Identity Center is superior for human users because it centralizes identity and issues short-lived credentials. IAM Users are now appropriate mainly for the residual cases where no temporary-credential mechanism fits; workloads should prefer IAM roles (and IAM Roles Anywhere for on-premises workloads) over IAM user access keys.
- Manual IAM Federation (SAML/OIDC Roles): This involves manually setting up an IdP in IAM, creating trust policies, and creating IAM roles in every single AWS account. IAM Identity Center automates this entire workflow. It uses the same underlying mechanism but abstracts away the complexity of creating and managing thousands of individual IAM roles and trust policies, making it a much more scalable and less error-prone solution.
Exam Relevance
AWS IAM Identity Center is a critical topic on several AWS certification exams, as it represents the modern best practice for identity and access management.
- AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions on its purpose, its relationship with AWS Organizations, and the difference between it and standalone IAM users.
- AWS Certified Security - Specialty (SCS-C02): Deep knowledge is required. Understand the federation process, permission sets, auditing with CloudTrail, and its role in a least-privilege security strategy.
- AWS Certified Solutions Architect - Professional (SAP-C02): Questions will focus on complex multi-account strategies, integration with external IdPs, and designing scalable and secure access patterns for large enterprises.
Examinees should know that IAM Identity Center is the recommended service for managing human user access and should be chosen over creating individual IAM users in multi-account scenarios.
Frequently Asked Questions
Q: What is the difference between AWS IAM and AWS IAM Identity Center?
A: AWS IAM is the underlying service within a single AWS account that manages users, groups, roles, and policies. AWS IAM Identity Center is a higher-level service built on top of IAM that centralizes access management across multiple AWS accounts and applications. It uses IAM roles in each account to grant access but centralizes the user identity and permission assignment logic.
Q: Can I use IAM Identity Center without AWS Organizations?
A: While the primary and recommended setup (an "organization instance") requires AWS Organizations to manage access across multiple accounts, you can enable a limited "account instance" of IAM Identity Center. This single-account version is primarily used for providing SSO access to AWS managed applications like Amazon Q or for testing purposes, not for multi-account access management.
Q: How does IAM Identity Center provide credentials for the AWS CLI?
A: The AWS CLI v2 has built-in support for IAM Identity Center. You run aws configure sso, which prompts for your AWS access portal (start) URL and the Region of your Identity Center instance, then opens a browser so you can authenticate with your identity source and approve the CLI's authorization request. The CLI caches the resulting Identity Center access token under ~/.aws/sso/cache and uses it to call GetRoleCredentials for the account and permission set in your profile, caching those short-term IAM credentials and refreshing them in the background. When the access token itself expires (at the end of the access portal session, 8 hours by default), aws sso login repeats the browser step.
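The caveat a practitioner wants here is that the cached access token is itself a credential: until it expires, anyone who can read the file can call GetRoleCredentials for every account and permission set the user is assigned, so the cache deserves the same handling as an access key. The script below is an added example, not code from this page or from AWS; it walks a cache directory, reports which tokens are still live and for how long, and flags files readable by group or world. The cache it audits is constructed in a temporary directory with made-up values.

```python
"""Audit the AWS CLI's IAM Identity Center token cache.

Added example for the CLI flow described in the answer above; it is not code
from the page or from AWS. After `aws sso login` the CLI stores the Identity
Center access token as JSON under ~/.aws/sso/cache/. That token is a bearer
credential: until `expiresAt`, whoever can read the file can call
GetRoleCredentials for every account and permission set the user is assigned,
so the file deserves the same handling as an access key. The cache written by
`demo()` is constructed in a temporary directory with made-up values.
"""
import json
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone


def audit_sso_cache(cache_dir, now=None):
    """One report per cached access token: validity, remaining lifetime, file permissions."""
    now = now or datetime.now(timezone.utc)
    reports = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not name.endswith(".json"):
            continue
        with open(path) as fh:
            data = json.load(fh)
        if "accessToken" not in data:   # client-registration files carry clientId/clientSecret instead
            continue
        expires = datetime.fromisoformat(data["expiresAt"].replace("Z", "+00:00"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        reports.append({
            "file": name,
            "start_url": data.get("startUrl"),
            "region": data.get("region"),
            "valid": expires > now,
            "minutes_left": max(0, int((expires - now).total_seconds() // 60)),
            "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "has_refresh_token": "refreshToken" in data,   # refreshable sessions outlive the access token
        })
    return reports


def _write(path, payload, mode):
    """Write one cache file with an explicit permission mode."""
    with open(path, "w") as fh:
        json.dump(payload, fh)
    os.chmod(path, mode)


def build_sample_cache(directory, now):
    """Constructed cache: a live token, an expired world-readable token, a client registration."""
    def stamp(dt):
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
    _write(os.path.join(directory, "aaaa-live.json"),
           {"startUrl": "https://d-12345.awsapps.com/start", "region": "us-east-1",
            "accessToken": "constructed-token-1", "expiresAt": stamp(now + timedelta(hours=6))}, 0o600)
    _write(os.path.join(directory, "bbbb-expired.json"),
           {"startUrl": "https://d-12345.awsapps.com/start", "region": "us-east-1",
            "accessToken": "constructed-token-2", "expiresAt": stamp(now - timedelta(hours=1))}, 0o644)
    _write(os.path.join(directory, "cccc-client.json"),
           {"clientId": "constructed-client", "clientSecret": "constructed-secret"}, 0o600)


def demo():
    """Build the constructed cache and audit it at a fixed instant."""
    now = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp, now)
        return audit_sso_cache(tmp, now)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Pointing audit_sso_cache at os.path.expanduser("~/.aws/sso/cache") runs it against a real workstation. A live token with a permissive mode, or a token on a machine its owner no longer uses, should be treated as a leaked credential: `aws sso logout` deletes the cache, and revoking the user's active sessions in the IAM Identity Center console invalidates tokens that have already been copied.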
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.