AWS managed applications - AWS IAM Identity Center

AWS managed applications integrate with IAM Identity Center and can use it for authentication and directory services.

The integration of AWS managed applications with IAM Identity Center gives you an easier path to assign user access, without the need to set up separate federation or user and group synchronization for each application. You can connect the identity source that you want to use for authentication once, and you receive a single view of user and group assignments. Administrators of the applications that enable trusted identity propagation are able to define and audit access to their application resources based on a user or the user's group membership, without the need to map them to IAM roles.

AWS managed applications provide an administrative user interface that you can use to manage access to application resources. For example, QuickSight administrators can assign users to access dashboards based on their group membership. Most AWS managed applications also provide an AWS Management Console experience that enables you to assign users to the application. The console experience for these applications might integrate both functions, to combine user assignment capabilities with the ability to manage access to application resources.

AWS managed applications integrated with IAM Identity Center include:

AWS managed applications that integrate with IAM Identity Center

  Column key:
    Org instance  = Integrated with organization instance of IAM Identity Center
    Acct instance = Integrated with account instances of IAM Identity Center
    TIP           = Enables trusted identity propagation through IAM Identity Center

  AWS managed application       Org instance   Acct instance   TIP
  Amazon Athena SQL             Yes            Yes             Yes
  Amazon CodeCatalyst           Yes            Yes             No
  Amazon EMR notebooks          Yes            No              No
  Amazon EMR on Amazon EC2      Yes            Yes             Yes
  Amazon EMR Studio             Yes            Yes             Yes
  Amazon Kendra                 Yes            No              No
  Amazon Managed Grafana        Yes            No              No
  Amazon Monitron               Yes            No              No
  Amazon Nimble Studio          Yes            No              No
  Amazon Pinpoint               Yes            No              No
  Amazon Q Business             Yes            Yes             No
  Amazon Q Developer            Yes            Yes *           No
  Amazon QuickSight             Yes            Yes             Yes
  Amazon Redshift               Yes            Yes             Yes
  Amazon S3 Access Grants       Yes            Yes             Yes
  Amazon SageMaker Studio       Yes            No              No
  Amazon WorkSpaces Web         Yes            No              No
  AWS CLI                       Yes            No              No
  AWS Deadline Cloud            Yes            Yes             No
  AWS IoT Events                Yes            No              No
  AWS IoT Fleet Hub             Yes            No              No
  AWS IoT SiteWise              Yes            No              No
  AWS Lake Formation            Yes            Yes             Yes
  AWS Supply Chain              Yes            No              No
  AWS Systems Manager           Yes            No              No
  AWS Verified Access           Yes            No              No

* Account instances of IAM Identity Center are supported unless your users require access to the full set of Amazon Q Developer features on AWS websites. For more information, see Setting up Amazon Q Developer in the Amazon Q Developer User Guide.

Controlling access

Access to AWS managed applications is controlled in two ways:

  • Initial entry to the application – IAM Identity Center manages this through assignments to the application. By default, assignments are required for AWS managed applications.

  • Access to application resources – The application manages this through independent resource assignments that it controls.

Coordinating administrative tasks

If you're an application administrator, you can choose whether to require assignments to an application. If assignments are required, when users sign in to the AWS access portal, only users who are assigned to the application directly or through a group assignment can view the application tile. Alternatively, if assignments aren't required, you can allow all IAM Identity Center users to enter the application. In this case, the application manages access to resources and the application tile is visible to all users who visit the AWS access portal.

If you're an IAM Identity Center administrator, you can use the IAM Identity Center console to remove assignments to AWS managed applications. Before you remove assignments, we recommend that you coordinate with the application administrator. You should also coordinate with the application administrator if you plan to modify the setting that determines whether assignments are required, or to automate application assignments.

Configuring IAM Identity Center to share identity information

IAM Identity Center provides an identity store that contains user and group attributes, excluding sign-in credentials. You can use either of the following methods to keep the users and groups in your IAM Identity Center identity store updated:

  • Use the IAM Identity Center identity store as your main identity source. If you choose this method, you manage your users, their sign-in credentials, and groups from within the IAM Identity Center console or AWS Command Line Interface (AWS CLI). For more information, see Manage identities in IAM Identity Center.

  • Set up provisioning (synchronization) of users and groups coming from either of the following identity sources to your IAM Identity Center identity store:

    If you choose this provisioning method, you continue managing your users and groups from within your identity source, and those changes are synchronized to the IAM Identity Center identity store.

Whichever identity source you choose, IAM Identity Center can share the user and group information with AWS managed applications. That way, you can connect an identity source to IAM Identity Center once and then share identity information with multiple applications in the AWS Cloud. This eliminates the need to independently set up federation and identity provisioning with each application. This sharing feature also makes it easy to give your users access to many applications in different AWS accounts.

Considerations for sharing identity information in AWS accounts

IAM Identity Center supports most commonly used attributes across applications. These attributes include first and last name, phone number, email address, address, and preferred language. Carefully consider which applications and which accounts can use this personally identifiable information.

You can control access to this information in either of the following ways. You can choose to enable access in only the AWS Organizations management account or in all accounts in AWS Organizations. Or, you can use service control policies (SCPs) to control which applications can access the information in which accounts in AWS Organizations. For example, if you enable access in the AWS Organizations management account only, then applications in member accounts have no access to the information. However, if you enable access in all accounts, you can use SCPs to disallow access by all applications except those you want to permit.

Enabling identity-aware console sessions

An identity-aware session for the console enhances a user's AWS console session by providing some additional user context to personalize that user's experience. This capability is currently supported for Amazon Q Developer Pro users of Amazon Q on AWS apps and websites.

You can enable identity-aware console sessions without making any changes to existing access patterns or federation into the AWS console. If your users sign in to the AWS console with IAM (for example, if they sign in as IAM users or through federated access with IAM), they can continue using these methods. If your users sign in to the AWS access portal, they can continue using their IAM Identity Center user credentials.

Prerequisites and considerations

Before you enable identity-aware console sessions, review the following prerequisites and considerations:

  • If your users access Amazon Q on AWS apps and websites through an Amazon Q Developer Pro subscription, you must enable identity-aware console sessions.

    Note

    Amazon Q Developer users can access Amazon Q without identity-aware sessions, but they won't have access to their Amazon Q Developer Pro subscriptions.

  • Identity-aware console sessions require an organization instance of IAM Identity Center.

  • Integration with Amazon Q isn't supported if you enable IAM Identity Center in an opt-in AWS Region.

  • After you enable identity-aware console sessions, you can't disable this capability.

  • To enable identity-aware console sessions, you must have the following permissions:

    • sso:CreateApplication

    • sso:GetSharedSsoConfiguration

    • sso:ListApplications

    • sso:PutApplicationAssignmentConfiguration

    • sso:PutApplicationAuthenticationMethod

    • sso:PutApplicationGrant

    • sso:PutApplicationAccessScope

    • signin:CreateTrustedIdentityPropagationApplicationForConsole

    • signin:ListTrustedIdentityPropagationApplicationForConsole

  • To enable your users to use identity-aware console sessions, you must grant them the sts:setContext permission in an identity-based policy. For information, see Granting users permissions to use identity-aware console sessions.

How to enable identity-aware console sessions

You can enable identity-aware console sessions in the Amazon Q console or in the IAM Identity Center console.

Enable identity-aware console sessions in the Amazon Q console

Before you enable identity-aware console sessions, you must have an organization instance of IAM Identity Center with an identity source connected. If you've already configured IAM Identity Center, skip to step 3.

  1. Open the IAM Identity Center console. Choose Enable, and create an organization instance of IAM Identity Center. For information, see Enabling AWS IAM Identity Center.

  2. Connect your identity source to IAM Identity Center and provision users into IAM Identity Center. You can connect your existing identity source to IAM Identity Center or use the Identity Center directory if you're not already using another identity source. For more information, see Getting started tutorials.

  3. After you finish setting up IAM Identity Center, open the Amazon Q console and follow the steps in Subscriptions in the Amazon Q Developer User Guide. Make sure to enable identity-aware console sessions.

    Note

    If you don't have sufficient permissions to enable identity-aware console sessions, you might need to ask an IAM Identity Center administrator to perform this task for you in the IAM Identity Center console. For more information, see the next procedure.

Enable identity-aware console sessions in the IAM Identity Center console

If you're an IAM Identity Center administrator, you might be asked by another administrator to enable identity-aware console sessions in the IAM Identity Center console.

  1. Open the IAM Identity Center console.

  2. In the navigation pane, choose Settings.

  3. Under Enable identity-aware sessions, choose Enable.

  4. In the second message, choose Enable.

  5. After you finish enabling identity-aware console sessions, a confirmation message appears at the top of the Settings page.

  6. In the Details section, the status for Identity-aware sessions is Enabled.

How identity-aware console sessions work

IAM Identity Center enhances a user's current console session to include the active IAM Identity Center user's ID and the IAM Identity Center session ID.

Identity-aware console sessions include the following three values:

  • Identity store user ID (identitystore:UserId) - This value is used to uniquely identify a user in the identity source that is connected to IAM Identity Center.

  • Identity store directory ARN (identitystore:IdentityStoreArn) - This value is the ARN of the identity store that is connected to IAM Identity Center, and where you can look up attributes for identitystore:UserId.

  • IAM Identity Center session ID - This value indicates whether the user's IAM Identity Center session is still valid.

The values are the same, but obtained in different ways and added at different points of the process, depending on how the user signs in:

  • IAM Identity Center (AWS access portal): In this case, the user's identity store user ID and ARN values are already provided in the active IAM Identity Center session. IAM Identity Center enhances the current session by adding only the session ID.

  • Other sign-in methods: If the user signs in to AWS as an IAM user, with an IAM role, or as a federated user with IAM, none of these values are provided. IAM Identity Center enhances the current session by adding the identity store user ID, identity store directory ARN, and the session ID.

Constraining the use of AWS managed applications

When you enable IAM Identity Center for the first time, AWS allows the use of AWS managed applications automatically in all accounts in AWS Organizations. To constrain applications, you must implement SCPs. You can use SCPs to block access to the IAM Identity Center user and group information and to prevent the application from being started, except in designated accounts.
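The two SCP uses this page describes (restricting which accounts' applications can read identity store user and group information, and preventing applications from being started outside designated accounts) can be expressed in one organization-level deny policy. The following is an added example, not code from the AWS documentation: it builds such an SCP keyed on the global condition key aws:PrincipalAccount, and includes a small, simplified evaluator so you can check which calls the policy would deny before attaching it. The account IDs are constructed placeholders; the identitystore read actions listed are the ones an application uses to look up users and groups, and sso:CreateApplication is the registration action named earlier on this page. The example assumes the policy is attached at the organization root and that the application's calls are evaluated against the SCPs of the account it runs in, as the page describes; SCPs do not apply to the management account, which the evaluator does not model.

```python
"""Build an SCP that confines IAM Identity Center identity data and application
registration to designated accounts, plus a simplified evaluator for it.

Added example; not AWS documentation code. Account IDs are constructed.
"""
import fnmatch
import json

# Identity store read actions an application uses to look up users and groups.
IDENTITY_STORE_READ_ACTIONS = [
    "identitystore:DescribeUser",
    "identitystore:DescribeGroup",
    "identitystore:ListUsers",
    "identitystore:ListGroups",
    "identitystore:ListGroupMemberships",
    "identitystore:IsMemberInGroups",
]
# Registering an application with IAM Identity Center (named on this page).
APPLICATION_START_ACTIONS = ["sso:CreateApplication"]


def build_scp(designated_accounts):
    """Return an SCP document that denies identity-store reads and application
    registration in every account except those in designated_accounts.
    Assumption: the policy is attached at the organization root."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIdentityDataOutsideDesignatedAccounts",
                "Effect": "Deny",
                "Action": IDENTITY_STORE_READ_ACTIONS + APPLICATION_START_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalAccount": sorted(designated_accounts)
                    }
                },
            }
        ],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp, action, principal_account):
    """Simplified SCP evaluation: True when a Deny statement matches the action
    and its StringNotEquals condition on aws:PrincipalAccount holds (or the
    statement has no such condition). Only this one condition type is modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        allowed_accounts = stmt.get("Condition", {}).get(
            "StringNotEquals", {}).get("aws:PrincipalAccount")
        if allowed_accounts is None or principal_account not in allowed_accounts:
            return True
    return False


if __name__ == "__main__":
    scp = build_scp({"111122223333"})  # constructed placeholder: the designated account
    print(json.dumps(scp, indent=2))
    for account in ("111122223333", "444455556666"):  # constructed placeholders
        for action in ("identitystore:ListUsers", "sso:CreateApplication", "s3:GetObject"):
            verdict = "DENIED by SCP" if scp_denies(scp, action, account) else "not denied by SCP"
            print(f"{account} {action}: {verdict}")
```

Because SCPs only deny, a call that is "not denied by SCP" still needs an Allow in the account's IAM policies to succeed; the evaluator answers only the SCP question. If instead you keep access enabled in all accounts and want an allow-list by application rather than by account, the same Deny shape applies with a different condition, which this example does not cover.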

Viewing and updating details about an AWS managed application

After you connect an AWS managed application to IAM Identity Center by using the console or APIs for the application, the application is registered with IAM Identity Center. After an application is registered with IAM Identity Center, you can view and update detailed information about the application in the IAM Identity Center console.

To view information about an AWS managed application in the IAM Identity Center console

  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the AWS managed tab.

  4. Choose the link for the managed application you'd like to open and view.

  5. Information about the application includes whether user and group assignments are required, and if applicable, assigned users and groups and trusted applications for identity propagation. For information about trusted identity propagation, see Trusted identity propagation across applications.

To update information about an AWS managed application in the IAM Identity Center console

  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the AWS managed tab.

  4. Choose the link for the managed application you'd like to open and update.

  5. Choose Action and then choose Edit Details.

  6. You can change the application's display name, description, as well as the user and group assignment method.

    1. To change the display name, enter the desired name in the Display name field and choose Save changes.

    2. To change the description, enter the desired description in the Description field and choose Save changes.

    3. To change the user and group assignment method, make the desired change and choose Save changes. For more information, see Users, groups, and provisioning.

Disabling an AWS managed application

To prevent users from authenticating to an AWS managed application, you can disable the application in the IAM Identity Center console.

Warning

Disabling an application deletes all user permissions to this application, disconnects the application from IAM Identity Center, and renders the application inaccessible. If you're an IAM Identity Center administrator, we recommend that you coordinate with the application administrator before performing this task.

To disable an AWS managed application

  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. On the Applications page, under AWS managed applications, choose the application that you want to disable.

  4. With the application selected, choose Actions, and then choose Disable.

  5. In the Suspend application dialog box, choose Suspend.

  6. In the AWS managed applications list, the application status appears as Inactive.