AWS account access
AWS IAM Identity Center is integrated with AWS Organizations, which enables you to centrally manage permissions across multiple AWS accounts without configuring each of your accounts manually. You can define permissions and assign these permissions to workforce users to control their access to specific AWS accounts using an organization instance of IAM Identity Center. Account instances of IAM Identity Center don't support account access.
AWS account types
There are two types of AWS accounts in AWS Organizations:
-
Management account - The AWS account that is used to create the organization.
-
Member accounts - The rest of the AWS accounts that belong to an organization.
For more information about AWS account types, see AWS Organizations Terminology and Concepts in the AWS Organizations User Guide.
You can also choose to register a member account as a delegated administrator for IAM Identity Center. Users in this account can perform most IAM Identity Center administrative tasks. For more information, see Delegated administration.
For each task and account type, the following table indicates whether the IAM Identity Center administrative task can be performed by users in the account.
IAM Identity Center administrative tasks | Member account | Delegated administrator account | Management account |
---|---|---|---|
Read users or groups (reading the group itself and the group's membership) | |||
Add, edit, or delete users or groups | |||
Enable or disable user access | |||
Enable, disable, or manage incoming attributes | |||
Change or manage identity sources | |||
Create, edit, or delete customer managed applications | |||
Create, edit, or delete AWS managed applications | |||
Configure MFA | |||
Manage permission sets not provisioned in the management account | |||
Manage permission sets provisioned in the management account | |||
Enable IAM Identity Center | |||
Delete IAM Identity Center configuration | |||
Enable or disable user access in the management account | |||
Register or deregister a member account as a delegated administrator |
Assigning AWS account access
You can use permission sets to simplify how you assign users and groups in your organization access to AWS accounts. Permission sets are stored in IAM Identity Center and define the level of access that users and groups have to an AWS account. You can create a single permission set and assign it to multiple AWS accounts within your organization. You can also assign multiple permission sets to the same user.
For more information about permission sets, see Create, manage, and delete permission sets.
Note
You can also assign your users single sign-on access to applications. For information, see Application access.
End-user experience
The AWS access portal provides IAM Identity Center users with single sign-on access to all their assigned AWS accounts and applications through a web portal. The AWS access portal is different from the AWS Management Console, which is a collection of service consoles for managing AWS resources.
When you create a permission set, the name that you specify for the permission set appears in the AWS access portal as an available role. Users sign in to the AWS access portal, choose an AWS account, and then choose the role. After they choose the role, they can access AWS services by using the AWS Management Console or retrieve temporary credentials to access AWS services programmatically.
To open the AWS Management Console or retrieve temporary credentials to access AWS programmatically, users complete the following steps:
-
Users open a browser window and use the sign-in URL that you provide to navigate to the AWS access portal.
-
Using their directory credentials, they sign in to the AWS access portal.
-
After authentication, on the AWS access portal page, they choose the Accounts tab to display the list of AWS accounts to which they have access.
-
Users then choose the AWS account that they want to use.
-
Below the name of the AWS account, any permission sets to which users are assigned appear as available roles. For example, if you assigned user
john_stiles
to thePowerUser
permission set, the role displays in the AWS access portal asPowerUser/john_stiles
. Users who are assigned multiple permission sets choose which role to use. Users can choose their role to access the AWS Management Console. -
In addition to the role, AWS access portal users can retrieve temporary credentials for command line or programmatic access by choosing Access keys.
For step-by-step guidance that you can provide to your workforce users, see Using the AWS access portal and Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs.
Enforcing and limiting access
When you enable IAM Identity Center, IAM Identity Center creates a service-linked role. You can also use service control policies (SCPs).
Delegating and enforcing access
A service-linked role is a type of IAM role that is linked directly to an AWS service. After you enable IAM Identity Center, IAM Identity Center can create a service-linked role in each AWS account in your organization. This role provides predefined permissions that allow IAM Identity Center to delegate and enforce which users have single sign-on access to specific AWS accounts in your organization in AWS Organizations. You need to assign one or more users with access to an account, to use this role. For more information, see Understanding service-linked roles in IAM Identity Center and Using service-linked roles for IAM Identity Center.
Limiting access to the identity store from member accounts
For the identity store service used by IAM Identity Center, users who have access to a member account can use API actions that require Read permissions. Member accounts have access to Read actions on both the sso-directory and identitystore namespaces. For more information, see Actions, resources, and condition keys for AWS IAM Identity Center directory and Actions, resources, and condition keys for AWS Identity Store in the Service Authorization Reference.
To prevent users in member accounts from using API operations in the identity store, you can attach a service control policy (SCP). An SCP is a type of organization policy that you can use to manage permissions in your organization. The following example SCP prevents users in member accounts from accessing any API operation in the identity store.
{ "Sid": "ExplicitlyBlockIdentityStoreAccess", "Effect": "Deny", "Action": "identitystore:*", "sso-directory:*"], "Resource": "*" }
Note
Limiting member accounts' access might impair functionality in IAM Identity Center enabled applications.
For more information, see Service control policies (SCPs) in the AWS Organizations User Guide.