IAM Identity Center AD sync - AWS IAM Identity Center

IAM Identity Center AD sync

With IAM Identity Center AD sync, you use IAM Identity Center to grant users and groups from Active Directory access to AWS accounts and to AWS managed applications or customer managed applications. Every identity that has an assignment is automatically synchronized into IAM Identity Center; identities without an assignment are not.

How IAM Identity Center AD sync works

IAM Identity Center refreshes the AD-based identity data in the identity store using the following process.

Creation

When you assign users or groups to AWS accounts or applications by using the AWS console or the assignment API calls, information about those users, groups, and their memberships is periodically synchronized into the IAM Identity Center identity store. Users or groups that are added to IAM Identity Center assignments usually appear in the AWS identity store within two hours. Depending on the amount of data being synchronized, this process might take longer. Only users and groups that are directly assigned access, or that are members of a group that is assigned access, are synchronized.

Groups that are members of other groups (called nested groups) are also written to the identity store. When you make assignments to a group in Active Directory that contains nested groups, the way in which the assignments are applied depends on whether you use AD sync or configurable AD sync.

  • AD sync – When you make assignments to a group in Active Directory that contains nested groups, only the direct members of the group can access the account. For example, if you assign access to Group A, and Group B is a member of Group A, only the direct members of Group A can access the account. No members of Group B inherit the access.

  • Configurable AD sync – Using configurable AD sync to make assignments to a group in Active Directory that contains nested groups can widen the set of users who have access to AWS accounts or to applications, because the assignment applies to all users reachable through the nesting, not only to direct members. For example, if you assign access to Group A, and Group B is a member of Group A, members of Group B also inherit this access. Before switching an assigned group to configurable AD sync, review its nested membership so that you know exactly which additional users will gain access.

If a user accesses IAM Identity Center before their user object has been synchronized for the first time, that user's identity store object is created on demand using just-in-time (JIT) provisioning. Users created by JIT provisioning are not synchronized unless they have directly assigned or group-based IAM Identity Center entitlements. Group memberships for JIT-provisioned users are unavailable until after synchronization, so any access that such a user is meant to receive through a group assignment does not take effect until the next synchronization completes.

For instructions on how to assign users access to AWS accounts, see Single sign-on access to AWS accounts.

Update

The identity data in the IAM Identity Center identity store stays fresh by periodically reading data from the source directory in Active Directory. Identity data that is changed in Active Directory will usually appear in the AWS identity store within four hours. Depending on the amount of data being synchronized, this process might take longer.

User and group objects and their memberships are created or updated in IAM Identity Center to match the corresponding objects in the source directory in Active Directory. For user attributes, only the subset of attributes listed under Manage attributes for access control in the IAM Identity Center console is updated in IAM Identity Center; other attributes on the user object are not refreshed by sync. In addition, user attributes are updated with each user authentication event.

Deletion

Users and groups are deleted from the IAM Identity Center identity store when the corresponding user or group objects are deleted from the source directory in Active Directory.
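The following Python model ties together the two rules this page describes: how an assignment to a group is expanded to users under AD sync (direct members only) versus configurable AD sync (all nested members), and the creation, update, and deletion behavior of a sync pass. It is an added example, not AWS code or an AWS API: the AD snapshot, the group nesting (including a cycle, to show that expansion must terminate), the user attribute names in SYNCED_ATTRS, the dict-shaped identity store, and the assumption that a user who merely lost an assignment is not deleted are all constructed for illustration. The `scope_increase` function is the check a practitioner would want before enabling configurable AD sync: it lists exactly which users gain access through nested membership.

```python
"""Model of the AD sync scoping and refresh rules described on this page.
Added example, not AWS code: all data and names below are constructed."""
from dataclasses import dataclass, field

# Only this subset of user attributes is refreshed on update. The real subset is
# whatever is listed under "Manage attributes for access control"; these three
# names are an assumption for the example.
SYNCED_ATTRS = ("email", "displayName", "department")


@dataclass
class ADGroup:
    users: set = field(default_factory=set)   # direct user members
    groups: set = field(default_factory=set)  # direct nested-group members


def direct_members(ad_groups, group):
    """AD sync rule: a group assignment reaches the group's direct user members only."""
    return set(ad_groups[group].users)


def transitive_members(ad_groups, group):
    """Configurable AD sync rule: the assignment also reaches users in nested
    groups at any depth. Visited groups are tracked so cyclic nesting terminates."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        users |= ad_groups[g].users
        stack.extend(ad_groups[g].groups)
    return users


def in_scope_users(ad_groups, assigned_users, assigned_groups, configurable):
    """Users that hold an entitlement and are therefore synchronized: directly
    assigned users plus each assigned group's members, expanded per sync mode."""
    expand = transitive_members if configurable else direct_members
    users = set(assigned_users)
    for g in assigned_groups:
        users |= expand(ad_groups, g)
    return users


def scope_increase(ad_groups, assigned_users, assigned_groups):
    """Pre-switch audit: users who would gain access purely through nested groups."""
    return (in_scope_users(ad_groups, assigned_users, assigned_groups, True)
            - in_scope_users(ad_groups, assigned_users, assigned_groups, False))


def reconcile(identity_store, ad_users, ad_groups, assigned_users, assigned_groups,
              configurable):
    """One sync pass over a dict-shaped identity store.
    Creation: in-scope users missing from the store are created.
    Update:   existing in-scope users get only SYNCED_ATTRS refreshed.
    Deletion: store objects whose AD user object no longer exists are removed;
              a user who only lost an assignment stays (assumption of this model).
    JIT-provisioned users without an entitlement are left untouched."""
    scope = in_scope_users(ad_groups, assigned_users, assigned_groups, configurable)
    created, updated, deleted = [], [], []
    for name in sorted(scope):
        if name not in ad_users:      # assigned but already gone from AD
            continue
        wanted = {k: v for k, v in ad_users[name].items() if k in SYNCED_ATTRS}
        if name not in identity_store:
            identity_store[name] = dict(wanted)
            created.append(name)
        elif any(identity_store[name].get(k) != v for k, v in wanted.items()):
            identity_store[name].update(wanted)
            updated.append(name)
    for name in sorted(identity_store):
        if name not in ad_users:
            del identity_store[name]
            deleted.append(name)
    return created, updated, deleted


# Constructed AD snapshot: GroupA -> GroupB -> GroupC -> GroupA forms a cycle.
AD_GROUPS = {
    "GroupA": ADGroup(users={"alice"}, groups={"GroupB"}),
    "GroupB": ADGroup(users={"bob"}, groups={"GroupC"}),
    "GroupC": ADGroup(users={"carol"}, groups={"GroupA"}),
}
AD_USERS = {  # badgeId is deliberately outside SYNCED_ATTRS
    "alice": {"email": "alice@example.test", "displayName": "Alice", "department": "SecOps", "badgeId": "0001"},
    "bob": {"email": "bob@example.test", "displayName": "Bob", "department": "Infra"},
    "carol": {"email": "carol@example.test", "displayName": "Carol", "department": "Infra"},
    "dave": {"email": "dave@example.test", "displayName": "Dave", "department": "Sales"},
}
ASSIGNED_USERS, ASSIGNED_GROUPS = set(), {"GroupA"}   # only GroupA is assigned


def run_example(configurable=False):
    """Constructed identity store: alice has a stale display name, dave was JIT
    provisioned without an entitlement, erin's AD object has been deleted."""
    store = {
        "alice": {"email": "alice@example.test", "displayName": "A. Old", "department": "SecOps"},
        "dave": {"email": "dave@example.test", "displayName": "Dave"},
        "erin": {"email": "erin@example.test"},
    }
    result = reconcile(store, AD_USERS, AD_GROUPS, ASSIGNED_USERS, ASSIGNED_GROUPS, configurable)
    return store, result


if __name__ == "__main__":
    print("gain access under configurable AD sync:", sorted(scope_increase(AD_GROUPS, ASSIGNED_USERS, ASSIGNED_GROUPS)))
    for mode in (False, True):
        store, (c, u, d) = run_example(mode)
        print(f"configurable={mode}: created={c} updated={u} deleted={d} store={sorted(store)}")
```

Running it shows that under AD sync only alice is in scope for the GroupA assignment, while configurable AD sync also pulls in bob and carol through the nested chain, and that a sync pass refreshes alice's display name without copying the unlisted badgeId attribute, leaves the JIT-provisioned dave alone, and removes erin because her source object is gone.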