Security

Single Sign-On with AWS IAM Identity Center - Multi-Account Access Management

Achieve single sign-on for multi-account environments and control access levels to each account with permission sets. Covers external IdP integration and ABAC usage.

約 3 分で読めます

Overview of IAM Identity Center

IAM Identity Center (formerly AWS SSO) is a service that centralizes single sign-on and access management for multi-account environments. Users log in to the AWS access portal and access their assigned AWS accounts and applications with a single click. This eliminates the need to create IAM users in each individual account.

Permission Sets and IdP Integration

Permission sets are collections of IAM policies that can include AWS managed policies such as AdministratorAccess and ReadOnlyAccess, as well as custom policies. When you assign a permission set to a user/group and account combination, the corresponding IAM role is automatically created when that user accesses the account. For external IdP integration, authentication is delegated via SAML 2.0, and SCIM handles automatic provisioning of users and groups. When you add a user in Okta, it is automatically reflected in IAM Identity Center.

ABAC and Session Management

IAM Identity Center supports attribute-based access control (ABAC), dynamically granting access permissions based on user attributes (department, job title, project). SAML attributes passed from the IdP are mapped to IAM session tags, and access is controlled by matching them against resource tags. Session duration can be configured per application, with short sessions (1 hour) for high-security environments and longer sessions (12 hours) for development environments. The AWS access portal provides one-click access to the management console or CLI, making it easy to switch between accounts. To deepen your practical knowledge of SSO authentication, specialized books on Amazon can be helpful.

IAM Identity Center Pricing

IAM Identity Center is free to use. There are no additional charges for the number of users, groups, or SSO sessions. Integration with external IdPs (Okta, Azure AD, Google Workspace) via SAML/SCIM is also free. Costs depend on the usage fees of the AWS accounts and applications managed by Identity Center. Enable IAM Identity Center across all Organizations accounts and retire direct IAM user creation to simultaneously improve security and operational efficiency.

Summary

IAM Identity Center is a free service that centralizes SSO and access management for multi-account environments. Define access permissions by combining AWS managed policies and custom policies in permission sets, and achieve centralized user management through SAML/SCIM integration with external IdPs. Use ABAC for dynamic permission assignment based on user attributes, and switch between accounts with a single click from the AWS access portal.

Related Services

AWS IAM Identity CenterA service that provides single sign-on to multiple AWS accounts and SaaS applicationsAWS OrganizationsA service for centrally managing multiple AWS accountsAmazon CognitoA service that provides authentication, authorization, and user management for web and mobile applications

Related Articles

Multi-Account Management with AWS Organizations - OU Design and Governance with SCPsEstablish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsAutomatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.Getting Started with Full-Stack Web App Development on AWS Amplify - Git-Connected Deploys and Backend SetupSet up automatic per-branch deployment environments with GitHub integration, and define authentication, APIs, and storage in TypeScript using Backend Gen 2. Also supports Next.js SSR.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

SSO and Identity Management - Centralized Authentication with AWS IAM Identity CenterLearn how to implement single sign-on and multi-account access management with AWS IAM Identity Center (formerly AWS SSO). Covers external IdP integration, permission set design, and how it differs from Cognito.AWS IAMAn authentication and authorization service for securely controlling access to AWS resources, providing fine-grained access management through users, groups, roles, and policiesDesigning Identity and Access Management - Achieving Zero Trust Security with IAMLearn access management design techniques with AWS IAM, including the principle of least privilege, policy design, and achieving zero trust security through Cognito integration.