SSO and Identity Management - Centralized Authentication with AWS IAM Identity Center

Learn how to implement single sign-on and multi-account access management with AWS IAM Identity Center (formerly AWS SSO). Covers external IdP integration, permission set design, and how it differs from Cognito.

Authentication Challenges in Multi-Account Environments and IAM Identity Center

AWS best practices recommend a multi-account strategy that isolates workloads into separate AWS accounts. As the number of accounts grows, however, creating and managing IAM users in each account becomes unsustainable: password management, MFA configuration, and offboarding departing employees all scale linearly with the number of accounts. AWS IAM Identity Center (renamed from AWS SSO in 2022) is the managed SSO service that addresses this. Users sign in once at a user portal and from there reach every AWS account assigned to them. No IAM users are created in the member accounts; instead, Identity Center federates the user into a role in the target account and issues short-lived credentials for it, so there are no long-term access keys to leak or rotate. Identity Center integrates natively with AWS Organizations, so new accounts appear in it without further setup, although access to them still has to be assigned explicitly.

External IdP Integration and Identity Source Selection

IAM Identity Center supports three identity sources. The first is the Identity Center directory (built-in), suitable for small organizations or test environments. The second is Active Directory (via AWS Managed Microsoft AD or AD Connector), which lets you keep using an existing on-premises AD. The third is an external SAML 2.0 identity provider such as Okta, Microsoft Entra ID (formerly Azure AD) or Google Workspace; in that case the IdP handles authentication, and the SCIM (System for Cross-domain Identity Management) protocol provisions users and groups into IAM Identity Center automatically, so they need not be maintained by hand on the AWS side. Deprovisioning works the same way: disabling a user in the IdP disables them in Identity Center at the IdP's next provisioning push, after which the user can no longer sign in. Two limits of that statement matter in practice. SCIM sync is push-based on the IdP's schedule, not instantaneous, and role credentials already issued to the user remain valid until their session duration runs out. To cut access immediately, delete the user's active sessions in the Identity Center console in addition to disabling them at the IdP.

The AWS CLI v2 is configured for SSO with a profile that points at an sso-session block:

```ini
# ~/.aws/config
[profile dev-admin]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-northeast-1

[sso-session my-sso]
sso_start_url = https://my-org.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access
```

```bash
# Execute login
aws sso login --profile dev-admin
```

`aws sso login` launches a browser-based authentication flow against the start URL. After authentication the SSO access token is cached under ~/.aws/sso/cache and the role credentials obtained with it under ~/.aws/cli/cache. Both are short-lived, but they are bearer secrets on disk, so run `aws sso logout` on shared machines to remove them.
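Where the cached token actually lives, and how long it stays valid, is worth checking rather than taking on faith. The script below is an added example, not code from the original article or from AWS: it resolves a profile from a ~/.aws/config of the layout shown above, derives the cache file name the way AWS CLI v2 (botocore) does, and reports the state of a cached token. The config text and the cache entry are constructed for the example; the field names match the real cache file, the token values do not.

```python
"""Inspect the AWS CLI v2 SSO token cache for a profile.

Added example, not code from the original article or from AWS. Assumptions:
the cache file naming rule is the one AWS CLI v2 / botocore uses (SHA-1 hex
digest of the sso-session name, or of sso_start_url for legacy profiles that
have no [sso-session] block); the cache entry below is constructed and only
borrows the field names the real cache files carry.
"""
import configparser
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Constructed ~/.aws/config, same layout as the profile in the article.
SAMPLE_CONFIG = """
[profile dev-admin]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-northeast-1

[sso-session my-sso]
sso_start_url = https://my-org.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access
"""

# Constructed cache entry. Real files also carry clientId/clientSecret;
# every value here is a bearer secret and should be treated as such.
SAMPLE_CACHE_ENTRY = {
    "startUrl": "https://my-org.awsapps.com/start",
    "region": "ap-northeast-1",
    "accessToken": "constructed-access-token",
    "expiresAt": "2024-05-01T17:00:00Z",
    "refreshToken": "constructed-refresh-token",
}


def resolve_profile(config_text, profile):
    """Return (session_name, start_url, sso_region) for a CLI profile.

    Profiles that reference an [sso-session] take start URL and region from
    that block; legacy profiles carry sso_start_url / sso_region inline.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    prof = cfg[f"profile {profile}"]
    session_name = prof.get("sso_session")
    if session_name:
        sess = cfg[f"sso-session {session_name}"]
        return session_name, sess["sso_start_url"], sess["sso_region"]
    return None, prof["sso_start_url"], prof["sso_region"]


def sso_cache_path(session_name=None, start_url=None, home=None):
    """Path of the cached SSO token for a session (or a legacy profile)."""
    key = session_name or start_url
    if not key:
        raise ValueError("need an sso-session name or an sso_start_url")
    base = Path(home) if home else Path.home()
    digest = hashlib.sha1(key.encode("utf-8")).hexdigest()
    return base / ".aws" / "sso" / "cache" / f"{digest}.json"


def token_status(entry, now_iso=None):
    """Report whether a cached access token is still usable and for how long."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    expires = datetime.fromisoformat(entry["expiresAt"].replace("Z", "+00:00"))
    remaining = int((expires - now).total_seconds())
    return {
        "start_url": entry["startUrl"],
        "expired": remaining <= 0,
        "seconds_remaining": max(remaining, 0),
        "refreshable": "refreshToken" in entry,
    }


if __name__ == "__main__":
    session, url, region = resolve_profile(SAMPLE_CONFIG, "dev-admin")
    print(f"profile dev-admin -> session {session}, cache {sso_cache_path(session, url)}")
    print(token_status(SAMPLE_CACHE_ENTRY, "2024-05-01T16:00:00Z"))
```

Point `home` at a user's home directory and read the JSON at the returned path to inspect a real cache; a token that is past `expiresAt` but still carries a `refreshToken` will be silently renewed by the CLI on the next call, which is why `aws sso logout` rather than waiting for expiry is the right way to end a session on a shared machine.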

Permission Sets and Access Assignments

A permission set is a template of IAM permissions that is provisioned as a role in each AWS account it is assigned to. You can attach AWS managed policies (AdministratorAccess, ReadOnlyAccess, PowerUserAccess, etc.) directly, or use customer managed policies, which Identity Center references by name and which must therefore already exist under that name in every target account. Inline policies and permissions boundaries are also configurable, enabling fine-grained control aligned with the principle of least privilege. Session duration can be set from 1 to 12 hours, with a default of 1 hour; keep it short for administrative sets. An access assignment is the combination of three elements: permission set, AWS account, and user or group. For example, you can assign the development team group PowerUserAccess in the dev account and ReadOnlyAccess in the prod account. Prefer group assignments over direct user assignments: adding or removing a member from a group then changes their access everywhere the group is assigned, and offboarding becomes a single group-membership change rather than a hunt across accounts.
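The guardrails just described (assign through groups, keep production read-only for most people) can be checked mechanically against the assignment list. The script below is an added example, not part of the original article or an AWS tool: it walks records shaped like the output of `aws sso-admin list-account-assignments`, builds the effective access matrix, and flags assignments that break an example policy. Account IDs, permission set ARNs, principal names and the policy rules themselves are constructed for illustration.

```python
"""Audit IAM Identity Center account assignments against simple guardrails.

Added example, not code from the original article or from AWS. Records have
the shape returned by `aws sso-admin list-account-assignments`
(AccountId, PermissionSetArn, PrincipalType, PrincipalId); every ID, ARN,
name and policy rule below is constructed for illustration.
"""

# Constructed lookup tables (in practice: Organizations, sso-admin and
# identitystore describe/list calls).
ACCOUNTS = {"111111111111": "dev", "222222222222": "prod"}
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-admin00000000"
PS_POWER = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-power0000000"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-ro0000000000"
PERMISSION_SETS = {PS_ADMIN: "AdministratorAccess", PS_POWER: "PowerUserAccess", PS_RO: "ReadOnlyAccess"}
PRINCIPALS = {"g-developers": "developers", "g-platform-ops": "platform-ops", "u-alice": "alice"}

# Constructed assignment list, same shape as the CLI output.
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_POWER, "PrincipalType": "GROUP", "PrincipalId": "g-developers"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO, "PrincipalType": "GROUP", "PrincipalId": "g-developers"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-platform-ops"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN, "PrincipalType": "USER", "PrincipalId": "u-alice"},
]

# Example policy, not AWS guidance.
ADMIN_SETS = {"AdministratorAccess", "PowerUserAccess"}
PROD_ACCOUNTS = {"prod"}
BREAK_GLASS_GROUPS = {"platform-ops"}  # the only principals allowed admin sets in prod


def describe(assignment):
    """Resolve one raw record to (principal type, principal name, account name, permission set name)."""
    return (
        assignment["PrincipalType"],
        PRINCIPALS[assignment["PrincipalId"]],
        ACCOUNTS[assignment["AccountId"]],
        PERMISSION_SETS[assignment["PermissionSetArn"]],
    )


def access_matrix(assignments):
    """Map (principal name, account name) -> set of permission set names."""
    matrix = {}
    for a in assignments:
        _, pname, account, ps = describe(a)
        matrix.setdefault((pname, account), set()).add(ps)
    return matrix


def audit(assignments):
    """Return human-readable findings for assignments that violate the policy."""
    findings = []
    for a in assignments:
        ptype, pname, account, ps = describe(a)
        if ptype == "USER":
            findings.append(f"{pname}: direct USER assignment of {ps} to {account}; assign through a group instead")
        if account in PROD_ACCOUNTS and ps in ADMIN_SETS and not (ptype == "GROUP" and pname in BREAK_GLASS_GROUPS):
            findings.append(f"{pname}: {ps} on production account {account} outside the break-glass group")
    return findings


if __name__ == "__main__":
    for (pname, account), sets in sorted(access_matrix(ASSIGNMENTS).items()):
        print(f"{pname:14} {account:5} {', '.join(sorted(sets))}")
    for finding in audit(ASSIGNMENTS):
        print("FINDING:", finding)
```

Run against real data by replacing the lookup tables with the output of `aws sso-admin list-account-assignments` per account and permission set; the same two checks are a reasonable starting point for a scheduled job that fails when a direct user assignment or an administrative set on production appears.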

Choosing Between Cognito and Application Integration

IAM Identity Center and Cognito are both authentication services, but they serve different user populations. IAM Identity Center is the workforce identity layer for employees and developers accessing the AWS Management Console, the CLI and the SDKs. Cognito is an authentication and authorization service for the end users (customers) of your own web and mobile applications, providing sign-up, sign-in, social login and token issuance; it does not grant access to AWS accounts the way a permission set does. Beyond AWS account access, IAM Identity Center provides SSO to SAML 2.0-compatible third-party applications (Salesforce, Slack, GitHub, etc.), and the user portal lists a user's assigned AWS accounts and applications for single-click access. Sign-ins and assignment changes are recorded in CloudTrail, and in each member account the role assumed through Identity Center appears under the AWSReservedSSO_<permission set name>_<suffix> naming with the user's name as the role session name, so console and API activity can be traced back to an individual rather than to a shared IAM user.

IAM Identity Center Pricing

IAM Identity Center itself carries no charge. There is no per-user, per-permission-set or per-account fee (within service quotas), and no additional charge for SSO setup and operation, including SAML/SCIM integration with external IdPs such as Okta or Microsoft Entra ID (formerly Azure AD). The costs that do arise are indirect: AWS Managed Microsoft AD or AD Connector, if you use Active Directory as the identity source, is billed separately, as is the external IdP's own licensing. Cost is therefore not a reason to hesitate adopting it as the access management platform for a multi-account environment.

Summary - Guidelines for Using IAM Identity Center

AWS IAM Identity Center centralizes authentication and access management in multi-account environments. SAML/SCIM integration with external IdPs reuses your existing identity infrastructure, and permission set templates keep access management consistent across accounts. Short-lived, automatically issued credentials remove the need for long-term access keys, and CLI v2 integration preserves the developer experience. For organizations adopting a multi-account strategy, deploying IAM Identity Center early is recommended: it carries no charge and integrates directly with Organizations, so the barrier to adoption is low. Pair it with group-based assignments, read-only permission sets on production, short session durations for administrative access, and a deprovisioning process that deletes active sessions as well as disabling the user at the IdP.