AWS IAM Identity Center
A single sign-on (SSO) service integrated with AWS Organizations that centrally manages access to multiple AWS accounts and business applications
Overview
AWS IAM Identity Center (formerly AWS SSO) is a service that provides single sign-on to multiple AWS accounts and business applications. Permission Sets allow you to declaratively define permissions for users and groups in each account, enabling large-scale access management that works in concert with your Organizations structure. Federation authentication leveraging your existing identity infrastructure is possible through integration with external IdPs (Okta, Azure AD, Google Workspace, etc.) that support SAML 2.0 and SCIM.
Limitations of IAM Users and How Identity Center Solves Multi-Account Authentication Challenges
As AWS usage grows, accounts multiply for environment isolation and security boundaries. Creating IAM users in each account requires managing credentials for every account-user combination, making password rotation and access key management a significant operational burden. Missed account deletions for departing employees become a breeding ground for security incidents. IAM Identity Center fundamentally solves this problem. Users log in to a portal with a single set of credentials and simply select from their assigned AWS accounts and roles to access the Management Console or CLI with temporary credentials. Since long-lived access keys are no longer needed, the risk of credential leakage is dramatically reduced. For organizations already using Azure AD (Microsoft Entra ID), a recommended configuration uses SCIM provisioning to automatically sync users and groups, so that disabling an account in Azure AD immediately blocks AWS access.
Permission Set Design Strategy and Practicing Least Privilege
Permission Sets are the core concept of Identity Center's authorization management. A single Permission Set is a collection of IAM policies that defines "which permissions" a user or group has "in which account." For example, you can assign a "ReadOnlyAccess" permission set to the audit team across all accounts while restricting "AdministratorAccess" to only the SRE team in production accounts. Both AWS managed policies and custom JSON-defined policies are available, and in practice they are combined. Session duration can be set per Permission Set from 1 to 12 hours, with production environments typically set short (1-2 hours) and development environments longer (8 hours). AWS security books (Amazon) cover permission design patterns for multi-account environments in detail. Combining with Permission Boundaries enables multi-layered defense that controls the upper limit of permissions granted by permission sets at the organizational level.
CLI/SDK Integration and Optimizing Developer Experience
Identity Center integrates natively with AWS CLI v2. Configuring an SSO profile with the aws configure sso command enables automatic retrieval of temporary credentials through browser authentication. By defining SSO profiles in ~/.aws/config, you can operate across multiple accounts simply by switching with the --profile option, eliminating the need to write access keys in .env files. IaC tools like Terraform and CDK also recognize SSO profiles, so the same authentication flow works when executing infrastructure code. For Organizations integration, the Delegated Administrator feature is recommended for operating Identity Center from an account other than the management account. A structure where the security team manages identities from a dedicated account while minimizing access to the management account is a best practice for large organizations. ABAC (Attribute-Based Access Control) is also supported, enabling advanced designs that propagate user attributes (department, project name, etc.) as session tags and dynamically control access by matching them against resource tags.