AWS IAM Identity Center (SSO)
AWS IAM Identity Center (formerly AWS Single Sign-On) is a centralized identity management service that enables organizations to manage workforce access to multiple AWS accounts and business applications from a single location. It is a critical topic under Domain 4 (Identity and Access Management) of the AWS Certified Security – Specialty (SCS-C02) exam.
**Key Features:**
1. **Centralized Access Management:** IAM Identity Center provides a single point to create or connect workforce identities and manage access across your entire AWS Organization. Users get a personalized user portal to access all assigned accounts and applications.
2. **Identity Sources:** It supports multiple identity sources, including its own built-in identity store, Microsoft Active Directory (via AWS Managed Microsoft AD or AD Connector), and external Identity Providers (IdPs) using SAML 2.0, with SCIM for automatic provisioning.
3. **Permission Sets:** These are collections of IAM policies that define the level of access users and groups have to AWS accounts. Permission sets are assigned to users/groups and mapped to specific AWS accounts, enabling fine-grained access control.
4. **Multi-Account Access:** Deeply integrated with AWS Organizations, IAM Identity Center simplifies managing access across multiple AWS accounts without needing to configure federation for each account individually.
5. **Application Integration:** It supports pre-integrated SAML 2.0 applications (e.g., Salesforce, Microsoft 365) and custom SAML applications, enabling true single sign-on across cloud services.
6. **Temporary Credentials:** IAM Identity Center issues short-lived credentials, following security best practices by eliminating long-term access keys.
7. **MFA Support:** Built-in multi-factor authentication support enhances security posture.
**Security Best Practices:**
- Enable MFA for all users
- Use least-privilege permission sets
- Leverage attribute-based access control (ABAC)
- Monitor access via AWS CloudTrail integration
For the SCS-C02 exam, understanding how IAM Identity Center integrates with Organizations, supports federated access, and enforces least-privilege principles is essential.
AWS IAM Identity Center (SSO) – Complete Guide for AWS Security Specialty
Why AWS IAM Identity Center (SSO) Is Important
In modern cloud environments, organizations manage dozens or even hundreds of AWS accounts alongside third-party SaaS applications. Without a centralized identity solution, administrators face an explosion of IAM users, inconsistent permission policies, and security blind spots. AWS IAM Identity Center (formerly AWS Single Sign-On) solves this by providing a single place to manage workforce access across all AWS accounts and cloud applications. For the AWS Security Specialty exam, this service sits at the intersection of identity management, least-privilege access, and organizational security — making it a high-value topic.
What Is AWS IAM Identity Center (SSO)?
AWS IAM Identity Center is a cloud-based service that enables you to centrally manage single sign-on (SSO) access to multiple AWS accounts (organized through AWS Organizations) and business applications (such as Salesforce, Microsoft 365, and custom SAML 2.0 apps). Key characteristics include:
• Centralized Identity Management: Create and manage users and groups directly in its built-in identity store, or connect to an external identity provider (IdP) such as Microsoft Active Directory, Okta, Azure AD, or any SAML 2.0 / SCIM-compatible provider.
• Multi-Account Access: Assign users and groups fine-grained permissions across any or all AWS accounts in your AWS Organization using Permission Sets.
• Application Access: Provide SSO access to pre-integrated or custom SAML 2.0 applications from a single user portal.
• Temporary Credentials: IAM Identity Center does not create long-lived IAM users. Instead, it vends temporary STS credentials when users assume roles, following security best practices.
• Free to Use: There is no additional charge for IAM Identity Center itself; you pay only for the underlying AWS resources.
How AWS IAM Identity Center Works
Understanding the architecture is critical for both real-world implementation and exam success:
1. Identity Source Configuration
You choose where your identities live:
• IAM Identity Center Directory (Built-in): A simple directory managed within the service. Suitable for small organizations or proof-of-concept setups.
• AWS Managed Microsoft AD or AD Connector: Connect to an on-premises or AWS-hosted Active Directory via AWS Directory Service.
• External Identity Provider (IdP): Use SAML 2.0 federation and SCIM (System for Cross-domain Identity Management) for automatic user and group provisioning from providers like Okta, Azure AD, or Ping Identity.
2. AWS Organizations Integration
IAM Identity Center requires AWS Organizations and must be enabled in the management account (or can be delegated to a member account as a delegated administrator). It discovers all accounts in the organization automatically.
3. Permission Sets
A Permission Set is a template that defines the level of access a user or group has in an AWS account. Key details:
• Permission Sets are collections of one or more IAM policies (AWS managed policies, customer managed policies, or inline policies).
• You can also define a permissions boundary within a Permission Set.
• When you assign a Permission Set to a user/group for a specific account, IAM Identity Center automatically creates an IAM role in that target account. The user assumes this role via temporary STS credentials.
• A single Permission Set can be assigned to multiple accounts, ensuring consistency.
• The session duration of the assumed role can be configured (from 1 hour up to 12 hours).
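The following is an added example (not code from the original article or from AWS) of the Permission Set workflow just described: create the set with a bounded session duration, attach a managed policy, an inline policy and a permissions boundary, then create the account assignment that makes IAM Identity Center deploy the role. It uses the real boto3 `sso-admin` method names, but takes the client as a parameter so the plan can be reviewed offline with the recording stand-in; the instance ARN, account ID, group ID and Permission Set name are constructed placeholders.

```python
"""Provision a least-privilege IAM Identity Center Permission Set.

Added example, not from the original article. Real boto3 `sso-admin`
method names are used; all ARNs, IDs and names below are constructed.
"""
import json
import re

# Constructed placeholders. Real values come from
# `aws sso-admin list-instances` and the identity store, never from code.
EXAMPLE_INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE0000000000"
EXAMPLE_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE0000000000/ps-EXAMPLE00000000"
EXAMPLE_ACCOUNT_ID = "111111111111"
EXAMPLE_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Tightly scoped inline policy: only CloudTrail lookups for auditors.
AUDITOR_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:LookupEvents", "cloudtrail:DescribeTrails"],
        "Resource": "*",
    }],
}


def session_duration(hours: int) -> str:
    """Return the ISO 8601 duration the API expects; the service allows 1-12 hours."""
    if not 1 <= hours <= 12:
        raise ValueError("Permission Set session duration must be 1-12 hours")
    return f"PT{hours}H"


def validate_name(name: str) -> str:
    """Permission Set names are 1-32 characters from [A-Za-z0-9+=,.@_-]."""
    if not re.fullmatch(r"[\w+=,.@-]{1,32}", name):
        raise ValueError(f"invalid Permission Set name: {name!r}")
    return name


class RecordingClient:
    """Stand-in for the boto3 `sso-admin` client: records each call instead of
    sending it, so the planned changes can be reviewed or tested offline."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**params):
            self.calls.append((method, params))
            if method == "create_permission_set":
                return {"PermissionSet": {"PermissionSetArn": EXAMPLE_PS_ARN}}
            return {}
        return call


def provision_auditor_permission_set(client, instance_arn, account_id, group_id, hours=4):
    """Create a read-only auditor Permission Set, cap it with a permissions
    boundary, and assign it to one group in one account. Returns the set's ARN."""
    ps_arn = client.create_permission_set(
        InstanceArn=instance_arn,
        Name=validate_name("SecurityAuditor"),
        Description="Read-only security audit access",
        SessionDuration=session_duration(hours),
    )["PermissionSet"]["PermissionSetArn"]

    # Baseline AWS managed policy plus the narrow inline policy above.
    client.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn="arn:aws:iam::aws:policy/SecurityAudit")
    client.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        InlinePolicy=json.dumps(AUDITOR_INLINE_POLICY))
    # The boundary caps what the provisioned role can ever do, even if the
    # inline policy is widened later.
    client.put_permissions_boundary_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        PermissionsBoundary={"ManagedPolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"})
    # The assignment is what makes Identity Center create the IAM role in
    # the target account; the role carries the policies attached above.
    client.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return ps_arn


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # real run; needs credentials with sso-admin permissions
        client = boto3.client("sso-admin")
    else:
        client = RecordingClient()  # dry run: print the planned API calls
    print("permission set:", provision_auditor_permission_set(
        client, EXAMPLE_INSTANCE_ARN, EXAMPLE_ACCOUNT_ID, EXAMPLE_GROUP_ID))
    for method, params in getattr(client, "calls", []):
        print(method, json.dumps(params, indent=1))
```

Run it without arguments to see the exact sequence of API calls a reviewer would approve; the `--live` flag is the only path that talks to AWS. Assigning to a group rather than a user keeps the Permission Set reusable and makes deprovisioning a matter of group membership in the identity source.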
4. User Portal & Access
Users log into the AWS access portal (a unique URL per organization) and see all accounts and applications they have been granted access to. Clicking an account shows available roles (derived from Permission Sets). Clicking a role opens the AWS Management Console or provides CLI/API temporary credentials.
5. Attribute-Based Access Control (ABAC)
IAM Identity Center supports passing user attributes (such as department, cost center, or title) from the identity source as session tags. These can be used in IAM policy conditions for fine-grained, attribute-based access control without creating multiple Permission Sets.
6. Multi-Factor Authentication (MFA)
IAM Identity Center has built-in MFA support:
• Supports TOTP authenticator apps, FIDO2 security keys, and built-in biometric authenticators.
• You can configure MFA to be required for all users, context-aware (risk-based), or optional.
• When using an external IdP, MFA is typically enforced at the IdP level, and the MFA configuration within IAM Identity Center may be secondary.
7. Integration with AWS CLI and SDKs
IAM Identity Center integrates with AWS CLI v2 using aws configure sso. This allows developers to authenticate via the portal and receive temporary credentials for CLI and SDK usage without ever storing long-term access keys.
8. CloudTrail Integration
All sign-in events and administrative actions within IAM Identity Center are logged in AWS CloudTrail, providing a full audit trail for compliance and forensic analysis.
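As an added example (not from the original article), the detection below runs over a few constructed CloudTrail records from the `sso.amazonaws.com` event source and flags the administrative changes a security team would want to review: high-privilege policies attached to a Permission Set, assignments created in the management account, boundary removal, and any access change made by a principal other than the expected delegated-administrator role. The account IDs, ARNs and the expected admin role name are constructed; the event names are real `sso-admin` API actions, while the field layout of the records is a simplified version of CloudTrail's.

```python
"""Flag risky IAM Identity Center administrative changes in CloudTrail.

Added example, not from the original article. SAMPLE_EVENTS are constructed
records; all account IDs, ARNs and principal names are placeholders.
"""
import json

MANAGEMENT_ACCOUNT = "111111111111"  # constructed
# Only this delegated-administrator role is expected to change access (constructed).
EXPECTED_ADMIN_ARN_PREFIX = "arn:aws:sts::222222222222:assumed-role/IdentityCenterAdmins/"

HIGH_PRIVILEGE_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
# sso-admin API actions that change who can do what in member accounts.
ACCESS_CHANGES = {
    "CreateAccountAssignment",
    "AttachManagedPolicyToPermissionSet",
    "PutInlinePolicyToPermissionSet",
    "DeletePermissionsBoundaryFromPermissionSet",
}


def analyze_event(event):
    """Return a list of finding strings for one CloudTrail record."""
    findings = []
    if event.get("eventSource") != "sso.amazonaws.com":
        return findings
    name = event.get("eventName", "")
    actor = event.get("userIdentity", {}).get("arn", "")
    params = event.get("requestParameters") or {}

    if name in ACCESS_CHANGES and not actor.startswith(EXPECTED_ADMIN_ARN_PREFIX):
        findings.append(f"{name} by unexpected principal {actor}")
    if (name == "AttachManagedPolicyToPermissionSet"
            and params.get("managedPolicyArn") in HIGH_PRIVILEGE_POLICIES):
        findings.append(f"high-privilege policy attached to {params.get('permissionSetArn')}")
    if name == "CreateAccountAssignment" and params.get("targetId") == MANAGEMENT_ACCOUNT:
        findings.append(f"assignment in management account for "
                        f"{params.get('principalType')} {params.get('principalId')}")
    if name == "DeletePermissionsBoundaryFromPermissionSet":
        findings.append(f"permissions boundary removed from {params.get('permissionSetArn')}")
    return findings


def scan(records):
    """Map eventID -> findings for every record that produced at least one."""
    results = {}
    for event in records:
        found = analyze_event(event)
        if found:
            results[event["eventID"]] = found
    return results


ADMIN = EXPECTED_ADMIN_ARN_PREFIX + "alice"
PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE0000000000/ps-EXAMPLE00000000"

# Constructed sample records (simplified CloudTrail layout).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "sso.amazonaws.com",
     "eventName": "AttachManagedPolicyToPermissionSet",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"permissionSetArn": PS_ARN,
                           "managedPolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventID": "e2", "eventSource": "sso.amazonaws.com",
     "eventName": "AttachManagedPolicyToPermissionSet",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"permissionSetArn": PS_ARN,
                           "managedPolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "e3", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/contractor"},
     "requestParameters": {"targetId": MANAGEMENT_ACCOUNT, "targetType": "AWS_ACCOUNT",
                           "principalType": "USER", "principalId": "u-EXAMPLE",
                           "permissionSetArn": PS_ARN}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The same functions work unchanged on records read from a CloudTrail log file or an Athena export; only the constructed `SAMPLE_EVENTS` and the expected-admin prefix need replacing with your organization's values.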
Key Architectural Concepts Summary
• Identity Source → Where users/groups are defined (built-in, AD, external IdP)
• Permission Set → Template of IAM policies assigned to users/groups per account
• Account Assignment → Mapping of user/group + Permission Set + AWS account
• AWS Access Portal → Web-based portal for user authentication and role selection
• Temporary Credentials → STS-based short-lived credentials (no IAM users created)
• SCIM Provisioning → Automatic sync of users and groups from external IdP
• Delegated Administrator → Ability to manage IAM Identity Center from a non-management account
Common Use Cases
• Multi-account access management for organizations using AWS Organizations with dozens or hundreds of accounts.
• Centralizing workforce identity when migrating from per-account IAM users to a single identity source.
• Enabling SSO to SaaS applications from the same portal used for AWS access.
• Enforcing MFA across all AWS account access centrally.
• Implementing ABAC strategies using identity attributes for dynamic, scalable access control.
• Replacing long-term access keys with temporary credentials for developers and automation.
IAM Identity Center vs. Other AWS Identity Services
• IAM Identity Center vs. IAM Federation (AssumeRoleWithSAML): IAM Identity Center is the recommended approach for workforce SSO. Traditional SAML federation requires manual role trust configuration in each account, while IAM Identity Center automates role creation and assignment across all accounts in the organization.
• IAM Identity Center vs. Amazon Cognito: Cognito is for customer-facing application authentication (web/mobile apps). IAM Identity Center is for workforce access to AWS accounts and enterprise applications.
• IAM Identity Center vs. IAM Users: IAM Identity Center eliminates the need for individual IAM users in each account, reducing the attack surface and administrative overhead.
Security Best Practices
• Always enable MFA for all IAM Identity Center users.
• Use an external IdP for production environments to leverage existing corporate identity governance.
• Enable SCIM automatic provisioning to ensure timely deprovisioning when employees leave.
• Apply least-privilege Permission Sets and use permissions boundaries where appropriate.
• Use ABAC with session tags to reduce the number of Permission Sets needed.
• Monitor sign-in and administrative events via CloudTrail.
• Consider using a delegated administrator account rather than the management account for day-to-day IAM Identity Center administration.
• Regularly review and audit Permission Set assignments using IAM Access Analyzer and AWS Config.
Exam Tips: Answering Questions on AWS IAM Identity Center (SSO)
Here are the key strategies and facts to remember for the AWS Security Specialty exam:
1. Recognize the Trigger Words: When a question mentions "centralized access management," "single sign-on across multiple AWS accounts," "workforce identity," or "replacing IAM users with federated access at scale," think IAM Identity Center.
2. AWS Organizations is a Prerequisite: IAM Identity Center requires AWS Organizations. If a scenario doesn't mention Organizations, or mentions a standalone account without Organizations, IAM Identity Center is unlikely to be the answer.
3. Permission Sets Create IAM Roles Automatically: Understand that a Permission Set is not a role itself — it is a template. When assigned to an account, it automatically creates and manages an IAM role in that account. Users never get IAM users or long-term credentials.
4. Temporary Credentials Only: IAM Identity Center always uses STS temporary credentials. If an exam question asks about eliminating long-term credentials or access keys, IAM Identity Center is a strong answer.
5. Know the Identity Sources: Be clear on the three identity source options (built-in directory, AWS Managed Microsoft AD / AD Connector, external SAML 2.0 IdP with SCIM). Questions may test whether you know that you can only have one identity source at a time.
6. SCIM for Automated Provisioning: If a question discusses automatic synchronization of users and groups from an external IdP, the answer involves SCIM provisioning in IAM Identity Center.
7. Delegated Administrator: Know that IAM Identity Center administration can be delegated to a member account. This is a security best practice to limit use of the management account.
8. ABAC with Session Tags: Questions about dynamically controlling access based on user attributes (department, team, project) without creating many policies point to ABAC using IAM Identity Center session tags.
9. MFA Enforcement: IAM Identity Center supports built-in MFA. When using an external IdP, MFA should be enforced at the IdP. Know the difference.
10. CloudTrail for Auditing: IAM Identity Center sign-in events appear in CloudTrail. If asked about auditing SSO access, CloudTrail is the answer.
11. Don't Confuse with Cognito: If the scenario involves end-user or customer authentication for a web or mobile application, the answer is Amazon Cognito, not IAM Identity Center. IAM Identity Center is strictly for workforce (employee/contractor) access.
12. Prefer IAM Identity Center Over Manual Federation: When given a choice between configuring SAML federation manually in each account versus using IAM Identity Center, the latter is the preferred, modern, and more secure approach — especially at scale across multiple accounts.
13. Region Awareness: IAM Identity Center is deployed in a single AWS Region (you choose during setup). All configuration data resides in that Region. Some questions may test awareness of this regional characteristic and its implications for disaster recovery planning.
14. Service Control Policies (SCPs) Still Apply: Even when access is granted via IAM Identity Center Permission Sets, SCPs in AWS Organizations still act as guardrails. The effective permissions are the intersection of the Permission Set policies and SCPs.
15. Elimination Strategy: On the exam, if you see answer options that include creating IAM users in each account, sharing root credentials, or using long-term access keys for multi-account access, eliminate those immediately. The correct answer will almost always favor IAM Identity Center for centralized, scalable, secure multi-account workforce access.
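The added example below (not code from the original article, and not AWS's own evaluation engine) ties together two points made above: the ABAC pattern from section 5, where a Permission Set policy compares `aws:ResourceTag/department` with the session tag `${aws:PrincipalTag/department}`, and tip 14, where the effective permissions are the intersection of the Permission Set policies and the organization's SCPs. It implements a deliberately small subset of IAM policy semantics (Allow/Deny, wildcard Action and Resource, `StringEquals`/`StringNotEquals`/`StringLike` conditions, policy variables) and evaluates constructed session contexts against a constructed ABAC policy and a constructed region-guardrail SCP; the account ID, instance ARN and tag values are placeholders.

```python
"""Evaluate ABAC session-tag conditions together with SCP guardrails.

Added example, not from the original article. This is a small subset of IAM
policy semantics for illustration, not AWS's evaluation logic; the policies,
ARNs and tag values are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(template, ctx):
    """Substitute ${aws:PrincipalTag/...} style policy variables from the context."""
    for key, value in ctx.items():
        template = template.replace("${" + key + "}", value)
    return template


def _condition_holds(condition, ctx):
    """Every operator block must pass. A key missing from the context fails the
    check (a simplification; IAM treats some negated operators differently)."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [_resolve(e, ctx) for e in _as_list(expected)]
            if op == "StringEquals":
                ok = actual is not None and actual in wanted
            elif op == "StringNotEquals":
                ok = actual is not None and actual not in wanted
            elif op == "StringLike":
                ok = actual is not None and any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator {op} not supported in this example")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, _resolve(r, ctx)) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def effective_decision(permission_set_policy, scp, action, resource, ctx):
    """The Permission Set role policy AND the SCP must both allow the call."""
    ps = evaluate(permission_set_policy, action, resource, ctx)
    org = evaluate(scp, action, resource, ctx)
    if ps == "Deny" or org == "Deny":
        return "Deny"
    return "Allow" if ps == "Allow" and org == "Allow" else "ImplicitDeny"


def session_context(department, region, resource_tags=None):
    """Request context: the session tag passed from the identity source plus
    the tags on the target resource (all values constructed)."""
    ctx = {"aws:PrincipalTag/department": department, "aws:RequestedRegion": region}
    for key, value in (resource_tags or {}).items():
        ctx["aws:ResourceTag/" + key] = value
    return ctx


# One ABAC Permission Set serves every department: the department comes from
# the session tag, so no per-department policy is needed.
ABAC_PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/department": "${aws:PrincipalTag/department}"}}},
    ],
}

# Organization guardrail: EU Regions only, and no IAM or Organizations changes.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}

INSTANCE = "arn:aws:ec2:eu-west-1:111111111111:instance/i-0EXAMPLE"  # constructed

if __name__ == "__main__":
    cases = [
        ("ec2:StopInstances", INSTANCE, session_context("finance", "eu-west-1", {"department": "finance"})),
        ("ec2:StopInstances", INSTANCE, session_context("finance", "eu-west-1", {"department": "engineering"})),
        ("ec2:DescribeInstances", "*", session_context("finance", "us-east-1")),
        ("iam:CreateUser", "*", session_context("finance", "eu-west-1")),
    ]
    for action, resource, ctx in cases:
        print(action, ctx["aws:RequestedRegion"], "->",
              effective_decision(ABAC_PERMISSION_SET_POLICY, REGION_GUARDRAIL_SCP, action, resource, ctx))
```

The second case shows the ABAC mechanism doing its job (a finance user is implicitly denied on an engineering-tagged instance without any finance-specific policy), and the third and fourth show the SCP denying calls the Permission Set would otherwise allow or leave unaddressed, which is exactly the intersection behaviour tip 14 describes.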