General

Q: What is Amazon IAM Identity Center?

IAM Identity Center is built on top of Amazon Identity and Access Management (IAM) to simplify access management to multiple Amazon Web Services accounts, Amazon Web Services applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across Amazon Web Services. You can choose to manage access just to your Amazon Web Services accounts, just to your cloud applications, or to both. You can create users directly in IAM Identity Center, or you can bring them from your existing workforce directory. With IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access their assigned Amazon Web Services accounts or cloud applications.

Q: What are the benefits of IAM Identity Center?

You can use IAM Identity Center to quickly and easily assign and manage your employees’ access to multiple Amazon Web Services accounts, SAML-enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing credentials or credentials that you configure in IAM Identity Center. They can use a single personalized user portal. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from Amazon CloudTrail.

Q: What problems does IAM Identity Center solve?

IAM Identity Center eliminates the administrative complexity of federating and managing permissions separately for each Amazon Web Services account. It allows you to set up Amazon Web Services applications from a single interface, and to assign access to your cloud applications from a single place.

IAM Identity Center also helps improve access visibility by integrating with Amazon CloudTrail and providing a central place for you to audit single sign-on access to Amazon Web Services accounts and SAML-enabled cloud applications, such as Microsoft 365, Salesforce, and Box.

Q: Why should I use IAM Identity Center?

IAM Identity Center is our recommended front door into Amazon Web Services. It should be your primary tool to manage the access of your workforce users. It allows you to manage your identities in your preferred identity source, connect them once for use in Amazon Web Services, define fine-grained permissions, and apply them consistently across accounts. As the number of your accounts scales, IAM Identity Center gives you the option to use it as a single place to manage user access to all your cloud applications.

Q: What can I do with IAM Identity Center?

You can use IAM Identity Center to quickly and easily assign your employees access to Amazon Web Services accounts within Amazon Organizations, business cloud applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in IAM Identity Center to access their business applications from a single user portal. IAM Identity Center also allows you to audit users’ access to cloud services by using Amazon CloudTrail.

Q: Who should use IAM Identity Center?

IAM Identity Center is for administrators who manage multiple Amazon Web Services accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.

Q: How do I start using IAM Identity Center?

As a new IAM Identity Center customer, you:

  1. Sign in to the Amazon Web Services Management Console of the management account in your Amazon Web Services account and navigate to the IAM Identity Center console.
  2. Select the directory you use for storing the identities of your users and groups from the IAM Identity Center console. IAM Identity Center provides you a directory by default that you can use to manage users and groups in IAM Identity Center. You can also change the directory to connect to a Microsoft AD directory by clicking through a list of Managed Microsoft AD and AD Connector instances that IAM Identity Center discovers in your account automatically. If you want to connect to a Microsoft AD directory, see Setting up Amazon Directory Service.
  3. Grant users single sign-on access to Amazon Web Services accounts in your organization by selecting the Amazon Web Services accounts from a list populated by IAM Identity Center, and then selecting users or groups from your directory and the permissions you want to grant them.
  4. Give users access to business cloud applications by:
    a. Selecting one of the applications from the list of pre-integrated applications supported in IAM Identity Center.
    b. Configuring the application by following the configuration instructions.
    c. Selecting the users or groups that should be able to access this application.
  5. Give your users the IAM Identity Center sign-in web address that was generated when you configured the directory so that they can sign in to IAM Identity Center and access accounts and business applications.

Q: How much does IAM Identity Center cost?

IAM Identity Center is offered at no extra charge.

Q: In which regions is IAM Identity Center available?

IAM Identity Center is available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and Amazon Web Services China (Ningxia) region, operated by NWCD.

Identity sources and applications support

Q: What identity sources can I use with IAM Identity Center?

With IAM Identity Center, you can create and manage user identities in IAM Identity Center’s identity store, or easily connect to your existing identity source including Microsoft Active Directory, Okta Universal Directory, Azure Active Directory (Azure AD), or another supported IdP*. See the IAM Identity Center User Guide to learn more.

Q: Can I connect more than one identity source to IAM Identity Center?

No. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can change the connected identity source to a different one.

Q: What SAML 2.0 IdPs can I use with IAM Identity Center?

You can connect IAM Identity Center to most SAML 2.0 IdPs, such as Okta Universal Directory or Azure Active Directory*. See the IAM Identity Center User Guide to learn more.

Q: How can I provision identities from my existing IdPs into IAM Identity Center?

Identities from your existing IdP must be provisioned into IAM Identity Center before you can assign permissions. You can synchronize user and group information from Okta Universal Directory, Azure AD, OneLogin, and PingFederate* automatically using the System for Cross-domain Identity Management (SCIM) standard. For other IdPs, you can provision users from your IdP using the IAM Identity Center console. See the IAM Identity Center User Guide to learn more.

Q: Can I automate identity synchronization into IAM Identity Center?

Yes. If you use Okta Universal Directory, Azure AD, OneLogin, or PingFederate*, you can use SCIM to synchronize user and group information from your IdP to IAM Identity Center automatically. See the IAM Identity Center User Guide to learn more.

Q: How do I connect IAM Identity Center to my Microsoft Active Directory?

You can connect IAM Identity Center to your on-premises Active Directory (AD) or to an Amazon Managed Microsoft AD directory using Amazon Directory Service. See the IAM Identity Center User Guide to learn more.

Q: I manage my users and groups in Active Directory on-premises. How can I leverage these users and groups in IAM Identity Center?

You have two options for connecting an Active Directory hosted on-premises to IAM Identity Center: (1) use AD Connector, or (2) use an Amazon Managed Microsoft AD trust relationship. AD Connector simply connects your existing on-premises Active Directory to Amazon Web Services. AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see the Amazon Directory Service Administration Guide. Amazon Managed Microsoft AD makes it easy to set up and run Microsoft Active Directory in Amazon Web Services. It can be used to set up a forest trust relationship between your on-premises directory and Amazon Managed Microsoft AD. To set up a trust relationship, see the Amazon Directory Service Administration Guide.

Q: Does IAM Identity Center support the browser, command line, and mobile interfaces?

Yes, you can use IAM Identity Center to control access to the Amazon Web Services Management Console and CLI v2. IAM Identity Center enables your users to access the CLI and Amazon Web Services Management Console through a single sign-on experience. 

Q: Which cloud applications can I connect to IAM Identity Center?

You can connect the following applications to IAM Identity Center:

  1. IAM Identity Center-integrated applications: IAM Identity Center-integrated applications use IAM Identity Center for authentication and work with the identities you have in IAM Identity Center. There is no need for additional configuration to synchronize identities into these applications or to set up federation separately.
  2. Pre-integrated SAML applications: IAM Identity Center comes pre-integrated with commonly used business applications. For a comprehensive list, see the IAM Identity Center console.
  3. Custom SAML applications: IAM Identity Center supports applications that allow identity federation using SAML 2.0. You can enable IAM Identity Center to support these applications by using the custom application wizard.

Single sign-on access to Amazon Web Services accounts

Q: Which Amazon Web Services accounts can I connect to IAM Identity Center?

You can add any Amazon Web Services account managed using Amazon Organizations to IAM Identity Center. You need to enable all features in your organization to manage single sign-on for your accounts.

Q: How do I set up single sign-on to Amazon Web Services accounts in an organizational unit (OU) within my organization?

You can pick accounts within the organization or filter accounts by OU.

Q: How do I control what permissions my users get when they use IAM Identity Center to access their accounts?

When granting access to your users, you can limit the users’ permissions by picking a permission set. A permission set is a collection of permissions that you can create in IAM Identity Center, modeling it on Amazon Web Services managed policies for job functions or any Amazon Web Services managed policies. Amazon Web Services managed policies for job functions are designed to closely align to common job functions in the IT industry. If required, you can also fully customize the permission set to meet your security requirements. IAM Identity Center applies these permissions to the selected accounts automatically. As you change the permission sets, IAM Identity Center enables you to apply the changes to the relevant accounts easily. When your users access the accounts through the access portal, these permissions restrict what they can do within those accounts. You can also grant multiple permission sets to your users. When they access the account through the user portal, they can pick which permission set they want to assume for that session.

Q: How do I automate permissions management across multiple accounts?

IAM Identity Center provides APIs and Amazon CloudFormation support to automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.

Q: How do I select which user attributes to use for ABAC?

To implement ABAC, you can select attributes from IAM Identity Center’s identity store for IAM Identity Center users and users synchronized from Microsoft AD or external SAML 2.0 IdPs including Okta Universal Directory, Azure AD, OneLogin, or PingFederate*. When using an IdP as your identity source, you can optionally send the attributes as a part of a SAML 2.0 assertion.

Q: For which Amazon Web Services accounts can I get Amazon Web Services CLI credentials?

You can get Amazon Web Services CLI credentials for any Amazon Web Services account and user permissions that your IAM Identity Center administrator has assigned to you. These CLI credentials can be used for programmatic access to the Amazon Web Services account.

Q: How long are the Amazon Web Services CLI credentials from the access portal valid?

Amazon Web Services CLI credentials fetched through IAM Identity Center are valid for 60 minutes. You can get a fresh set of credentials as often as needed.

Single sign-on access to business applications

Q: How do I set up single sign-on from IAM Identity Center to business applications, such as Salesforce?

From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose an application from the list of cloud applications that are pre-integrated with IAM Identity Center. Follow the on-screen instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

Q: My company uses business applications that are not in IAM Identity Center's preintegrated application list. Can I still use IAM Identity Center?

Yes. If your application supports SAML 2.0, you can configure your application as a custom SAML 2.0 application. From the IAM Identity Center console, navigate to the applications pane, choose Configure new application, and choose Custom SAML 2.0 application. Follow the instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.

Q: My application supports OpenID Connect (OIDC) only. Can I use it with IAM Identity Center?

No. IAM Identity Center supports only SAML 2.0–based applications.

Q: Does IAM Identity Center support single sign-on to native mobile and desktop applications?

No. IAM Identity Center supports single sign-on to business applications through web browsers only.

Miscellaneous

Q: What data will IAM Identity Center store on my behalf?

IAM Identity Center will store data about which Amazon Web Services accounts and cloud applications are assigned to which users and groups, as well as what permissions have been granted for accessing Amazon Web Services accounts. IAM Identity Center will also create and manage IAM roles in individual Amazon Web Services accounts for each permission set you grant to your users.

Q: What multi-factor authentication (MFA) capabilities can I use with IAM Identity Center?

With IAM Identity Center, you can enable standards-based strong authentication capabilities for all your users across all identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable multi-factor authentication capabilities of your provider. When using IAM Identity Center or Active Directory as your identity source, IAM Identity Center supports the Web Authentication specification to help you secure user access to Amazon Web Services accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Twilio Authy*.

You can also use your existing Remote Authentication Dial-In User Service (RADIUS) MFA configuration with IAM Identity Center and Amazon Directory Service to authenticate your users as a secondary form of verification. To learn more about configuring MFA with IAM Identity Center, visit the IAM Identity Center User Guide.

Q: Does IAM Identity Center support the Web Authentication specification?

Yes. For user identities in IAM Identity Center’s identity store and Active Directory, IAM Identity Center supports the Web Authentication (WebAuthn) specification to help you secure user access to Amazon Web Services accounts and business applications with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Twilio Authy*.

Q: How do my employees get started using IAM Identity Center?

Employees can get started with IAM Identity Center by visiting the access portal that is generated when you configure your identity source in IAM Identity Center. If you manage your users in IAM Identity Center, your employees can use the email address and password they configured with IAM Identity Center to sign in to the user portal. If you connect IAM Identity Center to a Microsoft Active Directory or a SAML 2.0 identity provider, your employees can sign in to the user portal with their existing corporate credentials and then view the accounts and applications assigned to them. To access an account or application, employees choose the associated icon from the access portal.

Q: Is there an API available for IAM Identity Center?

Yes. IAM Identity Center provides account assignment APIs to help you automate permissions management in multi-account environments, and retrieve the permissions programmatically for audit and governance purposes.
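The following is an added example, not Amazon Web Services' own code, of retrieving permissions programmatically for audit as described here and under "How do I automate permissions management across multiple accounts?". It assumes a boto3 `sso-admin` client; the two review rules in `findings` and the `sensitive_sets` default are a hypothetical local policy.

```python
"""Audit IAM Identity Center account assignments (added example)."""

def _paginate(call, key, **kwargs):
    """Yield every item under `key`, following NextToken pagination."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token

def collect_assignments(sso_admin, instance_arn):
    """Return one row per (account, permission set, principal) assignment."""
    rows = []
    for ps_arn in _paginate(sso_admin.list_permission_sets, "PermissionSets",
                            InstanceArn=instance_arn):
        name = sso_admin.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn
        )["PermissionSet"]["Name"]
        accounts = _paginate(
            sso_admin.list_accounts_for_provisioned_permission_set,
            "AccountIds", InstanceArn=instance_arn, PermissionSetArn=ps_arn)
        for account_id in accounts:
            for a in _paginate(sso_admin.list_account_assignments,
                               "AccountAssignments", InstanceArn=instance_arn,
                               AccountId=account_id, PermissionSetArn=ps_arn):
                rows.append({"account": account_id, "permission_set": name,
                             "principal_type": a["PrincipalType"],
                             "principal_id": a["PrincipalId"]})
    return rows

def findings(rows, sensitive_sets=("AdministratorAccess",)):
    """Flag assignments for review. The rules are an assumed local policy."""
    out = []
    for r in rows:
        # Direct user grants bypass group-based access reviews.
        if r["principal_type"] == "USER":
            out.append(("direct-user-assignment", r))
        # Broad permission sets should have a short, known list of holders.
        if r["permission_set"] in sensitive_sets:
            out.append(("sensitive-permission-set", r))
    return out

if __name__ == "__main__":
    import boto3  # needs credentials allowed to read sso-admin
    client = boto3.client("sso-admin")
    for inst in client.list_instances()["Instances"]:
        rows = collect_assignments(client, inst["InstanceArn"])
        for rule, row in findings(rows):
            print(rule, row)
```

Run it with read-only credentials in the account where IAM Identity Center is administered, and compare the output between runs to spot new assignments.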

*The application and identity providers referenced here are third parties. Their instances may be located outside of China. Customers should verify the location of the instances with the third-party providers directly, and customers should confirm whether any cross-border transfers of data comply with their obligations under applicable laws. If customers use the services offered by these third parties, customers may experience higher latency due to reasons beyond the control of Amazon Web Services (e.g., if the third party’s servers are outside of China), and customers should work with the third-party provider directly to address latency.