AWS IAM Identity Center (Successor to AWS Single Sign-On) - Overview.
Scope:
- Intro,
- Key Features,
- Why the Name Changed,
- Implementation and Cost,
- The Concept of AWS IAM Identity Center (deep dive)
- IAM Identity Center Architecture Overview,
- Table of Key Components & Description
- Identity Sources,
- Permission Sets & Role Creation (How it works)
- Access Flow (Login → Access),
- Integration Points,
- Deep Dive into Role Trust & Federated Sessions
- Security Best Practices,
- Comparison of IAM Identity Center vs. Legacy SSO,
- Real-World Sample for Enterprise Setup.
Intro:
- AWS IAM Identity Center is the successor to AWS Single Sign-On (AWS SSO).
- AWS IAM Identity Center serves as the central hub for managing workforce identities, access to multiple AWS accounts and cloud applications.
- Centralized Access Management: Admins can assign and manage permissions across an entire AWS Organization from a single console.
- Single Sign-On (SSO): Users log in once to a personalized web portal to access all their assigned AWS accounts and third-party SaaS applications like Salesforce, Slack, or Microsoft 365.
- Flexible Identity Sources: twtech can manage users directly in the Identity Center's own directory or connect to an existing external identity provider (IdP) such as Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace.
- Temporary Credentials: The service improves security by issuing short-term, time-limited credentials for both console and CLI access, reducing the risks associated with long-term IAM access keys.
- Permission Sets: Standardized collections of permissions that can be consistently applied to users or groups across multiple accounts.
- The rename on July 26, 2022, reflects the service's foundation in AWS IAM and its expanded role beyond just single sign-on.
- While traditional AWS IAM is used for fine-grained resource-level control within a single account, IAM Identity Center is the recommended "front door" for human workforce access across many accounts.
- Cost: The service is provided at no additional charge.
- Automation: It supports SCIM (System for Cross-domain Identity Management) to automatically synchronize users and groups from external directories.
1. The Concept of AWS IAM Identity Center (deep dive)
- AWS IAM Identity
Center (successor to AWS Single Sign-On) is a centralized identity and access
management service that lets twtech to:
- Manage
workforce identities (users,
groups)
- Control
access to AWS accounts and cloud applications
- Enable
single sign-on (SSO) to AWS and third-party apps
- Integrate with external identity providers (IdPs) such as Microsoft
Entra ID (Azure AD), Okta, or Ping
- AWS IAM Identity
Center is built as a native AWS
service.
- AWS IAM Identity
Center is deeply
integrated with AWS Organizations and IAM.
- AWS IAM Identity
Center provides a unified way to control access across an
enterprise AWS environment.
2. IAM Identity Center Architecture Overview
Table of Key Components & Description
|
Component |
Description |
|
|
Identity Source |
The directory where your user identities reside (AWS Identity Center directory, or
external IdP via SCIM/OIDC/SAML). |
|
|
Users and Groups |
Logical entities you can assign permissions to. Synced
from the chosen identity source. |
|
|
Permission Sets |
IAM policies defining a set of permissions (converted into IAM roles in each target
AWS account). |
|
|
Assignments |
Bindings that link a user/group
to a permission set in a target
AWS account. |
|
|
AWS Access Portal |
User-facing web portal for signing in and selecting AWS
accounts and applications. |
|
3. Identity Sources
twtech
can configure one identity source per IAM
Identity Center instance:
A.
Built-in
Identity Center directory
- Simple internal directory managed in AWS
- Ideal for small/mid-size orgs
- No external IdP needed
B. External Identity Provider (IdP)
- Supported via SAML 2.0, OIDC, or SCIM provisioning
- Common choices: Microsoft Entra ID (Azure AD), Okta, Ping, Google Workspace
- Enables federated SSO and automated user/group provisioning
4. Permission Sets & Role Creation (How it works):
When twtech assigns a permission set to a
user/group in an AWS account:
- IAM Identity Center creates an IAM role in that account.
- The role is named like:
AWSReservedSSO_<PermissionSetName>_<UUID> - The trust policy allows the Identity Center service principal to assume the role on behalf of the user.
Permission Set Content
- One or more IAM policies (AWS managed, customer managed, or inline JSON)
- Optional session duration and relay state
- Optional tag propagation
5. Access
Flow (Login → Access)
The authentication and authorization
flow:
A)UsernavigatestoAWSAccessPortal (orIdP app portal)B)Userauthenticates via configuredIdentitySourceC)IAMIdentityCenter issues atemporarysession(federatedlogin)D)Userselects an AWS account + permissionset(role)E)IAMIdentityCenter assumes the corresponding IAMroleinthat accountF)UserisredirectedtoAWS Console (orgets CLI credentials)
NB:
CLI access works via AWS CLI v2 or AWS SDKs with IAM Identity Center integration, retrieving temporary credentials securely.
6. Integration Points
AWS Accounts
- Managed centrally through AWS Organizations
- twtech can assign users/groups to accounts or OU-level
AWS
Applications
- Pre-integrated apps: AWS Management Console, CLI, SDKs
- Custom SAML 2.0 apps supported
Third-Party
SaaS Apps
- IAM Identity Center can act as an IdP to SaaS apps like Salesforce, GitHub, or Slack
- Enables centralized SSO and identity lifecycle management.
7. Deep Dive into Role Trust & Federated
Sessions
IAM Identity Center leverages STS
(Security Token Service) under the hood:
- When a user selects an account/role, Identity
Center calls
AssumeRoleon the target role. - The trust policy of that role allows the service principal:
# json"Principal": { "Service": "sso.amazonaws.com"}NB:- Temporary credentials are issued and cached in the user’s client (browser or CLI profile).
8. Security
Best Practices
✅ Integrate
with a corporate IdP
- Use SCIM provisioning for lifecycle automation (auto-provision/deprovision users).
✅ Use
groups instead of individual assignments
- Makes permission management scalable.
✅ Limit
permission set scope
- Follow least privilege; use custom policies when possible.
✅ Enable
CloudTrail + IAM Identity Center logs
- Audit sign-ins and access assignments.
✅ Set
session duration appropriately
- Default 1 hour; can be extended up to 12 hours.
✅ Use
Attribute-Based Access Control (ABAC)
- Tag-based dynamic access policies supported in IAM roles created by Identity Center.
9. Comparison: IAM Identity Center vs. Legacy SSO
|
Feature |
AWS SSO (Legacy) |
IAM Identity Center |
|
AWS Organization Integration |
✅ |
✅ |
|
SCIM provisioning |
Limited |
Full SCIM v2 support |
|
Attribute-based access |
❌ |
✅ |
|
Fine-grained session control |
Basic |
Advanced |
|
Custom apps (SAML 2.0) |
✅ |
✅ |
|
Identity Store flexibility |
Limited |
Enhanced (OIDC,
SAML, etc.) |
10.
Real-World Sample for Enterprise Setup
Scenario:
- An enterprise with 50 AWS accounts in an AWS Organization
- Identity managed in Microsoft Entra ID
- Access model:
- Groups like
DevOps,Finance,Security - Permission sets:
-
PowerUserAccess -
ReadOnlyAccess -
BillingAccess - Assignments made at OU level via the AWS Console or API
- SCIM syncs groups from Entra ID → Identity Center
- All users log in via company portal → AWS Access Portal
ExpectedResults:
Centralized,
auditable, and scalable identity management — with minimal IAM sprawl.
No comments:
Post a Comment