A deep dive into AWS IAM Identity Center (A successor
to AWS Single Sign-On).
Scope:
- The Concept: AWS IAM Identity Center,
- IAM Identity Center Architecture Overview,
- Identity Sources,
- Permission Sets & Role Creation,
- Access Flow (Login → Access),
- Integration Points,
- Deep Dive into Role Trust & Federated Sessions
- Security Best Practices,
- Comparison: IAM Identity Center vs. Legacy SSO,
- Real-World Example: Enterprise Setup.
1. The Concept: AWS IAM Identity Center
- AWS IAM Identity
Center (successor to AWS Single Sign-On) is a centralized identity and access
management service that lets twtech to:
- Manage
workforce identities (users,
groups)
- Control
access to AWS accounts and cloud applications
- Enable
single sign-on (SSO) to AWS and third-party apps
- Integrate with external identity providers (IdPs) such as Microsoft
Entra ID (Azure AD), Okta, or Ping
- AWS IAM Identity
Center is built as a native AWS
service.
- AWS IAM Identity
Center is deeply
integrated with AWS Organizations and IAM.
- AWS IAM Identity
Center provides a unified way to control access across an
enterprise AWS environment.
2. IAM Identity Center Architecture Overview
# Architecture.jpg
Key Components
|
Component |
Description |
|
|
Identity Source |
The directory where your user identities reside (AWS Identity Center directory, or
external IdP via SCIM/OIDC/SAML). |
|
|
Users and Groups |
Logical entities you can assign permissions to. Synced
from the chosen identity source. |
|
|
Permission Sets |
IAM policies defining a set of permissions (converted into IAM roles in each target
AWS account). |
|
|
Assignments |
Bindings that link a user/group
to a permission set in a target
AWS account. |
|
|
AWS Access Portal |
User-facing web portal for signing in and selecting AWS
accounts and applications. |
|
3. Identity Sources
twtech
can configure one identity source per IAM
Identity Center instance:
1.
Built-in
Identity Center directory
o
Simple internal directory managed in AWS
o
Ideal for small/mid-size orgs
o
No external IdP needed
2. External Identity Provider (IdP)
o
Supported via SAML 2.0, OIDC,
or SCIM provisioning
o
Common choices: Microsoft Entra ID
(Azure AD), Okta, Ping, Google
Workspace
o
Enables federated SSO and automated
user/group provisioning
4.
Permission Sets & Role Creation
How it works:
When twtech assigns a permission set to a
user/group in an AWS account:
- IAM Identity Center creates an IAM role in that account.
- The role is named like:
AWSReservedSSO_<PermissionSetName>_<UUID> - The trust policy allows the Identity Center service principal to assume the role on behalf of the user.
Permission Set Content
- One or more IAM policies (AWS managed, customer managed, or inline JSON)
- Optional session duration and relay state
- Optional tag propagation
5. Access
Flow (Login → Access)
The authentication and authorization
flow:
1) User navigates to AWS Access Portal (or IdP app portal)2) User authenticates via configured Identity Source3) IAM Identity Center issues a temporary session (federated login)4) User selects an AWS account + permission set (role)5) IAM Identity Center assumes the corresponding IAM role in that account6) User is redirected to AWS Console (or gets CLI credentials)NB:
CLI access works via AWS CLI v2 or AWS SDKs
with IAM Identity Center integration, retrieving temporary
credentials securely.
6. Integration Points
AWS
Accounts
- Managed centrally through AWS Organizations
- twtech can assign users/groups to accounts or OU-level
AWS
Applications
- Pre-integrated apps: AWS Management Console, CLI, SDKs
- Custom SAML 2.0 apps supported
Third-Party
SaaS Apps
- IAM Identity Center can act as an IdP to SaaS apps like Salesforce, GitHub, or Slack
- Enables centralized SSO and identity lifecycle management.
7. Deep Dive into Role Trust & Federated
Sessions
IAM Identity Center leverages STS
(Security Token Service) under the hood:
- When a user selects an account/role, Identity
Center calls
AssumeRoleon the target role. - The trust policy of that role allows the service principal:
# json"Principal": { "Service": "sso.amazonaws.com"}- Temporary credentials are issued and cached in the user’s client (browser or CLI profile).
8. Security
Best Practices
✅ Integrate
with a corporate IdP
- Use SCIM provisioning for lifecycle automation (auto-provision/deprovision users).
✅ Use
groups instead of individual assignments
- Makes permission management scalable.
✅ Limit
permission set scope
- Follow least privilege; use custom policies when possible.
✅ Enable
CloudTrail + IAM Identity Center logs
- Audit sign-ins and access assignments.
✅ Set
session duration appropriately
- Default 1 hour; can be extended up to 12 hours.
✅ Use
Attribute-Based Access Control (ABAC)
- Tag-based dynamic access policies supported in IAM roles created by Identity Center.
9. Comparison: IAM Identity Center vs. Legacy SSO
|
Feature |
AWS SSO (Legacy) |
IAM Identity Center |
|
AWS Organization Integration |
✅ |
✅ |
|
SCIM provisioning |
Limited |
Full SCIM v2 support |
|
Attribute-based access |
❌ |
✅ |
|
Fine-grained session control |
Basic |
Advanced |
|
Custom apps (SAML 2.0) |
✅ |
✅ |
|
Identity Store flexibility |
Limited |
Enhanced (OIDC,
SAML, etc.) |
10.
Real-World Example: Enterprise Setup
Scenario:
- An enterprise with 50 AWS accounts in an AWS Organization
- Identity managed in Microsoft Entra ID
- Access model:
- Groups like
DevOps,Finance,Security - Permission sets:
-
PowerUserAccess -
ReadOnlyAccess -
BillingAccess - Assignments made at OU level via the AWS Console or API
- SCIM syncs groups from Entra ID → Identity Center
- All users log in via company portal → AWS Access Portal
ExpectedResults:
Centralized,
auditable, and scalable identity management — with minimal IAM sprawl.
No comments:
Post a Comment