IAM Identity Center

AWS Identity Center (formerly AWS SSO) — your centralized hub for managing access across multiple AWS accounts and applications.

🧑‍💼 What is AWS Identity Center?¶

AWS Identity Center is a centralized user identity and access management service that lets you:

✅ Manage access to multiple AWS accounts from one place
✅ Integrate with external identity providers (like Microsoft Entra ID, Okta, Google Workspace, etc.)
✅ Use built-in user directory or connect external IdPs
✅ Enable SSO (Single Sign-On) for AWS Management Console, CLI, SDKs

Component	Purpose
Users/Groups	Central directory (or synced from external IdP)
Permission Sets	Predefined sets of IAM roles + policies
Account Assignments	Who (user/group) gets what permission set on which account
Applications	Assign access to cloud or SaaS apps (SAML 2.0)

Enable Identity Center in the management account.
Create or sync users and groups.
Define permission sets (think of them as IAM roles + policy templates).
Assign users/groups to AWS accounts using permission sets.
Users log in to AWS access portal for SSO access to:
- AWS accounts
- Cloud/SaaS apps
- CLI / SDK access

You’re managing 3 AWS accounts: dev, test, prod

Create users in Identity Center (or sync via Entra ID).
Create permission sets:
- DeveloperAccess → AdministratorAccess
- ReadOnlyAccess → ReadOnlyPolicy
Assign:
- Dev group → DeveloperAccess on dev
- Dev group → ReadOnlyAccess on test and prod

Users can log in via the SSO browser or AWS CLI:

aws configure sso

Then choose:

This gives temporary credentials, like aws sts assume-role.