AWS IAM Identity Center

Status: Final

AWS IAM Identity Center (formerly AWS Single Sign-On) provides centralized access management across multiple AWS accounts in an AWS Organization. It is the recommended approach for multi-account AWS environments over per-account IAM users.

Architecture

Identity Source (Entra ID / Okta / built-in)
        │  SAML (authentication) + SCIM (provisioning)
        ▼
IAM Identity Center
├── User Portal (https://<your-domain>.awsapps.com/start)
├── Permission Sets (map to IAM roles in each account)
└── Account Assignments (user/group → permission set → account)

Identity Sources

Source                        | How it works                              | Notes
------------------------------|-------------------------------------------|-------------------------------
IAM Identity Center built-in  | Local user directory                      | Simple, but no external IdP
Entra ID (SCIM + SAML)        | SCIM provisions users; SAML authenticates | Most common enterprise config
Okta (SCIM + SAML)            | Same pattern as Entra ID                  |
External SAML IdP             | SAML only (no SCIM)                       | Manual provisioning

Permission Sets

A Permission Set is a template that creates an IAM role in a target account:

  • Can reference AWS managed policies (e.g., AdministratorAccess)
  • Can reference inline policies
  • Session duration: configurable (max 12h)

When a user accesses an account through Identity Center, they assume the IAM role created by the Permission Set in that account.
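The "assigned too broadly" condition from the attack-surface table is something you can check offline from an inventory of permission sets and account assignments. The following script is an added example (not code from the page or from AWS): the inventories are constructed, with field names that mirror the sso-admin API responses (DescribePermissionSet, ListManagedPoliciesInPermissionSet, ListAccountAssignments), which is where they would come from in practice. It computes, per principal, the set of accounts in which an AdministratorAccess role exists for that principal, and flags the blast-radius and session-length cases a reviewer would want to see.

```python
"""Offline blast-radius audit of Identity Center permission-set assignments.

Added example, not code from the page or from AWS. The inventories below
are constructed; their field names mirror the sso-admin API responses
(DescribePermissionSet, ListManagedPoliciesInPermissionSet,
ListAccountAssignments), which in practice would populate them.
"""
import re
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")  # SessionDuration format, e.g. PT4H

# Constructed: permission-set identifier (abbreviated ARN) -> attributes
PERMISSION_SETS = {
    "ps-admin": {"Name": "AdministratorAccess", "SessionDuration": "PT12H",
                 "ManagedPolicies": [ADMIN_POLICY]},
    "ps-poweruser": {"Name": "PowerUser", "SessionDuration": "PT8H",
                     "ManagedPolicies": ["arn:aws:iam::aws:policy/PowerUserAccess"]},
    "ps-readonly": {"Name": "ReadOnly", "SessionDuration": "PT4H",
                    "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
}

ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]  # constructed org


def assign(principal_type, principal_id, permission_set, accounts):
    """One assignment row per target account, as ListAccountAssignments returns them."""
    return [{"PrincipalType": principal_type, "PrincipalId": principal_id,
             "PermissionSetArn": permission_set, "AccountId": acct} for acct in accounts]


ASSIGNMENTS = (
    assign("GROUP", "cloud-admins", "ps-admin", ACCOUNTS)
    + assign("USER", "alice", "ps-admin", ["333333333333"])
    + assign("GROUP", "developers", "ps-poweruser", ["222222222222"])
    + assign("GROUP", "auditors", "ps-readonly", ACCOUNTS)
)


def session_minutes(iso_duration):
    """Parse the ISO 8601 duration Identity Center uses for SessionDuration."""
    m = _ISO_DURATION.match(iso_duration)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"unrecognised SessionDuration {iso_duration!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def admin_blast_radius(permission_sets, assignments):
    """Map (principal type, id) -> accounts where the principal receives a
    permission set carrying AdministratorAccess, i.e. the accounts in which
    an admin role is created for that principal."""
    radius = defaultdict(set)
    for row in assignments:
        ps = permission_sets[row["PermissionSetArn"]]
        if ADMIN_POLICY in ps["ManagedPolicies"]:
            radius[(row["PrincipalType"], row["PrincipalId"])].add(row["AccountId"])
    return dict(radius)


def audit(permission_sets, assignments, all_accounts,
          max_admin_accounts=1, max_admin_session_minutes=4 * 60):
    """Return human-readable findings for the 'assigned too broadly' case."""
    findings = []
    for ps in permission_sets.values():
        if ADMIN_POLICY in ps["ManagedPolicies"]:
            minutes = session_minutes(ps["SessionDuration"])
            if minutes > max_admin_session_minutes:
                findings.append(f"{ps['Name']}: admin sessions last {minutes // 60}h, "
                                f"policy cap is {max_admin_session_minutes // 60}h")
    for (ptype, pid), accts in admin_blast_radius(permission_sets, assignments).items():
        if accts >= set(all_accounts):
            findings.append(f"{ptype} {pid}: AdministratorAccess in every account ({len(accts)})")
        elif len(accts) > max_admin_accounts:
            findings.append(f"{ptype} {pid}: AdministratorAccess in {len(accts)} accounts")
        if ptype == "USER":
            findings.append(f"USER {pid}: AdministratorAccess assigned directly, not via a group")
    return findings


if __name__ == "__main__":
    for line in audit(PERMISSION_SETS, ASSIGNMENTS, ACCOUNTS):
        print(line)
```

The thresholds (one admin account per principal, 4h admin sessions) are illustrative policy choices passed as parameters; the structural point is that a permission set assigned to a group in every account is one role per account for every member of that group, which is the blast radius to review.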

Attack Surface

Attack                            | Condition                                | Impact
----------------------------------|------------------------------------------|---------------------------------------------------------------
Compromise Identity Center admin  | sso:* permissions                        | Assign AdministratorAccess to attacker user across all accounts
SAML IdP compromise               | Federated auth via SAML                  | Golden SAML → access any account/permission set
SCIM token theft                  | SCIM provisioning token                  | Add attacker user or modify group membership
Permission Set misconfiguration   | AdministratorAccess assigned too broadly | Privilege escalation
Session token theft               | Portal session cookie                    | Impersonate user across all assigned accounts

Telemetry

AWS CloudTrail in the management account logs Identity Center events:

  • sso:CreateAccountAssignment, sso:DeleteAccountAssignment
  • sso:ProvisionPermissionSet
  • User portal logins: sso-oauth:CreateTokenWithIAM
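The assignment events above are the ones worth alerting on, and a watchlist of admin permission sets turns a generic "assignment created" event into a high-severity one. The script below is an added example (not the page's or AWS's code) that runs that logic over newline-delimited CloudTrail records. Note that CloudTrail writes the API name as eventName under eventSource sso.amazonaws.com, without the sso: prefix (that prefix is the IAM action form used in policies). The records are constructed, and the requestParameters keys assume they mirror the CreateAccountAssignment/ProvisionPermissionSet API parameters; confirm that against your own trail before relying on it.

```python
"""CloudTrail detection for IAM Identity Center assignment changes.

Added example, not the page's or AWS's code. CloudTrail records the
sso-admin API name as eventName under eventSource "sso.amazonaws.com".
The records below are constructed; the requestParameters keys are assumed
to mirror the API parameters and should be checked against a real trail.
"""
import json

SSO_EVENT_SOURCE = "sso.amazonaws.com"

# Constructed watchlist: permission sets whose assignment should page someone
ADMIN_PERMISSION_SETS = {"arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"}

# eventName -> (default severity, description)
RULES = {
    "CreateAccountAssignment": ("medium", "new account assignment"),
    "DeleteAccountAssignment": ("low", "account assignment removed"),
    "ProvisionPermissionSet": ("medium", "permission set provisioned into an account"),
}

ACTOR = "arn:aws:sts::999999999999:assumed-role/AWSReservedSSO_AdministratorAccess_EXAMPLE/bob"
INSTANCE = "arn:aws:sso:::instance/ssoins-EXAMPLE"

SAMPLE_RECORDS = [  # constructed; not real trail output
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": SSO_EVENT_SOURCE,
     "eventName": "CreateAccountAssignment", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceArn": INSTANCE,
                           "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin",
                           "principalType": "USER", "principalId": "u-0001",
                           "targetType": "AWS_ACCOUNT", "targetId": "111111111111"}},
    {"eventTime": "2024-05-01T10:02:14Z", "eventSource": SSO_EVENT_SOURCE,
     "eventName": "ProvisionPermissionSet", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceArn": INSTANCE,
                           "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin",
                           "targetType": "AWS_ACCOUNT", "targetId": "111111111111"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",  # unrelated, ignored
     "eventName": "AssumeRole", "userIdentity": {"arn": ACTOR}, "requestParameters": {}},
    {"eventTime": "2024-05-01T11:30:42Z", "eventSource": SSO_EVENT_SOURCE,
     "eventName": "DeleteAccountAssignment", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceArn": INSTANCE,
                           "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly",
                           "principalType": "GROUP", "principalId": "g-auditors",
                           "targetType": "AWS_ACCOUNT", "targetId": "222222222222"}},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def classify(record):
    """Return an alert dict for an Identity Center change, or None if no rule matches."""
    if record.get("eventSource") != SSO_EVENT_SOURCE:
        return None
    rule = RULES.get(record.get("eventName"))
    if rule is None:
        return None
    severity, what = rule
    params = record.get("requestParameters") or {}
    ps_arn = params.get("permissionSetArn")
    # Granting a watchlisted (admin) permission set is the case the table above calls out
    if record["eventName"] == "CreateAccountAssignment" and ps_arn in ADMIN_PERMISSION_SETS:
        severity = "high"
    principal = params.get("principalId")
    return {
        "time": record.get("eventTime"),
        "severity": severity,
        "event": record["eventName"],
        "what": what,
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "principal": f"{params.get('principalType')}:{principal}" if principal else None,
        "account": params.get("targetId"),
        "permission_set": ps_arn,
    }


def detect(json_lines):
    """Run the rules over newline-delimited CloudTrail records and collect alerts."""
    alerts = []
    for line in json_lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"[{a['severity']}] {a['time']} {a['event']} by {a['actor']} -> "
              f"{a['principal'] or '-'} in {a['account']} ({a['permission_set']})")
```

Because these API calls are only valid against the Identity Center instance in the management account, the trail to watch is the management account's (or the organization trail), and the actor ARN in each alert is the first thing to check against the expected change process.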

Related

  • AWS IAM Overview → aws-iam-overview
  • AWS STS → aws-sts
  • Golden SAML → golden-saml