
AWS IAM Identity Center

  • Global service providing centralized Single Sign-On (SSO) for:
    • All AWS accounts in an AWS Organization
    • Business cloud applications (e.g., Salesforce, Box, Microsoft 365)
    • Custom SAML 2.0-enabled applications
    • Windows EC2 Instances (via SSO login)
  • Benefits:
    • Single sign-on for multiple AWS accounts and applications
    • Centralized management of users, groups, and permissions
    • Support for external identity providers

Identity Sources

  • Built-in Identity Store: a directory managed by IAM Identity Center itself (users, groups, passwords, MFA)
  • External Identity Providers:
    • Active Directory (AWS Managed Microsoft AD, or on-premises AD through AD Connector / a trust)
    • Okta
    • OneLogin
    • Any other SAML 2.0 identity provider; SCIM can keep users and groups in sync from the IdP into the Identity Store
  • Only one identity source can be active per Identity Center instance

Permission Sets

  • A collection of one or more policies (AWS managed, customer managed, inline; optionally a permissions boundary) that defines what a user or group may do in a specific AWS account
  • Assigned as user/group → account → permission set; on assignment, Identity Center provisions the permission set as an IAM role in the target account, which the user assumes at login
  • Can be combined with ABAC (Attribute-Based Access Control) using user attributes (e.g., cost_center, title, locale) passed into the session
  • Define permissions once and apply them across multiple accounts

Access Flow

  1. User signs in to the IAM Identity Center access portal using credentials from the built-in store or the external IdP
  2. MFA is prompted if configured
  3. User sees a web interface listing:
      • AWS accounts (one entry per permission set assigned to them on that account)
      • Linked applications
  4. When an account and permission set are selected, IAM Identity Center calls AWS STS to assume the IAM role provisioned from that permission set in the account and returns short-lived credentials (console session, or CLI/SDK credentials via `aws sso login`)

AWS Organizations Integration

  • Enabled from the management account of an AWS Organization (day-to-day administration can be delegated to a member account)
  • Enables centralized multi-account access management
  • Fine-grained assignments: user/group → account → permission set (assignments are per account; the console can apply one assignment to many accounts at once)

Example Configuration

  • OU Development → Dev Account A, Dev Account B
  • OU Production → Prod Account A, Prod Account B
  • Group Developers includes Bob and Alice
  • Permission Sets: ReadOnlyAccess, FullAccess
  • Bob → ReadOnlyAccess on Dev A
  • Alice → FullAccess on Prod B
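To make the assignment model concrete, here is an added example (not code from the original notes) that expands the configuration above into the per-account assignments IAM Identity Center actually stores, answers "which roles can this user pick in this account?", and shows the `sso-admin` call that would create each assignment. The instance ARN, account IDs, permission set ARNs and Identity Store principal IDs are placeholders, and the boto3 client is injected so the planning part runs offline.

```python
"""Expand OU-level intent into per-account Identity Center assignments.

Added example, not part of the original notes.  All ARNs, account IDs and
principal IDs below are made-up placeholders.
"""
from dataclasses import dataclass

# Constructed sample data mirroring the "Example Configuration" section.
ORG_UNITS = {
    "Development": {"111111111111": "Dev Account A", "222222222222": "Dev Account B"},
    "Production":  {"333333333333": "Prod Account A", "444444444444": "Prod Account B"},
}
PERMISSION_SETS = {  # name -> permission set ARN (placeholder values)
    "ReadOnlyAccess": "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-readonly0000000",
    "FullAccess":     "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-fullaccess00000",
}
PRINCIPALS = {  # name -> (PrincipalType, Identity Store ID) (placeholder IDs)
    "Bob":        ("USER",  "u-bob00000000000"),
    "Alice":      ("USER",  "u-alice000000000"),
    "Developers": ("GROUP", "g-developers0000"),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    principal_type: str
    principal_id: str
    account_id: str
    permission_set: str


def expand(rules):
    """rules: (principal, permission set name, target); target is an account ID
    or an OU name.  Identity Center stores assignments per account, so an OU
    target is expanded to every account currently in that OU."""
    out = []
    for principal, ps_name, target in rules:
        ptype, pid = PRINCIPALS[principal]
        accounts = list(ORG_UNITS[target]) if target in ORG_UNITS else [target]
        for acct in accounts:
            out.append(Assignment(principal, ptype, pid, acct, ps_name))
    return out


def available_roles(assignments, user, groups, account_id):
    """Permission sets the user can choose from in the access portal for one
    account (direct and group assignments).  Each one is a separate IAM role:
    two permission sets on the same account are two tiles, not a merged policy."""
    who = {user, *groups}
    return sorted({a.permission_set for a in assignments
                   if a.account_id == account_id and a.principal in who})


def apply(client, instance_arn, assignments):
    """Create each assignment with the real sso-admin API.  The client is
    injected so the planning above stays testable without AWS access."""
    request_ids = []
    for a in assignments:
        resp = client.create_account_assignment(
            InstanceArn=instance_arn,
            TargetId=a.account_id,
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=PERMISSION_SETS[a.permission_set],
            PrincipalType=a.principal_type,
            PrincipalId=a.principal_id,
        )
        request_ids.append(resp["AccountAssignmentCreationStatus"]["RequestId"])
    return request_ids


# The rules from the notes, plus a group-wide read-only grant on the whole Dev OU.
RULES = [
    ("Bob", "ReadOnlyAccess", "111111111111"),
    ("Alice", "FullAccess", "444444444444"),
    ("Developers", "ReadOnlyAccess", "Development"),
]

if __name__ == "__main__":
    plan = expand(RULES)
    for a in plan:
        print(f"{a.principal_type:5} {a.principal:10} -> {a.account_id} : {a.permission_set}")
    print("Bob in Dev A:", available_roles(plan, "Bob", ["Developers"], "111111111111"))
    # Uncomment to apply for real (needs sso-admin permissions in the management
    # or delegated administrator account):
    # import boto3
    # apply(boto3.client("sso-admin"), "arn:aws:sso:::instance/ssoins-0000000000000000", plan)
```

Note that nothing here tracks OU membership over time: if an account is later moved into the Development OU, the group does not get access until the plan is re-expanded and applied, which is exactly the kind of drift a practitioner should check for with `list_account_assignments` after org changes.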

Supported Applications

  • Pre-integrated business apps (Salesforce, Box, Microsoft 365)
  • Custom SAML 2.0-enabled apps (configured with URLs, certificates, and metadata)
  • SSO access to Windows EC2 Instances

ABAC – Attribute-Based Access Control

  • Grants access based on user attributes stored in the identity source; Identity Center maps the selected attributes into the session as principal tags, so policies reference them as aws:PrincipalTag/<key>
  • Example: allow access only to resources whose CostCenter tag equals the user's CostCenter attribute (e.g., a user with CostCenter=123 reaches only resources tagged CostCenter=123)
  • Benefit: change access by updating user attributes in the identity source instead of modifying permission sets or policies
  • Check: the attribute must be enabled under "Attributes for access control" in Identity Center, or the condition never matches and the policy denies by default
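The following is an added example, not code from the original notes: it builds the ABAC inline policy that would be attached to a permission set, then runs a small local model of that one condition type to show how the same policy document grants different access as the user's attribute changes. The evaluator is deliberately limited to Allow statements with a StringEquals match of `aws:ResourceTag/<key>` against `${aws:PrincipalTag/<key>}`; it is not the IAM policy engine. The attribute name, actions and the `attach()` helper are assumptions for illustration.

```python
"""ABAC on an IAM Identity Center permission set.

Added example, not part of the original notes.  Identity Center passes the
attributes enabled under "Attributes for access control" to the assumed-role
session as principal tags, which the policy reads via aws:PrincipalTag/<key>.
"""
import json

PRINCIPAL_PREFIX = "${aws:PrincipalTag/"
RESOURCE_PREFIX = "aws:ResourceTag/"


def abac_policy(attribute="CostCenter",
                actions=("ec2:StartInstances", "ec2:StopInstances")):
    """Inline policy document for a permission set.  IAM substitutes the
    ${aws:PrincipalTag/...} variable from the session tags at evaluation time,
    so one document serves every user regardless of their cost center."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOwnCostCenterOnly",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    f"{RESOURCE_PREFIX}{attribute}": f"{PRINCIPAL_PREFIX}{attribute}}}"
                }
            },
        }],
    }


def is_allowed(policy, principal_tags, action, resource_tags):
    """Local approximation of IAM evaluation for policies shaped like
    abac_policy().  Default is deny.  As in IAM, a policy variable that cannot
    be resolved (the user has no such attribute) makes the condition fail."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in conditions.items():
            if not key.startswith(RESOURCE_PREFIX):
                matched = False          # unsupported key: refuse rather than guess
                break
            actual = resource_tags.get(key[len(RESOURCE_PREFIX):])
            if expected.startswith(PRINCIPAL_PREFIX) and expected.endswith("}"):
                expected = principal_tags.get(expected[len(PRINCIPAL_PREFIX):-1])
            if actual is None or expected is None or actual != expected:
                matched = False
                break
        if matched:
            return True
    return False


def attach(client, instance_arn, permission_set_arn, policy):
    """Attach the document to a permission set with the real sso-admin API
    (client injected; assignments must then be re-provisioned to take effect)."""
    return client.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=permission_set_arn,
        InlinePolicy=json.dumps(policy),
    )


if __name__ == "__main__":
    policy = abac_policy()
    print(json.dumps(policy, indent=2))
    # Constructed sample session tags and resource tags.
    bob = {"CostCenter": "123"}
    print("123 -> 123:", is_allowed(policy, bob, "ec2:StartInstances", {"CostCenter": "123"}))
    print("123 -> 456:", is_allowed(policy, bob, "ec2:StartInstances", {"CostCenter": "456"}))
    bob["CostCenter"] = "456"  # attribute updated in the identity source, policy untouched
    print("456 -> 456:", is_allowed(policy, bob, "ec2:StartInstances", {"CostCenter": "456"}))
```

The point to notice is the last step: moving Bob to cost center 456 changes what he can reach without anyone touching the permission set, which is the operational win of ABAC, and also the reason attribute changes in the IdP need the same review as policy changes.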