IAM Identity Center (formerly AWS SSO) provides single sign-on access to multiple AWS accounts and business applications. Users log in once and access everything they need without managing separate IAM users in each account.
```text
Employee logs into Identity Center portal (mycompany.awsapps.com/start)
        |
        v
[Identity Provider authentication]
  - AWS Identity Center (built-in directory)
  - Active Directory (on-premises or AWS Directory Service)
  - Okta, Azure AD, Google Workspace (external IdP via SAML 2.0)
        |
        v
User sees their portal:
  - AWS Account: Production (Developer permissions)
  - AWS Account: Development (Admin permissions)
  - AWS Account: Staging (Read-only permissions)
  - App: Salesforce
  - App: Jira
        |
        v
Click on account --> Temporary credentials automatically provisioned
```
Permission Sets are templates for what a user can do in an account. Access is granted by assigning a Permission Set to a user (or group) and account combination; the same Permission Set can be reused across many accounts.
| Permission Set | What It Allows | Assigned To |
|---|---|---|
| ReadOnly | View all resources, no changes | All developers in production |
| Developer | Full access except IAM | Developers in development account |
| DatabaseAdmin | RDS, DynamoDB management only | Database team in all accounts |
| NetworkAdmin | VPC, Route 53, Direct Connect | Network team |
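The portal view in the flow above and the assignment table are two views of the same data: a list of (principal, account, permission set) assignments. The following is an added example, not code from the page or from AWS: it models those assignments in Python with constructed sample policies, resolves what a principal would see in their portal, and runs a simplified least-privilege audit that flags destructive actions granted in production. The account IDs, group names, policy documents and the `is_allowed` evaluator (which ignores `Resource`, `Condition` and `NotAction`) are assumptions for illustration, not the real IAM policy engine.

```python
import fnmatch

# Constructed inline policies standing in for the page's four permission sets (assumption).
PERMISSION_SETS = {
    "ReadOnly": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "rds:Describe*"], "Resource": "*"},
    ]},
    "Developer": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        # "Full access except IAM": an explicit Deny always wins over the Allow above.
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "sso:*"], "Resource": "*"},
    ]},
    "DatabaseAdmin": {"Statement": [
        {"Effect": "Allow", "Action": ["rds:*", "dynamodb:*"], "Resource": "*"},
    ]},
    "NetworkAdmin": {"Statement": [
        {"Effect": "Allow", "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "route53:*", "directconnect:*"], "Resource": "*"},
    ]},
}

# Constructed account IDs (assumption); the names follow the page's portal example.
ACCOUNTS = {"111111111111": "Production", "222222222222": "Development", "333333333333": "Staging"}
PRODUCTION_ACCOUNTS = {"111111111111"}

# Constructed assignments mirroring the "Assigned To" column: (principal, account, permission set).
ASSIGNMENTS = [
    ("group:developers", "111111111111", "ReadOnly"),
    ("group:developers", "222222222222", "Developer"),
    ("group:database-team", "111111111111", "DatabaseAdmin"),
    ("group:database-team", "222222222222", "DatabaseAdmin"),
    ("group:network-team", "111111111111", "NetworkAdmin"),
    ("user:alice", "111111111111", "Developer"),  # one-off grant the audit should surface
]

# Actions a reviewer would not expect a production permission set to grant casually.
SENSITIVE_ACTIONS = ["iam:CreateUser", "iam:AttachRolePolicy", "ec2:TerminateInstances", "s3:DeleteBucket"]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified evaluator: any matching Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def portal_entries(principal):
    """What the portal shows this principal: (account name, permission set) pairs."""
    return [(ACCOUNTS[acct], ps) for p, acct, ps in ASSIGNMENTS if p == principal]


def audit_production():
    """Flag (principal, permission set, action) triples that grant a sensitive action in production."""
    findings = []
    for principal, acct, ps in ASSIGNMENTS:
        if acct not in PRODUCTION_ACCOUNTS:
            continue
        for action in SENSITIVE_ACTIONS:
            if is_allowed(PERMISSION_SETS[ps], action):
                findings.append((principal, ps, action))
    return findings


if __name__ == "__main__":
    for entry in portal_entries("group:developers"):
        print("developers portal:", entry)
    for finding in audit_production():
        print("review:", finding)
```

Running it lists the developers' portal entries (Production/ReadOnly, Development/Developer) and reports only the one-off `user:alice` assignment, whose `Developer` set allows `ec2:TerminateInstances` and `s3:DeleteBucket` in production while the explicit Deny keeps `iam:*` out. The same check can be fed from `aws sso-admin list-account-assignments` output once the policy documents are fetched from the real permission sets.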