Centralized workforce identity and single sign-on for every AWS account and business application in your organization
AWS IAM Identity Center (formerly AWS SSO) is the recommended service for centrally managing workforce user access to multiple AWS accounts and cloud applications from a single place. It integrates natively with AWS Organizations to provide SSO across all member accounts, supports external identity providers via SAML 2.0 and SCIM, and uses Permission Sets to define and deploy IAM policies at scale. It is purpose-built for workforce (employee) identity — not customer-facing application identity.
Enable workforce users (employees, contractors) to access multiple AWS accounts and business applications through a single sign-on portal, using either a built-in directory, AWS Managed Microsoft AD, or an external IdP — without managing per-account IAM users.
Single Sign-On (SSO) Portal
Users access a web portal (d-xxxxxxxxxx.awsapps.com) to see all assigned accounts and applications
Permission Sets
Reusable IAM policy bundles deployed as roles across multiple accounts; can include AWS managed policies, customer-managed policies, and inline policies
Built-in Identity Store
Managed directory for users and groups when no external IdP exists; supports MFA
External IdP Federation (SAML 2.0)
Connect Okta, Azure AD, Ping Identity, OneLogin, etc. as the authoritative identity source
SCIM 2.0 Automatic Provisioning
Automatically sync users and groups from your IdP; deprovisioning removes access immediately
AWS Managed Microsoft AD Integration
Use AWS Directory Service (Managed AD) as the identity source; supports on-premises AD via AD Connector
AD Connector Support
Proxy authentication to on-premises Active Directory without syncing data to AWS
Multi-Factor Authentication (MFA)
Supports TOTP apps, FIDO2/WebAuthn keys; can be enforced per context (always-on, context-aware)
Attribute-Based Access Control (ABAC)
Pass user attributes (department, cost center, title) as session tags to enable tag-based IAM policies
AWS CLI / SDK SSO Integration
aws configure sso and aws sso login give the CLI short-lived credentials, replacing long-lived access keys
CloudTrail Integration
All sign-in and administrative events logged to CloudTrail in the management account
Cross-Region Support
Identity Center is regional but access to accounts is global; choose the region carefully as it cannot be changed
Delegated Administration
A member account can be designated as the delegated administrator for Identity Center, reducing management account usage
Trusted Token Issuer (OIDC)
Lets Identity Center trust workforce identity tokens issued by an external OIDC IdP for programmatic access; a newer feature
Session Duration Control
Permission sets define max session duration (1–12 hours) for the temporary credentials issued
Organization-Wide SSO Deployment (high frequency)
IAM Identity Center is enabled in the management account and integrates with all member accounts via AWS Organizations. Permission Sets are provisioned as IAM roles to member accounts automatically. This is the foundational pattern — Identity Center without Organizations only provides single-account SSO.
Centralized Access Audit Trail (high frequency)
All Identity Center sign-in events, permission set assignments, and administrative changes are recorded in CloudTrail in the management account. Use CloudTrail Lake or S3 + Athena to audit who accessed which account, when, and with which permission set. This is the primary audit mechanism for workforce access.
Permission Set → IAM Role Mapping (high frequency)
When a permission set is provisioned to an account, Identity Center creates a corresponding IAM role (AWSReservedSSO_*) in that account. Users who authenticate via Identity Center assume this role via STS and receive temporary credentials. IAM policies attached to the permission set govern what the user can do.
Temporary Credential Issuance (high frequency)
IAM Identity Center never issues long-lived access keys. Authentication results in STS AssumeRoleWithSAML or the Identity Center token broker issuing short-lived credentials (default 1 hour, max 12 hours per permission set). This eliminates the IAM access key rotation problem.
Workforce vs. Customer Identity Separation (high frequency)
Use IAM Identity Center for employees accessing AWS accounts/internal tools. Use Amazon Cognito for customers authenticating to your application. These are complementary, not competing — a company may use both simultaneously for different audiences. Confusing them is the #1 exam trap.
Active Directory Integration (high frequency)
Connect AWS Managed Microsoft AD or AD Connector as the Identity Center identity source to authenticate users against on-premises or cloud AD. Users and groups from AD are available for permission set assignments. No need to recreate users in IAM.
SAML 2.0 + SCIM Enterprise Federation (high frequency)
Configure the external IdP as the identity source via SAML 2.0 for authentication. Enable SCIM to automatically provision/deprovision users and groups from the IdP to Identity Center's identity store. When an employee is terminated in the IdP, SCIM removes their Identity Center access within minutes.
Attribute-Based Access Control (ABAC) (high frequency)
Pass user attributes (e.g., Department=Finance, Project=Apollo) from the identity source as session tags. IAM policies in permission sets use aws:PrincipalTag conditions to grant access to resources tagged with matching values. Reduces the number of permission sets needed — one permission set can serve many use cases.
IAM Identity Center is for WORKFORCE identity (employees, contractors accessing AWS accounts). Amazon Cognito is for CUSTOMER identity (end users authenticating to your app). Any exam question about employees accessing multiple AWS accounts → IAM Identity Center. Any question about app users signing up/logging in → Cognito. Never mix these up.
AWS Organizations provides account structure and SCPs — it does NOT manage user access or authentication. IAM Identity Center sits on top of Organizations to provide the actual SSO and access management. A question asking 'how do you give employees access to all accounts in your organization' → IAM Identity Center, not Organizations alone.
Permission Sets are the core concept. They are defined once in Identity Center and provisioned (deployed) as IAM roles to target accounts. When you update a permission set, Identity Center automatically updates the corresponding IAM role in all provisioned accounts. This is the key advantage over managing IAM roles manually in each account.
IAM Identity Center issues TEMPORARY credentials only — via STS. There are no long-lived access keys. For CLI access, users run 'aws configure sso' and 'aws sso login'. This is a security best practice and a common exam differentiator when the question asks about eliminating long-lived credentials for human users.
Workforce SSO to multiple AWS accounts = IAM Identity Center. Customer app authentication = Amazon Cognito. Never swap these — it is the single most common wrong answer on identity-related exam questions.
IAM Identity Center is FREE. Always the most cost-effective choice for multi-account workforce access. Permission Sets propagate as IAM roles automatically — no manual per-account role management needed.
Identity Center issues only TEMPORARY credentials via STS — no long-lived IAM access keys for human users. Use SCIM for automatic deprovisioning. Use ABAC (session tags) to reduce permission set sprawl at scale.
IAM Identity Center is FREE. When an exam question asks for the most cost-effective solution for workforce SSO across multiple accounts, IAM Identity Center wins over any third-party IdP-only solution or custom federation setup. Always factor in zero cost when evaluating architectures.
SCIM enables automatic user lifecycle management. When a user is deprovisioned in the IdP (e.g., employee leaves), SCIM immediately removes their access in Identity Center. Without SCIM, you must manually remove access. Exam questions about 'automatically revoking access when employees leave' → SCIM + IAM Identity Center.
IAM Identity Center must be enabled in the AWS Organizations MANAGEMENT account (or a delegated administrator account). It cannot be enabled in a regular member account and then extended to other accounts. The management account has visibility and control over all Identity Center configurations.
ABAC with IAM Identity Center reduces permission set sprawl. Instead of creating separate permission sets for each team/project, use one permission set with tag-based conditions and pass user attributes (department, project) as session tags. Exam scenarios describing 'hundreds of teams needing similar but slightly different access' → ABAC solution.
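As an added example that is not part of the original page (the ABAC pattern above and under "Attribute-Based Access Control"), one permission set inline policy keyed on a Department session tag, with a small evaluator that mimics how IAM resolves ${aws:PrincipalTag/Department} against the resource tag. It assumes Department is mapped as an attribute for access control; the tag values, actions and ARN pattern are constructed.

```python
# Added example, not from the original page: a permission-set inline policy that
# relies on the Department session tag, plus a minimal evaluator of its
# aws:PrincipalTag condition. Tag values and the action list are constructed.
import json

# One policy serves every department: the caller may act on an instance only
# when the instance's Department tag equals the caller's Department session tag.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DepartmentScopedInstanceControl",
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}},
    }],
}

def policy_json() -> str:
    """Policy document as you would paste it into the permission set's inline policy."""
    return json.dumps(ABAC_POLICY, indent=2)

def is_allowed(session_tags: dict, resource_tags: dict, action: str) -> bool:
    """Simplified IAM evaluation of ABAC_POLICY (Allow statements only, implicit deny).

    session_tags: attributes Identity Center passed as session tags, e.g.
    {"Department": "Finance"}; resource_tags: tags on the target EC2 instance.
    """
    for stmt in ABAC_POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        for key, value in stmt["Condition"]["StringEquals"].items():
            resource_key = key.split("/", 1)[1]                     # aws:ResourceTag/X -> X
            principal_key = value[len("${aws:PrincipalTag/"):-1]    # ${aws:PrincipalTag/X} -> X
            # An unset session tag leaves the variable unresolved, so the condition fails.
            if principal_key not in session_tags:
                break
            if resource_tags.get(resource_key) != session_tags[principal_key]:
                break
        else:
            return True  # every condition key matched
    return False

if __name__ == "__main__":
    print(policy_json())
    print(is_allowed({"Department": "Finance"}, {"Department": "Finance"}, "ec2:StopInstances"))
    print(is_allowed({"Department": "Finance"}, {"Department": "Marketing"}, "ec2:StopInstances"))
```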
CloudTrail is the audit mechanism for IAM Identity Center. All sign-in events and administrative changes are logged. For compliance questions asking 'how do you audit who accessed which AWS account' → CloudTrail + IAM Identity Center. The events appear in the management account's CloudTrail.
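The audit described here and under "Centralized Access Audit Trail" above, as an added example that is not part of the original page: a pass over CloudTrail records that reports who assumed which permission set in which account and which account assignments an administrator changed. The sample records are constructed (fake account ids, users, ARNs and ids) and assume the AWSReservedSSO_<PermissionSet>_<suffix> role naming and standard CloudTrail field names.

```python
# Added example, not from the original page: a minimal audit pass over CloudTrail
# records for Identity Center access. SAMPLE_EVENTS is constructed to resemble the
# two record types the text names; every account id, user, ARN and id in it is fake.
SAMPLE_EVENTS = [
    # Member account: a user assuming the IAM role that backs a permission set
    {"eventTime": "2026-03-08T09:00:20Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "recipientAccountId": "222222222222",
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/aws-reserved/"
                           "sso.amazonaws.com/AWSReservedSSO_ReadOnlyAccess_0123456789abcdef"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::222222222222:assumed-role/"
                           "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@example.com"}}},
    # Management account: an administrator granting a new account assignment
    {"eventTime": "2026-03-08T17:42:03Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/IdCAdmin/bob"},
     "requestParameters": {"targetId": "222222222222", "principalType": "USER",
                           "principalId": "a1b2c3d4-0000-0000-0000-000000000000",
                           "permissionSetArn": "arn:aws:sso:::permissionSet/"
                                               "ssoins-1111111111111111/ps-aaaaaaaaaaaaaaaa"}},
]

def permission_set_from_role(role_arn: str) -> str:
    """'.../AWSReservedSSO_ReadOnlyAccess_0123456789abcdef' -> 'ReadOnlyAccess'."""
    return role_arn.split("AWSReservedSSO_", 1)[1].rsplit("_", 1)[0]

def audit(events: list) -> dict:
    """Who assumed which permission set in which account, plus assignment changes to review."""
    access, changes = [], []
    for ev in events:
        src, name = ev["eventSource"], ev["eventName"]
        if src == "sts.amazonaws.com" and name == "AssumeRoleWithSAML":
            role = ev["requestParameters"]["roleArn"]
            if "AWSReservedSSO_" not in role:
                continue  # SAML federation that did not come through Identity Center
            session = ev["responseElements"]["assumedRoleUser"]["arn"].rsplit("/", 1)[1]
            access.append({"time": ev["eventTime"], "user": session,
                           "account": ev["recipientAccountId"],
                           "permission_set": permission_set_from_role(role)})
        elif src == "sso.amazonaws.com" and name in ("CreateAccountAssignment",
                                                     "DeleteAccountAssignment"):
            p = ev["requestParameters"]
            changes.append({"time": ev["eventTime"], "event": name,
                            "by": ev["userIdentity"].get("arn"), "account": p["targetId"],
                            "permission_set_arn": p["permissionSetArn"]})
    return {"access": access, "changes": changes}

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

On real data, feed it the Records array of each CloudTrail log file from the organization trail; the same two filters translate directly into a CloudTrail Lake or Athena query.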
Customer-managed policies referenced in a permission set must pre-exist in every target AWS account BEFORE the permission set is provisioned. If the policy doesn't exist in an account, provisioning fails for that account. This is a common operational gotcha and appears in professional-level exam scenarios.
Common Mistake
Amazon Cognito can be used to give employees single sign-on access to multiple AWS accounts
Correct
Amazon Cognito is for customer/external user authentication in applications (User Pools for auth, Identity Pools for AWS resource access). IAM Identity Center is the correct service for workforce SSO to multiple AWS accounts. Cognito cannot integrate with AWS Organizations or deploy permission sets across accounts.
This is the #1 exam trap. Both services involve 'identity' and 'access to AWS', but they serve completely different audiences. Memory trick: Cognito = Customers log into your App; Identity Center = Employees log into AWS Accounts. The word 'workforce' in a question is a direct signal for IAM Identity Center.
Common Mistake
AWS Organizations manages user access and permissions across accounts
Correct
AWS Organizations manages account structure, consolidated billing, and service control policies (SCPs, which restrict rather than grant permissions) — it does NOT authenticate users, manage usernames/passwords, or assign permissions to individuals. IAM Identity Center provides the actual user access management layer on top of Organizations.
Organizations and Identity Center are complementary. Organizations = account governance structure. Identity Center = user access management. SCPs in Organizations set the maximum permissions boundary; Permission Sets in Identity Center grant actual permissions within that boundary. Both are needed for a complete multi-account security posture.
Common Mistake
You need to create IAM users in each AWS account to give employees access
Correct
With IAM Identity Center, you create users/groups ONCE (in the built-in directory, AD, or external IdP) and assign Permission Sets to accounts. Identity Center creates IAM roles in each account automatically. Users never have IAM users or long-lived credentials — they authenticate once and assume roles via STS.
This misconception leads to the 'IAM user sprawl' anti-pattern — dozens of IAM users per account, manual key rotation, no centralized offboarding. IAM Identity Center eliminates all of this. Any exam question describing this pain point is pointing toward IAM Identity Center as the solution.
Common Mistake
IAM Identity Center replaces IAM entirely and you no longer need IAM
Correct
IAM Identity Center works WITH IAM, not instead of it. Permission Sets are implemented as IAM roles in target accounts. IAM policies still govern what actions are allowed. IAM is still used for service roles, resource-based policies, and machine identities. Identity Center handles the human/workforce authentication and role assumption layer.
Understanding the layered relationship (Identity Center authenticates → STS issues credentials → IAM role governs access) is essential for professional-level exams. They are complementary services in the same security stack.
Common Mistake
IAM Identity Center costs money and requires additional licensing
Correct
IAM Identity Center is completely free. There is no per-user, per-account, or per-application charge. You only pay for underlying resources like AWS Managed Microsoft AD if you choose that as your identity source. This makes it the default recommended solution for any multi-account workforce access scenario.
Cost-optimization exam questions may present IAM Identity Center vs. a third-party SSO solution. The correct answer factors in that Identity Center is free. Never let a cost-focused question make you choose a paid alternative when Identity Center meets the requirements.
Common Mistake
Changing the identity source in IAM Identity Center is a simple, reversible operation
Correct
Changing the identity source (e.g., from built-in directory to an external IdP) is a significant operation that deletes all existing user and group assignments. It requires careful planning, pre-migration of assignments, and cannot be done without disruption. AWS warns that this operation removes all existing assignments.
This appears in scenario questions about migrating from one IdP to another. The correct answer always involves planning, backup of assignments, and staged migration — not a simple configuration change.
I.C.E. Framework for Identity Center: I = Identity source (built-in, AD, or external IdP), C = Configure permission sets (what can they do), E = Establish assignments (who gets what where). Always think I→C→E when designing an Identity Center architecture.
Cognito vs. Identity Center: 'C for Customers' (Cognito), 'W for Workers' (IAM Identity Center / Workforce). If the question says customer, consumer, or app user → Cognito. If it says employee, workforce, or staff → Identity Center.
Permission Set lifecycle: DEFINE once → PROVISION to accounts (creates IAM roles) → ASSIGN to users/groups → UPDATE propagates automatically. The key word is 'propagates automatically' — this is the exam differentiator vs. manual IAM role management.
SCIM = 'Sync Changes In Minutes' — when your IdP deprovisions a user, SCIM syncs the removal to Identity Center within minutes, automatically revoking all AWS access.
CertAI Tutor · SAP-C02, CLF-C02, SAA-C03, DOP-C02, SCS-C03, AIF-C01 · 2026-03-08