IAM Identity Center
AWS IAM Identity Center provides centralized access management for the AWS Organization. It federates with an external identity provider for single sign-on across all AWS accounts, with the access granted in each account scoped by permission sets.
Architecture Overview

Permission Sets
We use permission sets backed by AWS managed policies to provide consistent access levels across all accounts, with specialized permission sets for specific service requirements.
Admin
Purpose: Full administrative access for privileged operations requiring temporary elevation.
Policy: AdministratorAccess
Key Characteristics:
We recommend activation through your identity provider's Privileged Identity Management (PIM) system
Time-limited access (typically 1-8 hours depending on IdP configuration)
Should only be used when specialized permissions are insufficient
Note that the PIM window and the permission set's own session duration are independent: Identity Center caps a session at the permission set's configured duration (default 1 hour, maximum 12 hours), and a session already issued before PIM deactivation removes the group membership keeps its AWS credentials until that duration expires. Keep the Admin permission set's session duration no longer than the PIM activation window.
ReadOnly
Purpose: Read-only access for monitoring, auditing, and troubleshooting.
Policy: ReadOnlyAccess
Key Characteristics:
Cannot modify any resources
Can view configurations, logs, and resource states
Ideal for monitoring and compliance roles
Read-only is not metadata-only: ReadOnlyAccess includes data-plane reads such as S3 object and DynamoDB item access, so it exposes data contents, not just configuration. Where only configuration needs to be visible, the narrower AWS managed ViewOnlyAccess policy is the better fit.
NetworkAdmin
Purpose: Focused permissions for network infrastructure management in the Connectivity account.
Policy: NetworkAdministrator
Key Characteristics:
Full access to networking services (VPC, Route 53, Direct Connect, etc.)
Does not grant access to non-networking services such as compute, storage or databases
Specialized for network operations teams
SSOAdmin
Purpose: Specialized permissions for managing AWS Identity Center in the Auth account.
Policy: AWSSSOMemberAccountAdministrator
Key Characteristics:
Full access to Identity Center configuration
Permissions to manage permission sets and account assignments
Specialized for identity and access management teams
Assuming the Auth account is registered as the delegated administrator for Identity Center, permission sets and assignments for the management account itself cannot be managed from the Auth account; those still require working from the Management account.
Analyst
Purpose: Specialized access for log analysis and security monitoring in the Logs account.
Policies:
CloudWatchLogsFullAccess
AWSCloudTrail_ReadOnlyAccess
AmazonAthenaFullAccess
AmazonS3ReadOnlyAccess
Key Characteristics:
Enables comprehensive log analysis without operational privileges
Cannot modify AWS infrastructure outside the logging and query services; note that CloudWatchLogsFullAccess and AmazonAthenaFullAccess do allow creating log groups, Athena queries and workgroups, and Glue Data Catalog databases and tables, and that AmazonS3ReadOnlyAccess reads objects from every bucket the account can see, not only the log buckets
Group Mapping
Identity provider groups are mapped to specific AWS accounts and permission sets through IAM Identity Center:
Environment-Specific Groups (Workloads OU)

| Group | Account | Permission Set |
| --- | --- | --- |
| AWS Prod Admin | Production | Admin |
| AWS Prod ReadOnly | Production | ReadOnly |
| AWS Stage Admin | Staging | Admin |
| AWS Stage ReadOnly | Staging | ReadOnly |
| AWS Dev Admin | Development | Admin |
| AWS Dev ReadOnly | Development | ReadOnly |

Service-Specific Groups (Shared Services OU)

| Group | Account | Permission Set |
| --- | --- | --- |
| AWS Conn Admin | Connectivity | Admin |
| AWS Conn NetworkAdmin | Connectivity | NetworkAdmin |
| AWS Conn ReadOnly | Connectivity | ReadOnly |
| AWS Mgmt Admin | Management | Admin |
| AWS Mgmt ReadOnly | Management | ReadOnly |

Security Groups (Security OU)

| Group | Account | Permission Set |
| --- | --- | --- |
| AWS Auth Admin | Auth | Admin |
| AWS Auth SSOAdmin | Auth | SSOAdmin |
| AWS Auth ReadOnly | Auth | ReadOnly |
| AWS Logs Admin | Logs | Admin |
| AWS Logs Analyst | Logs | Analyst |
| AWS Logs ReadOnly | Logs | ReadOnly |

Root Groups

| Group | Account | Permission Set |
| --- | --- | --- |
| AWS Root Admin | Root | Admin |
| AWS Root ReadOnly | Root | ReadOnly |
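The permission sets and the group mapping above together define an expected assignment matrix, and the useful operational check is whether Identity Center still matches it. The following Python script is an added example, not code from this page or from the landing zone project: it encodes the permission sets and the "AWS <account> <permission set>" group naming convention, derives the expected (group, account, permission set) triples, and diffs them against a snapshot shaped like the records returned by `aws sso-admin list-account-assignments`. The account IDs, permission set ARNs, group IDs and the snapshot records are constructed placeholders; in practice the snapshot would be collected with boto3 by paginating list-account-assignments for every account and permission set.

```python
"""Drift check for the group-to-account mapping described on this page.

Added example, not part of the landing zone project. Account IDs, ARNs,
group IDs and the snapshot records below are constructed placeholders.
"""

# Permission sets and the AWS managed policies attached to them (from the page).
PERMISSION_SETS = {
    "Admin": ["AdministratorAccess"],
    "ReadOnly": ["ReadOnlyAccess"],
    "NetworkAdmin": ["NetworkAdministrator"],
    "SSOAdmin": ["AWSSSOMemberAccountAdministrator"],
    "Analyst": ["CloudWatchLogsFullAccess", "AWSCloudTrail_ReadOnlyAccess",
                "AmazonAthenaFullAccess", "AmazonS3ReadOnlyAccess"],
}

# Group naming convention from the page: "AWS <account alias> <permission set>".
ACCOUNT_ALIASES = {
    "Prod": "Production", "Stage": "Staging", "Dev": "Development",
    "Conn": "Connectivity", "Mgmt": "Management", "Auth": "Auth",
    "Logs": "Logs", "Root": "Root",
}

# Constructed 12-digit account IDs (placeholders, not real accounts).
ACCOUNT_IDS = {
    "Production": "111111111111", "Staging": "222222222222",
    "Development": "333333333333", "Connectivity": "444444444444",
    "Management": "555555555555", "Auth": "666666666666",
    "Logs": "777777777777", "Root": "888888888888",
}

# The group mapping table from the page; account and permission set are
# derived from each name by parse_group().
GROUPS = [
    "AWS Prod Admin", "AWS Prod ReadOnly", "AWS Stage Admin", "AWS Stage ReadOnly",
    "AWS Dev Admin", "AWS Dev ReadOnly",
    "AWS Conn Admin", "AWS Conn NetworkAdmin", "AWS Conn ReadOnly",
    "AWS Mgmt Admin", "AWS Mgmt ReadOnly",
    "AWS Auth Admin", "AWS Auth SSOAdmin", "AWS Auth ReadOnly",
    "AWS Logs Admin", "AWS Logs Analyst", "AWS Logs ReadOnly",
    "AWS Root Admin", "AWS Root ReadOnly",
]


def parse_group(name):
    """Return (account name, permission set); reject names outside the convention."""
    parts = name.split()
    if len(parts) != 3 or parts[0] != "AWS":
        raise ValueError(f"group does not follow 'AWS <account> <permset>': {name!r}")
    alias, permset = parts[1], parts[2]
    if alias not in ACCOUNT_ALIASES:
        raise ValueError(f"unknown account alias {alias!r} in {name!r}")
    if permset not in PERMISSION_SETS:
        raise ValueError(f"unknown permission set {permset!r} in {name!r}")
    return ACCOUNT_ALIASES[alias], permset


def expected_assignments(groups=GROUPS):
    """Expected set of (group, account_id, permission_set) triples."""
    expected = set()
    for group in groups:
        account, permset = parse_group(group)
        expected.add((group, ACCOUNT_IDS[account], permset))
    return expected


def observed_assignments(records, permset_by_arn, group_by_id):
    """Normalise list-account-assignments records to the same triples.

    Direct USER assignments sidestep the group model, so they are kept as
    'user:<id>' principals and therefore always surface as unexpected.
    """
    observed = set()
    for rec in records:
        permset = permset_by_arn.get(rec["PermissionSetArn"], rec["PermissionSetArn"])
        if rec["PrincipalType"] == "GROUP":
            principal = group_by_id.get(rec["PrincipalId"], f"group:{rec['PrincipalId']}")
        else:
            principal = f"user:{rec['PrincipalId']}"
        observed.add((principal, rec["AccountId"], permset))
    return observed


def diff_assignments(expected, observed):
    """Assignments the model requires but Identity Center lacks, and vice versa."""
    return {"missing": sorted(expected - observed), "unexpected": sorted(observed - expected)}


# Constructed lookup tables standing in for list-permission-sets / describe-permission-set
# and identitystore list-groups output.
INSTANCE = "ssoins-0000example"
PERMSET_BY_ARN = {f"arn:aws:sso:::permissionSet/{INSTANCE}/ps-{i:016x}": n
                  for i, n in enumerate(PERMISSION_SETS)}
ARN_BY_PERMSET = {v: k for k, v in PERMSET_BY_ARN.items()}
GROUP_BY_ID = {f"g-{i:04d}": n for i, n in enumerate(GROUPS)}
ID_BY_GROUP = {v: k for k, v in GROUP_BY_ID.items()}


def sample_snapshot():
    """Constructed records: everything expected minus one, plus two findings."""
    records = []
    for group, account_id, permset in sorted(expected_assignments()):
        if group == "AWS Logs Analyst":
            continue  # deliberately left out so the check reports it as missing
        records.append({"AccountId": account_id, "PermissionSetArn": ARN_BY_PERMSET[permset],
                        "PrincipalType": "GROUP", "PrincipalId": ID_BY_GROUP[group]})
    # A ReadOnly group that was handed Admin in Production, and a direct user grant.
    records.append({"AccountId": ACCOUNT_IDS["Production"], "PermissionSetArn": ARN_BY_PERMSET["Admin"],
                    "PrincipalType": "GROUP", "PrincipalId": ID_BY_GROUP["AWS Prod ReadOnly"]})
    records.append({"AccountId": ACCOUNT_IDS["Logs"], "PermissionSetArn": ARN_BY_PERMSET["Admin"],
                    "PrincipalType": "USER", "PrincipalId": "u-0001"})
    return records


def run_check():
    observed = observed_assignments(sample_snapshot(), PERMSET_BY_ARN, GROUP_BY_ID)
    return diff_assignments(expected_assignments(), observed)


if __name__ == "__main__":
    for kind, items in run_check().items():
        print(kind, *items, sep="\n  ")
```

Running the script reports the Analyst assignment that was left out of the snapshot as missing, and flags both the ReadOnly group that was granted Admin in Production and the direct user assignment in Logs as unexpected. Direct USER assignments are always reported because they bypass the group-based review that this mapping, and any PIM workflow in front of it, depends on.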
Identity Provider Integration
IAM Identity Center supports integration with various external identity providers, enabling organizations to maintain their existing identity management systems while gaining secure AWS access.
Just-in-Time Access
For administrative access, we recommend enabling just-in-time (JIT) access in your identity provider, so that membership of the Admin groups above is granted on request for a bounded period rather than held permanently:
Benefits:
Time-limited access to administrative permissions
Approval workflows for sensitive operations
Comprehensive audit trails
Configuration: Access management and approval workflows are configured within your identity provider, not in AWS.