AWS IAM Identity Center Tutorial: Getting Started with AWS SSO
Introduction to AWS IAM Identity Center
In the early days of cloud computing, managing access was straightforward: you had one AWS account, a handful of users, and you managed them directly within Identity and Access Management (IAM). However, as organizations scale, they often adopt multi-account strategies to improve security, isolate billing, and manage resources effectively. This is where AWS IAM Identity Center (formerly AWS Single Sign-On or AWS SSO) becomes essential.
AWS IAM Identity Center is a cloud-based service that centralizes access management for all your AWS accounts and cloud applications. Instead of creating individual IAM users in every account, you create a user once in a central hub and grant them specific access across your environment. In this tutorial, we will explore why you should make the switch and how to set it up from scratch.
Why Move from Traditional IAM Users to Identity Center?
If you are still using “traditional” IAM users—logging in via an account ID, username, and password—you may be facing significant scaling challenges. Managing distributed IAM users creates several risks:
- Security Overhead: Every user has unique credentials. Consistently rotating passwords and access keys across multiple accounts is a massive security burden.
- Administrative Complexity: When an employee leaves, you must manually delete their credentials from every individual AWS account they accessed, increasing the risk of “orphaned” accounts.
- Poor User Experience: Users must manage multiple login URLs and distinct sets of credentials for different environments (Production, Development, Staging).
AWS IAM Identity Center eliminates these pain points by providing a single login portal, integrated Multi-Factor Authentication (MFA), and a centralized dashboard for permissions management.
Key Concepts to Understand
Before beginning the setup, let’s define the core components:
- Identity Source: The directory where your users live. You can use the built-in Identity Center directory or connect an external provider like Okta, Microsoft Entra ID (Azure AD), or Google Workspace.
- Permission Sets: Templates that define what a user can do. These are collections of IAM policies applied to a user when they access a specific account.
- AWS Organizations: To use Identity Center effectively across multiple accounts, your environment must be part of an AWS Organization.
Step-by-Step Tutorial: Setting Up AWS IAM Identity Center
Step 1: Enable Identity Center
Log in to the AWS Management Console using your Organization’s Management account. Search for “IAM Identity Center” and select the service. If it isn’t active, click the Enable button. (Note: Ensure you are in the correct AWS Region for your primary identity management).
Step 2: Choose Your Identity Source
Identity Center ships with a built-in directory, which is ideal for small teams or those new to the cloud. It lets you create users and groups directly in the console. For enterprise environments, navigate to the Settings tab to link an external SAML 2.0 provider.
Step 3: Create a User and a Group
It is a security best practice to manage permissions via groups rather than individuals.
- Go to Groups in the left sidebar and click “Create group.” Name it (e.g., Cloud-Administrators).
- Go to Users and click “Add user.”
- Enter their name and email, then assign them to the Cloud-Administrators group.
Step 4: Create a Permission Set
Next, define what the Cloud-Administrators can do. Navigate to Permission sets and click “Create permission set.” You can choose a Predefined permission set (like AdministratorAccess) or a Custom permission set for granular JSON policies. For this tutorial, selecting AdministratorAccess is the fastest way to start.
Step 5: Assign Access to Accounts
The final step is linking your users to your accounts. Go to AWS accounts to see your Organization hierarchy.
- Check the boxes for the accounts you want the team to access.
- Click “Assign users or groups.”
- Select the Cloud-Administrators group and the AdministratorAccess permission set.
- Click “Submit.”
How Users Access the AWS Console
Once configured, users receive an email to set their password. They are provided a unique AWS access portal URL (formatted as https://d-xxxxxxxxxx.awsapps.com/start). Upon logging in, they see a personalized dashboard displaying all authorized AWS accounts. They can open the Management Console for any account with a single click—no secondary credentials required.
Security Best Practices
To maximize the security of your new setup, follow these guidelines:
- Enforce MFA: Always require Multi-Factor Authentication. Configure Identity Center to require software tokens (Google Authenticator) or hardware keys (YubiKey).
- Principle of Least Privilege: Avoid giving everyone Administrator access. Create specific permission sets for developers, auditors, and billing managers.
- Monitor Activity: Use AWS CloudTrail to track who is logging in via Identity Center and what actions they perform across your accounts.
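The “Monitor Activity” and “Principle of Least Privilege” points above can be checked together from CloudTrail: every console session brokered by Identity Center runs under a role named AWSReservedSSO_<PermissionSetName>_<suffix>, with the portal user name as the session name, so each API call in a member account can be attributed to a user and a permission set. The script below is an added example, not code from AWS or the original tutorial; the CloudTrail records in it are constructed and trimmed, and the 16-hex-character role suffix is an assumption.

```python
"""Attribute member-account CloudTrail events to Identity Center users and permission sets."""
import json
import re
from collections import defaultdict

# Identity Center creates one role per permission set in each account, named
# AWSReservedSSO_<PermissionSetName>_<hex suffix>; the session name is the
# portal user name. (Suffix length assumed to be 16 hex chars.)
SSO_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<pset>.+)_[0-9a-f]{16}/(?P<user>[^/]+)$"
)
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

SAMPLE_EVENTS = [json.loads(s) for s in (  # constructed, trimmed CloudTrail records
    '{"eventSource":"s3.amazonaws.com","eventName":"DeleteBucket",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:'
    'assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/alice"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:'
    'assumed-role/AWSReservedSSO_ReadOnlyAccess_fedcba9876543210/bob"}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateUser",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:'
    'assumed-role/ci-deploy/build-42"}}',
)]

def parse_sso_principal(arn):
    """Return (account, permission_set, user) for an Identity Center session ARN, else None."""
    m = SSO_ROLE_RE.match(arn)
    return (m["account"], m["pset"], m["user"]) if m else None

def attribute_events(events):
    """Map (user, account, permission set) -> list of API calls made under it."""
    by_principal = defaultdict(list)
    for ev in events:
        parsed = parse_sso_principal(ev.get("userIdentity", {}).get("arn", ""))
        if parsed:  # skip sessions not brokered by Identity Center (CI roles, IAM users)
            account, pset, user = parsed
            by_principal[(user, account, pset)].append(ev["eventName"])
    return dict(by_principal)

def mutating_admin_calls(events, admin_sets=("AdministratorAccess",)):
    """Flag write-style calls made through broad permission sets for least-privilege review."""
    hits = []
    for (user, account, pset), names in attribute_events(events).items():
        for name in names:
            if pset in admin_sets and not name.startswith(READ_ONLY_PREFIXES):
                hits.append((user, account, pset, name))
    return hits
```

Feeding real CloudTrail records (one JSON object per event) to attribute_events gives a per-user, per-account view of which permission set was used; mutating_admin_calls lists the write calls made under AdministratorAccess that a narrower permission set should probably cover instead.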
Conclusion
AWS IAM Identity Center is a free, powerful tool that strengthens your cloud security posture. By centralizing user management, you minimize the risk of credential leaks and streamline the workflow for your team. Whether you are a solo developer or an enterprise managing hundreds of accounts, Identity Center is the modern standard for AWS access management.
Ready to secure your cloud? Head to the AWS Console and follow these steps to deploy IAM Identity Center today.