Managing access to multiple AWS accounts and applications within an organization can be complex and time-consuming, leading to several challenges especially during serverless application development process. As organizations grow, they may face issues such as fragmented access management, inefficient permission management, security risks due to permanent access keys, and inconsistent user experience. AWS IAM Identity Center, formerly known as AWS Single Sign-On (AWS SSO), offers a complete solution to simplify the access management process, providing fine-grained access control and effectively addressing these challenges.
To set up IAM Identity Center for multiple accounts, they need to be under the same AWS Organizations hierarchy. The first step is to identify an Organization Parent Account and set up billing in that account. AWS Organizations allows for centralized management of multiple AWS accounts. After setting up the organization, the subsequent step is to activate AWS IAM Identity Center within the management account. Serving as the portal for managing access to AWS accounts and applications, IAM Identity Center requires you to select an identity source during the configuration process. Options include AWS SSO, Active Directory, or an external identity provider (IdP). If you don’t use an SSO service like Okta or CyberArk for your organization yet, then you can go with AWS SSO itself. This portal will be the entry point for all the developers who would be accessing the AWS Accounts setup. You can create a vanity URL for the portal like
The next step involves setting up users and groups, inviting users to join the IAM Identity Center, and adding them to the appropriate groups. As an admin, you could enforce password policies, expiries, session length, and MFA (Multi-Factor Authentication) to all users, enhancing security and compliance within the organization.
With SSO implemented and users invited and assigned to their respective groups, the next step is to create permission sets that outline various access levels for different users and groups. Permission sets enable you to define specific access to AWS accounts and resources, depending on job roles or responsibilities. To simplify things, you can use AWS Managed policies or craft custom policies that align with your organization’s needs.
Now you will be able to assign users or groups to AWS Accounts under the Organization along with the permission sets. Users will be able to see their respective AWS Accounts and Permission Sets once they log in to this portal. For each combination of Account and Permission Set, they can either click on
Management Console or click on
Command line or programmatic access to fetch temporary Access Keys and Secret to be able to access AWS Account through CLI.
In conclusion, using AWS IAM Identity Center helps simplify access management across your organization’s AWS accounts. This service streamlines the process and improves security by offering fine-grained access control for individual developers while minimizing the reliance on permanent access keys. From a developer’s perspective, it makes it easy for them to switch between accounts and not have to worry about rotating the permanent access keys on their local machines. The IAM Identity Center also allows developers to generate temporary access keys and tokens, reinforcing the security advantages of this approach.