
How to use IAM Identity Center / AWS Organizations / IAM properly?


OK, I'm a little bit lost. The back story: all the user accounts in my org are created in IAM. So for better management and CLI access I want to use Identity Center, as AWS recommends (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html).

So firstly, in my mind, I am here:

  • IAM is for programmatic access, for example when I need AWS CLI access from a CI/CD pipeline
  • Identity Center (IC) handles "real humans"
  • AWS Organizations lets me create accounts that users from IC can use via groups / permission sets

Next, my use case is pretty much the following: I need to handle accounts for people across my org, so IC seems a very good idea. I have an account for the CTO, let's say one for a dev, and let's say one for the billing people, and I need something for my CI/CD. The dev and the CTO need CLI access from their PCs. Also, we have the root account.

So I have created in IC:

  • Jon Doe, CTO > assigned to the group Admin - he should have access to everything on the platform
  • Jeanne Doe, senior dev > assigned to the group PowerUser - she should have access to the production resources, to help the CTO for example
  • Donald Duck, junior dev > assigned to the group PowerUser - he should have access to the staging resources only
  • Mad Max, Billing > assigned to the group Billing - he should have access only to the billing part of the platform

I have also created the following predefined permission sets in IC:

  • Billing
  • PowerUserAccess
  • AdministratorAccess

Now I don't understand how to attach the permission sets to the right group. After some research, I found that I need to create some accounts in AWS Organizations, is that right? Because now I also have to put an email on these accounts, but they don't represent any "human".

What is the right way to configure my AWS setup so that I use Identity Center correctly?

I'm lost, with the impression that the 3 tools are doing (pretty much) the same job, but I know that's not the case. And since I have "policies", "groups", "users" and "roles" in all of them, that adds to my confusion.

1 Answer

AWS IAM Identity Center, AWS Organizations, and IAM work together to provide comprehensive identity and access management, but they serve different purposes.

Let me clarify how these services work together and how to set up your environment:

AWS Organizations is the foundation that allows you to centrally manage and govern multiple AWS accounts. It's not primarily for user management but for account organization. You should set up AWS Organizations first, with your existing account becoming the management account.

IAM Identity Center (formerly AWS SSO) is designed for managing human users across your organization. It provides single sign-on access to all your AWS accounts and applications. This is where you'll create and manage your users and groups.

IAM is primarily for creating roles and policies that define permissions within individual AWS accounts. While IAM can create users, AWS recommends using IAM Identity Center for human users.

For your setup:

  1. First, ensure AWS Organizations is properly configured with your main account as the management account.

  2. In AWS Organizations, create member accounts for different environments or purposes (e.g., Production, Staging, Development, Billing). These accounts don't represent humans but rather logical separations of your AWS resources. You'll need unique email addresses for each account, but these are just for account creation and notifications.

  3. In IAM Identity Center, you've already created your users and groups correctly. The next step is to assign permission sets to these groups for specific accounts:

  • For Jon Doe (Admin group): Assign the AdministratorAccess permission set to all accounts
  • For Jeanne Doe (PowerUser group): Assign PowerUserAccess to the Production account
  • For Donald Duck (PowerUser group): Assign PowerUserAccess to the Staging account only
  • For Mad Max (Billing group): Assign the Billing permission set to all accounts or just the management account

To make these assignments:

  • Go to IAM Identity Center console
  • Select "AWS accounts" from the navigation pane
  • Select the AWS Organization or specific accounts
  • Choose "Assign users or groups"
  • Select the appropriate group
  • Choose the permission set to assign
  • Complete the assignment

For CLI access, your users will need to configure AWS CLI with IAM Identity Center. They'll use the "aws configure sso" command and follow the prompts to set up their credentials.

This approach gives you centralized user management through IAM Identity Center while maintaining proper separation of duties across your AWS accounts organized in AWS Organizations.
Sources
IAM Identity Center and AWS Organizations - AWS IAM Identity Center
AWS IAM Identity Center and AWS Organizations - AWS Organizations
Configure access to AWS accounts - AWS IAM Identity Center

answered 7 months ago
  • OK, so does that mean that if I want to deploy something to staging or something to production I need to switch accounts, because the resource (let's say an EC2 instance or an S3 bucket) is bound to the account itself?
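Added example, not part of the question or the answer above: what the "one account per environment, one permission set per group" setup from the answer looks like on a laptop once `aws configure sso` has been run. With AWS CLI v2, each (account, permission set) pair becomes a named profile under one shared `sso-session`, so nobody "switches accounts": they pass `--profile staging-poweruser` or `--profile prod-admin` on the command. The script below renders that config file. The portal start URL, the region, the twelve-digit account IDs and the profile names are placeholders I invented for the example. It also assumes the senior and junior developers are in two distinct Identity Center groups (say `PowerUser-Prod` and `PowerUser-Staging`), because an account assignment applies to every member of a group, so a single `PowerUser` group cannot get production in one case and staging-only in the other.

```shell
#!/bin/sh
# Render an AWS CLI v2 config for IAM Identity Center (SSO) access to several
# accounts in one Organization. Example code; every value below is a placeholder.

SSO_START_URL="https://d-0123456789.awsapps.com/start"  # assumed: your Identity Center access portal URL
SSO_REGION="eu-west-1"                                   # assumed: region where Identity Center is enabled
PROD_ACCOUNT="111111111111"                              # assumed placeholder account IDs from Organizations
STAGING_ACCOUNT="222222222222"
MGMT_ACCOUNT="333333333333"                              # management account (consolidated billing lives here)

# One [profile] per (account, permission set) a person is assigned to.
# sso_role_name must be the permission set name exactly as it appears in Identity Center.
render_profile() {
  # $1 = profile name, $2 = account id, $3 = permission set name
  printf '[profile %s]\nsso_session = my-org\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\n\n' \
    "$1" "$2" "$3" "$SSO_REGION"
}

render_sso_config() {
  # The shared session: one browser login covers every profile that references it.
  printf '[sso-session my-org]\nsso_start_url = %s\nsso_region = %s\nsso_registration_scopes = sso:account:access\n\n' \
    "$SSO_START_URL" "$SSO_REGION"
  # Admin group: AdministratorAccess in every account
  render_profile prod-admin    "$PROD_ACCOUNT"    AdministratorAccess
  render_profile staging-admin "$STAGING_ACCOUNT" AdministratorAccess
  render_profile mgmt-admin    "$MGMT_ACCOUNT"    AdministratorAccess
  # Senior dev group (assumed name PowerUser-Prod): PowerUserAccess in production only
  render_profile prod-poweruser "$PROD_ACCOUNT" PowerUserAccess
  # Junior dev group (assumed name PowerUser-Staging): PowerUserAccess in staging only
  render_profile staging-poweruser "$STAGING_ACCOUNT" PowerUserAccess
  # Billing group: Billing permission set in the management account only
  render_profile mgmt-billing "$MGMT_ACCOUNT" Billing
}

# Number of profiles rendered; a cheap sanity check for the template.
count_profiles() {
  render_sso_config | grep -c '^\[profile '
}

# Write the rendered config to a file (copy it to ~/.aws/config once the
# placeholders are replaced; each person keeps only the profiles they are assigned).
write_sso_config() {
  out="$1"
  mkdir -p "$(dirname "$out")"
  render_sso_config > "$out"
  echo "wrote $out"
}

write_sso_config "${1:-./aws-config.example}"

# Daily use, after the file is in place (interactive, opens a browser):
#   aws sso login --sso-session my-org
#   aws sts get-caller-identity --profile staging-poweruser
#   aws s3 ls --profile prod-admin
```

Two things worth knowing when reading that file. First, the "role" in `sso_role_name` is real: for every assignment, Identity Center provisions an IAM role in the target account named `AWSReservedSSO_<permission set>_<id>`, and the CLI assumes that role with short-lived credentials, which is why no IAM user or access key is needed for humans. Second, `aws sso login` is interactive, so this mechanism is for the CTO and developers; the CI/CD pipeline mentioned in the question is a separate, non-human case that this file does not cover.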
