Understanding Amazon Kiro setup on IAM Identity center instances

0

I need to understand how Amazon Kiro setup works with the root and child IAM Identity Center. I have a root IAM Identity Center, and when configuring Kiro in the child AWS account it creates IAM IC in the child account, but it does not sync with the root account. However, if I create an IAM IC first in the child account and then create Kiro, it works (syncs with the root account). I have the following doubts or questions:

  1. When Kiro creates/enables IAM IC in the child account, it behaves independently and doesn't sync with the root account, but there are some users and groups that are added in this instance from root. How does this happen? Why are specific users/groups added?
  2. My user does not have permission to set up/enable IAM IC in the child account, but when Kiro is enabled, the child IAM IC is created. How does this work?
  3. Is it mandatory to have a child IAM IC account for enabling Kiro?

1 Answer
0

Kiro can work with Organization or account instances of IAM Identity Center (IdC). There can only be one Organization IdC instance in an AWS Org. Each AWS account can have an account instance IdC.

Note that Kiro only supports IdC in certain Regions.

"My user does not have permission to set up/enable IAM IC in child account"

Probably an account instance. You can block account instance creation as per the documentation.

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
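
The block on account instance creation mentioned in the answer is typically applied as a service control policy (SCP) in AWS Organizations that denies the `sso:CreateInstance` action. The policy below is an added example, not part of the original answer; the `Sid` value is a constructed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountInstanceCreation",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*"
    }
  ]
}
```

SCPs do not apply to the management account, so attaching this at the organization root or an OU affects member accounts only. An explicit deny in an SCP overrides any IAM allow in the member account.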