
What is the real use of the Identity Center and how does it stand next to IAM

0

I am setting up my organisation with my management account and am logged in as an IAM user. I would like to log in via SSO, so I thought about giving Identity Center a try. But after reading the docs, I am not sure what the real use case of the Identity Center is. What kind of users should be logging in via the Identity Center, and which via IAM?

Since the Identity Center is region locked, will users logging in via the Identity Center be able to access (CRUD) resources in other regions? If not, should admin level users always use IAM to login?

2 Answers
3
Accepted Answer

You can still access your AWS account in Identity Center and still use other regions.
The advantage of the "IAM Identity Center" is that unlike IAM users, there is no need to create users for each AWS account.
The management account will be able to manage everything.
This is a great benefit for customers who have multiple AWS accounts.
The "IAM Identity Center" can also issue access keys that expire in a few hours, making them more secure than permanent access keys for IAM users.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

EXPERT, answered 2 years ago
EXPERT, reviewed 5 months ago
  • Regarding "You can still access your AWS account in Identity Center and still use other regions" I need some clarity. Do you mean that if I create the Identity Center in US East, then a user signing in through the Identity Center (and not as an IAM user) can create resources in Asia Pacific?

  • Yes, that is correct.
    Even if you set up an "IAM Identity Center" in US East, you can create resources in other regions.

1

One thing to note (although this wasn’t your concern) is that IdC does have a dependency on one region. Meaning that there’s a small chance that if that region has an event that makes it inaccessible, IdC won’t work at all - and all users won’t be able to log in. Although a whole region being inaccessible is unlikely, it’s possible - and AWS recommends having a “break glass” ability to log in with IAM just in case.

answered 2 years ago
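As an added example (not from the thread), here is a small audit of a local AWS CLI config that reflects both answers: an Identity Center profile's `sso_region` is only where IdC was enabled and the profile can operate in any other region, while static IAM-user keys should exist only for the one break-glass profile. The config text, profile names and key values are constructed placeholders.

```python
"""Classify AWS CLI profiles as Identity Center (short-lived) or static IAM key.
Added example. Assumes the config text already includes ~/.aws/credentials
entries and that "break-glass" names the one intentional IAM-user fallback."""
import configparser

# Constructed sample config; keys are placeholders, not real credentials.
SAMPLE_CONFIG = """
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile admin-sso]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-1

[profile break-glass]
region = us-east-1
aws_access_key_id = AKIAPLACEHOLDER00000
aws_secret_access_key = PLACEHOLDER-NOT-A-REAL-SECRET

[profile legacy-deploy]
region = eu-west-1
aws_access_key_id = AKIAPLACEHOLDER11111
aws_secret_access_key = PLACEHOLDER-NOT-A-REAL-SECRET
"""

def audit_profiles(config_text, break_glass=("break-glass",)):
    """Return {profile: (auth, note)} for every [profile ...] section."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("profile "):
            continue
        name, s = section[len("profile "):], cp[section]
        if "sso_session" in s or "sso_start_url" in s:
            # sso_region is only where IdC was enabled (inline in legacy profiles,
            # in the referenced [sso-session] block otherwise); region is separate.
            src = cp["sso-session " + s["sso_session"]] if "sso_session" in s else s
            result[name] = ("identity-center",
                            f"sso_region={src.get('sso_region')} region={s.get('region')}")
        elif "aws_access_key_id" in s:
            note = ("break-glass fallback" if name in break_glass
                    else "FLAG: long-lived key, move to Identity Center")
            result[name] = ("static-key", note)
        else:
            result[name] = ("other", "no credential source here")
    return result
```

Run `audit_profiles(SAMPLE_CONFIG)` to see the Identity Center profile reported with two different regions, the break-glass profile accepted, and `legacy-deploy` flagged.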
