IAM Identity Center cannot be enabled

0

My organisation has created individual accounts for the development team.

[Screenshot: AWS Organisations Dashboard]

I am able to log in as root using my email address but am not able to enable Identity Center.

[Screenshot: Identity Center Enable screen]

When I try to enable IAM Identity Center, I am presented with 2 options ("Select Preferred"):

  1. (Recommended) Cancel creating the account instance and use the organisation instance
  2. Continue with setup by creating the account instance. Only one account instance can be created per account for all regions.

There are two buttons at the bottom of the page: "Cancel and use organisation instance" (enabled) and "Continue" (disabled).

Only the organisation instance is enabled for all of these (they are disabled for the account instance):

  • Manage multiple account permissions
  • Simplify application access across multiple accounts
  • Configure customer managed applications

What is the difference between an account instance and an organisation instance, and between a member account and a management account?

Lottie, asked 4 months ago, 387 views
2 Answers
1

Have you set up an AWS organisation yet?

Identity Center is best used when you have an org and multiple workload accounts contained in the org. The first account in the org is the management account and should be as empty as possible, with workload resources in their own accounts.

Identity Center should be enabled in the management account, with a delegated administrator in a sub-account for management.

EXPERT, answered 4 months ago

  • Comment: Can I set up an administrative account without enabling Identity Center? I have attached some screenshots to my post.

0

The issue around access to Identity Center is that the policy needs to be set up for the member account. Even though the user is logged in as root, the member account of that root needs to be delegated access to Organisations. If the user is logged in as root of the management account, then the user is able to enable and access Identity Center without needing to be delegated, which involves setting up/applying a policy to the account.

To elaborate on the answer provided by Gary above, I found an article on how to delegate an administrator for AWS Organisations: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html. The first example in the article provides the policy to allow the member account access to IAM Identity Center.

The structure of your organisation should be like this:

    Root
    ├── Management Account (created by default during account setup)
    ├── AdministratorTeam (Organisational Unit)
    │   └── Projects (a member account of AdministratorTeam)
    │       └── PowerAccount (a group created using Identity Center)
    │           └── Nikki (a user within the PowerAccount group)
    └── TechnicalSupport (Organisational Unit)

AWS recommends not logging in to a member/management account as root. AWS recommends logging in as a user under a non-management account, because SCPs do not apply to the management account and users added to the management account are not affected by SCPs.

I created an Organisational Unit (OU) called AdministratorTeam and added a member account called Projects (using the management account). Then I added a group (within Identity Center) to the Projects member account. The PowerAccount group contains a user, Nikki.

You can use "Create an administrative user in IAM Identity Center" (https://docs.aws.amazon.com/SetUp/latest/UserGuide/setup-createadminperms.html) to set up the user Nikki and the group. On the permission set, I added AdministratorAccess.

Then use the above article on how to delegate an administrator for AWS Organisations (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) to set up the policy for the Projects member account. Replace the principal account ID with the account ID for Projects:

"Principal": { "AWS": "arn:aws:iam::AccountId:root" },

Note that, in the policy, the root after the account ID cannot be replaced with a user or group as it can with IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). With Identity Center, you can only assign the policy to a member account.

Now, try to login as Nikki. You should be able to access IAM Identity Center.

Lottie, answered 3 months ago
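As an added example (not code from the original post or from AWS documentation), the following Python helper builds the Organisations delegation policy described in the answer above for the Projects member account and checks the constraint the answer points out: the Principal must be a member account root ARN, never a user or group ARN. The action list, the statement Sid and the account ID 111122223333 are illustrative assumptions; substitute the actions from the AWS documentation's example and your own account ID.

```python
"""Build and sanity-check an AWS Organizations delegation policy that grants a
member account (e.g. the Projects account) Organizations permissions.

Added example. The action list below is an assumption for illustration; take
the real list from the AWS documentation example you are following.
"""
import json
import re

# A delegation policy principal must be an account root ARN, e.g.
# arn:aws:iam::111122223333:root. User/group/role ARNs are not accepted.
ACCOUNT_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Assumed, illustrative read-only Organizations actions that an Identity
# Center delegated administrator typically needs to enumerate the org.
DEFAULT_ACTIONS = [
    "organizations:DescribeOrganization",
    "organizations:DescribeAccount",
    "organizations:ListAccounts",
    "organizations:ListAccountsForParent",
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
]


def account_root_arn(account_id: str) -> str:
    """Return the root ARN for a 12-digit account ID; reject anything else,
    including a full user/group ARN pasted in by mistake."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"expected a 12-digit AWS account ID, got {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def build_delegation_policy(member_account_id: str, actions=None,
                            sid="DelegateOrgReadsToProjects") -> dict:
    """Return the delegation policy document as a dict (Sid is an assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": {"AWS": account_root_arn(member_account_id)},
                "Action": list(actions or DEFAULT_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def check_delegation_policy(policy: dict) -> list:
    """Return a list of problems found in a delegation policy; [] if clean.

    Checks the two rules most often tripped over: every principal is an
    account root ARN, and only organizations:* actions are delegated.
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for arn in (aws if isinstance(aws, list) else [aws]):
            if not isinstance(arn, str) or not ACCOUNT_ROOT_ARN.match(arn):
                problems.append(f"{where}: Principal must be a member account "
                                f"root ARN, not {arn!r}")
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            if not isinstance(action, str) or not action.startswith("organizations:"):
                problems.append(f"{where}: only organizations:* actions can be "
                                f"delegated, got {action!r}")
        if "Resource" not in stmt:
            problems.append(f"{where}: Resource is required")
    return problems


if __name__ == "__main__":
    # Constructed sample: 111122223333 stands in for the Projects account ID.
    policy = build_delegation_policy("111122223333")
    print(json.dumps(policy, indent=2))
    print("problems:", check_delegation_policy(policy))
```

Paste the printed JSON into the delegation policy editor in the management account (Organisations console, Settings, Delegation policy). If you point `check_delegation_policy` at a document whose Principal is `arn:aws:iam::111122223333:user/Nikki`, it reports the principal as invalid, which is exactly the case the answer warns about.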
