Multi IAM Identity Center for different set of accounts within the same AWS Organization

0

Hello, we have an organization with several AWS accounts under it and we are in the process of adding SSO to them with AWS IAM Identity Center. However, there is a cluster of these accounts that belongs to our Security people which we want to keep independent; yet they would like to have the benefits of SSO in their accounts if possible. So, is it possible to delegate so that they can have their own independent Directory Service based IAM Identity Center to use only on their accounts? To sum this up: we would like to have multiple IAM Identity Centers (backed by different AWS Directory Services on different accounts) to manage SSO to different sets of accounts within the same AWS Organization. This would allow us to keep our Infosec folks fully independent from our Cloud Engineering/IT people while providing SSO to the different teams.

2 answers
1

It is not currently possible to do this in one AWS Organization. Each AWS Organization can have one and only one AWS IAM Identity Center, and IAM Identity Center only supports one Identity Provider at a time.

You would have to split out those Security accounts into their own AWS Organization if you wanted those accounts to have their own separate IAM Identity Center.

or-3
Answered 1 year ago
0

Yes, it is possible to have multiple IAM Identity Centers using different AWS Directory Services to manage SSO to different sets of accounts within the same AWS Organization. You can delegate access to the Security team to set up their own independent IAM Identity Center based on a separate AWS Directory Service that they control. This would allow them to have the benefits of SSO in their accounts while maintaining their independence from the Cloud Engineering/IT team. By having multiple IAM Identity Centers, you can provide SSO to different teams and maintain the necessary level of security and independence.

AWS_Guy
Answered 1 year ago
