Manage User Access to AWS accounts Using AWS IAM Identity Center
Introduction
In this tutorial, we will explain how to manage user access across multiple AWS accounts using AWS IAM Identity Center. AWS IAM Identity Center simplifies and centralizes access management from a single location. It integrates with many identity providers, enabling access federation and single sign-on (SSO) for users, which provides a seamless experience when accessing AWS accounts or applications (AWS managed applications or custom applications) across an organization.
What is IAM Identity Center?
AWS IAM Identity Center is the AWS solution for connecting your users to AWS managed applications such as Amazon Q Developer and Amazon QuickSight, and other AWS resources. You can connect your existing identity provider and synchronize users and groups from your directory, or create and manage your users directly in IAM Identity Center.
AWS IAM Identity Center is integrated with AWS Organizations, which enables you to centrally manage permissions across multiple AWS accounts.
Reference: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
Key Features of AWS IAM Identity Center
AWS IAM Identity Center offers two main features:
Manage User Access to Applications: Control access to both AWS managed and custom applications.
Manage User Access to AWS Accounts: Simplify and centralize the process of managing AWS account permissions for your users.
This tutorial focuses on managing user access across multiple AWS accounts.
Prerequisites Before Starting this Tutorial
Before diving into the setup, ensure you have the following prerequisites:
Multiple AWS Accounts: At least two AWS accounts are required.
AWS Organizations Configured: Activate and configure AWS Organizations. For detailed guidance, refer to the following documentation:
Accounts under the Same Organization: Ensure the AWS accounts are part of the same AWS Organization. For instructions, see:
After meeting all prerequisites, you should see a list of multiple AWS accounts in the AWS Organizations interface.
Managing user access across Multiple AWS accounts
Follow these steps to manage user access across multiple AWS accounts using IAM Identity Center:
1. Enable IAM Identity Center
Click the Enable button. Before selecting the Region for IAM Identity Center, review this documentation:
Choose the Region for IAM Identity Center
2. Verify IAM Identity Center Activation
Ensure that IAM Identity Center is activated correctly in your AWS environment.
3. Check that all AWS accounts have been added
Confirm that all AWS accounts you added to your organization are recognized by IAM Identity Center.
4. Create a user in IAM Identity Center
Set up a user within IAM Identity Center to begin managing access.
5. Verify the invitation email from AWS
Check the email invitation that AWS sends to the address entered when the user was created.
6. Log in to your account
When the user logs into the IAM Identity Center portal for the first time, they will be prompted to register a multi-factor authentication (MFA) device. While registering an MFA device is a best practice, for simplicity in this tutorial, we will disable MFA temporarily.
7. Deactivate MFA
Navigate to IAM Identity Center Settings.
Select Authentication.
In the Multi-factor authentication section, click on Configure.
Follow the prompts to deactivate MFA for initial login.
8. Access the AWS access portal
After configuring MFA, the user can log in to the AWS access portal. However, to reach specific AWS accounts, permissions must first be granted by creating permission sets.
9. Create your first permission set
Permission sets define the level of access a user will have in AWS accounts. In this task, you will create a permission set that grants read-only access, which can then be assigned to the user in multiple AWS accounts.
Choose Permission Set Type: For this tutorial, select the predefined ReadOnlyAccess policy.
Verify Configuration: Review and confirm the permission set settings.
10. Assign the user to the two AWS accounts
Assign the created permission set to the user across the AWS accounts:
Click on Assign Users or Groups.
Select the user you created earlier.
Choose the appropriate permission sets.
Review the assignment details and submit.
11. Access the portal after adding the user to the two AWS accounts
After the user has been assigned to the relevant AWS accounts with the defined permission set, the user can log into the AWS access portal and work in each account according to the permissions granted.
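The same procedure can be scripted with the AWS CLI so that it is repeatable and reviewable. The functions below are an added example, not code from the tutorial or from AWS; they assume administrator credentials in the Organizations management account, that IAM Identity Center is already enabled (step 1), and that the account IDs, user name and e-mail address you pass in are your own (the values in the comments are constructed placeholders).

```shell
#!/usr/bin/env bash
# Added example: the console steps of this tutorial driven from the AWS CLI.
# Assumes admin credentials in the management account and that IAM Identity
# Center is enabled. Account IDs, user names and e-mails are placeholders.
set -eu

# Resolve a field of the Identity Center instance, e.g. InstanceArn or IdentityStoreId.
sso_instance() { aws sso-admin list-instances --query "Instances[0].$1" --output text; }

# Step 9: a permission set carrying only the AWS managed ReadOnlyAccess policy,
# with a one-hour session. Prints the new permission set ARN.
create_readonly_permission_set() {
  local instance_arn=$1 name=$2 ps_arn
  ps_arn=$(aws sso-admin create-permission-set --instance-arn "$instance_arn" \
    --name "$name" --session-duration PT1H \
    --query 'PermissionSet.PermissionSetArn' --output text)
  aws sso-admin attach-managed-policy-to-permission-set \
    --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
    --managed-policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
  echo "$ps_arn"
}

# Step 4: a user in the Identity Center directory; prints its UserId.
# The invitation e-mail (step 5) goes to the address given here.
create_user() {
  local store_id=$1 user_name=$2 email=$3
  aws identitystore create-user --identity-store-id "$store_id" \
    --user-name "$user_name" --display-name "$user_name" \
    --name "GivenName=$user_name,FamilyName=Example" \
    --emails "Value=$email,Type=work,Primary=true" \
    --query 'UserId' --output text
}

# Step 10: assign the user, with the permission set, to every account ID given.
# Prints one provisioning status (e.g. IN_PROGRESS) per account.
assign_accounts() {
  local instance_arn=$1 ps_arn=$2 user_id=$3 account; shift 3
  for account in "$@"; do
    aws sso-admin create-account-assignment --instance-arn "$instance_arn" \
      --target-type AWS_ACCOUNT --target-id "$account" \
      --permission-set-arn "$ps_arn" --principal-type USER --principal-id "$user_id" \
      --query 'AccountAssignmentCreationStatus.Status' --output text
  done
}

# Step 11 check: which principal IDs hold this permission set in an account.
list_assignments() {
  aws sso-admin list-account-assignments --instance-arn "$1" --account-id "$2" \
    --permission-set-arn "$3" --query 'AccountAssignments[].PrincipalId' --output text
}
```

Source the file, then call, for example, `INST=$(sso_instance InstanceArn)`, `PS=$(create_readonly_permission_set "$INST" ReadOnly)` and `assign_accounts "$INST" "$PS" "$USER_ID" 111122223333 444455556666` with your own account IDs; `list_assignments` afterwards shows who holds the permission set in each account.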
Conclusion
By leveraging AWS IAM Identity Center, organizations can streamline and centralize the management of user access across multiple AWS accounts. This powerful tool not only simplifies the process of assigning and governing permissions but also integrates seamlessly with AWS Organizations, providing a unified approach to access control and security.
Other References
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html#id_roles_providers_iam
https://aws.amazon.com/iam/identity-center/faqs/
https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html