AWS Services

AWS IAM Identity Center

Understand IAM Identity Center for centralized workforce access, including identity sources, organization instances, permission sets, AWS access portal, and SAA-C03 traps.

foundation6 min readUpdated 2026-06-02CloudCertificationSecurityOperations

IAM Identity CenterWorkforce IdentityIdentity SourceOrganization InstanceAccount InstancePermission SetAWS Access PortalTemporary Credentials

After this, you will understand

IAM Identity Center gives learners the modern AWS answer for workforce access across accounts without creating long-term IAM users everywhere.

Plain version

IAM Identity Center centrally connects workforce users to AWS accounts and applications through permission sets and the AWS access portal.

Decision pressure

Learners create IAM users in every account, copy long-term access keys, or confuse workforce access with workload role access.

Exam-ready model

Use IAM Identity Center with an organization instance to assign users and groups permission sets across AWS accounts.

Think before readingWhat does a permission set do in IAM Identity Center?

It defines a reusable level of access that can be assigned to users or groups for one or more AWS accounts.

Reading in progress

This page is saved in your local study history so you can continue later.

Next: AWS Key Management Service

Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

Concepts Covered

IAM Identity Center
Workforce users
Identity sources
Organization instances
Account instances
Permission sets
AWS access portal
Temporary credentials
External identity providers
IAM Identity Center versus IAM users and roles
SAA-C03 exam traps

1. Plain-English Mental Model

AWS IAM Identity Center is centralized workforce access for AWS.

The simple model is:

user or group -> permission set -> AWS account -> temporary role session

Instead of creating IAM users in every AWS account, you connect or create workforce identities in one place, assign permission sets, and let users sign in through the AWS access portal. From there, they can choose the accounts and roles they are allowed to use.

IAM Identity Center is about human access to AWS accounts and applications. It is not the same as IAM roles used by EC2, Lambda, ECS tasks, or cross-account workloads.

2. Why This Service Exists

Multi-account AWS creates an identity problem.

If a company has 30 accounts and 100 engineers, creating IAM users in every account becomes painful and risky. Users leave the company. Groups change. MFA policies drift. Access keys get copied. Admins forget which accounts a person can access.

IAM Identity Center exists to centralize workforce identity and account access.

It can use an internal Identity Center directory or connect to an external identity provider. Administrators assign users or groups to accounts using permission sets. Users sign in once, then access the AWS accounts and applications assigned to them.

For SAA-C03, IAM Identity Center appears in questions about centralized access to multiple AWS accounts, workforce single sign-on, permission sets, external identity providers, temporary credentials for CLI access, and reducing IAM user sprawl.

3. The Naive Approach And Where It Breaks

The naive pattern is IAM users everywhere:

engineer -> IAM user in dev
engineer -> IAM user in staging
engineer -> IAM user in prod

This breaks because every account becomes an identity island. Disabling a departed employee requires updates in every account. Permissions become inconsistent. Long-term access keys spread. MFA enforcement may vary.

Another naive pattern is one shared admin role or one shared IAM user. That destroys accountability and makes CloudTrail investigation harder.

Another mistake is confusing IAM Identity Center with application workload identity. If Lambda needs to read DynamoDB, use an IAM execution role. If a human engineer needs access to several AWS accounts, IAM Identity Center is usually the modern answer.

4. Core Primitives

A workforce user is a human user who signs in to AWS accounts or applications.

An identity source is where users and groups come from. It may be the Identity Center directory or an external provider.

An organization instance is the recommended production model for AWS account access. It integrates with AWS Organizations for multi-account permissions.

An account instance is scoped to one AWS account and does not support assigning account access across an organization.

A permission set defines what access a user or group receives in an AWS account.

When a permission set is assigned to an account, IAM Identity Center provisions an IAM role in that account and attaches the relevant policies.

The AWS access portal is where users choose assigned accounts, roles, applications, console access, and temporary credentials.

5. Architecture Use Cases

Use IAM Identity Center for engineering access across dev, staging, production, sandbox, and security accounts.

Use groups mapped to job functions:

Developers -> DevPowerUser permission set -> dev accounts
Operators -> ReadOnly permission set -> production accounts
Security -> SecurityAudit permission set -> all accounts

Use external identity provider integration when the organization already manages users in a corporate directory.

Use temporary credentials from the access portal for CLI and SDK work instead of long-term IAM user keys.

Use delegated administration carefully when identity operations should be managed outside the management account.

Use SCPs alongside IAM Identity Center. Permission sets grant access; SCPs limit maximum possible access in member accounts.

7. Security Model

IAM Identity Center security depends on identity source security, permission set design, account assignments, session duration, MFA, and audit logging.

Use groups rather than individual user assignments where possible. Group-based access is easier to review.

Use least-privilege permission sets. Avoid assigning administrative access broadly.

Use MFA and strong identity provider controls for workforce users.

Remember that permission sets eventually provision IAM roles in target accounts. Resource policies, KMS key policies, and EKS access mappings may sometimes need to account for those role identities.

CloudTrail can help audit user activity, and Identity Center sign-in activity should be monitored.

Do not keep long-term IAM users for normal human access unless there is a clear exception.

8. Reliability And Resilience

IAM Identity Center improves access reliability by centralizing identity assignment.

However, it also becomes an important dependency. If identity provider access breaks, users may be unable to reach AWS accounts.

Have emergency access procedures for critical accounts, especially production and management accounts. Break-glass access should be tightly controlled, monitored, and tested.

Session duration choices affect operations. Very short sessions can frustrate incident response. Very long sessions increase risk after compromise.

Use organization-level patterns so new accounts receive the right assignments consistently.

9. Performance And Scaling

IAM Identity Center scales workforce access better than account-local IAM users.

The scaling challenge is access design, not CPU or request throughput. Too many unique permission sets create confusion. Too few create excessive privilege.

Design permission sets around job functions: read-only, developer, operator, database admin, security audit, billing viewer, and emergency admin.

Use automation where possible for account assignments.

For large organizations, identity governance becomes a lifecycle process: onboarding, role change, offboarding, periodic access review, and exception handling.

10. Cost Model

IAM Identity Center itself is generally not the main cost concern.

Costs may appear in related services, identity provider licensing, logging, monitoring, and operational work.

The bigger cost benefit is reducing identity sprawl and access-key risk.

Centralized workforce access reduces operational overhead compared with manually maintaining IAM users in every account.

Security incidents caused by stale users or leaked long-term keys are far more expensive than designing access properly.

12. SAA-C03 Exam Signals

"Centralized access to multiple AWS accounts" points to IAM Identity Center.

"Workforce single sign-on" points to IAM Identity Center.

"Assign users and groups access using permission sets" points to IAM Identity Center.

"Use existing corporate identity provider" can point to IAM Identity Center federation.

"Temporary CLI credentials for users" can point to the AWS access portal.

"Application running on EC2 needs S3 access" points to IAM roles, not IAM Identity Center.

"Restrict what all member accounts can do" points to SCPs, not permission sets alone.

13. Common Exam Traps

Do not create IAM users in every account when centralized workforce access is required.

Do not confuse workforce identity with workload identity.

Do not assume account instances of IAM Identity Center support organization-wide account access.

Do not forget permission sets provision IAM roles into accounts.

Do not use permission sets as organization-wide denies. Use SCPs for guardrails.

Do not ignore break-glass access for management and production accounts.

Review IAM Foundations, IAM Users vs Roles, AWS Organizations, and Service Control Policies.

Official AWS references:

What to study next

These links keep the session moving: read prerequisites first, then open the systems, concepts, and patterns that deepen this page.

Prerequisites

Read these first if the mechanics feel unfamiliar.

IAM FoundationsStart here if IAM Foundations is still fuzzy.AWS OrganizationsStart here if AWS Organizations is still fuzzy.

Read these in order

What to study next

Prerequisites

More Links