AWS Single Sign-On SSO

AWS IAM Identity Center (formerly AWS Single Sign-On)

📢 Service Rebranded: AWS Single Sign-On (AWS SSO) was renamed to AWS IAM Identity Center in July 2022. All functionality remains the same. SDKs, CLI, and APIs retain the sso namespace for backward compatibility.

  • AWS IAM Identity Center is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to all AWS accounts and cloud applications.
  • IAM Identity Center helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS managed applications, as well as custom applications that support SAML 2.0.
  • IAM Identity Center includes an AWS access portal where end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
  • IAM Identity Center is the recommended service for managing workforce access to AWS applications and multiple AWS accounts.
  • IAM Identity Center is available at no additional cost in all AWS commercial, GovCloud, and China Regions where it is supported.

IAM Identity Center Features

  • AWS Organizations Integration
    • Natively integrates with AWS Organizations and enumerates all the AWS accounts.
    • Configures and maintains all the necessary permissions for accounts automatically, without requiring any additional setup in individual accounts.
  • SSO access to AWS accounts and cloud applications
    • Helps manage Single Sign-On across all AWS accounts, cloud applications, AWS managed applications, and custom SAML 2.0–based applications, without custom scripts or third-party SSO solutions.
    • Supports pre-integrated business applications including Salesforce, Box, Microsoft 365, and hundreds of others.
  • Create and manage users and groups in IAM Identity Center
    • Provides a built-in identity store to create and manage users and groups directly.
    • Supports connecting to an existing AWS Managed Microsoft AD directory through AWS Directory Service.
    • Supports external identity providers (IdPs) via SAML 2.0 and SCIM 2.0 for automated user provisioning.
  • Leverage existing corporate identities
    • Integrates with Microsoft Active Directory through AWS Directory Service.
    • Supports external IdPs including Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), Ping Identity, JumpCloud, and others.
  • Permission Sets
    • Permission sets are collections of one or more IAM policies that define the access for users/groups.
    • IAM Identity Center creates IAM roles based on permission sets and attaches the specified policies in each assigned account.
    • Multiple permission sets can be assigned to the same user.
    • Permissions can be based on common job functions or customized to meet specific security requirements.
  • Multi-factor Authentication (MFA)
    • Supports enforcement of MFA for all users, including a requirement to set up MFA during sign-in.
    • Supports FIDO-enabled security keys (e.g., YubiKey), built-in biometric authenticators (Touch ID, facial recognition), and TOTP authenticator apps.
    • If using a supported SAML 2.0 IdP, MFA capabilities of the provider can be used.
  • Attribute-Based Access Control (ABAC)
    • Allows selecting user attributes (cost center, title, locale) from the identity source.
    • Attributes can be used for fine-grained access control across AWS without needing separate permission sets for each attribute combination.
  • Delegated Administration
    • Supports centralized administration and API access from an AWS Organizations delegated administrator account.
    • Reduces the need to use the management account for day-to-day operations.
  • Co-exists with existing IAM users, roles, and policies
    • Has no impact on the users, roles, or policies that are already managed in IAM.
  • No-cost identity management
    • Available at no additional cost.
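As an added illustration of the Permission Sets and ABAC bullets above (example code, not from this page or from AWS): one constructed permission-set inline policy that keys access on the CostCenter attribute Identity Center passes as a session tag, plus a deliberately simplified evaluator showing how `${aws:PrincipalTag/CostCenter}` is resolved per user, so a single permission set covers every cost center. The policy, tag values and evaluator are constructed here; real IAM evaluation has more rules (resource ARN matching, other condition operators) than this model.

```python
import re

# Constructed inline policy for one permission set (example data, not from the page).
# ${aws:PrincipalTag/CostCenter} is resolved per request from the attribute that IAM
# Identity Center maps from the identity source, so one permission set serves every cost center.
ABAC_PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnCostCenterInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}},
        },
        {"Sid": "NeverTerminate", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def resolve_variables(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}; a missing tag is left unresolved so it never matches."""
    return VAR.sub(lambda m: principal_tags.get(m.group(1), m.group(0)), value)

def _action_matches(pattern, action):
    # IAM action patterns support '*' wildcards; everything else is literal
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None

def _conditions_hold(condition, principal_tags, resource_tags):
    # Only StringEquals on aws:ResourceTag/<Key> is modelled; other operators are ignored here
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False  # unsupported condition key: fail closed
        wanted = resolve_variables(expected, principal_tags)
        if resource_tags.get(key[len("aws:ResourceTag/"):]) != wanted:
            return False
    return True

def is_allowed(policy, principal_tags, action, resource_tags):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), principal_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A user whose identity source carries CostCenter=1234 can stop instances tagged 1234 but not those tagged 5678, and a user with no CostCenter attribute matches nothing.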

IAM Identity Center Identity Sources

  • IAM Identity Center identity store (default)
    • Provides a built-in store to create and manage users and groups, and assign their level of access to AWS accounts and applications.
    • Users are created by configuring an email address and name; IAM Identity Center sends an email for users to set their own password.
  • Active Directory
    • Supports self-managed Active Directory (AD) or AWS Managed Microsoft AD directory using AWS Directory Service.
    • Allows selecting user attributes from AD for ABAC.
  • External identity provider
    • Supports external IdPs via SAML 2.0, including Okta Universal Directory, Microsoft Entra ID (formerly Azure AD), Ping Identity, JumpCloud, and others.
    • Supports System for Cross-domain Identity Management (SCIM) 2.0 for automated user and group provisioning.
    • Multiple identity providers can be integrated using Okta as a hub.

IAM Identity Center Deployment Options

  • Organization Instance
    • Deployed in the management account of AWS Organizations.
    • Recommended best practice for multi-account production environments.
    • Provides a single, central access control point for all AWS accounts and applications.
  • Account Instance
    • Limited-scope deployment for quickly evaluating a supported AWS application (e.g., Amazon Redshift).
    • Available to a narrow set of application users.
    • Organization instance administrators can control account instance creation through SCPs.

Trusted Identity Propagation

  • Trusted identity propagation is a feature built on the OAuth 2.0 Authorization Framework.
  • Enables applications to access data and other resources on behalf of a specific user, without sharing that user’s credentials.
  • Simplifies data access management and auditing, and improves the sign-in experience for analytics users.
  • Allows administrators to grant permissions based on user attributes such as user ID or group associations.
  • Auditing and security teams can trace access to data resources back to each individual user.
  • Supported AWS Services:
    • Amazon Redshift (Query Editor V2)
    • Amazon QuickSight
    • Amazon S3
    • Amazon EMR (EMR Studio, EMR Serverless)
    • AWS Lake Formation
    • Amazon SageMaker (Unified Studio)
    • Amazon Athena

Multi-Region Support (2025-2026)

  • IAM Identity Center can be replicated from the primary AWS Region to additional Regions.
  • Automatically replicates workforce identities, permission sets, user and group assignments, sessions, and metadata.
  • Provides active access portal endpoints in each replicated Region for reduced latency.
  • Improves resilience by maintaining account access with provisioned permissions during Regional disruptions.
  • Replication is asynchronous with eventual consistency.
  • Supports customer-managed AWS KMS keys for encryption (multi-Region KMS keys recommended).
  • Integrated with services like Amazon SageMaker Unified Studio and AWS Transfer Family across Regions.

Temporary Elevated Access

  • IAM Identity Center supports temporary elevated access through validated partner integrations.
  • Users without standing permissions can request access, receive approval, and perform operations during a specified time window.
  • Validated Partners:
    • CyberArk Secure Cloud Access – for sensitive operations demanding full auditability
    • Tenable Cloud Security – for multi-cloud environments with complex entitlements
    • Okta Access Requests – for organizations using multiple identity sources
  • Auditors can view a log of actions and approvals in the partner solution.

Customer-Managed KMS Keys (2025)

  • IAM Identity Center organization instances support customer-managed AWS KMS keys for encrypting workforce identity data at rest.
  • Encrypts user and group attributes using customer-managed keys.
  • Provides additional control over encryption key management and rotation.

AWS Access Portal

  • The AWS access portal (formerly user portal) is the web location where users sign in to IAM Identity Center.
  • Provides a single place to access all assigned AWS accounts, cloud applications, and custom applications.
  • Users authenticate once and can switch between accounts and applications without re-authentication.
  • Custom vanity domains can be configured for regional routing of access portals.

Integration with AWS Services

  • AWS Analytics Services – Amazon Redshift, QuickSight, EMR, Athena, Lake Formation
  • AWS Developer Tools – Amazon Q Developer (formerly CodeWhisperer)
  • AWS Management – AWS Systems Manager Change Manager
  • AWS AI/ML – Amazon SageMaker Unified Studio
  • AWS Storage – AWS Transfer Family web apps
  • Monitoring – AWS CloudTrail for auditing all administrative and access activity

AWS IAM Identity Center Use Cases

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which of the following can a customer use to enable single sign-on (SSO) to the AWS Console?
    1. Amazon Connect
    2. AWS IAM Identity Center (formerly AWS Single Sign-On)
    3. Amazon Pinpoint
    4. Amazon Rekognition
  2. A company uses AWS Organizations with multiple AWS accounts. The company needs to provide centralized access management for all accounts. Users should be able to sign in once and access multiple accounts based on their job function. What is the recommended approach?
    1. Create IAM users in each account and configure cross-account roles
    2. Use AWS IAM Identity Center with permission sets to manage multi-account access
    3. Use Amazon Cognito user pools for workforce identity federation
    4. Create a custom SAML identity provider in each account
  3. A company uses AWS Organizations and AWS IAM Identity Center. The company needs to restrict development teams to use only specific AWS Regions and specific AWS services. Which solution meets this requirement with the LEAST operational overhead?
    1. Use IAM Identity Center to set up service-linked roles with IAM policy conditions
    2. Deactivate AWS STS in Regions that developers are not allowed to use
    3. Create SCPs that include Condition, Resource, and NotAction elements to allow access to only specific Regions and services
    4. For each account, create tailored identity-based policies for IAM Identity Center
  4. A company wants to connect their existing Okta Universal Directory as the identity source for AWS IAM Identity Center. Which protocol does IAM Identity Center use for automatic provisioning of users and groups from Okta?
    1. OAuth 2.0
    2. OpenID Connect (OIDC)
    3. SCIM 2.0 (System for Cross-domain Identity Management)
    4. LDAP
  5. A company is using AWS IAM Identity Center and wants to grant fine-grained permissions to users based on their department and cost center attributes from their identity provider. Which IAM Identity Center feature should they use?
    1. Permission boundaries
    2. Service Control Policies (SCPs)
    3. Resource-based policies
    4. Attribute-Based Access Control (ABAC)
  6. An analytics team needs to access data across Amazon Redshift, Amazon S3 via Lake Formation, and Amazon QuickSight using their corporate identity without managing separate credentials for each service. Which IAM Identity Center feature enables this?
    1. Permission sets
    2. SAML federation
    3. Trusted identity propagation
    4. Cross-account roles

AWS Identity & Security Services Cheat Sheet

AWS Identity and Security Services

📌 Last Updated: June 2026 — Includes AWS Security Hub reimagined (re:Invent 2025), AWS Security Agent (GA March 2026), mandatory MFA enforcement for all root users, GuardDuty Extended Threat Detection, and IAM Identity Center multi-Region replication.

AWS Identity & Security Services Overview

AWS Security, Identity, and Compliance services provide a comprehensive set of tools to help protect data, accounts, and workloads. These services are organized into the following categories:

Identity and Access Management

  • AWS Identity and Access Management (IAM) – Securely manage access to AWS services and resources using users, groups, roles, and policies
  • AWS IAM Identity Center (formerly AWS SSO) – Centrally manage SSO access to multiple AWS accounts and business applications
    • Now supports multi-Region replication (Feb 2026) for high availability
    • Supports IPv6 dual-stack endpoints
  • Amazon Cognito – Customer identity and access management (CIAM) for web and mobile apps
    • Now supports passwordless authentication with passkeys (FIDO2/WebAuthn), email OTP, and SMS OTP (Nov 2024)
    • New feature tiers: Essentials and Plus (Nov 2024)
    • Managed Login for pre-built authentication UIs
  • Amazon Verified Permissions – Scalable, fine-grained authorization using Cedar policy language for custom applications
  • AWS Resource Access Manager (RAM) – Securely share AWS resources across accounts and within AWS Organizations
  • AWS Directory Service – Managed Microsoft Active Directory in the AWS Cloud

Detection and Response

  • Amazon GuardDuty – Intelligent threat detection that continuously monitors for malicious activity
    • Extended Threat Detection (re:Invent 2024) – AI/ML-powered attack sequence identification across multiple data sources
    • Now covers EC2, ECS, EKS, S3, and IAM attack sequences
    • Custom entity lists for domain-based threat intelligence (Sept 2025)
  • Amazon Detective – Analyze, investigate, and identify root cause of security findings using ML and graph theory
  • Amazon Inspector – Automated vulnerability management for EC2 instances and container images in ECR
  • AWS Security Hub – Cloud security posture management (CSPM) and unified security operations
    • Reimagined at re:Invent 2025 – Unifies GuardDuty, Inspector, and other services into a single experience
    • Near real-time analytics and risk prioritization (GA Dec 2025)
    • Extended Plan (GA Feb 2026) – Full-stack enterprise security with 21 curated partner solutions across 9 categories
    • Expanding to multicloud environments
  • AWS Security Agent (GA March 2026) – AI-powered frontier agent for proactive application security
    • Automated security reviews tailored to organizational requirements
    • On-demand context-aware penetration testing
    • Full repository code scanning (Preview May 2026)
    • Operates like a human penetration tester – identifies, exploits, and validates vulnerabilities

Data Protection

Network and Application Protection

  • AWS WAF – Web application firewall to protect against common web exploits and bots
  • AWS Shield – Managed DDoS protection (Standard and Advanced tiers)
  • AWS Network Firewall – Managed network firewall for VPC with stateful inspection and IPS
  • AWS Firewall Manager – Centrally configure and manage firewall rules across accounts in AWS Organizations

Security Data Management and Compliance

  • Amazon Security Lake – Centralize security data from AWS, SaaS, and on-premises sources using the OCSF standard
    • Achieved FedRAMP High and Moderate authorization (April 2025)
  • AWS Audit Manager – Continuously audit AWS usage for risk and compliance assessment
  • AWS Artifact – On-demand access to AWS security and compliance reports

Key Updates (2024-2026)

  • MFA Enforcement (2024-2025) – AWS now mandates MFA for all root users across all account types. Prevents over 99% of password-related attacks.
  • AWS Security Hub Reimagined (re:Invent 2025) – Completely redesigned to unify security services into a single experience with near real-time analytics and AI-driven risk prioritization.
  • AWS Security Agent (GA March 2026) – First AI-powered frontier agent for autonomous application security testing and code scanning.
  • GuardDuty Extended Threat Detection (re:Invent 2024) – AI/ML attack sequence identification now covers EC2, ECS, EKS workloads.
  • IAM Identity Center Multi-Region (Feb 2026) – Replicate identity center configuration across multiple AWS Regions for high availability.
  • Amazon Cognito Passwordless (Nov 2024) – Native passkey support with FIDO2/WebAuthn, email OTP, and SMS OTP authentication.
  • Centralized Root Access Management (Nov 2024) – Centrally manage root credentials and perform privileged tasks across AWS Organizations member accounts.
  • Agentic AI Security Framework (2025) – New Agentic AI Security Scoping Matrix for securing autonomous AI systems.

AWS Certification Relevance

  • Solutions Architect (Associate/Professional) – IAM, VPC security, encryption, Security Hub, GuardDuty
  • Security Specialty – All services in depth, including Security Lake, Detective, Macie, Inspector
  • SysOps Administrator – Security Hub, Config, GuardDuty, IAM best practices
  • Developer Associate – Cognito, IAM roles, KMS, Secrets Manager
  • DevOps Professional – Security automation, Inspector, Security Hub integrations