IAM Identity Center considerations - AWS Setup

IAM Identity Center considerations

The following topics provide guidance for setting up IAM Identity Center for specific environments. Understand the guidance that applies to your environment before you proceed to Part 2: Create an administrative user in IAM Identity Center.

Active Directory or external IdP

If you're already managing users and groups in Active Directory or an external IdP, we recommend that you consider connecting this identity source when you enable IAM Identity Center and choose your identity source. Doing this before you create any users and groups in the default Identity Center directory will help you avoid the additional configuration that's required if you change your identity source later.

If you want to use Active Directory as your identity source, your configuration must meet the following prerequisites:

  • If you're using AWS Managed Microsoft AD, you must enable IAM Identity Center in the same AWS Region where your AWS Managed Microsoft AD directory is set up. IAM Identity Center stores the assignment data in the same Region as the directory. To administer IAM Identity Center, you might need to switch to the Region where IAM Identity Center is configured. Also, note that the AWS access portal uses the same access URL as your directory.

  • Use an Active Directory residing in your management account:

    You must have an existing AD Connector or AWS Managed Microsoft AD directory set up in AWS Directory Service, and it must reside within your AWS Organizations management account. You can connect only one AD Connector or one AWS Managed Microsoft AD at a time. If you need to support multiple domains or forests, use AWS Managed Microsoft AD. For more information, see:

  • Use an Active Directory residing in the delegated admin account:

    If you plan to enable IAM Identity Center delegated administration and use Active Directory as your identity source, you can use an existing AD Connector or AWS Managed Microsoft AD directory that is set up in AWS Directory Service and resides in the delegated admin account.

    If you decide to change the IAM Identity Center identity source from any other source to Active Directory, or from Active Directory to any other source, the directory must reside in (be owned by) the IAM Identity Center delegated administrator member account if one exists; otherwise, it must reside in the management account.

AWS Organizations

Your AWS account must be managed by AWS Organizations. If you haven't set up an organization, you don't have to do so beforehand: when you enable IAM Identity Center, you choose whether to have AWS create an organization for you.

If you've already set up AWS Organizations, make sure that all features are enabled. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.

To enable IAM Identity Center, you must sign in to the AWS Management Console by using the credentials of your AWS Organizations management account. You can't enable IAM Identity Center while signed in with credentials from an AWS Organizations member account. For more information, see Creating and managing an AWS Organization in the AWS Organizations User Guide.

IAM roles

If you've already configured IAM roles in your AWS account, we recommend that you check whether your account is approaching the quota for IAM roles. For more information, see IAM object quotas.

If you're nearing the quota, consider requesting a quota increase. Otherwise, you might experience problems with IAM Identity Center when you provision permission sets to accounts that have exceeded the IAM role quota. For information about how to request a quota increase, see Requesting a quota increase in the Service Quotas User Guide.
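As an added example (not AWS's own code), the following Python script evaluates the `SummaryMap` returned by the IAM `GetAccountSummary` API to see whether an account has enough room under its role quota before permission sets are provisioned to it. The summary values are constructed; the live `boto3` call is optional and only attempted when the script is run directly.

```python
"""Check IAM role headroom before provisioning IAM Identity Center permission sets.

Each permission set assigned to an account is provisioned as an IAM role in that
account, so the account must have room under its "Roles per account" quota.
"""

# Constructed sample of the SummaryMap returned by GetAccountSummary
# (a real response carries many more keys; only these two matter here).
SAMPLE_SUMMARY = {"Roles": 950, "RolesQuota": 1000}


def role_headroom(summary, planned_permission_sets=0, warn_fraction=0.8):
    """Describe how close an account is to its IAM role quota.

    summary: the SummaryMap from IAM GetAccountSummary.
    planned_permission_sets: roles that provisioning will add to this account.
    warn_fraction: usage ratio at or above which the account counts as near quota.
    """
    used = summary["Roles"]
    quota = summary["RolesQuota"]
    projected = used + planned_permission_sets
    return {
        "used": used,
        "quota": quota,
        "free": quota - used,
        "near_quota": used / quota >= warn_fraction,
        "provisioning_fits": projected <= quota,
    }


def fetch_summary():
    """Fetch the live SummaryMap; needs boto3 and credentials for the target account."""
    import boto3  # imported here so the rest of the module works offline
    return boto3.client("iam").get_account_summary()["SummaryMap"]


if __name__ == "__main__":
    try:
        summary = fetch_summary()
    except Exception:  # no boto3 or no credentials: fall back to the constructed sample
        summary = SAMPLE_SUMMARY
    result = role_headroom(summary, planned_permission_sets=60)
    print(result)
    if not result["provisioning_fits"]:
        print("Request a quota increase before assigning these permission sets.")
```

Run it with credentials for each member account that will receive permission sets; a `provisioning_fits` of `False` means the assignment will hit the quota described above.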

Next-generation firewalls and secure web gateways

If you filter access to specific AWS domains or URL endpoints with a web content filtering solution such as a next-generation firewall (NGFW) or secure web gateway (SWG), you must add the following domains and URL endpoints to that solution's allow lists.

Specific DNS domains

  • *.awsapps.com

  • *.signin.aws

Specific URL endpoints

  • https://[yourdirectory].awsapps.com/start

  • https://[yourdirectory].awsapps.com/login

  • https://[yourregion].signin.aws/platform/login