Using IAM Identity Center
| Applies to: Enterprise Edition and Standard Edition |
| Intended audience: System administrators and Amazon Quick administrators |
Amazon Quick Enterprise edition integrates with your existing directories, using either Microsoft Active Directory or single sign-on (IAM Identity Center) using Security Assertion Markup Language (SAML). You can use AWS Identity and Access Management (IAM) to further enhance your security, or for custom options such as embedding dashboards.
In Quick Standard edition, you can manage users entirely within Quick. If you prefer, you can integrate with your existing users, groups, and roles in IAM.
You can use the following tools for identity and access to Amazon Quick:
-
IAM Identity Center (Enterprise edition only)
-
IAM federation (Standard and Enterprise editions)
-
AWS Directory Service for Microsoft Active Directory (Enterprise edition only)
-
SAML-based single sign-on (Standard and Enterprise edition)
-
Multifactor authentication (MFA) (Standard and Enterprise edition)
Note
In the regions listed below, Amazon Quick accounts can only use IAM Identity Center for identity and access management.
-
af-south-1Africa (Cape Town) -
ap-southeast-3Asia Pacific (Jakarta) -
ap-southeast-5Asia Pacific (Malaysia) -
eu-south-1Europe (Milan) -
eu-south-2Europe (Spain) -
eu-central-2Europe (Zurich) -
il-central-1Israel (Tel Aviv) -
me-central-1Middle East (UAE)
IAM Identity Center helps you securely create or connect your workforce identities and manage their access across AWS accounts and applications.
Before you integrate your Amazon Quick account with IAM Identity Center, set up IAM Identity Center in your AWS account. If you haven't set up IAM Identity Center in your AWS organization, see Getting started in the AWS IAM Identity Center User Guide.
If you want to configure an external identity provider with IAM Identity Center, see Supported identity providers to view a list of supported identity providers' configuration steps.
Configure your Amazon Quick account with IAM Identity Center
| Applies to: Enterprise Edition |
| Intended audience: System administrators |
IAM Identity Center helps you securely create or configure your existing workforce identities and
manage their access across AWS accounts and applications. IAM Identity Center is the recommended
approach for workforce authentication and authorization on AWS for organizations of
any size and type. To learn more about IAM Identity Center, see AWS IAM Identity Center
Configure Amazon Quick and IAM Identity Center so that you can sign up for a new Amazon Quick account with an IAM Identity Center configured identity source. With IAM Identity Center, you can configure your external identity provider as an identity source. You can also use IAM Identity Center as an identity store if you don't want to use a third-party identity provider with Amazon Quick. Identity methods can't be changed after your account is created.
When you integrate your Amazon Quick account with IAM Identity Center, Amazon Quick account administrators can create a new Amazon Quick account that automatically has the identity provider's groups available. This simplifies asset sharing at scale in Amazon Quick.
Access to some sections of the Amazon Quick administration console is restricted by IAM permissions. The following table summarizes the admin actions that you can perform in Amazon Quick based on the access type that you choose.
To learn more how to sign up for an Amazon Quick account with IAM Identity Center, see Signing up for an Amazon Quick subscription.
The following table lists admin actions and whether they require IAM permissions.
| Admin action | IAM permissions required |
|---|---|
|
Account settings |
|
|
Manage assets |
|
|
Amazon Q |
|
|
Manage subscriptions |
|
|
SPICE capacity |
|
|
Index capacity |
|
|
Manage users (view) |
|
|
Manage users > Role groups |
|
|
Manage domains |
|
|
Mobile settings |
|
|
Manage IP/VPC restrictions |
|
|
Manage VPC connections |
|
|
Manage OAuth client applications |
|
|
KMS keys |
|
|
AWS resources |
|
|
Default access policy |
|
|
IAM policy assignments |
|
|
AWS actions |
|
|
Extension access |
|
|
Custom permissions |
|
|
Configure SageMaker |
|
|
Brand customization |
|
|
Agent customization |
|
|
Email customization |
|
|
Quick Usage Metrics |
|
If you have the Amazon Quick admin role, you can perform actions that do not
require IAM permissions. To perform actions that require IAM permissions, sign in to
the AWS Management Console as an IAM principal with the appropriate
quicksight:* permissions. You can also perform some admin actions
programmatically through the Amazon Quick API. For a list of available API operations,
see the Amazon Quick API Reference.
Considerations
Irreversible actions
The following actions permanently prevent all users from signing in to your Amazon Quick account. You cannot undo these actions.
-
Disabling or deleting the Amazon Quick application in the IAM Identity Center console. If you want to delete your Amazon Quick account, see Closing your Amazon Quick account.
-
Migrating the Amazon Quick account that contains your IAM Identity Center configuration to an AWS Organization that does not contain the IAM Identity Center instance that your Amazon Quick account is configured to.
-
Deleting the IAM Identity Center instance that is configured to your Amazon Quick account.
-
Editing IAM Identity Center application attributes, for example the requires assignment attribute.