

# AWS managed applications
<a name="awsapps"></a>

AWS IAM Identity Center streamlines and simplifies the task of connecting your workforce users to AWS managed applications such as Kiro and Amazon Quick. With IAM Identity Center, you can connect your existing identity provider once and synchronize users and groups from your directory, or create and manage your users directly in IAM Identity Center. By providing one point of federation, IAM Identity Center eliminates the need to set up federation or user and group synchronization for each application and reduces your administrative effort. You also get a common [view of user and group assignments](howtoviewandchangepermissionset.md).

For a table of AWS applications that work with IAM Identity Center, see [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md).

## Controlling access to AWS managed applications
<a name="awsapps-controlling-access"></a>

Access to AWS managed applications is controlled in two ways:
+ **Initial entry to the application** 

  IAM Identity Center manages this through assignments to the application. By default, assignments are required for AWS managed applications. If you are an application administrator, you can choose whether to require assignments to an application.

  If assignments are required, when users sign in to the AWS access portal, only users who are assigned to the application directly or through a group assignment can view the application tile.

  If assignments aren't required, you can allow all IAM Identity Center users to enter the application. In this case, the application manages access to resources and the application tile is visible to all users who visit the AWS access portal. 
**Important**  
If you’re an IAM Identity Center administrator, you can use the IAM Identity Center console to remove assignments to AWS managed applications. Before you remove assignments, we recommend that you coordinate with the application administrator. You should also coordinate with the application administrator if you plan to modify the setting that determines whether assignments are required, or if you plan to automate application assignments.
+ **Access to application resources**

  The application manages this through independent resource assignments that it controls.

AWS managed applications provide an administrative user interface that you can use to manage access to application resources. For example, Quick administrators can assign users to access dashboards based on their group membership. Most AWS managed applications also provide an AWS Management Console experience that enables you to assign users to the application. The console experience for these applications might integrate both functions, to combine user assignment capabilities with the ability to manage access to application resources.

## Sharing identity information
<a name="app-enablement"></a>

### Considerations for sharing identity information in AWS accounts
<a name="considerations-app-enablement"></a>

IAM Identity Center supports most commonly used attributes across applications. These attributes include first and last name, phone number, email address, address, and preferred language. Carefully consider which applications and which accounts can use this personally identifiable information.

You can control access to this information in either of the following ways:
+ You can choose to enable access in only the AWS Organizations management account or in all accounts in AWS Organizations.
+ Alternatively, you can use service control policies (SCPs) to control which applications can access the information in which accounts in AWS Organizations. 

For example, if you enable access in the AWS Organizations management account only, then applications in member accounts have no access to the information. However, if you enable access in all accounts, you can use SCPs to disallow access by all applications except those you want to permit.

Service control policies are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide.*

### Configuring IAM Identity Center to share identity information
<a name="configure-app-enablement"></a>

IAM Identity Center provides an identity store that contains user and group attributes, excluding sign-in credentials. You can use either of the following methods to keep the users and groups in your IAM Identity Center identity store updated:
+ Use the IAM Identity Center identity store as your main identity source. If you choose this method, you manage your users, their sign-in credentials, and groups from within the IAM Identity Center console or AWS Command Line Interface (AWS CLI). For more information, see [Manage users in the Identity Center directory](manage-your-identity-source-sso.md).
+ Set up provisioning (synchronization) of users and groups coming from either of the following identity sources to your IAM Identity Center identity store:
  + **Active Directory** – For more information, see [Microsoft AD directory](manage-your-identity-source-ad.md).
  + **External identity provider** – For more information, see [External identity providers](manage-your-identity-source-idp.md).

  If you choose this provisioning method, you continue managing your users and groups from within your identity source, and those changes are synchronized to the IAM Identity Center identity store.

Whichever identity source you choose, IAM Identity Center can share the user and group information with AWS managed applications. That way, you can connect an identity source to IAM Identity Center once and then share identity information with multiple applications in the AWS Cloud. This eliminates the need to independently set up federation and identity provisioning with each application. This sharing feature also makes it easy to give your users access to many applications in different AWS accounts.

## Constraining the use of AWS managed applications
<a name="awsapps-constrain"></a>

When you first enable IAM Identity Center, it becomes available as an identity source for AWS managed applications across all accounts in your AWS Organizations. To constrain applications, you must implement service control policies (SCPs). SCPs are a feature of AWS Organizations that you can use to centrally control the maximum permissions that identities (users and roles) in your organization can have. You can use SCPs to block access to the IAM Identity Center user and group information and to prevent the application from being started, except in designated accounts. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide.* 

The following SCP example blocks access to the IAM Identity Center user and group information and prevents the application from being started, except in designated accounts (111111111111 and 222222222222):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIdCExceptInDesignatedAWSAccounts",
      "Effect": "Deny",
      "Action": [
        "identitystore:*",
        "sso:*",
        "sso-directory:*",
        "sso-oauth:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "111111111111",
            "222222222222"
          ]
        }
      }
    }
  ]
}
```
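Both the account-level scoping described under *Sharing identity information* and the Deny statement above can be sanity-checked before the policy is attached. The evaluator below is an added example, not AWS code: it models only the policy elements this SCP uses (a Deny, action wildcards, `Resource` `"*"`, and `StringNotEquals` on `aws:PrincipalAccount`), and it assumes the account IDs 111111111111 and 222222222222 are the page's placeholders.

```python
"""Offline evaluator for the SCP pattern shown on this page.

Added example (not AWS's own code). It models only what the page's policy
uses so the deny can be reviewed account by account, offline, before the
policy is attached in AWS Organizations.
"""
import fnmatch
import json

# Constructed for this example: the page's placeholder account IDs.
DESIGNATED_ACCOUNTS = ["111111111111", "222222222222"]

# The page's statement, wrapped in a complete policy document. A real SCP set
# also needs an Allow (the default FullAWSAccess SCP); this Deny only narrows
# that allow, so the evaluator below models the Deny side only.
SCP_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIdCExceptInDesignatedAWSAccounts",
        "Effect": "Deny",
        "Action": ["identitystore:*", "sso:*", "sso-directory:*", "sso-oauth:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:PrincipalAccount": DESIGNATED_ACCOUNTS}
        },
    }],
})


def _as_list(value):
    """IAM lets Action, Resource, Statement and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names match case-insensitively; * and ? are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, context):
    """Evaluate the String operators this page's policy uses; keys are ANDed.

    A negated operator (StringNotEquals) is true when the key is absent from
    the request context, so a Deny built on it fails closed. Any operator
    not modelled here makes the statement not apply.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            values = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            else:
                return False
    return True


def denying_sid(policy_json, action, context):
    """Return the Sid of the first Deny statement that blocks the call, else None."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("an SCP must declare Version 2012-10-17")
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # only Resource "*" is modelled here
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid", "<unnamed>")
    return None


def review_grid(policy_json, accounts, actions):
    """Map (account, action) -> denying Sid or None, for a pre-attach review."""
    return {
        (acct, act): denying_sid(policy_json, act, {"aws:PrincipalAccount": acct})
        for acct in accounts
        for act in actions
    }


if __name__ == "__main__":
    grid = review_grid(
        SCP_DOCUMENT,
        DESIGNATED_ACCOUNTS + ["333333333333"],  # 333... is a constructed non-designated account
        ["sso:CreateInstance", "identitystore:ListUsers", "s3:GetObject"],
    )
    for (acct, act), sid in sorted(grid.items()):
        print(f"{acct} {act:26} {'DENIED by ' + sid if sid else 'not denied by this SCP'}")
```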

# AWS managed applications that you can use with IAM Identity Center
<a name="awsapps-that-work-with-identity-center"></a>

IAM Identity Center lets you connect your existing identity source or create users once. This enables application administrators to manage access to the following AWS managed applications without separate federation or user and group synchronization. 

All of the AWS managed applications in the following table integrate with [organization instances of IAM Identity Center](organization-instances-identity-center.md). The table also provides information about the following for a supported AWS managed application:
+ Whether the application also integrates with account instances of IAM Identity Center
+ Whether the application can enable trusted identity propagation through IAM Identity Center
+ Whether the application supports IAM Identity Center configured with a customer managed KMS key
+ Whether the application supports deployment in additional Regions of IAM Identity Center

**Note**  
Applications that support deployment in additional Regions of IAM Identity Center also support IAM Identity Center configured with a customer managed KMS key. Every AWS managed application listed here supports deployment in the primary Region. For more information, see [Deploying and managing AWS managed applications across multiple AWS Regions](multi-region-application-use.md#multi-region-aws-managed-applications).


**AWS managed applications that integrate with IAM Identity Center**  

| AWS managed application | Integrated with [account instances of IAM Identity Center](account-instances-identity-center.md) | Enables [trusted identity propagation](trustedidentitypropagation-overview.md) through IAM Identity Center | Supports IAM Identity Center configured with a [customer managed KMS key](encryption-at-rest.md) | Supports deployment in [additional Regions of IAM Identity Center](multi-region-iam-identity-center.md) |
| --- | --- | --- | --- | --- |
| Amazon Athena SQL | Yes | Yes | Yes | Yes |
| Amazon CodeCatalyst | Yes | No | Yes | No |
| Amazon DataZone | Yes | Yes | Yes | No |
| Amazon EKS Capabilities | Yes | Yes | Yes | No |
| Amazon EMR on EC2 | Yes | Yes | Yes | No |
| Amazon EMR on EKS | Yes | Yes | Yes | No |
| Amazon EMR Serverless | Yes | Yes | Yes | No |
| Amazon EMR Studio | Yes | Yes | Yes | No |
| Amazon Kendra | No | No | Yes | No |
| Amazon Managed Grafana | No | No | Yes | No |
| Amazon Monitron | No | No | No | No |
| Amazon OpenSearch Service | Yes | Yes | Yes | No |
| Amazon OpenSearch Service Serverless Service | Yes | Yes | Yes | No |
| Amazon Q Business | Yes | Yes | Yes | No |
| Amazon Quick | Yes | Yes | Yes | No |
| Amazon Redshift | Yes² | Yes | Yes | Yes |
| Amazon S3 Access Grants | Yes | Yes | Yes | Yes |
| Amazon SageMaker Studio | No | Yes | Yes | No |
| Amazon SageMaker Unified Studio | Yes | Yes | Yes | No |
| Amazon WorkMail | Yes | Yes | Yes | No |
| Amazon WorkSpaces | Yes | No | Yes | No |
| Amazon WorkSpaces Secure Browser | No | No | Yes | No |
| AWS App Studio | Yes | No | No | No |
| AWS Deadline Cloud | Yes | No | Yes | Yes |
| AWS Glue | Yes | Yes | Yes | No |
| AWS IoT Events | No | No | No | No |
| AWS IoT SiteWise | No | No | No | No |
| AWS Lake Formation | Yes | Yes | Yes | Yes |
| AWS re:Post Private | Yes | No | Yes | No |
| AWS Supply Chain | Yes | No | Yes | No |
| AWS Systems Manager | No | No | Yes | Yes (Fleet Manager Remote Desktop) |
| AWS Transfer Family web apps | Yes | Yes | Yes | No |
| AWS Transform | Yes | No | Yes | No |
| AWS Verified Access | No | No | Yes | No |
| Kiro | Yes¹ | Yes | Yes | No |
| Multi-party approval | No | Yes | Yes | No |
| OpenSearch user interface (Dashboards) | Yes | Yes | Yes | No |

¹ For Kiro, account instances of IAM Identity Center are supported unless your users require access to the full set of Kiro features on AWS websites. For more information, see [Setting up Kiro](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/getting-started-q-dev.html) in the *Kiro User Guide*.

² For Amazon Redshift, account instances of IAM Identity Center are supported except for applications like Query Editor v2 that require permission sets, which are not supported by account instances.

**Note**  
Some AWS services such as Amazon Connect and AWS Client VPN are not listed in this table although you can use them with IAM Identity Center. This is because they integrate with IAM Identity Center exclusively using SAML and are therefore categorized as [customer managed applications](customermanagedapps.md). 

# Quick start: Setting up IAM Identity Center to test AWS managed applications
<a name="awsapps-identity-center-quick-start"></a>

 If your administrator hasn’t already provided you with access to IAM Identity Center, you can use the steps in this topic to set up IAM Identity Center to test AWS managed applications. You'll learn how to enable IAM Identity Center, create a user directly in IAM Identity Center, and assign that user to an AWS managed application. 

 This topic provides quick-start steps on how to enable IAM Identity Center in either of the following ways: 
+ **With AWS Organizations** – If you choose this option, an *organization instance* of IAM Identity Center is created.
+ **Only in your specific AWS account** – If you choose this option, an *account instance* of IAM Identity Center is created.

 For information about these instance types, see [Organization and account instances of IAM Identity Center](identity-center-instances.md). 

## Prerequisites
<a name="awsapps-quick-start-set-up-access-prerequisites"></a>

Before you enable IAM Identity Center, confirm the following:
+ **You have an AWS account** – If you do not have an AWS account, see [Getting started with an AWS account](https://docs.aws.amazon.com//accounts/latest/reference/getting-started.html) in the *AWS Account Management Reference Guide.* 
+ **The AWS managed application works with IAM Identity Center** – Review the list of [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md) to confirm that the AWS managed application you want to test works with IAM Identity Center.
+ **You’ve reviewed Regional considerations** – Make sure that the AWS managed application you want to test is supported in the AWS Region where you enable IAM Identity Center. For more information, see the documentation for the AWS managed application.
**Note**  
You must deploy your AWS managed application in the same Region where you plan to enable IAM Identity Center.

## Setting up an organization instance of IAM Identity Center to test AWS managed applications
<a name="awsapps-quick-start-setting-up-identity-center-to-test-awsmanagedapps"></a>

**Note**  
 This topic describes how to enable IAM Identity Center with AWS Organizations, which is the recommended way to enable IAM Identity Center. 

**Confirm your permissions**

To enable IAM Identity Center with AWS Organizations, you must sign in to the AWS Management Console as either of the following:
+ A user with administrative permissions in the AWS account where IAM Identity Center will be enabled with AWS Organizations.
+ The root user (not recommended unless no other administrative users exist).
**Important**  
The root user has access to all AWS services and resources in the account. As a security best practice, unless you have no other credentials, do not use your account's root credentials to access AWS resources. These credentials provide unrestricted account access and are difficult to revoke.

### Step 1. Enable IAM Identity Center with AWS Organizations
<a name="awsapps-quick-start-enable-identity-center-with-awsorganizations"></a>

1. Do one of the following to sign in to the AWS Management Console.
   + **New to AWS (root user)** – Sign in as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
   + **Already using AWS with a standalone AWS account (IAM credentials)** – Sign in using your IAM credentials with administrative permissions.

1. On the AWS Management Console Home page, select the IAM Identity Center service or navigate to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Enable**, and enable IAM Identity Center with AWS Organizations. When you do this, you’re creating an [organization instance](organization-instances-identity-center.md) of IAM Identity Center.

### Step 2. Create an administrative user in IAM Identity Center
<a name="awsapps-quick-start-create-an-administrative-user-in-identity-center"></a>

This procedure describes how to create a user directly in the built-in Identity Center directory. This directory isn't connected to any other directory that your administrator might use to manage workforce users. After you create the user in IAM Identity Center, you'll specify new credentials for this user. When you sign in as this user to test your AWS managed application, you'll sign in with the new credentials, not with any existing credentials that you use to access corporate resources.
**Note**  
We recommend that you use this method for creating users for testing purposes only.

1. In the navigation pane of the IAM Identity Center console, choose **Users**, and then choose **Add user**. 

1. Follow the guidance in the console to add the user. Keep **Send an email to this user with password setup instructions** selected and make sure that you specify an email address to which you have access.

1. In the navigation pane, choose AWS accounts, select the check box next to your account, and choose **Assign users or groups**.

1. Choose the **Users** tab, select the check box next to the user that you just added, and choose **Next**.

1. Choose **Create permission set**, and follow the guidance in the console to create the `AdministratorAccess` predefined permission set.

1. When you’re done, the new permission set appears in the list. Close the **Permission sets** tab in your browser window, return to the **Assign users and groups** tab, and choose the refresh icon next to **Create permission set**.

1. On the **Assign users and groups** browser tab, the new permission set appears in the list. Select the check box next to the name of the permission set, choose **Next**, and then choose **Submit**. 

1. Sign out of the console.

### Step 3. Sign in to the AWS access portal as an administrative user
<a name="awsapps-quick-start-sign-in-to-aws-access-portal-as-administrative-user"></a>

The AWS access portal is a web portal that provides the user that you created with access to the AWS Management Console. Before you can sign in to the AWS access portal, you must accept the invitation to join IAM Identity Center and activate your user credentials.

1. Check your email for the subject line **Invitation to join AWS IAM Identity Center**.

1. Choose **Accept invitation**, and follow the guidance on the sign-up page to set a new password, sign in, and register an MFA device for your user.

1. After you register your MFA device, the AWS access portal opens.

1. In the AWS access portal, select your AWS account and choose **AdministratorAccess**. You are redirected to the AWS Management Console.

### Step 4. Configure the AWS managed application to use IAM Identity Center
<a name="awsapps-quick-start-configure-aws-managed-app-to-use-identity-center"></a>

1. While you are signed in to the AWS Management Console, open the console for the AWS managed application that you plan to use.

1. Follow the guidance in the console to configure the AWS managed application to use IAM Identity Center. During this process, you can assign the user that you created to the application.

## Setting up an account instance of IAM Identity Center to test AWS managed applications
<a name="awsapps-quick-start-setting-up-account-instance-identity-center-to-test-awsmanagedapps"></a>

**Note**  
An account instance of IAM Identity Center limits your deployment to a single AWS account. You must enable this instance in the same AWS Region as the AWS application you want to test.

**Confirm your app**

 All AWS managed applications that work with IAM Identity Center can be used with organization instances of IAM Identity Center. However, only some of these applications can be used with account instances of IAM Identity Center. Review the list of [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md). 

### Step 1. Enable an account instance of IAM Identity Center
<a name="awsapps-quick-start-enable-account-instance-identity-center"></a>

1. Do one of the following to sign in to the AWS Management Console.
   + **New to AWS (root user)** – Sign in as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
   + **Already using AWS with a standalone AWS account (IAM credentials)** – Sign in using your IAM credentials with administrative permissions.

1. On the AWS Management Console Home page, select the IAM Identity Center service or navigate to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Enable**.

1. On the **Enable IAM Identity Center with AWS Organizations** page, choose **enable an account instance of IAM Identity Center**.

1. On the **Enable account instance of IAM Identity Center** page, review the information and optionally add tags that you want to associate with this account instance. Then choose **Enable**. 

### Step 2. Create a user in IAM Identity Center
<a name="awsapps-quick-start-create-user-in-identity-center"></a>

This procedure describes how to create a user directly in the built-in Identity Center directory. This directory isn't connected to any other directory that your administrator might use to manage workforce users. After you create the user in IAM Identity Center, you'll specify new credentials for this user. When you sign in as this user to test your AWS managed application, you'll sign in with the new credentials. The new credentials will not allow you to access other corporate resources.
**Note**  
We recommend that you use this method for creating users for testing purposes only.

1. In the navigation pane of the IAM Identity Center console, choose **Users**, and then choose **Add user**. 

1. Follow the guidance in the console to add the user. Keep **Send an email to this user with password setup instructions** selected and make sure that you specify an email address to which you have access.

1. Sign out of the console.

### Step 3. Sign in to the AWS access portal as your IAM Identity Center user
<a name="awsapps-quick-start-sign-in-to-aws-access-portal-as-user"></a>

The AWS access portal is a web portal that provides the user that you created with access to the AWS Management Console. Before you can sign in to the AWS access portal, you must accept the invitation to join IAM Identity Center and activate your user credentials.

1. Check your email for the subject line **Invitation to join AWS IAM Identity Center**.

1. Choose **Accept invitation**, and follow the guidance on the sign-up page to set a new password, sign in, and register an MFA device for your user.

1. After you register your MFA device, the AWS access portal opens. When applications are available to you, you’ll find them under the **Applications** tab.
**Note**  
AWS applications that support account instances allow users to sign in to applications without requiring additional permissions. Therefore, the **Accounts** tab will remain empty.

### Step 4. Configure the AWS managed application to use IAM Identity Center
<a name="awsapps-quick-start-configure-aws-managed-app-to-use-account-instance-identity-center"></a>

1. While you are signed in to the AWS Management Console, open the console for the AWS managed application that you plan to use.

1. Follow the guidance in the console to configure the AWS managed application to use IAM Identity Center. During this process, you can assign the user that you created to the application.

# Viewing and changing details about an AWS managed application
<a name="aws-managed-applications-view-details"></a>

After you connect an AWS managed application to IAM Identity Center by using the console or APIs for the application, the application is registered with IAM Identity Center. After an application is registered with IAM Identity Center, you can view and change details about the application in the IAM Identity Center console.

Information about the application includes whether user and group assignments are required, and if applicable, assigned users and groups and trusted applications for identity propagation. For information about trusted identity propagation, see [Trusted identity propagation overview](trustedidentitypropagation-overview.md).

**To view and change information about an AWS managed application in the IAM Identity Center console**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Applications**.

1. Choose the **AWS managed** tab.

1. Choose the link for the managed application you'd like to open and view.

1. If you want to change information about an AWS managed application, choose **Action** and then choose **Edit Details**.

1. You can change the application's display name, its description, and the user and group assignment method.

   1. To change the display name, enter the desired name in the **Display name** field and choose **Save changes**.

   1. To change the description, enter the desired description in the **Description** field and choose **Save changes**.

   1. To change the user and group assignment method, make the desired change and choose **Save changes**. For more information, see [Users, groups, and provisioning in IAM Identity Center](users-groups-provisioning.md).

# Disabling an AWS managed application
<a name="awsapps-remove"></a>

To prevent users from authenticating to an AWS managed application, you can disable the application in the IAM Identity Center console.

**To disable an AWS managed application**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Applications**.

1. On the **Applications** page, under **AWS managed applications**, choose the application that you want to disable.

1. With the application selected, choose **Actions**, and then choose **Disable**.

1. In the **Disable application** dialog box, choose **Disable**. 

1. In the **AWS managed applications** list, the application status appears as **Inactive**. 

**Note**  
If an AWS managed application is disabled, you can restore users' ability to authenticate to the application by choosing **Actions** and then **Enable**.

# Enabling identity-enhanced console sessions
<a name="identity-enhanced-sessions"></a>

An identity-enhanced session for the console enhances a user's AWS console session by providing some additional user context to personalize that user's experience. This capability is currently supported for Kiro Pro users of [Kiro on AWS apps and websites](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/q-on-aws.html).

You can enable identity-enhanced console sessions without making any changes to existing access patterns or federation into the AWS console. If your users sign in to the AWS console with IAM (for example, if they sign in as IAM users or through federated access with IAM), they can continue using these methods. If your users sign in to the AWS access portal, they can continue using their IAM Identity Center user credentials.

**Topics**
+ [Prerequisites and considerations](#prereqs-and-considerations)
+ [How to enable identity-enhanced console sessions](#enable-identity-enhanced-sessions-q)
+ [How identity-enhanced console sessions work](#how-identity-enhanced-sessions-work)

## Prerequisites and considerations
<a name="prereqs-and-considerations"></a>

Before you enable identity-enhanced console sessions, review the following prerequisites and considerations:
+ If your users access Kiro on AWS apps and websites through a Kiro Pro subscription, you must enable identity-enhanced console sessions.
**Note**  
Kiro users can access Kiro without identity-enhanced sessions, but they will not have access to their Kiro Pro subscriptions. 
+ Identity-enhanced console sessions require an [organization instance](organization-instances-identity-center.md) of IAM Identity Center.
+ Integration with Kiro isn't supported if you enable IAM Identity Center in an opt-in AWS Region.
+ To enable identity-enhanced console sessions, you must have the following permissions:
  + `sso:CreateApplication`
  + `sso:GetSharedSsoConfiguration`
  + `sso:ListApplications`
  + `sso:PutApplicationAssignmentConfiguration`
  + `sso:PutApplicationAuthenticationMethod`
  + `sso:PutApplicationGrant`
  + `sso:PutApplicationAccessScope`
  + `signin:CreateTrustedIdentityPropagationApplicationForConsole`
  + `signin:ListTrustedIdentityPropagationApplicationsForConsole`
+ To enable your users to use identity-enhanced console sessions, you must grant them the `sts:setContext` permission in an identity-based policy. For information, see [Granting users permissions to use identity-enhanced console sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_sts-setcontext.html).
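The permissions listed above, written out as an identity-based policy. This is an added example, not a policy from this guide or from the IAM Identity Center service, and it is shown as one document with two statements only for readability: attach a policy containing the first statement to the administrator who enables the feature, and a policy containing the second statement to the roles or permission sets of the users who will get identity-enhanced sessions. The `Sid` values are constructed; `"Resource": "*"` is used because the example does not assume anything about your account's ARNs, and `sts:SetContext` is written in the capitalization used by the STS action reference (IAM matches action names case-insensitively).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminCanEnableIdentityEnhancedConsoleSessions",
      "Effect": "Allow",
      "Action": [
        "sso:CreateApplication",
        "sso:GetSharedSsoConfiguration",
        "sso:ListApplications",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole",
        "signin:ListTrustedIdentityPropagationApplicationsForConsole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UsersCanHaveConsoleSessionsEnhanced",
      "Effect": "Allow",
      "Action": "sts:SetContext",
      "Resource": "*"
    }
  ]
}
```

Keep the two statements on separate principals in practice: the `sso:Put*` and `signin:Create*` actions change tenant-wide configuration and belong only with the administrator, while end users need nothing beyond `sts:SetContext` for their own sessions.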

## How to enable identity-enhanced console sessions
<a name="enable-identity-enhanced-sessions-q"></a>

You can enable identity-enhanced console sessions in the Kiro console or in the IAM Identity Center console.

**Enable identity-enhanced console sessions in the Kiro console**

Before you enable identity-enhanced console sessions, you must have an organization instance of IAM Identity Center with an identity source connected. If you've already configured IAM Identity Center, skip to step 3.

1. Open the IAM Identity Center console. Choose **Enable**, and create an organization instance of IAM Identity Center. For information, see [Enable IAM Identity Center](enable-identity-center.md).

1. Connect your identity source to IAM Identity Center and provision users into IAM Identity Center. You can connect your existing identity source to IAM Identity Center or use the Identity Center directory if you are not already using another identity source. For more information, see [IAM Identity Center identity source tutorials](tutorials.md).

1. After you finish setting up IAM Identity Center, open the Kiro console and follow the steps in [Subscriptions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/q-admin-setup-subscribe-management-account.html) in the *Kiro User Guide*. Make sure to enable identity-enhanced console sessions.
**Note**  
If you do not have sufficient permissions to enable identity-enhanced console sessions, you might need to ask an IAM Identity Center administrator to perform this task for you in the IAM Identity Center console. For more information, see the next procedure.

**Enable identity-enhanced console sessions in the IAM Identity Center console**

If you are an IAM Identity Center administrator, you might be asked by another administrator to enable identity-enhanced console sessions in the IAM Identity Center console. 

1. Open the IAM Identity Center console.

1. In the navigation pane, choose **Settings**.

1. Under **Enable identity-enhanced sessions**, choose **Enable**.

1. In the second message, choose **Enable**.

1. After you finish enabling identity-enhanced console sessions, a confirmation message appears at the top of the **Settings** page.

1. In the **Details** section, the status for **Identity-enhanced sessions** is **Enabled**.

## How identity-enhanced console sessions work
<a name="how-identity-enhanced-sessions-work"></a>

IAM Identity Center enhances a user's current console session to include the active IAM Identity Center user's ID and the IAM Identity Center session ID.

Identity-enhanced console sessions include the following three values:
+ **Identity store user ID** ([identitystore:UserId](condition-context-keys-sts-idc.md#condition-keys-identity-store-user-id)) - This value is used to uniquely identify a user in the identity source that is connected to IAM Identity Center.
+ **Identity store directory ARN** ([identitystore:IdentityStoreArn](condition-context-keys-sts-idc.md#condition-keys-identity-store-arn)) - This value is the ARN of the identity store that is connected to IAM Identity Center, and where you can look up attributes for `identitystore:UserId`.
+ **IAM Identity Center session ID** - This value indicates whether the user's IAM Identity Center session is still valid.

The values are the same, but obtained in different ways and added at different points of the process, depending on how the user signs in:
+ **IAM Identity Center (AWS access portal)**: In this case, the user's identity store user ID and ARN values are already provided in the active IAM Identity Center session. IAM Identity Center enhances the current session by adding only the session ID.
+ **Other sign-in methods**: If the user signs in to AWS as an IAM user, with an IAM role, or as a federated user with IAM, none of these values are provided. IAM Identity Center enhances the current session by adding the identity store user ID, identity store directory ARN, and the session ID.