Enable IAM Identity Center
When you enable IAM Identity Center you choose an AWS IAM Identity Center instance type to enable. An instance of a service is a single deployment of a service within your AWS environment. There are two types of instances available for IAM Identity Center: organization instances and account instances. The instance types available for you to enable depend upon the account type you are signed into.
The following list identifies the type of IAM Identity Center instances you can enable for each type of AWS account:
- Your AWS Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
- Your AWS Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. More than one member account in an organization can have its own account instance.
- A standalone AWS account – Use to create an organization instance or an account instance of IAM Identity Center. A standalone AWS account isn't managed by AWS Organizations. Only one instance of IAM Identity Center can be associated with a standalone AWS account, and you can use that instance for application assignments within the standalone AWS account only.
Important
The organization management account can control whether organization member accounts can create account instances of IAM Identity Center by using a Service Control Policy.
For a comparison of the different capabilities provided by the different instance types, see Organization and account instances of IAM Identity Center.
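As an added example (not taken from the original page), the following Service Control Policy denies the `sso:CreateInstance` action so that member accounts it is attached to cannot create account instances of IAM Identity Center. The statement ID is an assumed name; attach the policy to the organization root, or to the OUs containing the member accounts you want to restrict.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountInstanceCreation",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*"
    }
  ]
}
```

Two caveats apply. SCPs never restrict the management account, so this policy does not interfere with creating the organization instance there. It also does not remove account instances that already exist; a Deny only blocks new CreateInstance calls. To find pre-existing account instances, run `aws sso-admin list-instances` with credentials in each member account.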
Before enabling IAM Identity Center, we recommend that you review IAM Identity Center prerequisites and considerations.
To enable an instance of IAM Identity Center
Choose the tab for the type of IAM Identity Center instance you want to enable, either an organization or account instance:
- Do one of the following to sign in to the AWS Management Console.
  - New to AWS (root user) – Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
  - Already using AWS with a standalone AWS account (IAM credentials) – Sign in using your IAM credentials with administrative permissions.
  - Already using AWS Organizations (IAM credentials) – Sign in using your management account credentials.
- Open the IAM Identity Center console.
- Under Enable IAM Identity Center, choose Enable.
- On the Enable IAM Identity Center with AWS Organizations page, review the information and then select Enable to complete the process.
Note
An AWS Organization can have IAM Identity Center enabled in only a single AWS Region. If you later need to move IAM Identity Center to a different Region, you must delete the current instance and create a new instance in the other Region. Deleting the instance also deletes its configuration, including users and groups in the Identity Center directory, permission sets, and assignments, so plan the move before you have built out access on the existing instance.
After enabling your organization instance we recommend that you do the following steps to finish setting up your environment:
- Confirm that you're using the identity source of your choice. If you already have an assigned identity source, you can continue to use it. For more information, see Confirm your identity sources in IAM Identity Center.
- Register a member account as a delegated administrator. For more information, see Delegated administration.
- IAM Identity Center provides you an access portal to AWS resources. If you filter access to specific AWS domains or URL endpoints by using a web content filtering solution such as a next-generation firewall (NGFW) or Secure Web Gateway (SWG), see Update firewalls and gateways to allow access to the AWS access portal.