Enable IAM Identity Center
When you enable IAM Identity Center you choose an AWS IAM Identity Center instance type to enable. An instance of a
service is a single deployment of a service within your AWS environment. There are two types
of instances available for IAM Identity Center: organization instances and account instances. The instance
types available for you to enable depend upon the account type you are signed into.
The following list identifies the type of IAM Identity Center instance you can enable for each type of AWS account:
- Your AWS Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
- Your AWS Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member-level instance can exist in an organization.
- A standalone AWS account – Use to create an organization instance or an account instance of IAM Identity Center. The standalone AWS account isn't managed by AWS Organizations. Only one instance of IAM Identity Center can be associated with a standalone AWS account, and you can use the instance for application assignments within that standalone AWS account.
For a comparison of the different capabilities provided by the different instance types, see Organization and account instances of IAM Identity Center.
Before enabling IAM Identity Center, we recommend that you review IAM Identity Center prerequisites and considerations.
To enable an instance of IAM Identity Center

Choose the tab for the type of IAM Identity Center instance you want to enable, either an organization or account instance:

Organization (recommended)
- Do one of the following to sign in to the AWS Management Console.
  - New to AWS (root user) – Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
  - Already using AWS with a standalone AWS account (IAM credentials) – Sign in using your IAM credentials with administrative permissions.
  - Already using AWS Organizations (IAM credentials) – Sign in using your management account credentials.
- Open the IAM Identity Center console.
- Under Enable IAM Identity Center, choose Enable.
- On the Enable IAM Identity Center with AWS Organizations page, review the information and then select Enable to complete the process.

AWS Organizations can have IAM Identity Center enabled only in a single AWS Region. After enabling IAM Identity Center, if you need to change the Region that IAM Identity Center is enabled in, you must delete the current instance and create an instance in the other Region.

After enabling your organization instance, we recommend that you do the following steps to finish setting up your environment:
Account
- Do one of the following to sign in to the AWS Management Console.
  - New to AWS (root user) – Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
  - Already using AWS (IAM credentials) – Sign in using your IAM credentials with administrative permissions.
  - Already using AWS Organizations (IAM credentials) – Sign in using your member account administrative credentials.
- Open the IAM Identity Center console.
- If you are new to AWS or have a standalone AWS account, under Enable IAM Identity Center, choose Enable. You see the Enable IAM Identity Center with AWS Organizations page. We recommend this option, but it is not required. Select the link enable an account instance of IAM Identity Center.
- If you are an administrator of an AWS Organizations member account, under Enable an account instance of IAM Identity Center, select Enable an account instance.
- On the Enable an account instance of IAM Identity Center page, review the information and optionally add tags that you want to associate with this account instance. Then select Enable to complete the process.

If your AWS account is a member of an organization, there might be restrictions on your ability to enable an account instance of IAM Identity Center.

If your organization enabled IAM Identity Center before November 15, 2023, the ability for member accounts to create account instances is disabled by default and must be enabled by the management account of the organization.

If your organization enabled IAM Identity Center after November 15, 2023, the ability for member accounts to create account instances is enabled by default. However, service control policies can be used to prevent the creation of account instances of IAM Identity Center within an organization.

For more information, see Permit account instance creation in member accounts and Control account instance creation with Service Control Policies.
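The following service control policy is an added example, not part of this page or of the AWS documentation it comes from. It shows the shape of the restriction described above: an explicit Deny on the IAM Identity Center API action that creates an instance (`sso:CreateInstance`), attached to the organization root or to the organizational units whose member accounts should not be able to create account instances. The Sid value is a constructed name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccountInstanceCreation",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*"
    }
  ]
}
```

Because service control policies never apply to the management account, this policy does not interfere with enabling the organization instance there; it only blocks member accounts in its scope from creating account instances. Existing account instances are not removed by attaching the policy, so inventory them separately before relying on it.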