

# Getting started with IAM Identity Center
<a name="getting-started"></a>

The following outlines how you can get started with IAM Identity Center.

1. **Enable IAM Identity Center**

   When you [enable IAM Identity Center](enable-identity-center.md), you choose between two types of IAM Identity Center instances. These types are: [*organization instances*](organization-instances-identity-center.md) (recommended) and [*account instances*](account-instances-identity-center.md). To learn more about the different capabilities of these instance types, see [organization and account instances of IAM Identity Center](identity-center-instances.md).
**Note**  
After IAM Identity Center is enabled, you can sign in and open the [IAM Identity Center console](https://console.aws.amazon.com//singlesignon/) by doing either of the following:   
**Organization instance** - Sign in to AWS using credentials with administrative permissions in the management account.
**Account instance** - Sign in to AWS using credentials with administrative permissions in the AWS account where IAM Identity Center is enabled.

1. **Connect your identity source to IAM Identity Center**

   In the IAM Identity Center console, confirm the identity source that you want to use. The following identity sources are available:
   + **External identity provider** - If you have an existing identity provider to manage your workforce users, you can connect it to IAM Identity Center. For more information about how to configure commonly used identity providers to work with IAM Identity Center, see [IAM Identity Center identity source tutorials](tutorials.md).
   + **Active Directory** - If you are using Active Directory to manage your workforce users, you can connect it to IAM Identity Center. For more information, see [Using Active Directory as an identity source](gs-ad.md).
   + **IAM Identity Center** - Alternatively, you can [create and manage users and groups directly in IAM Identity Center](quick-start-default-idc.md).
**Note**  
Presently, you must use an external identity provider as the identity source to take advantage of a multi-Region setup with your IAM Identity Center instance. For more information about the benefits of this setup, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).

1. **Set up user access to AWS accounts (organization instance only)**

   If you’re using an organization instance of IAM Identity Center, you can [assign user or group access to AWS accounts](https://docs.aws.amazon.com//singlesignon/latest/userguide/assignusers.html), using [permission sets](https://docs.aws.amazon.com//singlesignon/latest/userguide/permissionsetsconcept.html) to grant your users access to AWS accounts and resources.

1. **Set up user access to applications**

   With IAM Identity Center, you can grant users access to two types of applications:

   1. **[AWS managed applications](awsapps.md)**
      + You can use IAM Identity Center with AWS managed applications like Amazon Q Business, AWS CLI, and Amazon Redshift. For more information, see [AWS managed applications](awsapps.md) and [Integrating AWS CLI with IAM Identity Center](integrating-aws-cli.md).

   1. **[Customer managed applications](customermanagedapps.md)**
      + You can integrate either of the following types of customer managed applications with IAM Identity Center:
        + [Applications listed in IAM Identity Center catalog](saasapps.md)
        + [Your custom applications](customermanagedapps-set-up-your-own-app-saml2.md)
      +  After configuring your application, you can [assign your users access to the application](assignuserstoapp.md).

1. **Provide your users with sign-in instructions for the AWS access portal**

   The AWS access portal is a web portal that provides your users with seamless access to all their assigned applications, AWS accounts, or both. New users in IAM Identity Center must activate their user credentials before they can sign in to the AWS access portal. 

   For information about how to sign in to the AWS access portal, see [Sign in to the AWS access portal](https://docs.aws.amazon.com//signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*. To learn about the sign-in process for the AWS access portal, see [Signing in to the AWS access portal](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtosignin.html).

# IAM Identity Center prerequisites and considerations
<a name="identity-center-prerequisites"></a>

You can use IAM Identity Center for access to AWS managed applications only, AWS accounts only, or both. If you are using IAM federation to manage access to AWS accounts, you can continue to do so while using IAM Identity Center for application access.

Before enabling IAM Identity Center, consider the following:
+ AWS Region

  You first enable IAM Identity Center in a single, [supported](regions.md) Region for each instance of IAM Identity Center. If you want to use IAM Identity Center for single-sign on access to AWS accounts, the Region must be accessible by all of the users in your organization. If you plan to use IAM Identity Center for application access, be aware that some AWS managed applications, such as Amazon SageMaker AI, can operate only in the Regions they support. Also, most AWS managed applications require IAM Identity Center to be available in the same Region as the application. This can be achieved by co-locating them in the same Region, or when supported, by replicating the IAM Identity Center instance to the desired deployment Region of an AWS managed application. For more information, see [Considerations for choosing an AWS Region](identity-center-region-considerations.md).
+ Application access only

  You can use IAM Identity Center only for user access to applications such as Kiro, using your existing identity provider. For more information, see [Using IAM Identity Center for user access to applications only](identity-center-for-apps-only.md).
**Note**  
Access to application resources is managed independently by the application owner. 
+ Quota for IAM roles

  IAM Identity Center creates IAM roles to give users permissions to account resources. For more information, see [IAM roles created by IAM Identity Center](identity-center-and-iam-roles.md).
+ IAM Identity Center and AWS Organizations

  AWS Organizations is recommended, but not required, for use with IAM Identity Center. If you haven't set up an organization, you do not have to. If you've already set up AWS Organizations and are going to add IAM Identity Center to your organization, make sure that all AWS Organizations features are enabled. For more information, see [IAM Identity Center and AWS Organizations](identity-center-and-orgs.md).

IAM Identity Center web interfaces, including the access portal and the IAM Identity Center console, are intended to be accessed by humans through supported web browsers. Compatible browsers include the latest three versions of Microsoft Edge, Mozilla Firefox, Google Chrome, and Apple Safari. Accessing these endpoints using non-browser based paths is not supported. For programmatic access to IAM Identity Center services, we recommend using the documented APIs available in the IAM Identity Center and Identity Store API reference guides.

# Considerations for choosing an AWS Region
<a name="identity-center-region-considerations"></a>

You can enable IAM Identity Center in a single, supported AWS Region of your choice and it is available to users globally. This global availability makes it easier for you to configure user access to multiple AWS accounts and applications. Following are key considerations for choosing an AWS Region.
+ **Geographical location of your users** – When you select a Region that is geographically closest to the majority of your end users, they'll have lower latency of access to the AWS access portal and AWS managed applications, such as Amazon SageMaker AI.
+ **Opt-in Regions (Regions that are disabled by default)** – An opt-in Region is an AWS Region that is disabled by default. To use an opt-in Region, you must enable it. For more information, see [Managing IAM Identity Center in an opt-in Region](regions.md#manually-enabled-regions).
+ **Replicating IAM Identity Center to additional Regions** – If you plan to replicate IAM Identity Center to additional AWS Regions, you must choose a Region enabled by default. For more information, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).
+ **Choosing deployment Regions for AWS managed applications** – AWS managed applications can operate only in the AWS Regions in which they are available. Many AWS managed applications can also operate only in a Region where IAM Identity Center is enabled or replicated to (primary or additional Region). To confirm if your IAM Identity Center instance supports replication to additional Regions, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md). If replication is not an option, consider enabling IAM Identity Center in the Region where you plan to use AWS managed applications.
+ **Digital sovereignty** – Digital sovereignty regulations or company policies may mandate the use of a particular AWS Region. Consult with your company’s legal department.
+ **Identity source** – If you’re using [AWS Managed Microsoft AD](connectawsad.md) or your self-managed directory in [Active Directory (AD)](connectonpremad.md) as the identity source, its home Region must match the AWS Region in which you enabled IAM Identity Center.
+ **Cross-Region emails with Amazon Simple Email Service** – In some Regions, IAM Identity Center may call [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/ses/latest/dg/Welcome.html) in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information, see [Cross-Region emails with Amazon SES](regions.md#cross-region-calls). 
+ **AWS Control Tower** – If you’re enabling an organization instance of IAM Identity Center from AWS Control Tower, the instance will be created in the same Region as the AWS Control Tower landing zone.

**Topics**
+ [IAM Identity Center Region data storage and operations](regions.md)
+ [Switching AWS Regions](switching-regions.md)
+ [Disabling an AWS Region where IAM Identity Center is enabled](disabling-region-with-identity-center.md)

# IAM Identity Center Region data storage and operations
<a name="regions"></a>

Learn how IAM Identity Center handles data storage and operations across AWS Regions.

## Understand how IAM Identity Center stores data
<a name="region-data"></a>

When you enable IAM Identity Center, all the data that you configure in IAM Identity Center is stored in the Region where you enabled it. This data includes directory configurations, permission sets, application instances, and user assignments to AWS account applications. If you are using the IAM Identity Center identity store, all users and groups that you create in IAM Identity Center are also stored in the same Region. If you replicate your IAM Identity Center instance to additional Regions, IAM Identity Center automatically replicates users, groups, permission sets and their assignments, and other metadata and configuration to those Regions.

## Cross-Region emails with Amazon SES
<a name="cross-region-calls"></a>

 IAM Identity Center uses [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/ses/latest/dg/Welcome.html) to send emails to end users when they attempt to sign in with a one-time password (OTP) as a second authentication factor. These emails are also sent for certain identity and credential management events, such as when a user is invited to set up an initial password, to verify an email address, or to reset their password. Amazon SES is available in a subset of the AWS Regions that IAM Identity Center supports. 

 IAM Identity Center calls Amazon SES local endpoints when Amazon SES is available locally in an AWS Region. When Amazon SES isn't available locally, IAM Identity Center calls Amazon SES endpoints in a different AWS Region, as indicated in the following table. 


| IAM Identity Center Region code | IAM Identity Center Region name | Amazon SES Region code | Amazon SES Region name | 
| --- | --- | --- | --- | 
| ap-east-1 | Asia Pacific (Hong Kong) | ap-northeast-2 | Asia Pacific (Seoul) | 
| ap-east-2 | Asia Pacific (Taipei) | ap-northeast-1 | Asia Pacific (Tokyo) | 
| ap-south-2 | Asia Pacific (Hyderabad) | ap-south-1 | Asia Pacific (Mumbai) | 
| ap-southeast-4 | Asia Pacific (Melbourne) | ap-southeast-2 | Asia Pacific (Sydney) | 
| ap-southeast-5 | Asia Pacific (Malaysia) | ap-southeast-1 | Asia Pacific (Singapore) | 
| ap-southeast-6 | Asia Pacific (New Zealand) | ap-southeast-2 | Asia Pacific (Sydney) | 
| ap-southeast-7 | Asia Pacific (Thailand) | ap-northeast-3 | Asia Pacific (Osaka) | 
| ca-west-1 | Canada West (Calgary) | ca-central-1 | Canada (Central) | 
| eu-south-2 | Europe (Spain) | eu-west-3 | Europe (Paris) | 
| eu-central-2 | Europe (Zurich) | eu-central-1 | Europe (Frankfurt) | 
| mx-central-1 | Mexico (Central) | us-east-2 | US East (Ohio) | 
| me-central-1 | Middle East (UAE) | eu-central-1 | Europe (Frankfurt) | 
| us-gov-east-1 | AWS GovCloud (US-East) | us-gov-west-1 | AWS GovCloud (US-West) | 

 In these cross-Region calls, IAM Identity Center might send the following user attributes: 
+ Email address
+ First name
+ Last name
+ Account in AWS Organizations
+ AWS access portal URL
+ Username
+ Directory ID
+ User ID

## Managing IAM Identity Center in an opt-in Region (Region that is disabled by default)
<a name="manually-enabled-regions"></a>

Most AWS Regions are enabled for operations in all AWS services by default, but you must enable the following [opt-in Regions](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#optinregion) if you want to use IAM Identity Center:
+ Africa (Cape Town)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Taipei)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Jakarta)
+ Asia Pacific (Melbourne)
+ Asia Pacific (Malaysia)
+ Asia Pacific (New Zealand)
+ Asia Pacific (Thailand)
+ Canada West (Calgary)
+ Europe (Milan)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Mexico (Central)
+ Middle East (Bahrain)
+ Middle East (UAE)

 If you deploy IAM Identity Center in an opt-in Region, then you must enable this Region in every account whose access you want to manage with IAM Identity Center. All of these accounts need this configuration, whether or not you'll create resources in that Region. You can enable a Region for the current accounts in your organization, and you must repeat this action when you add new accounts. For instructions, see [Enable or disable a Region in your organization](https://docs.aws.amazon.com//accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization) in the *AWS Organizations User Guide*. To avoid repeating these additional steps, you can choose to deploy your IAM Identity Center instance in a [Region enabled by default](#regions-enabled-by-default). 

**Note**  
Your AWS member account must be opted into the same Region as the opt-in Region where your IAM Identity Center instance is located, so you can access the AWS member account from the AWS access portal.

**Metadata stored in opt-in Regions**  
When you enable IAM Identity Center for a management account in an opt-in AWS Region, the following IAM Identity Center metadata for any member accounts is stored in the Region.
+ Account ID
+ Account name
+ Account email
+ Amazon Resource Names (ARNs) of the IAM roles that IAM Identity Center creates in the member account

## AWS Regions that are enabled by default
<a name="regions-enabled-by-default"></a>

The following Regions are enabled by default and you can enable IAM Identity Center in these Regions. 
+ US East (Ohio)
+ US East (N. Virginia)
+ US West (Oregon)
+ US West (N. California)
+ Europe (Paris)
+ South America (São Paulo)
+ Asia Pacific (Mumbai)
+ Europe (Stockholm)
+ Asia Pacific (Seoul)
+ Asia Pacific (Tokyo)
+ Europe (Ireland)
+ Europe (Frankfurt)
+ Europe (London)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Canada (Central)
+ Asia Pacific (Osaka)

# Switching AWS Regions
<a name="switching-regions"></a>

We recommend that you enable IAM Identity Center in a Region that you intend to keep available for users, not a Region that you might need to disable. For more information, see [Considerations for choosing an AWS Region](identity-center-region-considerations.md).

You can switch your IAM Identity Center Region only by [deleting your current IAM Identity Center instance](delete-config.md) and creating an instance in another Region. If you already enabled an AWS managed application with your existing IAM Identity Center instance, disable the application before deleting IAM Identity Center. For instructions on disabling AWS managed applications, see [Disabling an AWS managed application](awsapps-remove.md). 

**Note**  
If you are considering switching your IAM Identity Center Region to enable the deployment of an AWS managed application in another Region, consider replicating your IAM Identity Center instance to that Region instead. For more information, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).

**Configuration considerations in the new Region**  
 You must recreate users, groups, permission sets, applications, and assignments in the new IAM Identity Center instance. You can use the IAM Identity Center account and application assignment [APIs](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html) to take a snapshot of your configuration and then use that snapshot to rebuild your configuration in the new Region. Switching to a different Region also changes the URL of the [AWS access portal](using-the-portal.md), which provides your users with single sign-on access to their AWS accounts and applications. You might also need to recreate some IAM Identity Center configuration through the AWS Management Console of your new instance. 
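The snapshot-and-rebuild approach described above, together with the permission-set assignment of step 3 in Getting started, as an added worked example in Python; this is not code from the IAM Identity Center documentation. It calls the `sso-admin` and `identitystore` operations by their boto3 method names, carries principals by `userName` and group `displayName` rather than by ID (the new instance's identity store issues new IDs), and preserves each permission set's session duration because it bounds the lifetime of the credentials users obtain. `FakeInstance`, its ARNs, account IDs, user and group names are constructed stand-ins so the flow runs offline; for a real move, pass `boto3.client("sso-admin")` and `boto3.client("identitystore")` configured for the old Region as the source and a second pair configured for the new Region as the target. Customer managed policy references, permissions boundaries, relay state and application assignments are left out and would need the corresponding list/put calls.

```python
"""Snapshot permission sets and account assignments from one IAM Identity Center
instance and replay them into another, carrying users and groups by name because
principal IDs are not portable between identity stores.
Real run: sso = boto3.client("sso-admin"); ids = boto3.client("identitystore").
FakeInstance below is a constructed stand-in so the flow runs offline."""


def paged(client, op, key, **kw):
    """Follow NextToken on any list_* call and collect the `key` items."""
    items, token = [], None
    while True:
        resp = getattr(client, op)(**kw, **({"NextToken": token} if token else {}))
        items += resp.get(key, [])
        if not (token := resp.get("NextToken")):
            return items


def name_of(ids, store, ptype, pid):
    """Principal ID -> portable name (userName, or displayName for groups)."""
    return (ids.describe_user(IdentityStoreId=store, UserId=pid)["UserName"] if ptype == "USER"
            else ids.describe_group(IdentityStoreId=store, GroupId=pid)["DisplayName"])


def id_of(ids, store, ptype, name):
    """Portable name -> principal ID in the *target* identity store."""
    attr = "userName" if ptype == "USER" else "displayName"
    alt = {"UniqueAttribute": {"AttributePath": attr, "AttributeValue": name}}
    return (ids.get_user_id(IdentityStoreId=store, AlternateIdentifier=alt)["UserId"] if ptype == "USER"
            else ids.get_group_id(IdentityStoreId=store, AlternateIdentifier=alt)["GroupId"])


def export_snapshot(sso, ids):
    """Permission sets (managed + inline policies, session duration) and who holds them where."""
    inst = sso.list_instances()["Instances"][0]
    arn, store = inst["InstanceArn"], inst["IdentityStoreId"]
    snap = {"permission_sets": {}, "assignments": []}
    for ps_arn in paged(sso, "list_permission_sets", "PermissionSets", InstanceArn=arn):
        ps = sso.describe_permission_set(InstanceArn=arn, PermissionSetArn=ps_arn)["PermissionSet"]
        snap["permission_sets"][ps["Name"]] = {
            "session_duration": ps.get("SessionDuration", "PT1H"),
            "managed_policies": [p["Arn"] for p in paged(
                sso, "list_managed_policies_in_permission_set", "AttachedManagedPolicies",
                InstanceArn=arn, PermissionSetArn=ps_arn)],
            "inline_policy": sso.get_inline_policy_for_permission_set(
                InstanceArn=arn, PermissionSetArn=ps_arn).get("InlinePolicy", "")}
        for acct in paged(sso, "list_accounts_for_provisioned_permission_set", "AccountIds",
                          InstanceArn=arn, PermissionSetArn=ps_arn):
            for a in paged(sso, "list_account_assignments", "AccountAssignments",
                           InstanceArn=arn, AccountId=acct, PermissionSetArn=ps_arn):
                snap["assignments"].append({
                    "account": acct, "permission_set": ps["Name"], "type": a["PrincipalType"],
                    "name": name_of(ids, store, a["PrincipalType"], a["PrincipalId"])})
    return snap


def import_snapshot(sso, ids, snap):
    """Rebuild the snapshot in the target instance; returns name -> new permission set ARN."""
    inst = sso.list_instances()["Instances"][0]
    arn, store = inst["InstanceArn"], inst["IdentityStoreId"]
    ps_arns = {}
    for name, spec in snap["permission_sets"].items():
        ps_arns[name] = ps_arn = sso.create_permission_set(
            InstanceArn=arn, Name=name, SessionDuration=spec["session_duration"]
        )["PermissionSet"]["PermissionSetArn"]
        for policy_arn in spec["managed_policies"]:
            sso.attach_managed_policy_to_permission_set(
                InstanceArn=arn, PermissionSetArn=ps_arn, ManagedPolicyArn=policy_arn)
        if spec["inline_policy"]:
            sso.put_inline_policy_to_permission_set(
                InstanceArn=arn, PermissionSetArn=ps_arn, InlinePolicy=spec["inline_policy"])
    for a in snap["assignments"]:   # the service provisions each role asynchronously
        sso.create_account_assignment(
            InstanceArn=arn, TargetId=a["account"], TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[a["permission_set"]], PrincipalType=a["type"],
            PrincipalId=id_of(ids, store, a["type"], a["name"]))
    return ps_arns


class FakeInstance:
    """Constructed stand-in for one instance's sso-admin + identitystore clients (not real data)."""
    def __init__(self, arn, users, groups):
        self.arn, self.names, self.ps, self.asg = arn, {"USER": users, "GROUP": groups}, {}, []
    def list_instances(self): return {"Instances": [{"InstanceArn": self.arn, "IdentityStoreId": "d-" + self.arn[-10:]}]}
    def list_permission_sets(self, **kw): return {"PermissionSets": list(self.ps)}
    def describe_permission_set(self, PermissionSetArn, **kw): return {"PermissionSet": self.ps[PermissionSetArn]}
    def list_managed_policies_in_permission_set(self, PermissionSetArn, **kw):
        return {"AttachedManagedPolicies": [{"Arn": a} for a in self.ps[PermissionSetArn]["Managed"]]}
    def get_inline_policy_for_permission_set(self, PermissionSetArn, **kw): return {"InlinePolicy": self.ps[PermissionSetArn]["Inline"]}
    def list_accounts_for_provisioned_permission_set(self, PermissionSetArn, **kw):
        return {"AccountIds": sorted({a["AccountId"] for a in self.asg if a["PermissionSetArn"] == PermissionSetArn})}
    def list_account_assignments(self, AccountId, PermissionSetArn, **kw):
        return {"AccountAssignments": [a for a in self.asg if (a["AccountId"], a["PermissionSetArn"]) == (AccountId, PermissionSetArn)]}
    def create_permission_set(self, Name, SessionDuration, **kw):
        arn = f"{self.arn}/ps-{len(self.ps)}"
        self.ps[arn] = {"Name": Name, "SessionDuration": SessionDuration, "Managed": [], "Inline": ""}
        return {"PermissionSet": {"PermissionSetArn": arn, "Name": Name}}
    def attach_managed_policy_to_permission_set(self, PermissionSetArn, ManagedPolicyArn, **kw): self.ps[PermissionSetArn]["Managed"].append(ManagedPolicyArn)
    def put_inline_policy_to_permission_set(self, PermissionSetArn, InlinePolicy, **kw): self.ps[PermissionSetArn]["Inline"] = InlinePolicy
    def create_account_assignment(self, TargetId, PermissionSetArn, PrincipalType, PrincipalId, **kw):
        self.asg.append({"AccountId": TargetId, "PermissionSetArn": PermissionSetArn, "PrincipalType": PrincipalType, "PrincipalId": PrincipalId})
    def describe_user(self, UserId, **kw): return {"UserName": self.names["USER"][UserId]}
    def describe_group(self, GroupId, **kw): return {"DisplayName": self.names["GROUP"][GroupId]}
    def get_user_id(self, AlternateIdentifier, **kw): return {"UserId": self._lookup("USER", AlternateIdentifier)}
    def get_group_id(self, AlternateIdentifier, **kw): return {"GroupId": self._lookup("GROUP", AlternateIdentifier)}
    def _lookup(self, ptype, alt):
        return next(i for i, n in self.names[ptype].items() if n == alt["UniqueAttribute"]["AttributeValue"])


def demo():
    """Constructed sample: populated old instance in one Region, empty new instance in another."""
    old = FakeInstance("arn:aws:sso:::instance/ssoins-oldregion1", {"u-1": "alice"}, {"g-1": "cloud-admins"})
    ps = old.create_permission_set(Name="ReadOnly", SessionDuration="PT4H")["PermissionSet"]["PermissionSetArn"]
    old.attach_managed_policy_to_permission_set(PermissionSetArn=ps, ManagedPolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess")
    old.put_inline_policy_to_permission_set(PermissionSetArn=ps, InlinePolicy='{"Version":"2012-10-17","Statement":[]}')
    old.create_account_assignment(TargetId="111122223333", PermissionSetArn=ps, PrincipalType="GROUP", PrincipalId="g-1")
    old.create_account_assignment(TargetId="444455556666", PermissionSetArn=ps, PrincipalType="USER", PrincipalId="u-1")
    new = FakeInstance("arn:aws:sso:::instance/ssoins-newregion2", {"u-9": "alice"}, {"g-7": "cloud-admins"})
    import_snapshot(new, new, export_snapshot(old, old))   # same object plays both clients here
    return new


if __name__ == "__main__":
    print(demo().asg)
```

Run the import only after the new instance's identity source is connected and synced, otherwise the name lookups fail; and treat the exported snapshot as sensitive, since the inline policies spell out exactly what each permission set can do.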

# Disabling an AWS Region where IAM Identity Center is enabled
<a name="disabling-region-with-identity-center"></a>

If you disable an AWS Region in which IAM Identity Center is enabled, IAM Identity Center is also disabled. After IAM Identity Center is disabled in a Region, users in that Region won’t have single sign-on access to AWS accounts and applications. 

To re-enable IAM Identity Center in [opt-in AWS Regions](regions.md#manually-enabled-regions), you must re-enable the Region. Because IAM Identity Center must reprocess all paused events, re-enabling IAM Identity Center might take some time.

**Note**  
IAM Identity Center can manage access only to the AWS accounts that are enabled for use in an AWS Region. To manage access across all accounts in your organization, enable IAM Identity Center in the management account in an AWS Region that is automatically activated for use with IAM Identity Center.

For more information about enabling and disabling AWS Regions, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*.

# Using IAM Identity Center for user access to applications only
<a name="identity-center-for-apps-only"></a>

 You can use IAM Identity Center for user access to applications such as Kiro, AWS accounts, or both. You can connect your existing identity provider and synchronize users and groups from your directory, or [create and manage users directly in IAM Identity Center](quick-start-default-idc.md). For information about how to connect your existing identity provider to IAM Identity Center, see the [IAM Identity Center identity source tutorials](tutorials.md).

**Already using IAM for access to AWS accounts?**

You don’t need to make any changes to your current AWS account workflows to use IAM Identity Center for access to AWS managed applications. If you’re using [federation with IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_providers.html#id_roles_providers_iam) for AWS account access, your users can continue to access AWS accounts in the same way they always have, and you can continue to use your existing workflows to manage that access.

# IAM roles created by IAM Identity Center
<a name="identity-center-and-iam-roles"></a>

When you assign a user to an AWS account, IAM Identity Center creates IAM roles to give users permissions to resources.

 When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. IAM Identity Center manages the role, and allows the authorized users you’ve defined to assume the role, by using the AWS access portal or AWS CLI. As you modify the permission set, IAM Identity Center ensures that the corresponding IAM policies and roles are updated accordingly. Replicating your IAM Identity Center instance to additional Regions doesn’t affect existing IAM roles, and it doesn't create new IAM roles.

**Note**  
Permission sets are not used to grant permissions to applications.

If you've already configured IAM roles in your AWS account, we recommend that you check whether your account is approaching the quota for IAM roles. The default quota for IAM roles per account is 1000 roles. For more information, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities). 

If you are nearing the quota, consider requesting a quota increase. Otherwise, you might experience problems with IAM Identity Center when you provision permission sets to accounts that have exceeded the IAM role quota. For information about how to request a quota increase, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) in the *Service Quotas User Guide*.

**Note**  
If you are reviewing IAM roles in an account that is already using IAM Identity Center, you might notice role names beginning with “AWSReservedSSO_”. These are the roles which the IAM Identity Center service has created in the account, and they came from assigning a permission set to the account.
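An added audit script for the roles described above, written for this page and not taken from the AWS documentation. It reads `aws iam list-roles` output, splits roles carrying the `AWSReservedSSO_` prefix into those the service created and look-alikes that merely borrow the prefix, and reports how many more permission-set provisionings fit under the per-account role quota. The path `/aws-reserved/sso.amazonaws.com/` and the trust relationship to an `AWSSSO_*` SAML provider via `sts:AssumeRoleWithSAML` are assumptions about how the service builds its roles and are not stated on this page; `SAMPLE_ROLES` is constructed data.

```python
"""Audit the IAM roles in one account: separate the roles IAM Identity Center
provisions for permission sets from look-alikes that only borrow the name
prefix, and report headroom against the per-account IAM role quota.
Usage: aws iam list-roles --output json > roles.json && python3 audit_idc_roles.py roles.json
Without an argument it runs on the constructed SAMPLE_ROLES below."""
import json
import sys
import urllib.parse

IDC_NAME_PREFIX = "AWSReservedSSO_"
# Assumptions not stated on the page: Identity Center creates its roles under this
# path, and their trust policy lets the account's AWSSSO_* SAML provider call
# sts:AssumeRoleWithSAML. Anything else carrying the prefix deserves a look.
IDC_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
IDC_PROVIDER_MARK = ":saml-provider/AWSSSO_"
DEFAULT_ROLE_QUOTA = 1000   # default IAM roles-per-account quota


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def federated_saml_principals(trust_doc):
    """Federated principals that an Allow statement lets call sts:AssumeRoleWithSAML."""
    stmts = trust_doc.get("Statement", [])
    found = []
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            found += _as_list(principal.get("Federated"))
    return found


def classify_role(role):
    """'identity-center', 'look-alike' (reserved prefix but wrong path/trust) or 'other'."""
    if not role["RoleName"].startswith(IDC_NAME_PREFIX):
        return "other"
    trust = role.get("AssumeRolePolicyDocument") or {}
    if isinstance(trust, str):                      # raw API output is URL-encoded JSON
        trust = json.loads(urllib.parse.unquote(trust))
    genuine_path = role.get("Path", "/").startswith(IDC_PATH_PREFIX)
    genuine_trust = any(IDC_PROVIDER_MARK in p for p in federated_saml_principals(trust))
    return "identity-center" if genuine_path and genuine_trust else "look-alike"


def audit_roles(roles, quota=DEFAULT_ROLE_QUOTA):
    """Count roles per class and compute how many more permission sets fit in this account."""
    by_class = {"identity-center": [], "look-alike": [], "other": []}
    for role in roles:
        by_class[classify_role(role)].append(role["RoleName"])
    used = len(roles)
    return {
        "total": used,
        "identity_center": len(by_class["identity-center"]),
        "look_alikes": by_class["look-alike"],
        "headroom": quota - used,          # each permission set assigned here costs one role
        "near_quota": used >= 0.9 * quota,
    }


def _trust(principal_key, principal, *actions):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {principal_key: principal}, "Action": list(actions)}]}


# Constructed sample in the shape of `aws iam list-roles` output; not real account data.
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
     "Path": "/aws-reserved/sso.amazonaws.com/eu-west-1/",
     "AssumeRolePolicyDocument": _trust(
         "Federated", "arn:aws:iam::111122223333:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE",
         "sts:AssumeRoleWithSAML", "sts:TagSession")},
    {"RoleName": "AWSReservedSSO_AdministratorAccess_deadbeefdeadbeef",   # borrowed prefix
     "Path": "/",
     "AssumeRolePolicyDocument": _trust("AWS", "arn:aws:iam::999999999999:root", "sts:AssumeRole")},
    {"RoleName": "OrganizationAccountAccessRole", "Path": "/",
     "AssumeRolePolicyDocument": _trust("AWS", "arn:aws:iam::111122223333:root", "sts:AssumeRole")},
]

if __name__ == "__main__":
    roles = json.load(open(sys.argv[1]))["Roles"] if len(sys.argv) > 1 else SAMPLE_ROLES
    print(json.dumps(audit_roles(roles), indent=2))
```

A non-empty `look_alikes` list is worth an investigation: a role that is named like a permission-set role but is assumable by a foreign principal is an easy way to hide persistence among roles reviewers are trained to skip. Run it per account, because the quota and the roles are per account.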

# IAM Identity Center and AWS Organizations
<a name="identity-center-and-orgs"></a>

AWS Organizations is recommended, but not required, for use with IAM Identity Center. If you haven't set up an organization, you do not have to. When you enable IAM Identity Center, you choose whether to enable the service with AWS Organizations. When you set up an organization, the AWS account that sets up the organization becomes the management account of the organization, and the root user of that AWS account becomes the owner of the management account. Any additional AWS accounts you invite to your organization are member accounts. The management account creates the organization's resources, organizational units, and policies that manage the member accounts. Permissions are delegated to member accounts by the management account. 

**Note**  
We recommend that you enable IAM Identity Center with AWS Organizations, which creates an organization instance of IAM Identity Center. An organization instance is our recommended best practice because it supports all features of IAM Identity Center and provides central management capabilities. For more information, see [Organization instances of IAM Identity Center](organization-instances-identity-center.md).

If you've already set up AWS Organizations and are going to add IAM Identity Center to your organization, make sure that all AWS Organizations features are enabled. When you create an organization, enabling all features is the default. For more information, see [Enabling all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the *AWS Organizations User Guide*.

To enable an organization instance of IAM Identity Center, you must sign in to the AWS Management Console with your AWS Organizations management account, as a user that has administrative credentials or as the root user (not recommended unless no other administrative users exist). For more information, see [Creating and managing an AWS Organization](http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

When signed in with administrative credentials from an AWS Organizations member account, you can enable an account instance of IAM Identity Center. Account instances have limited capabilities and are bound to a single AWS account. 

# Organization and account instances of IAM Identity Center
<a name="identity-center-instances"></a>

An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: *organization instances* and *account instances*.
+ Organization instance (recommended)

  An instance of IAM Identity Center that you enable in the AWS Organizations management account. Organization instances support all features of IAM Identity Center. We recommend that you deploy an organization instance rather than account instances to minimize the number of management points. 
+ Account instance

  An instance of IAM Identity Center that is bound to a single AWS account, and that is visible only within the AWS account and AWS Region in which it is enabled. Use an account instance for simpler, single-account scenarios. You can enable an account instance from either of the following: 
  + An AWS account that isn't managed by AWS Organizations
  + A member account in AWS Organizations

## AWS account types that can enable IAM Identity Center
<a name="identity-center-instances-account-types"></a>

To enable IAM Identity Center, sign in to the AWS Management Console by using one of the following credentials, depending on the instance type you want to create:
+ **Your AWS Organizations management account (recommended)** – Required to create an [organization instance](organization-instances-identity-center.md) of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
+ **Your AWS Organizations member account** – Use to create an [account instance](account-instances-identity-center.md) of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member-level instance can exist in an organization.
+ **A standalone AWS account** – Use to create an [organization instance](organization-instances-identity-center.md) or [account instance](account-instances-identity-center.md) of IAM Identity Center. The standalone AWS account isn't managed by AWS Organizations. You can associate only one instance of IAM Identity Center with a standalone AWS account and use that instance for application assignments within that standalone AWS account.

Use the following table to compare the capabilities provided by the instance type:


| Capability | Instance in the AWS Organizations management account (recommended) | Instance in a member account | Instance in a standalone AWS account | 
| --- | --- | --- | --- | 
| Manage users | Yes | Yes | Yes | 
| AWS access portal for single sign-on access to your AWS managed applications | Yes | Yes | Yes | 
| OAuth 2.0 (OIDC) customer managed applications | Yes | Yes | Yes | 
| Multi-account permissions | Yes | No | No | 
| AWS access portal for single sign-on access to your AWS accounts | Yes | No | No | 
| SAML 2.0 customer managed applications | Yes | No | No | 
| Delegated administrator can manage instance | Yes | No | No | 
| Encryption at rest using a customer-managed KMS key | Yes | No | No | 
| Replicating IAM Identity Center to additional Regions | Yes | No | No | 

For more information about AWS managed applications and IAM Identity Center, see [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md).

**Topics**
+ [AWS account types that can enable IAM Identity Center](#identity-center-instances-account-types)
+ [Organization instances of IAM Identity Center](organization-instances-identity-center.md)
+ [Account instances of IAM Identity Center](account-instances-identity-center.md)
+ [Delete your IAM Identity Center instance](delete-config.md)

# Organization instances of IAM Identity Center
<a name="organization-instances-identity-center"></a>

When you enable IAM Identity Center in conjunction with AWS Organizations, you are creating an organization instance of IAM Identity Center. Your organization instance must be enabled in your management account and you can centrally manage the access of users and groups with a single organization instance. You can have only one organization instance for each management account in AWS Organizations. 

If you enabled IAM Identity Center before November 15, 2023, you have an organization instance of IAM Identity Center. 

To enable an organization instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance).

## When to use an organization instance
<a name="when-to-use-organization-instance"></a>

An organization instance is the primary way to enable IAM Identity Center and is usually the recommended choice. Organization instances offer the following benefits:
+ **Support for all features of IAM Identity Center** – Including managing permissions for multiple AWS accounts in your organization, assigning access to customer managed applications, and multi-Region replication.
+ **Reduction of the number of management points** – An organization instance has a single management point, the management account. We recommend that you enable an organization instance, rather than an account instance, to reduce the number of management points.
+ **Central control of the creation of account instances** – You can control whether member accounts in your organization can create account instances, as long as you haven't deployed an instance of IAM Identity Center to your organization in an opt-in Region (an AWS Region that is disabled by default).

For instructions on enabling an organization instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance).

# Account instances of IAM Identity Center
<a name="account-instances-identity-center"></a>

With an account instance of IAM Identity Center, you can deploy supported AWS managed applications and OIDC-based customer managed applications. Account instances support isolated deployments of applications in a single AWS account, using the IAM Identity Center workforce identity and access portal features.

Account instances are bound to a single AWS account and are used only to manage user and group access for supported applications in the same account and AWS Region. You are limited to one account instance per AWS account. You can create an account instance from either of the following: a member account in AWS Organizations or a standalone AWS account that isn't managed by AWS Organizations.

For instructions on enabling an account instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance) and choose the **Account** tab.

## When to use an account instance
<a name="when-to-use-account-instance"></a>

In most cases, an [organization instance](organization-instances-identity-center.md) is recommended. Use account instances only if one of the following scenarios applies:
+ You want to run a temporary trial of a supported AWS managed application to determine if the application suits your business needs.
+ You don’t have plans to adopt IAM Identity Center across your organization, but you want to support one or more AWS managed applications.
+ You have an organization instance of IAM Identity Center, but you want to deploy a supported AWS managed application to an isolated set of users that are distinct from users in your organization instance.
+ You do not control the AWS organization in which you operate. For example, a third party controls the AWS organization that manages your AWS accounts.

**Important**  
If you plan to use IAM Identity Center to support applications in multiple accounts, use an organization instance. Account instances do not support this use case.

## AWS managed applications that support account instances
<a name="supported-aws-applications"></a>

See [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md) to learn which AWS managed applications support account instances of IAM Identity Center. Verify the availability of account instance creation with your AWS managed application.

## Availability constraints for member accounts
<a name="account-instances-availability-contstraints"></a>

To deploy account instances of IAM Identity Center in AWS Organizations member accounts, one of the following conditions must be true:
+ There is no organization instance of IAM Identity Center in your organization. 
+ There is an organization instance of IAM Identity Center in your organization and the instance administrator permits creation of account instances of IAM Identity Center (for organization instances created after November 15, 2023).
+ There is an organization instance of IAM Identity Center in your organization and the instance administrator manually enabled creation of account instances by member accounts in the organization (for organization instances created before November 15, 2023). For instructions, see [Permit account instance creation in member accounts](enable-account-instance-console.md). 

After one of the preceding conditions is met, all of the following conditions must be true:
+ Your administrator hasn’t created a [Service Control Policy](control-account-instance.md) that prevents member accounts from creating account instances.
+ You do not already have an instance of IAM Identity Center in this same account, regardless of AWS Region.
+ You're working in an AWS Region where IAM Identity Center is available. For information about Regions, see [IAM Identity Center Region data storage and operations](regions.md).

## Account instance considerations
<a name="about-account-instance"></a>

An account instance is designed for specialized use cases, and offers a subset of features available to an organization instance. Consider the following before creating an account instance:
+ Account instances do not support permission sets and therefore do not support access to AWS accounts.
+ You can’t convert or merge an account instance into an organization instance.
+ Only select [AWS managed applications](awsapps-that-work-with-identity-center.md) support account instances.
+ Use account instances for isolated users that will use applications in a single account only and for the lifetime of the applications used.
+ Applications that are attached to an account instance must remain attached to the account instance until you delete the application and its resources.
+ An account instance must remain in the AWS account where it is created.

# Permit account instance creation in member accounts
<a name="enable-account-instance-console"></a>

If you enabled IAM Identity Center before November 15, 2023, you have an [organization instance](organization-instances-identity-center.md) of IAM Identity Center with the ability for member accounts to create account instances disabled by default. You can choose whether your member accounts can create account instances by enabling the account instance feature in the IAM Identity Center console. 

**To enable creation of account instances by member accounts in your organization**
**Important**  
Enabling account instances of IAM Identity Center for member accounts is a one-time operation that cannot be reversed. Once enabled, you can still limit the creation of account instances by creating a service control policy (SCP). For instructions, see [Control account instance creation with Service Control Policies](https://docs.aws.amazon.com/singlesignon/latest/userguide/control-account-instance.html).

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**, and then choose the **Management** tab.

1. In the **Account instances of IAM Identity Center** section, choose **Enable account instances of IAM Identity Center**.

1. In the **Enable account instances of IAM Identity Center** dialog box, confirm that you want to allow member accounts in your organization to create account instances by choosing **Enable**.

# Use Service Control Policies to control account instance creation
<a name="control-account-instance"></a>

The ability for member accounts to create account instances depends on when you enabled IAM Identity Center:
+ **Before November 2023** – You must [permit account instance creation in member accounts](enable-account-instance-console.md), which is an action that cannot be reversed.
+ **After November 15, 2023** – Member accounts can create account instances by default.

In either case, you can use Service Control Policies (SCPs) to:
+ Prevent all member accounts from creating account instances.
+ Allow only specific member accounts to create account instances.

## Prevent account instances
<a name="prevent-account-instances"></a>

Use the following procedure to generate an SCP that prevents member accounts from creating account instances of IAM Identity Center.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 

1. On the **Dashboard**, in the **Central management** section, choose the **Prevent account instances** button.

1. In the **Attach SCP to prevent creation of new account instances** dialog box, an SCP is provided for you. Copy the SCP and choose the **Go to SCP dashboard** button. You'll be directed to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) to create the SCP or attach it as a statement to an existing SCP. SCPs are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide.*

## Limit account instances
<a name="limit-account-instances"></a>

Instead of preventing all account instance creation, this policy denies any attempt to create an account instance of IAM Identity Center for all AWS accounts except those explicitly listed in the *"<ALLOWED-ACCOUNT-ID>"* placeholder.

**Example: Deny policy to limit account instance creation**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMemberAccountInstances",
            "Effect": "Deny",
            "Action": "sso:CreateInstance",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]
                }
            }
        }
    ]
}
```
+ Replace `"<ALLOWED-ACCOUNT-ID>"` with the actual AWS account ID(s) that you want to allow to create an account instance of IAM Identity Center.
+ You can list multiple allowed account IDs in array format: `["111122223333", "444455556666"]`.
+ Attach this policy to your organization SCP to enforce centralized control over IAM Identity Center account instance creation. 

  For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide.*
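Both SCP shapes on this page (the console-generated policy that prevents all account instances, and the allow-list policy above) are easy to attach with the placeholder still in place or a mistyped account ID. The following added Python example, which is not part of the AWS documentation, lints such a policy before you attach it and dry-runs it against a principal account; the account IDs are made up, and only the two condition shapes shown on this page are modelled.

```python
import json
import re

# Added example, not part of the AWS documentation: lint an SCP that restricts
# sso:CreateInstance and dry-run it against a principal account. Only the two
# shapes on this page are modelled: an unconditional Deny ("prevent") and a Deny
# with a StringNotEquals condition on aws:PrincipalAccount ("limit").
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CREATE_INSTANCE_ACTIONS = {"sso:CreateInstance", "sso:*", "*"}

def _as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def deny_statements(policy):
    """Statements that explicitly deny sso:CreateInstance."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Deny"
            and CREATE_INSTANCE_ACTIONS & set(_as_list(s.get("Action", [])))]

def allowed_accounts(stmt):  # IDs exempted by the StringNotEquals condition
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    return _as_list(cond.get("aws:PrincipalAccount", []))

def lint(policy):
    """Problems that should block attaching the SCP; an empty list means ready."""
    problems = []
    stmts = deny_statements(policy)
    if not stmts:
        problems.append("no Deny statement covers sso:CreateInstance")
    for stmt in stmts:
        for acct in allowed_accounts(stmt):
            if not ACCOUNT_ID_RE.match(acct):  # catches the unreplaced placeholder
                problems.append(f"{acct!r} is not a 12-digit AWS account ID")
    return problems

def create_instance_denied(policy, principal_account):
    """True if the SCP would deny sso:CreateInstance from principal_account."""
    for stmt in deny_statements(policy):
        if "Condition" not in stmt or principal_account not in allowed_accounts(stmt):
            return True
    return False

# Constructed samples: the page's template with its placeholder left in, the
# same policy filled in with two made-up allowed accounts, and a blanket deny.
TEMPLATE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyMemberAccountInstances", "Effect": "Deny",
    "Action": "sso:CreateInstance", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]}}}]}
LIMITED = json.loads(json.dumps(TEMPLATE).replace(
    '"<ALLOWED-ACCOUNT-ID>"', '"111122223333", "444455556666"'))
PREVENT_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "sso:CreateInstance", "Resource": "*"}]}
```

Run `lint()` on the policy you intend to attach and `create_instance_denied()` against each member account that should keep the ability to create an account instance; a non-empty lint result or an unexpected deny means the policy is not ready.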

# Delete your IAM Identity Center instance
<a name="delete-config"></a>

When an IAM Identity Center instance is deleted, all the data in that instance is deleted and cannot be recovered. The following table describes what data is deleted based on the directory type that is configured in IAM Identity Center.


| What data gets deleted | Connected directory - AWS Managed Microsoft AD, AD Connector, or external identity provider | IAM Identity Center identity store | 
| --- | --- | --- | 
|  All permission sets you have configured for AWS accounts  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
|  All applications you have configured in IAM Identity Center  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
| All user assignments you have configured for AWS accounts and applications |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
| All users and groups in the directory or store | N/A |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 

If you replicated your IAM Identity Center instance to additional Regions, you must remove those Regions before deleting the instance.

Use the following procedure to delete your IAM Identity Center instance.

**To delete your IAM Identity Center instance**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Management** tab.

1. In the **Delete IAM Identity Center configuration** section, choose **Delete**.

1. In the **Delete IAM Identity Center configuration** dialog, select each checkbox to acknowledge you understand that your data will be deleted. Type your IAM Identity Center instance in the text box, and then choose **Confirm**.