Organization and account instances of IAM Identity Center
An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: organization instances and account instances.
AWS account types that can enable IAM Identity Center
To enable IAM Identity Center, sign in to the AWS Management Console by using one of the following credentials, depending on the instance type you want to create:
- Your AWS Organizations management account (recommended) – Required to create an organization instance of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
- Your AWS Organizations member account – Use to create an account instance of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member-level instance can exist in an organization.
- A standalone AWS account – Use to create an organization instance or account instance of IAM Identity Center. The standalone AWS account isn't managed by AWS Organizations. Only one instance of IAM Identity Center can be associated with a standalone AWS account, and you can use the instance for application assignments within that standalone AWS account.
| Capability | Instance in the AWS Organizations management account (recommended) | Instance in a member account | Instance in a standalone AWS account |
|---|---|---|---|
| Manage users | | | |
| AWS access portal for single sign-on access to your AWS managed applications | | | |
| OAuth 2.0 (OIDC) customer managed applications | | | |
| Multi-account permissions | | | |
| AWS access portal for single sign-on access to your AWS accounts | | | |
| SAML 2.0 customer managed applications | | | |
| Delegated administrator can manage instance | | | |
For more information about AWS managed applications and IAM Identity Center, see AWS managed applications that you can use with IAM Identity Center.
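As an added example (not part of the AWS documentation), the following script inventories the IAM Identity Center instances visible to the calling account and labels each one with the instance type described above: an instance owned by the Organizations management account is an organization instance, an instance owned by any other account in the organization is an account instance, and an instance in an account that is not in an organization is the single instance of a standalone account. It assumes the sso-admin ListInstances response carries an OwnerAccountId per instance and that Organizations DescribeOrganization fails with AWSOrganizationsNotInUseException for a standalone account.

```python
"""Inventory IAM Identity Center instances and classify each by instance type."""
from typing import Dict, List, Optional


def classify_instance(owner_account_id: str, management_account_id: Optional[str]) -> str:
    """Apply the rules from this page to one instance.

    management_account_id is None when the caller is a standalone account
    (not managed by AWS Organizations).
    """
    if management_account_id is None:
        return "standalone"
    if owner_account_id == management_account_id:
        return "organization"  # created from the management account
    return "account"  # created from a member account


def classify_all(instances: List[Dict], management_account_id: Optional[str]) -> Dict[str, str]:
    """Return {InstanceArn: instance type} for a list of ListInstances records."""
    return {
        inst["InstanceArn"]: classify_instance(inst["OwnerAccountId"], management_account_id)
        for inst in instances
    }


def lookup_management_account(org_client) -> Optional[str]:
    """Return the management account id, or None if Organizations is not in use."""
    from botocore.exceptions import ClientError  # imported here so the pure helpers run offline

    try:
        return org_client.describe_organization()["Organization"]["MasterAccountId"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "AWSOrganizationsNotInUseException":
            return None  # standalone AWS account
        raise


def inventory() -> Dict[str, str]:
    """Live inventory; needs sso:ListInstances and organizations:DescribeOrganization."""
    import boto3  # network call, so kept out of the offline helpers

    session = boto3.Session()
    sso, kwargs, instances = session.client("sso-admin"), {}, []
    while True:  # ListInstances is paginated with NextToken
        page = sso.list_instances(**kwargs)
        instances.extend(page["Instances"])
        if not page.get("NextToken"):
            break
        kwargs = {"NextToken": page["NextToken"]}
    return classify_all(instances, lookup_management_account(session.client("organizations")))


if __name__ == "__main__":
    for arn, kind in inventory().items():
        print(f"{kind:12s} {arn}")
```

Running it from a member account flags any account instance that exists there, which is the case the "Control account instance creation with Service Control Policies" topic addresses.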
Topics
- Organization instances of IAM Identity Center
- Account instances of IAM Identity Center
- Enable account instance creation in the IAM Identity Center console
- Control account instance creation with Services Control Policies
- Create an account instance of IAM Identity Center
- Delete your IAM Identity Center instance