Trusted identity propagation prerequisites and considerations
Before you set up trusted identity propagation, review the following prerequisites and considerations.
Prerequisites
To use trusted identity propagation, ensure that your environment meets the following prerequisites.
- IAM Identity Center deployment with users and groups provisioned
To use trusted identity propagation, you must enable IAM Identity Center and provision users and groups. For information, see Get started with common tasks in IAM Identity Center.
Organization instance recommended – We recommend that you use an organization instance of IAM Identity Center that you enable in the management account of AWS Organizations. If you plan to use trusted identity propagation to enable users to access AWS services and related resources in different AWS accounts within the same organization, you can delegate administration of your instance of IAM Identity Center to a member account.
If you plan to use a single account instance of IAM Identity Center, all AWS services and resources that you want users to access through trusted identity propagation must reside in the same standalone AWS account, or in the same member account in the organization where you enabled IAM Identity Center. For more information, see Account instances of IAM Identity Center.
- For AWS managed applications, connection to IAM Identity Center
To use trusted identity propagation, AWS managed applications must integrate with IAM Identity Center.
Additional considerations
Keep in mind the following additional considerations for using trusted identity propagation.
- Don't modify the Require assignments setting for AWS managed applications
AWS managed applications have a default setting configuration that determines whether assignments are required for users and groups. We recommend that you do not modify this setting. Even if you have configured fine-grained permissions that allow user access to specific resources, modifying the Require assignments setting might result in unexpected behavior, including disrupted user access to these resources.
- Multi-account permissions (permission sets) not required
Trusted identity propagation doesn't require you to set up multi-account permissions (permission sets). You can enable IAM Identity Center and use it for trusted identity propagation only.