Why We Replaced IAM Users with AWS SSO (AWS Identity Center)

We ditched IAM users and embraced AWS SSO; here's why it's a game-changer for secure cloud access.

Managing access across multiple AWS accounts became a growing pain for our team. IAM Users were enough when we had just one environment, but as we scaled to multiple accounts (dev, stage, prod), security and access management became a bottleneck. That’s when we migrated to AWS SSO (now AWS Identity Center).

The IAM User Bottleneck: Why We Made the Switch

  • Difficult to enforce consistent MFA policies across accounts

  • Manual IAM user provisioning (per account)

  • Long-lived credentials (access keys that never expire unless someone remembers to rotate them) = security risk

  • Onboarding/offboarding was slow and error-prone

  • Poor visibility into who accessed what and when
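
To see how bad the IAM-user situation actually is before migrating, the script below (an added example, not code from the original post) audits an IAM credential report, the CSV that `aws iam get-credential-report` returns once `aws iam generate-credential-report` has run, for the first three problems on the list: console users without MFA, and active access keys that are stale or have never been used. The report embedded in it is constructed sample data; the column layout is the real one.

```python
"""Audit an IAM credential report for the problems listed above.

Added example, not code from the original post. Parses the CSV returned by
`aws iam get-credential-report` and flags console users without MFA and
active access keys that are stale or unused. The report embedded here is
constructed sample data in the real column layout.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (columns after access_key_2_* omitted; the audit does not read them).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-02-10T12:00:00+00:00,true,2024-04-20T08:00:00+00:00,2024-01-15T12:00:00+00:00,N/A,false,true,2022-02-10T12:00:00+00:00,2024-04-19T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T12:00:00+00:00,true,2024-04-21T08:00:00+00:00,2024-03-01T12:00:00+00:00,N/A,true,true,2024-03-01T12:00:00+00:00,2024-04-21T07:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-09-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-09-01T12:00:00+00:00,N/A,N/A,N/A,true,2021-01-01T12:00:00+00:00,2024-04-01T00:00:00+00:00,us-east-1,sts
"""

# Fixed "now" so the sample gives reproducible findings; use datetime.now(timezone.utc) on a live report.
AS_OF = datetime(2024, 4, 22, tzinfo=timezone.utc)


def _timestamp(value):
    """Return a tz-aware datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, problem) pairs for every IAM-user weakness the report exposes."""
    limit = timedelta(days=max_key_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == "<root_account>" and not has_mfa:
            findings.append((user, "root account without MFA"))
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled but no MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys cannot be used, so they are not a standing risk
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > limit:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            if _timestamp(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


def run_sample():
    """Audit the constructed report as of the fixed date."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, problem in run_sample():
        print(f"{user}: {problem}")
```

On the sample this reports alice (password without MFA, a two-year-old key) and deploy-bot (two stale keys, one of them never used), while bob, who rotates and uses MFA, is clean. Every one of those findings is a class of problem that disappears once the users are gone and sessions are issued through Identity Center.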

Why AWS Identity Center Makes the Cut

With AWS Identity Center (formerly SSO), we got:

  • A central dashboard for all AWS account access

  • No more IAM users per account

  • Role-based access using Permission Sets

  • MFA enforced centrally

  • Log in via SSO and receive short-lived temporary credentials instead of long-lived keys

Why It’s a No-Brainer for Multi-Account Setups

If you're managing:

  • Dev / Staging / Prod AWS accounts

  • Multiple engineers or teams

  • Compliance with security best practices (MFA everywhere, least privilege, no standing credentials)

then Identity Center is the only sane path forward.

Your users get one login. You get full control.

Step-by-Step Setup of AWS Identity Center

Create the AWS Organization

When you navigate to AWS Organizations, you’ll find a default setup already in place: the Root (the top-level container for organizational units) with the management account underneath it

root
|
|--> Management Account

Then create an organizational unit (OU). An OU only needs a name; the account name, owner email and IAM role fields belong to the member account you create inside it in the next step.

Organizational unit name: test-OU

Check that the organizational unit was created

Next, create a member AWS account under this OU.

Checkmark test-OU as the organizational unit > Hit "Add an AWS account"

Now create an AWS account under the newly created organizational unit with the following details

AWS Account name: <Enter the required name>
Email Address of Account Owner: <Your Valid Email Address>
IAM Role name: OrganizationAccountAccessRole

This role is created inside the new member account and trusts the management account. It is how you get into the member account before any Identity Center assignments exist, so keep the default name unless you have a reason to change it.


NOTE: If you choose the first option (Create an AWS account) rather than inviting an existing account, the email address must not already be associated with any AWS account > Hit "Create"

Hop to IAM Identity Center


Enable IAM Identity Center. It has to be enabled from the organization’s management account, and the identity source defaults to the built-in Identity Center directory (you can switch to an external IdP or Active Directory later).

Verify the details on the dashboard after enabling Identity Center

NOTE: Keep the AWS access portal URL handy; this is the URL your users will sign in through.

Create the permission set that controls which services SSO users get access to

For this, navigate to Side navigation > Multi-account permissions > Permission sets

A permission set in AWS Identity Center is a reusable template of IAM policies (AWS managed, customer managed and/or inline) that defines what a user or group can do in the accounts it is assigned to. Identity Center materialises it as an IAM role in each of those accounts.

Create permission set > Predefined permission set > AdministratorAccess

NOTE: AdministratorAccess is used here deliberately, for demo purposes only. It is not recommended for a real Identity Center setup; build least-privilege permission sets instead (for example ReadOnlyAccess for most engineers, plus narrow inline policies for what they actually change).

Next there is a parameter named Session duration. It is the TTL of a signed-in session: when it expires the user is logged out and has to re-authenticate through the access portal, and the temporary credentials issued for that session are limited to the same lifetime.

It defaults to 1 hour and can be set anywhere between the minimum of 1 hour and the maximum of 12 hours. Shorter is safer for privileged sets like AdministratorAccess.

Go to Preview > Hit "Create"

Verify that the permission set was created

We can also hook up applications directly to users, whether in-house AWS apps or third-party tools that support SAML; Identity Center plays well with both worlds. 😎

But let’s keep it chill for now. We’re not diving into that rabbit hole.

Hop to Users and Groups in IAM Identity Center

These look similar to users and groups in the IAM console, but they live in the Identity Center directory rather than in any account’s IAM, so nothing is created per account.

This is where we create a group of test users and add the test user to the group.

Create the user

Add the following details

Username: <Your desired username> (KEEP IT SAFE)
Password: Generate a one-time password to share with the user (KEEP IT SAFE; they set a new one at first sign-in), or choose the option that emails the user password setup instructions instead
Email ID: <The user’s email address>
First name: <Desired first name>
Last name: <Desired last name>

The form also has optional fields for further details about the user (display name, contact and job-related information).

Create Group

Add the newly created user to the group

Now that the user belongs to a group, we can grant that group access to accounts in AWS Identity Center

Navigate to the side nav in IAM Identity Center > Multi-account permissions > AWS accounts

Checkmark test-OU (or whichever organizational unit you created) > Hit "Assign users or groups"

Assign the newly created group, then select the permission set created earlier

Hit Review and Submit, and check that the test user shows up under the account
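
As an added example (not code from the original post), here is the same work done with boto3's sso-admin API instead of the console: it validates the session duration against the 1 to 12 hour range the console enforces, attaches a narrow inline policy instead of AdministratorAccess, and makes the group-to-account assignment described above. The instance ARN placeholder, the DeveloperAccess name and the inline policy are assumptions chosen for illustration; the account and group IDs come from the command line.

```python
"""Create a least-privilege permission set and assign it to a group on one account.

Added example, not code from the original post. Builds the sso-admin
CreatePermissionSet request with a validated session duration, attaches an
assumed inline policy, and creates the account assignment. All names and
the policy are illustrative assumptions.
"""
import json
import re
import sys

MIN_HOURS, MAX_HOURS = 1, 12            # range the console allows for permission-set sessions
_HOURS = re.compile(r"^PT(\d{1,2})H$")  # whole hours, which is what the console offers


def session_duration_hours(duration):
    """Parse an ISO 8601 duration like 'PT4H'; raise ValueError outside the 1-12 hour range."""
    match = _HOURS.match(duration)
    if not match:
        raise ValueError(f"malformed session duration {duration!r}; expected e.g. 'PT2H'")
    hours = int(match.group(1))
    if not MIN_HOURS <= hours <= MAX_HOURS:
        raise ValueError(f"{duration} is outside the {MIN_HOURS}-{MAX_HOURS} hour range")
    return hours


def is_valid_session_duration(duration):
    """True when the duration would be accepted by build_permission_set."""
    try:
        session_duration_hours(duration)
        return True
    except ValueError:
        return False


# Assumed developer policy: read-only observability, plus an explicit deny on identity and org changes
# so the set cannot be used to widen its own access even if a broader managed policy is attached later.
DEVELOPER_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:List*", "s3:Get*",
                       "logs:Describe*", "logs:Get*", "logs:FilterLogEvents"],
            "Resource": "*",
        },
        {
            "Sid": "DenyIdentityChanges",
            "Effect": "Deny",
            "Action": ["iam:*", "sso:*", "organizations:*"],
            "Resource": "*",
        },
    ],
}


def build_permission_set(instance_arn, name, session_duration, description=None):
    """Return the keyword arguments for sso-admin create_permission_set, after validating the duration."""
    hours = session_duration_hours(session_duration)
    return {
        "InstanceArn": instance_arn,
        "Name": name,
        "Description": description or f"{name}: {hours}h sessions",
        "SessionDuration": session_duration,
    }


def provision(sso_admin, instance_arn, account_id, group_id):
    """Create the permission set, attach the inline policy and assign it to a group on one account."""
    created = sso_admin.create_permission_set(
        **build_permission_set(instance_arn, "DeveloperAccess", "PT4H", "Read-only developer access"))
    ps_arn = created["PermissionSet"]["PermissionSetArn"]
    sso_admin.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        InlinePolicy=json.dumps(DEVELOPER_INLINE_POLICY))
    sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return ps_arn


if __name__ == "__main__":
    import boto3  # only needed for the live calls; usage: script.py <instance-arn> <account-id> <group-id>
    instance_arn, account_id, group_id = sys.argv[1:4]
    print(provision(boto3.client("sso-admin"), instance_arn, account_id, group_id))
```

The instance ARN is on the Identity Center settings page and the group ID comes from the identity store (the console shows it on the group's detail page). Account assignments are asynchronous; Identity Center provisions the role into the account shortly after the call returns.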

Verify that the user from the group can access the AWS console

Find the AWS access portal URL on the dashboard of IAM Identity Center.

Open it in a browser; it will prompt for the user’s credentials.

Enter the username and password we kept handy earlier.

NOTE: On first sign-in the user will be asked to register an MFA device. By default Identity Center requires users without a registered device to register one at sign-in and then prompts for MFA whenever the sign-in context changes; to require MFA on every sign-in, tighten this under Settings > Authentication > Multi-factor authentication. If you are new to MFA registration, see the AWS documentation for the steps.

After completing the MFA setup, re-login and you land in the console

We can also cross-verify in the member account’s IAM console that a new IAM role has been created for the permission set. Its trust policy (trusted entities) points at the Identity Center SAML provider, so only Identity Center can assume it:

AWSReservedSSO_AdministratorAccess_563f582437b8fe06

Voilà, we have established access with the help of AWS Identity Center.
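
That trust policy is worth checking, because an attacker who gets IAM write access in a member account can append a statement trusting their own account and keep a backdoor that survives Identity Center deprovisioning. The script below is an added example, not code from the original post: it verifies that an AWSReservedSSO_* trust policy only allows this account’s Identity Center SAML provider to assume the role via sts:AssumeRoleWithSAML with the expected SAML:aud condition. The policy documents in it are constructed in the shape Identity Center provisions, with placeholder account and provider IDs; in practice you would feed it the AssumeRolePolicyDocument from `aws iam get-role --role-name <name>`.

```python
"""Check that an AWSReservedSSO_* role's trust policy only trusts Identity Center.

Added example, not code from the original post. The sample policies are
constructed in the shape Identity Center provisions; account and provider
IDs are placeholders.
"""
import json

EXPECTED_AUDIENCE = "https://signin.aws.amazon.com/saml"
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}

# Constructed sample of the trust policy Identity Center provisions (placeholder IDs).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Same policy with a backdoor statement appended: an external account can assume the role directly.
TAMPERED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(SAMPLE_TRUST_POLICY)["Statement"] + [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_sso_trust_policy(document, account_id):
    """Return the problems found; an empty list means only this account's Identity Center provider is trusted."""
    policy = json.loads(document) if isinstance(document, str) else document
    expected_prefix = f"arn:aws:iam::{account_id}:saml-provider/AWSSSO_"
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            problems.append(f"statement {i}: principal is not a Federated SAML provider: {principal!r}")
            continue
        for arn in _as_list(principal["Federated"]):
            if not (arn.startswith(expected_prefix) and arn.endswith("_DO_NOT_DELETE")):
                problems.append(f"statement {i}: unexpected federated principal {arn}")
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            problems.append(f"statement {i}: unexpected actions {sorted(extra)}")
        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != EXPECTED_AUDIENCE:
            problems.append(f"statement {i}: SAML:aud is {audience!r}, expected {EXPECTED_AUDIENCE}")
    return problems


if __name__ == "__main__":
    for name, document in (("provisioned", SAMPLE_TRUST_POLICY), ("tampered", TAMPERED_TRUST_POLICY)):
        print(name, check_sso_trust_policy(document, "123456789012") or "OK")
```

Run it across every role whose name starts with AWSReservedSSO_ in each member account; any non-empty result is either drift from a manual edit or a persistence attempt, and both deserve a look before the role is trusted again.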

Want to discuss about DevOps practices, Infrastructure Audits or Free consulting for your AWS Cloud?

Prasanna would be glad to jump into a call