Previously called AWS Single Sign-On (SSO). It gives you one login for everything — instead of logging into each AWS account or app separately, you log in once and get access to all of them.

What can you access with one login?

Where are user identities stored?

Two options:

| Option | What it is |
|---|---|
| Built-in Identity Store | Users and groups created directly inside IAM Identity Center |
| 3rd Party | Connect your existing Active Directory (AD), Okta, OneLogin etc. |

How the Login Flow Works

  1. User opens browser and goes to the IAM Identity Center login page
  2. Logs in once with their credentials
  3. IAM Identity Center checks their identity (from AD or built-in store)
  4. Shows them a dashboard with all the accounts and apps they have access to
  5. User clicks the account/app they want and is taken straight in, with no second login needed

Permission Sets — How Access is Controlled

A Permission Set is a collection of IAM policies that defines what a user can do. You create permission sets in IAM Identity Center and assign them to users or groups across accounts.

Example:

So Bob and Alice can do everything in Dev accounts but only read in Prod accounts — all managed from one place.
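To make the Bob and Alice case concrete, here is an added Python model (not code from this page or from AWS) of how permission sets assigned to a group per account turn into effective permissions; the group name, account IDs and policy statements are constructed for illustration.

```python
"""Simplified model of IAM Identity Center permission sets + account assignments.
Added example; all names, account IDs and policies below are constructed."""
from fnmatch import fnmatchcase

# Constructed permission sets: each is a list of IAM-style statements.
PERMISSION_SETS = {
    "DevFullAccess": [
        {"Effect": "Allow", "Action": ["*"]},
    ],
    "ProdReadOnly": [
        {"Effect": "Allow", "Action": ["*:Describe*", "*:Get*", "*:List*"]},
        # An explicit Deny wins even when a broader Allow also matches.
        {"Effect": "Deny", "Action": ["iam:*"]},
    ],
}

# Constructed group membership (built-in identity store in this model).
GROUPS = {"Developers": {"bob", "alice"}}

# Constructed account assignments: (principal group, account id, permission set).
ASSIGNMENTS = [
    ("Developers", "111111111111", "DevFullAccess"),  # Dev account
    ("Developers", "222222222222", "ProdReadOnly"),   # Prod account
]


def permission_sets_for(user, account_id):
    """Permission sets a user receives in one account through group assignments."""
    return {
        ps for group, acct, ps in ASSIGNMENTS
        if acct == account_id and user in GROUPS.get(group, set())
    }


def is_allowed(user, account_id, action):
    """Default deny; any matching explicit Deny wins; otherwise allowed if some
    statement in an assigned permission set matches the action (IAM-style)."""
    allowed = False
    for ps in permission_sets_for(user, account_id):
        for stmt in PERMISSION_SETS[ps]:
            if any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for acct, name in (("111111111111", "Dev"), ("222222222222", "Prod")):
        for action in ("s3:GetObject", "s3:PutObject", "iam:ListUsers"):
            print(f"{name}: bob {action} -> {is_allowed('bob', acct, action)}")
```

Running it shows the same outcome the page describes: every action succeeds in the Dev account, while in Prod only read-style actions pass and anything under `iam:` is denied outright.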


Fine-Grained Permissions — 3 Types

1. Multi-Account Permissions