IAM Identity Center

AWS IAM Identity Center (formerly AWS Single Sign-On) is a service that simplifies access management by enabling centralized user sign-in and permissions for AWS accounts and applications. It integrates with external identity providers (IdPs) or the internal Identity Center directory to manage users and authentication. This provides a unified way to assign and enforce access permissions.

The Data Landing Zone does not create an IAM Identity Center instance but integrates with an existing one. Once the required IDs are provided to the DLZ construct, it manages users, permission sets, and their account assignments within IAM Identity Center.

Refer to the SOP - IAM Identity Center Setup for detailed instructions on setting up IAM Identity Center and providing the necessary IDs to the DLZ configuration.

Users can be added to access groups, which are assigned permission sets. Permission sets can be created from managed policies or inline policies. Access groups support wildcards for account names, making it easy to assign permissions across multiple accounts.

The example below assigns the AdministratorAccess permission set (one of the two created by spreading Defaults.iamIdentityCenterPermissionSets() into permissionSets) to the user [email protected] in all accounts, as selected by the wildcard *.

  import { App } from 'aws-cdk-lib';
  import * as iam from 'aws-cdk-lib/aws-iam';
  import { DataLandingZone, Defaults } from 'aws-data-landing-zone';

  const app = new App();
  const dlz = new DataLandingZone(app, {
    iamIdentityCenter: {
      // Identifiers of the existing IAM Identity Center instance (see the SOP)
      arn: 'IdentityCenterARN',
      id: 'IdentityCenterID',
      storeId: 'StoreID',
      users: [
        {
          userName: '[email protected]',
          name: 'Name',
          surname: 'LastName',
        },
      ],
      permissionSets: [
        // Provides the AWS managed policies `AdministratorAccess` and `ReadOnlyAccess` as permission sets
        ...Defaults.iamIdentityCenterPermissionSets(),
        // Create a custom permission set from a managed policy
        {
          name: 'power-user-permission-set',
          managedPolicyArns: ['arn:aws:iam::aws:policy/PowerUserAccess'],
        },
        // Create a custom permission set from an inline policy
        {
          name: 's3-only-access',
          inlinePolicyStatement: new iam.PolicyStatement({
            actions: ['s3:*'],
            resources: ['*'],
          }),
        },
      ],
      accessGroups: [
        {
          name: 'admin-access-group',
          accountNames: ['*'], // All accounts
          // accountNames: ['project-1-*'], // All accounts starting with `project-1-`
          // accountNames: ['root', 'development', 'production'], // Specific accounts
          userNames: ['[email protected]'], // Must match a `userName` declared in `users`
          permissionSetName: 'AdministratorAccess',
        },
      ],
    },
  });
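Because access groups combine wildcard account names with permission sets, it is worth checking what a configuration will actually grant before synthesizing it. The following is an added example, not code from the aws-data-landing-zone project: it mirrors the permissionSets and accessGroups shape above with simplified local types (an assumption, not the construct's real types), expands the wildcard account names against a constructed account list, and flags broad permission sets assigned to every account, unknown permission set names, and access groups with no users.

```typescript
// Added example: a pre-synth lint over the iamIdentityCenter config shape shown
// above. The types are a simplified local mirror of that shape (assumption);
// nothing here is imported from aws-data-landing-zone or aws-cdk-lib.
interface PermissionSet {
  name: string;
  managedPolicyArns?: string[];
  inlineActions?: string[];   // simplified stand-in for inlinePolicyStatement (assumption)
  inlineResources?: string[];
}
interface AccessGroup { name: string; accountNames: string[]; userNames: string[]; permissionSetName: string; }
function escapeRe(s: string): string { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }
// Expand wildcard account names ('*' matches any run of characters, as in the
// accountNames examples above) against the list of known account names.
function matchAccounts(patterns: string[], accounts: string[]): string[] {
  const res = patterns.map(p => new RegExp('^' + p.split('*').map(escapeRe).join('.*') + '$'));
  return accounts.filter(a => res.some(r => r.test(a)));
}
// A permission set is "broad" if it grants AWS-managed admin/power-user access
// or an inline statement with wildcard actions on resource '*'.
function isBroad(ps: PermissionSet): boolean {
  const adminArn = (ps.managedPolicyArns ?? []).some(a => /\/(AdministratorAccess|PowerUserAccess)$/.test(a));
  const anyAction = (ps.inlineActions ?? []).some(a => a === '*' || a.endsWith(':*'));
  return adminArn || (anyAction && (ps.inlineResources ?? []).includes('*'));
}
// Findings to review before synthesis: broad permission sets assigned to every
// account, unknown permission set names, and access groups with no users.
function lintAssignments(sets: PermissionSet[], groups: AccessGroup[], accounts: string[]): string[] {
  const byName = new Map<string, PermissionSet>(sets.map(s => [s.name, s]));
  const out: string[] = [];
  for (const g of groups) {
    const ps = byName.get(g.permissionSetName);
    const targets = matchAccounts(g.accountNames, accounts);
    if (!ps) out.push(`${g.name}: unknown permission set ${g.permissionSetName}`);
    else if (isBroad(ps) && targets.length === accounts.length)
      out.push(`${g.name}: broad set ${ps.name} assigned to all ${targets.length} accounts`);
    if (g.userNames.length === 0) out.push(`${g.name}: no users assigned`);
  }
  return out;
}
// Constructed sample mirroring the config above (account and user names are made up).
const ACCOUNTS = ['root', 'development', 'production', 'project-1-dev', 'project-1-prod'];
const SETS: PermissionSet[] = [
  { name: 'AdministratorAccess', managedPolicyArns: ['arn:aws:iam::aws:policy/AdministratorAccess'] },
  { name: 's3-only-access', inlineActions: ['s3:*'], inlineResources: ['*'] },
];
const GROUPS: AccessGroup[] = [
  { name: 'admin-access-group', accountNames: ['*'], userNames: ['user@example.com'], permissionSetName: 'AdministratorAccess' },
  { name: 'project-1-s3', accountNames: ['project-1-*'], userNames: [], permissionSetName: 's3-only-access' },
];
```

Running lintAssignments(SETS, GROUPS, ACCOUNTS) on the constructed sample reports the admin group as a broad grant across all five accounts and the project group as having no users, while the s3-only-access set is tolerated because its wildcard only reaches the two project-1-* accounts.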

Defaults

The Defaults.iamIdentityCenterPermissionSets function creates two permission sets:

  • AdministratorAccess: Using the AWS managed policy AdministratorAccess
  • ReadOnlyAccess: Using the AWS managed policy ReadOnlyAccess

API References