AWS IAM Identity Center (formerly AWS Single Sign-On) is a service that simplifies access management by enabling
centralized user sign-in and permissions for AWS accounts and applications. It integrates with external identity
providers (IdPs) or the internal Identity Center directory to manage users and authentication. This provides a unified
way to assign and enforce access permissions.
The Data Landing Zone does not create an IAM Identity Center instance but integrates with an existing one. Once the
required IDs are provided to the DLZ construct, it manages users, permission sets, and their account assignments
within the IAM Identity Center.
Refer to the SOP - IAM Identity Center Setup for detailed instructions on setting up IAM
Identity Center and providing the necessary IDs to the DLZ configuration.
Users can be added to access groups, which are assigned permission sets. Permission sets can be created from managed
policies or inline policies. Access groups support wildcards for account names, making it easy to assign permissions
across multiple accounts.
The example below assigns the AdministratorAccess permission set (created by
...Defaults.iamIdentityCenterPermissionSets()) to the user [email protected] in all accounts, as specified by the wildcard
*.
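As an added illustration of the wildcard account matching described above (not the DLZ construct's own code; the types, function names and sample data are assumptions constructed for this example), the following expands access groups into explicit user, permission set and account assignments, and reports patterns that match no account so a typo cannot silently drop access:

```typescript
// Illustrative only: assumed types, not the DLZ configuration schema.
interface Account { name: string; accountId: string }
interface AccessGroup { name: string; users: string[]; permissionSet: string; accounts: string[] }
interface Assignment { user: string; permissionSet: string; accountId: string }

// Convert a wildcard pattern such as "*" or "dev-*" into an anchored RegExp,
// escaping every other metacharacter so that "." and "+" in names stay literal.
function wildcardToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Expand every access group into (user, permission set, account) triples.
// Patterns that match nothing are returned in `unmatched` so the caller can
// fail the deployment instead of leaving a user without the intended access.
function expandAssignments(groups: AccessGroup[], accounts: Account[]):
    { assignments: Assignment[]; unmatched: string[] } {
  const assignments: Assignment[] = [];
  const unmatched: string[] = [];
  const seen = new Set<string>(); // de-duplicates overlapping patterns
  for (const group of groups) {
    for (const pattern of group.accounts) {
      const re = wildcardToRegExp(pattern);
      const matched = accounts.filter((a) => re.test(a.name));
      if (matched.length === 0) unmatched.push(`${group.name}:${pattern}`);
      for (const account of matched) {
        for (const user of group.users) {
          const key = `${user}|${group.permissionSet}|${account.accountId}`;
          if (seen.has(key)) continue;
          seen.add(key);
          assignments.push({ user, permissionSet: group.permissionSet, accountId: account.accountId });
        }
      }
    }
  }
  return { assignments, unmatched };
}

// Constructed sample data: placeholder account ids and e-mail addresses.
const sampleAccounts: Account[] = [
  { name: "management", accountId: "111111111111" },
  { name: "dev-a", accountId: "222222222222" },
  { name: "prod-a", accountId: "333333333333" },
];
const sampleGroups: AccessGroup[] = [
  { name: "admins", users: ["admin@example.com"], permissionSet: "AdministratorAccess", accounts: ["*"] },
  { name: "dev-readers", users: ["dev@example.com"], permissionSet: "ReadOnlyAccess", accounts: ["dev-*", "stage-*"] },
];
```

Running `expandAssignments(sampleGroups, sampleAccounts)` gives the admin user AdministratorAccess in all three accounts, the dev user ReadOnlyAccess in `dev-a` only, and flags `dev-readers:stage-*` as matching no account.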