IAM Identity Center

AWS IAM Identity Center (formerly AWS Single Sign-On) is a service that simplifies access management by enabling centralized user sign-in and permissions for AWS accounts and applications. It integrates with external identity providers (IdPs) or the internal Identity Center directory to manage users and authentication. This provides a unified way to assign and enforce access permissions.

The Data Landing Zone does not create an IAM Identity Center instance but integrates with an existing one. Once the required IDs are provided to the DLZ construct, it manages users, permissions, and their account assignments within the IAM Identity Center.

Refer to the SOP - IAM Identity Center Setup for detailed instructions on setting up IAM Identity Center and providing the necessary IDs to the DLZ configuration.

Users can be added to access groups, which are assigned permission sets. Permission sets can be created from managed policies or inline policies. Access groups support wildcards for account names, making it easy to assign permissions across multiple accounts. Three account names are fixed by the required configuration: root, log, and audit. All other account names come from the account configuration in the Workloads OU.

The example below assigns the AdministratorAccess permission set (created by ...Defaults.iamIdentityCenterPermissionSets()) to the user [email protected] in all accounts, as specified by the wildcard *.

```ts
import { App } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { DataLandingZone, Defaults } from 'aws-data-landing-zone';

const app = new App();
new DataLandingZone(app, {
  // ... other DLZ props (regions, mandatoryTags, organization, ...)
  iamIdentityCenter: {
    arn: 'IdentityCenterARN',
    id: 'IdentityCenterID',
    storeId: 'StoreID',
    users: [
      {
        userName: '[email protected]',
        name: 'Name',
        surname: 'LastName',
      },
    ],
    permissionSets: [
      // Provides the AWS managed policies `AdministratorAccess` and `ReadOnlyAccess` as permission sets
      ...Defaults.iamIdentityCenterPermissionSets(),
      // Create a custom permission set from a managed policy
      {
        name: 'power-user-permission-set',
        managedPolicyArns: ['arn:aws:iam::aws:policy/PowerUserAccess'],
      },
      // Create a custom permission set from an inline policy
      {
        name: 's3-only-access',
        inlinePolicyDocument: new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              actions: ['s3:GetObject'],
              resources: ['arn:aws:s3:::mybucket/*'],
            }),
          ],
        }),
      },
    ],
    accessGroups: [
      {
        name: 'admin-access-group',
        accountNames: ['*'], // All accounts
        // accountNames: ['project-1-*'], // All accounts starting with `project-1-`
        // accountNames: ['root', 'development'], // Specific accounts
        userNames: ['[email protected]'],
        permissionSetName: 'AdministratorAccess',
      },
    ],
  },
});
```

Defaults

The Defaults.iamIdentityCenterPermissionSets function creates two permission sets:

  • AdministratorAccess: Using the AWS managed policy AdministratorAccess
  • ReadOnlyAccess: Using the AWS managed policy ReadOnlyAccess

Restricting a permission set to specific accounts

By default, a permission set defined in permissionSets can be referenced by any access group and assigned to any account. To pin a permission set to a specific set of accounts (and fail synth if anyone tries to assign it elsewhere), set allowedAccountNames:

```ts
permissionSets: [
  {
    name: 'FinOpsQuickSightConsole',
    managedPolicyArns: ['arn:aws:iam::aws:policy/ReadOnlyAccess'],
    // Synth fails if any access group resolves this permission set to an
    // account outside this list; wildcard expansion is checked too.
    allowedAccountNames: ['finOps'],
  },
],
```

The check runs after wildcard expansion, so accountNames: ['*'] against a restricted permission set also fails. This is useful for any permission set tied to account-specific resources (a single-tenant data plane, a billing account, and so on), where assigning it elsewhere would be either a no-op or a foot-gun.
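To make the rule concrete, the following added example (not the aws-data-landing-zone implementation) performs the same synth-time validation: it expands each access group's accountNames against the known account list and reports every resolved account that falls outside a permission set's allowedAccountNames. The '*' glob semantics and all configuration values are assumptions of the example.

```typescript
// Added example, not the aws-data-landing-zone implementation: a synth-time
// check mirroring the allowedAccountNames rule. Wildcards in accountNames are
// expanded first ('*' glob matching is an assumption), then each account is checked.
interface PermissionSetConfig { name: string; allowedAccountNames?: string[] } // undefined = any account
interface AccessGroupConfig { name: string; accountNames: string[]; permissionSetName: string }

// Turn a glob such as '*' or 'project-1-*' into an anchored RegExp.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Expand a group's accountNames patterns to concrete, sorted account names.
function resolveAccountNames(patterns: string[], allAccounts: string[]): string[] {
  const matched = new Set<string>();
  for (const pattern of patterns) {
    const re = globToRegExp(pattern);
    allAccounts.filter((a) => re.test(a)).forEach((a) => matched.add(a));
  }
  return Array.from(matched).sort();
}

// Return one message per violation; an empty array means the config is valid.
function findRestrictedAssignments(
  accessGroups: AccessGroupConfig[],
  permissionSets: PermissionSetConfig[],
  allAccounts: string[],
): string[] {
  const byName = new Map(permissionSets.map((ps) => [ps.name, ps] as const));
  const violations: string[] = [];
  for (const group of accessGroups) {
    const ps = byName.get(group.permissionSetName);
    if (!ps) throw new Error(`${group.name}: unknown permission set ${group.permissionSetName}`);
    if (!ps.allowedAccountNames) continue; // unrestricted permission set
    const allowed = new Set(ps.allowedAccountNames);
    for (const account of resolveAccountNames(group.accountNames, allAccounts)) {
      if (!allowed.has(account)) {
        violations.push(`${group.name}: ${ps.name} may not be assigned to ${account}`);
      }
    }
  }
  return violations;
}

// Constructed sample: the restricted set from above, assigned through the '*' wildcard.
const SAMPLE_ACCOUNTS = ['root', 'log', 'audit', 'finOps', 'project-1-dev', 'project-1-prod'];
const SAMPLE_SETS: PermissionSetConfig[] = [{ name: 'AdministratorAccess' }, { name: 'FinOpsQuickSightConsole', allowedAccountNames: ['finOps'] }];
const SAMPLE_GROUPS: AccessGroupConfig[] = [{ name: 'admin-access-group', accountNames: ['*'], permissionSetName: 'FinOpsQuickSightConsole' }];
function demo(): string[] { return findRestrictedAssignments(SAMPLE_GROUPS, SAMPLE_SETS, SAMPLE_ACCOUNTS); }
```

Running demo() yields five violations, one for every account except finOps, which is exactly the case the synth-time check is meant to catch.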

Exported SSM parameters

When iamIdentityCenter is configured, DLZ writes the instance identity plus one parameter per group and permission set to SSM, in the management account, in regions.global, under /dlz/identity-center/. Downstream stacks and external automation read these instead of threading IDs through configuration or paging sso-admin/identitystore APIs.

See Integration → Exported SSM Parameters → IAM Identity Center for the canonical list and the IAM scopes required to read it across accounts. The manifest parameters (group-names, permission-set-names) are skipped when no groups or permission sets are configured; everything else is always written.

The following loop enumerates every group name together with its GroupId; it works in bash, zsh, and POSIX sh:

```sh
export REGION=eu-west-1 # whatever regions.global resolves to
aws ssm get-parameter --region "$REGION" \
  --name /dlz/identity-center/group-names \
  --query Parameter.Value --output text | tr ',' '\n' | \
while IFS= read -r NAME; do
  [ -z "$NAME" ] && continue
  ID=$(aws ssm get-parameter --region "$REGION" \
    --name "/dlz/identity-center/groups/$NAME/id" \
    --query Parameter.Value --output text 2>/dev/null) \
    || ID="(missing)"
  printf '%s\t%s\n' "$NAME" "$ID"
done
```

tr ',' '\n' splits the comma-separated StringList into one name per line, and while IFS= read -r NAME iterates them safely regardless of shell or special characters in the name. 2>/dev/null || ID="(missing)" keeps the loop going if a single lookup fails, so you can spot which specific name (if any) has a problem.

These values feed directly into other DLZ docs that wire up Identity Center groups — e.g. the QuickSight setup step that maps Identity Center groups to QuickSight roles.

API References