Replace Legacy IAM Users with AWS IAM Identity Center in 3 Simple Steps
This guide explains how to replace traditional IAM users with AWS IAM Identity Center by defining permission sets, assigning them to groups and AWS accounts, and enabling users to log in via the SSO portal for seamless, secure access across multiple accounts.
Core Concept: Decouple Users and Permissions
Traditional IAM binds a long-lived principal (an IAM user with a password and, usually, static access keys) directly to policies in one account. IAM Identity Center introduces Permission Sets and Assignments to separate identity from permissions: the user authenticates once at the access portal, and every AWS account they touch is entered by assuming a role that Identity Center provisions there, with short-lived STS credentials instead of static keys.
Process Overview
Users & Groups – Define who the person is. Example user dave belongs to group dev.
Permission Sets – Define what can be done. These act as role blueprints, e.g., DatabaseAdmin, DeveloperReadOnly, EC2FullAccess.
Assignments – Bind a user/group, a permission set, and a target AWS account.
Step‑by‑Step Guide
Step 1 – Create a Permission Set
In the IAM Identity Center console, navigate to “Permission sets” and click “Create permission set”. Choose one of three options:
Use AWS managed policies – e.g., AdministratorAccess or PowerUserAccess.
Copy an existing permission set – duplicate and tweak a template.
Custom permission set – write inline JSON policies or attach multiple managed/custom policies.
Example: create a permission set named DeveloperAccess and attach AmazonEC2FullAccess and AmazonS3ReadOnlyAccess. Treat this as a starting point rather than a final answer: AmazonEC2FullAccess is far broader than most developers need, so a production permission set is better served by a customer managed or inline policy scoped to the resources, tags or regions the team actually uses. A permission set can also carry a permissions boundary, and it has a session duration (default one hour) that bounds how long each set of credentials lives.
Step 2 – Assign the Permission Set to an AWS Account
Open “AWS accounts” in the left navigation to list all accounts in the organization.
Select the target account(s) (e.g., dev-account) for the dev group.
Click “Assign users or groups”.
Choose the dev group and proceed.
Check the newly created DeveloperAccess permission set and continue.
Review the assignment and click “Submit”.
When submitted, IAM Identity Center automatically creates an IAM role named AWSReservedSSO_DeveloperAccess_xxxxxxxx (the suffix is an opaque identifier chosen by the service) in the target account, attaches the permission set's policies to it, and gives it a trust policy that allows the SAML identity provider Identity Center registered in that account to assume it. Do not edit or delete these reserved roles by hand: they are owned by Identity Center and are reconciled from the permission set, so changes belong in the permission set, not in the target account's IAM console.
Step 3 – User Login and Use the Permissions
User dave can now log in via the organization's AWS access portal (e.g., d-xxxxxxxxxx.awsapps.com/start) with his username, his password and whatever MFA the identity source enforces. After authentication, he sees a card for dev-account. Selecting the DeveloperAccess role lets him open the AWS console or obtain temporary CLI/API credentials without re-entering a password; for the CLI this is done once with aws configure sso and thereafter with aws sso login, which refreshes the short-lived credentials when they expire.
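To make the three steps concrete, here is an added example (not code from the original page or from AWS) that models the objects the guide walks through: groups, permission sets and assignments, resolved into what a given user can reach in which account, as the access portal would show it. It also adds two checks a practitioner wants when auditing this setup: a linter that flags permission sets granting AdministratorAccess or an inline Allow */* statement, and a parser for the AWSReservedSSO_* role name that recovers the permission set behind a CloudTrail role session. The users erin and mallory, the group platform-admins, the account IDs, and the AdminAccess and BreakGlass permission sets are constructed for the example; only dave, dev, DeveloperAccess and its two managed policies come from the page.

```python
"""Model of IAM Identity Center access: who -> what -> where (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PermissionSet:
    """A role blueprint: AWS managed policy names plus an optional inline policy."""
    name: str
    managed_policies: tuple = ()
    inline_policy: Optional[dict] = None

@dataclass(frozen=True)
class Assignment:
    """Binds a principal (USER or GROUP), a permission set and one target account."""
    principal_type: str
    principal: str
    permission_set: str
    account_id: str

class IdentityCenterModel:
    def __init__(self) -> None:
        self.group_members: dict = {}      # group name -> set of user names
        self.permission_sets: dict = {}    # permission set name -> PermissionSet
        self.assignments: list = []

    def add_permission_set(self, ps: PermissionSet) -> None:
        self.permission_sets[ps.name] = ps

    def add_user_to_group(self, user: str, group: str) -> None:
        self.group_members.setdefault(group, set()).add(user)

    def assign(self, principal_type: str, principal: str, permission_set: str, account_id: str) -> None:
        if permission_set not in self.permission_sets:
            raise KeyError(f"unknown permission set {permission_set}")
        self.assignments.append(Assignment(principal_type, principal, permission_set, account_id))

    def groups_of(self, user: str) -> set:
        return {g for g, members in self.group_members.items() if user in members}

    def effective_access(self, user: str) -> dict:
        """account_id -> set of permission-set names the user can assume there."""
        groups = self.groups_of(user)
        access: dict = {}
        for a in self.assignments:
            direct = a.principal_type == "USER" and a.principal == user
            via_group = a.principal_type == "GROUP" and a.principal in groups
            if direct or via_group:
                access.setdefault(a.account_id, set()).add(a.permission_set)
        return access

    def portal_cards(self, user: str) -> list:
        """What the access portal shows: one (account, role) row per permission set."""
        return sorted((acct, ps) for acct, sets in self.effective_access(user).items() for ps in sets)

    def overbroad_permission_sets(self) -> list:
        """Flag sets that attach AdministratorAccess or allow Action * on Resource * inline."""
        flagged = []
        for ps in self.permission_sets.values():
            if "AdministratorAccess" in ps.managed_policies:
                flagged.append(ps.name)
                continue
            for stmt in (ps.inline_policy or {}).get("Statement", []):
                actions = stmt.get("Action", [])
                resources = stmt.get("Resource", [])
                actions = [actions] if isinstance(actions, str) else actions
                resources = [resources] if isinstance(resources, str) else resources
                if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                    flagged.append(ps.name)
                    break
        return flagged

# Role names provisioned by Identity Center look like AWSReservedSSO_<set>_<hex suffix>.
_RESERVED_ROLE = re.compile(r"^AWSReservedSSO_(?P<ps>.+)_[0-9a-f]+$")

def permission_set_from_role_name(role_name: str) -> Optional[str]:
    """Recover the permission set name from a reserved SSO role name, or None."""
    m = _RESERVED_ROLE.match(role_name)
    return m.group("ps") if m else None

def build_example() -> IdentityCenterModel:
    """Constructed tenant: dev-account 111111111111, prod-account 222222222222."""
    m = IdentityCenterModel()
    m.add_permission_set(PermissionSet("DeveloperAccess", ("AmazonEC2FullAccess", "AmazonS3ReadOnlyAccess")))
    m.add_permission_set(PermissionSet("AdminAccess", ("AdministratorAccess",)))
    m.add_permission_set(PermissionSet("BreakGlass", (), {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}))
    m.add_user_to_group("dave", "dev")
    m.add_user_to_group("alice", "platform-admins")
    m.assign("GROUP", "dev", "DeveloperAccess", "111111111111")
    m.assign("GROUP", "platform-admins", "AdminAccess", "111111111111")
    m.assign("GROUP", "platform-admins", "AdminAccess", "222222222222")
    return m

if __name__ == "__main__":
    model = build_example()
    print("dave sees:", model.portal_cards("dave"))
    print("overbroad:", model.overbroad_permission_sets())
```

Adding a new developer is then `add_user_to_group("erin", "dev")` and nothing else; `effective_access("erin")` immediately matches dave's, which is the property the guide's conclusion relies on. The same model answers the offboarding question in reverse: removing a user from dev removes every account reached through that group, which is why group-based assignments are preferable to per-user ones.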
Conclusion
By defining permission blueprints (Permission Sets) and assigning them to groups and accounts, you stop managing policies user by user in each account. Adding a new developer is as simple as adding them to the dev group, which automatically grants every account and permission set already assigned to that group, and removing them from the group revokes it just as cleanly. The result is multi-account permission management that is more secure (no static IAM user keys), more efficient, and easier to audit, since every role session in CloudTrail carries the permission set name in its AWSReservedSSO_* role.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Ops Development & AI Practice
DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.