What is an IAM Identity Center Delegated administrator account and how to configure it
Delegated administration provides a way for designated users in a member account to perform most IAM Identity Center administrative tasks.
AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users access to multiple AWS accounts and applications.
However, best practices for multi-account management recommend limiting who has access to the management account.
Even though your IAM Identity Center instance must permanently reside in the management account, you can delegate administration of IAM Identity Center to a member account in AWS Organizations, thereby extending the ability to manage IAM Identity Center from outside the management account.
Delegated administration provides a convenient way for designated users in a registered member account to perform most IAM Identity Center administrative tasks.
Enabling delegated administration provides the following benefits:
- Minimizes the number of people who require access to the management account to help mitigate security concerns and follow best practices.
- Allows select administrators to assign users and groups to applications and your organization's member accounts, freeing AWS Organizations administrators to focus on other activities.
Note 1: Recently, AWS launched a new feature that allows deployment of account instances of AWS IAM Identity Center. With this launch, you can now have two types of IAM Identity Center instances: organization instances and account instances. An organization instance is the IAM Identity Center instance that's enabled in the management account of your organization created with AWS Organizations. This instance is used to manage access to AWS accounts and applications across your entire organization. Organization instances are the best practice when deploying IAM Identity Center. The new account instances are only usable from within the account and AWS Region in which they were created. The delegated administrator concept does not apply to IAM Identity Center account instances.
Note 2: Other AWS Organizations-integrated services also allow delegated administrator accounts.
Enabling delegated administration in AWS IAM Identity Center
These are the steps to enable delegated administration:
- Ensure your AWS environment is set up correctly, including having an AWS Organizations setup and the necessary permissions.
- Choose a member account within your AWS Organizations to act as the delegated administrator.
- Use the AWS Management Console to register the chosen member account as the delegated administrator for IAM Identity Center.
- Configure roles and permissions for the delegated administrator account, adhering to the principle of least privilege.
- Verify the setup and test the delegated administrator's capabilities to ensure they align with your organization's requirements.
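The last step, verifying the setup, can be automated. The following is an added example (not from the original post) that lists the accounts registered as delegated administrator under the AWS Organizations service principal that IAM Identity Center uses (sso.amazonaws.com) and flags drift from the single member account you intended to register; it assumes a boto3 Organizations client with management-account credentials, and ships with a constructed stub so it runs offline.

```python
# Service principal under which IAM Identity Center registers its delegated
# administrator in AWS Organizations.
IDC_SERVICE_PRINCIPAL = "sso.amazonaws.com"


def list_idc_delegated_admins(org_client):
    """Return every account ID registered as IAM Identity Center delegated
    administrator, following NextToken pagination. org_client needs only the
    boto3 Organizations client's list_delegated_administrators method."""
    ids, token = [], None
    while True:
        kwargs = {"ServicePrincipal": IDC_SERVICE_PRINCIPAL}
        if token:
            kwargs["NextToken"] = token
        page = org_client.list_delegated_administrators(**kwargs)
        ids.extend(a["Id"] for a in page.get("DelegatedAdministrators", []))
        token = page.get("NextToken")
        if not token:
            return ids


def check_delegation(org_client, expected_account_id):
    """Return a list of findings (empty means the setup matches): the intended
    account missing, or extra accounts whose privileged users could also
    administer IAM Identity Center."""
    registered = list_idc_delegated_admins(org_client)
    findings = []
    if expected_account_id not in registered:
        findings.append(f"expected account {expected_account_id} is not registered")
    findings += [f"unexpected delegated administrator: {a}"
                 for a in registered if a != expected_account_id]
    return findings


class StubOrganizations:
    """Constructed stand-in for boto3.client('organizations'); replays canned pages."""
    def __init__(self, pages):
        self.pages = list(pages)

    def list_delegated_administrators(self, **kwargs):
        return self.pages.pop(0)


if __name__ == "__main__":
    # Constructed sample: two registered accounts across two pages. Against a
    # real organization, pass boto3.client("organizations") instead of the stub.
    stub = StubOrganizations([
        {"DelegatedAdministrators": [{"Id": "111111111111"}], "NextToken": "p2"},
        {"DelegatedAdministrators": [{"Id": "222222222222"}]},
    ])
    print(check_delegation(stub, "111111111111"))
```

After deregistering (see the last section), the same check run with the expected account should report it as not registered, which is the confirmation you want.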
Configuration Example
I have an AWS Organization. Its management account is called JCR MPA. A member account called JCR Security will be registered as the delegated administrator account.
Initially, the IAM Identity Center dashboard in account JCR Security does not allow the management of IAM Identity Center.
As IAM Identity Center has already been configured in the AWS Organization, I get a message stating so. I'm also given the option to configure an IAM Identity Center account instance, but that is not what I want.
To allow the JCR Security account to manage IAM Identity Center, I need to register it from the AWS Organization management account (in my case, the account called JCR MPA). In the Settings section, on the Management tab, no delegated administrator account is registered yet.
After clicking on the "Register account" button, I can now choose the JCR Security account as the delegated administrator:
Please notice the warning message:
This operation has security implications
This operation delegates IAM Identity Center administrative access to users in this member account. All users who have sufficient permissions to this delegated administrator account can perform all IAM Identity Center administrative tasks from the account, except for: deleting IAM Identity Center, registering other member accounts as delegated administrators, managing assignments to the management account, or managing permission sets provisioned in the management account.
The Management tab now shows the JCR Security account as the delegated administrator.
Back in the JCR Security account, the IAM Identity Center console is available.
You can now start managing IAM Identity Center from the delegated administrator account.
Deregistering the Delegated Administrator account
You can deregister the current delegated member account from the management account anytime. To achieve this, from the IAM Identity Center console, choose Settings and then select the Management tab. In the Delegated administrator section, choose "Deregister account" and confirm the deregistration.
This operation will remove the ability for all admin users to manage IAM Identity Center from that account. However, this action will not affect any permissions or assignments configured in IAM Identity Center and therefore will have no impact on your end users.