Hey everyone! I'm diving into a greenfield project that involves setting up Control Tower, Organizations, and Identity Center in our master account. We're also considering having individual accounts for each application and developer, and it got me thinking: with Identity Center now available, do we still need to use the traditional IAM in each account? If so, what are the key roles or policies that still matter? Looking forward to your insights!
2 Answers
IAM users are still needed for certain scenarios, like service accounts where applications don’t support role-based access. Though tools like 'Roles Anywhere' are helping to reduce these cases, many software applications still rely on access keys and secret pairs. So, it's best to use Identity Center for people and stick with IAM roles for services and apps.
Just to add, even though humans use Identity Center, they might still need IAM roles for specific access.
You actually don't need IAM users for accounts anymore, but you still need IAM policies and roles. Identity Center manages authentication, but for authorization—what users can do—you’ll still need IAM roles and policies. Don’t forget about accounting too, which is covered by CloudTrail!
Got it, thanks for clarifying the roles distinction!
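To make the split in the two answers concrete (Identity Center authenticates people, IAM roles and policies still decide what they and your services may do, CloudTrail records who did it), here is an added example that is not from this thread or from AWS. It takes a permission-set inline policy for a human developer and a trust policy for a Lambda execution role, checks both against a few least-privilege rules, and sorts constructed CloudTrail records by how the actor got in. The bucket name, account id, role names and log records are all made up; the only real convention relied on is that Identity Center provisions roles named `AWSReservedSSO_<permission set>_<suffix>` in each member account, which is what lets you tell a federated human apart from a workload role in the trail.

```python
import json

# Constructed sample: inline policy of an Identity Center permission set for a human
# developer. Authentication comes from Identity Center; authorization is still plain
# IAM policy language. The bucket name is a hypothetical placeholder.
DEVELOPER_PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-bucket",
                      "arn:aws:s3:::example-app-bucket/*"]},
        # Describe* actions genuinely need Resource "*"; the lint below allows that.
        {"Sid": "DescribeInstances", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed sample: trust policy of an IAM role assumed by a Lambda function.
# No human principal is involved, so this stays an IAM role, not an Identity Center user.
LAMBDA_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    return _as_list(policy.get("Statement"))


def is_read_only(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_PREFIXES)


def permission_findings(policy):
    """Return (Sid, problem) pairs for Allow statements broader than a
    per-application account usually needs."""
    findings = []
    for i, stmt in enumerate(statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        elif "*" in resources and not all(is_read_only(a) for a in actions):
            findings.append((sid, "mutating action on all resources"))
    return findings


def trusted_principals(trust_policy):
    """Who may assume the role, as (kind, principal) pairs such as
    ("Service", "lambda.amazonaws.com")."""
    out = set()
    for stmt in statements(trust_policy):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # shorthand for {"AWS": "*"}
            out.add(("AWS", "*"))
            continue
        for kind, values in principal.items():
            for v in _as_list(values):
                out.add((kind, v))
    return out


def trust_is_open(trust_policy):
    """True when any AWS principal at all may assume the role."""
    return ("AWS", "*") in trusted_principals(trust_policy)


# Constructed CloudTrail userIdentity fragments (not real log lines). Identity Center
# creates roles named AWSReservedSSO_<permission set>_<suffix> in member accounts, so
# the assumed-role ARN shows a human arrived through Identity Center.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "arn":
        "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_DeveloperAccess_0123456789abcdef/alice@example.com"}},
    {"eventName": "PutObject", "userIdentity": {"type": "AssumedRole", "arn":
        "arn:aws:sts::111122223333:assumed-role/app-lambda-role/app-function"}},
    {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "arn":
        "arn:aws:iam::111122223333:user/legacy-svc"}},
]


def classify_actor(event):
    ident = event["userIdentity"]
    arn = ident.get("arn", "")
    if ident.get("type") == "IAMUser":
        return "iam-user"  # the case the first answer says still exists
    if ident.get("type") == "AssumedRole" and "assumed-role/" in arn:
        role_name = arn.split("assumed-role/", 1)[1].split("/")[0]
        return "identity-center-human" if role_name.startswith("AWSReservedSSO_") else "iam-role"
    return "other"


def actor_summary(events):
    summary = {}
    for e in events:
        kind = classify_actor(e)
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    print(json.dumps(permission_findings(DEVELOPER_PERMISSION_SET_POLICY)))
    print(sorted(trusted_principals(LAMBDA_ROLE_TRUST_POLICY)))
    print(actor_summary(SAMPLE_EVENTS))
```

Running it prints no findings for the developer permission set, a single `lambda.amazonaws.com` trusted principal for the workload role, and one actor of each kind from the sample trail; the same functions applied to your real permission-set and role JSON give you a quick least-privilege check before the policies are attached, and a way to count how much activity still comes from IAM users that should eventually move to roles.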