I'm looking for insights into when to use IAM versus IAM Identity Center, especially within a developer team context. I've heard that for each developer, accounts should be set up in IAM Identity Center, and roles are managed there. Does this mean that in traditional IAM, it's just the root user and maybe an IAM admin overseeing the Identity Center? How do we decide where to assign AWS users? Also, should IAM Identity Center only be for human users? Are traditional roles for apps, Lambdas, etc., strictly within IAM, or can Identity Center apply there too?
5 Answers
You're spot on! IAM Identity Center is all about managing human access and works well with external identity providers like Okta or Microsoft Entra ID. IAM should be your go-to for service access and truly critical operations. Just remember to avoid using your root account regularly; it’s best to have a delegated admin for that.
Just to clarify, IAM is your generic permissions tool while IAM Identity Center is more geared towards user permissions. They serve different purposes, so it’s key not to mix them up even if their names sound similar!
Also, IAM Identity Center simplifies the permissions management across all accounts by allowing you to set up permission sets centrally, which is a huge plus! It reduces the hassle of configuring each account individually.
In terms of security features, IAM Identity Center brings in SSO functionality, which is such a big deal for improving security compared to traditional IAM setups. Also, if you have an existing identity provider, take full advantage of what IAM Identity Center offers!
For user accounts, you definitely want to use IAM Identity Center. It's optimized for human access. However, for service accounts or 'machine accounts', go with IAM. This separation helps maintain better access management.
Totally agree! And just to emphasize, never create IAM users for machine accounts; always use roles instead.
Absolutely, and don’t forget to set up MFA on your root account, but be cautious about having the correct contact number to retrieve it!
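The advice in the answers above (people in IAM Identity Center, roles rather than IAM users for workloads, MFA and no keys on root) can be turned into a check that runs over the IAM credential report. The script below is an added example and is not code from any of the answers or from AWS; the credential report rows it parses are constructed sample data with a fake account ID, the rule names are this example's own, and the `fetch_credential_report` helper is only there to show how a real report would be pulled with boto3 (it is not called, so the block runs offline).

```python
"""Audit an IAM credential report for identities that belong elsewhere.

Added example for this thread. It encodes the thread's rules as findings:
  * an IAM user with a console password is a human who should be in
    IAM Identity Center instead;
  * an IAM user with active access keys is a workload credential that
    should be replaced by an IAM role;
  * the root user must have MFA enabled and must hold no access keys.
The input format is the CSV returned by `aws iam get-credential-report`
(root appears as the `<root_account>` row). The sample below is constructed.
"""
import csv
import io
from dataclasses import dataclass

ROOT = "<root_account>"

# Constructed sample report: root with keys and no MFA, one human with a
# console password, one CI user running on a long-lived access key.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,2024-05-02T07:30:00+00:00,eu-west-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str   # example's own rule names, see audit_credential_report
    detail: str


def _is_true(value: str) -> bool:
    # The report uses "true"/"false"/"not_supported"/"N/A"; only "true" counts.
    return value.strip().lower() == "true"


def audit_credential_report(report_csv: str) -> list[Finding]:
    """Return one Finding per rule violated by each row of the report."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        active_keys = [n for n in (1, 2) if _is_true(row[f"access_key_{n}_active"])]

        if name == ROOT:
            if not _is_true(row["mfa_active"]):
                findings.append(Finding(name, "root-no-mfa",
                                        "root user has no MFA device enabled"))
            if active_keys:
                findings.append(Finding(name, "root-access-key",
                                        f"root holds active access key(s) {active_keys}; delete them"))
            continue  # root has no password_enabled field worth checking

        if _is_true(row["password_enabled"]):
            findings.append(Finding(name, "human-on-iam",
                                    "console password on an IAM user; move this person to IAM Identity Center"))
        if active_keys:
            last_service = row["access_key_1_last_used_service"]
            findings.append(Finding(name, "machine-on-iam-user",
                                    f"long-lived access key(s) {active_keys} last used by {last_service}; "
                                    "replace with an IAM role assumed by the workload"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick dashboard line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def fetch_credential_report(iam_client) -> str:
    """Pull a fresh report with boto3 (real AWS call; not used by the sample run).

    `iam_client` is assumed to be `boto3.client("iam")`. generate_credential_report
    must be polled until its State is COMPLETE before get_credential_report succeeds.
    """
    import time
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"{f.user:16} {f.rule:22} {f.detail}")
    print(summarize(audit_credential_report(SAMPLE_REPORT)))
```

Run against a real report, the `human-on-iam` rows are the people to migrate to Identity Center permission sets, the `machine-on-iam-user` rows are the workloads that need an IAM role (Lambda execution role, instance profile, or an OIDC-federated role for CI), and any `root-*` row is a fix-today item.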