Matt Karmazyn

# Enable AWS IAM Identity Center (AWS SSO)

Set up centralized user access across all accounts:

Enable IAM Identity Center (must be done via Console):

  1. Go to IAM Identity Center in AWS Console
  2. Click "Enable"
  3. Choose "Enable with AWS Organizations"

Create Permission Sets:

Via AWS Console:

  1. Go to IAM Identity Center → Permission sets
  2. Create the following permission sets:

Administrator Access:

Developer Access:

ReadOnly Access:

Assign Users to Accounts:

  1. Go to IAM Identity Center → AWS accounts
  2. Select an account
  3. Assign users or groups
  4. Select permission set

Example Assignment:
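The Console steps above pick an account, a user or group, and a permission set, one assignment at a time. The following added example (mine, not the post's own assignment example) shows the same assignments expressed as a declared plan, diffed against what Identity Center currently reports so that drift such as a group holding a broader permission set in production than intended is caught, and rendered as the equivalent `aws sso-admin` commands for review. The instance ARN, permission-set ARNs, group and user IDs, and both the desired and current state are constructed placeholders; real values come from `aws sso-admin list-instances`, `list-permission-sets` and `list-account-assignments`.

```python
"""Reconcile IAM Identity Center account assignments against a declared plan.

Added example, not from the original post. Every identifier below is a
constructed placeholder.
"""

# Placeholders for values you would read from the Identity Center instance.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
PERMISSION_SET_ARNS = {
    "AdministratorAccess": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-admin-PLACEHOLDER",
    "DeveloperAccess": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-dev-PLACEHOLDER",
    "ReadOnlyAccess": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-ro-PLACEHOLDER",
}

# Desired state (constructed): account -> {(principal_type, principal_id): permission set}.
# Developers get DeveloperAccess in dev but only ReadOnlyAccess in prod.
DESIRED = {
    "111111111111": {
        ("GROUP", "g-admins-PLACEHOLDER"): "AdministratorAccess",
        ("GROUP", "g-devs-PLACEHOLDER"): "DeveloperAccess",
    },
    "222222222222": {
        ("GROUP", "g-admins-PLACEHOLDER"): "AdministratorAccess",
        ("GROUP", "g-devs-PLACEHOLDER"): "ReadOnlyAccess",
    },
}

# Current state (constructed) as tuples (account, principal_type, principal_id, permission set),
# the fields `aws sso-admin list-account-assignments` reports per assignment.
CURRENT = {
    ("111111111111", "GROUP", "g-admins-PLACEHOLDER", "AdministratorAccess"),
    ("111111111111", "GROUP", "g-devs-PLACEHOLDER", "DeveloperAccess"),
    ("222222222222", "GROUP", "g-admins-PLACEHOLDER", "AdministratorAccess"),
    ("222222222222", "GROUP", "g-devs-PLACEHOLDER", "AdministratorAccess"),  # drift: devs are admins in prod
    ("222222222222", "USER", "u-contractor-PLACEHOLDER", "ReadOnlyAccess"),  # drift: not in the plan at all
}


def flatten_desired(desired):
    """Turn the nested plan into the same tuple shape as the current state."""
    return {
        (account, ptype, pid, pset)
        for account, members in desired.items()
        for (ptype, pid), pset in members.items()
    }


def diff_assignments(desired, current):
    """Return (to_add, to_remove): assignments missing from, or extra in, the current state."""
    want = flatten_desired(desired)
    return sorted(want - current), sorted(current - want)


def render_command(action, assignment):
    """Render one assignment as the create/delete-account-assignment CLI call."""
    account, ptype, pid, pset = assignment
    verb = {"create": "create-account-assignment", "delete": "delete-account-assignment"}[action]
    return (
        f"aws sso-admin {verb} --instance-arn {INSTANCE_ARN} "
        f"--target-type AWS_ACCOUNT --target-id {account} "
        f"--permission-set-arn {PERMISSION_SET_ARNS[pset]} "
        f"--principal-type {ptype} --principal-id {pid}"
    )


def plan(desired, current):
    """Commands that would bring the current state in line with the plan, creates first."""
    to_add, to_remove = diff_assignments(desired, current)
    return [render_command("create", a) for a in to_add] + [render_command("delete", a) for a in to_remove]


if __name__ == "__main__":
    for command in plan(DESIRED, CURRENT):
        print(command)
```

Run it as a read-only check first; only apply the rendered commands once the removals have been reviewed, since a deletion revokes someone's access immediately.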

# Set Up Cross-Account Access

The OrganizationAccountAccessRole was automatically created when you created each account. This role trusts the Management account, so administrators there can assume it in each member account.

Assume Role to Access Member Account:

```bash
# Get credentials for a member account
aws sts assume-role \
  --role-arn arn:aws:iam::111111111111:role/OrganizationAccountAccessRole \
  --role-session-name admin-session
```

Or configure AWS CLI profiles in `~/.aws/config` so the CLI assumes the role for you:

```ini
[profile dev-admin]
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-2

[profile prod-admin]
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-2
```

Then use the profile:

```bash
aws sts get-caller-identity --profile dev-admin
```
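A profile that chains into the wrong account, or whose `source_profile` does not exist, fails in ways that are easy to misread, so it is worth checking the config and the identity it resolves to before relying on it. The following added example (mine, not code from the post) parses the `~/.aws/config` profiles above with the standard `configparser`, flags role ARNs that point outside a list of known Organization accounts and broken `source_profile` chains, and checks a `get-caller-identity` result against the profile: STS reports an assumed role as `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`, so the Account and the Arn prefix must match the profile's `role_arn`. The config text, the known-account list and the identity JSON are constructed inline; a `stray` profile is added to show the findings.

```python
"""Audit AWS CLI role-chaining profiles and the identity they resolve to.

Added example, not from the original post. The config text, the known
account list and the get-caller-identity output are constructed samples.
"""
import configparser
import json
import re

# Constructed copy of the ~/.aws/config from the post, plus a deliberately broken profile.
SAMPLE_CONFIG = """\
[default]
region = us-east-2

[profile dev-admin]
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-2

[profile prod-admin]
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-2

[profile stray]
role_arn = arn:aws:iam::999999999999:role/OrganizationAccountAccessRole
source_profile = missing
"""

# Assumed: the member accounts that belong to our Organization.
KNOWN_ACCOUNTS = {"111111111111": "dev", "222222222222": "prod"}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_profiles(text):
    """Return {profile_name: {option: value}} from AWS CLI config text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        # Named profiles are written as "[profile NAME]"; only the default one is bare.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def audit_profiles(profiles, known_accounts=KNOWN_ACCOUNTS):
    """Return (profile, problem) findings for every profile that assumes a role."""
    findings = []
    for name, opts in profiles.items():
        arn = opts.get("role_arn")
        if arn is None:
            continue  # static-credential profile, no chaining to check
        match = ROLE_ARN_RE.match(arn)
        if not match:
            findings.append((name, f"malformed role_arn {arn!r}"))
            continue
        account = match.group(1)
        if account not in known_accounts:
            findings.append((name, f"role_arn targets account {account}, which is not in the Organization"))
        source = opts.get("source_profile")
        if source is None:
            findings.append((name, "no source_profile, so the CLI has no base credentials to assume with"))
        elif source not in profiles:
            findings.append((name, f"source_profile {source!r} is not defined"))
        elif source == name:
            findings.append((name, "source_profile refers to itself"))
    return findings


def expected_caller_arn_prefix(profile_opts):
    """Prefix the STS Arn must carry when this profile's role is assumed."""
    account, role = ROLE_ARN_RE.match(profile_opts["role_arn"]).groups()
    return f"arn:aws:sts::{account}:assumed-role/{role}/"


def check_caller_identity(profile_opts, identity_json):
    """True if get-caller-identity output matches the profile's account and role."""
    ident = json.loads(identity_json)
    account = ROLE_ARN_RE.match(profile_opts["role_arn"]).group(1)
    return ident.get("Account") == account and ident.get("Arn", "").startswith(
        expected_caller_arn_prefix(profile_opts)
    )


# Constructed sample of `aws sts get-caller-identity --profile dev-admin` output.
SAMPLE_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:admin-session",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/OrganizationAccountAccessRole/admin-session",
})

if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_CONFIG)
    for name, problem in audit_profiles(profiles):
        print(f"{name}: {problem}")
    print("dev-admin identity matches:", check_caller_identity(profiles["dev-admin"], SAMPLE_IDENTITY))
```

To run it against a real machine, replace `SAMPLE_CONFIG` with the contents of `~/.aws/config` and feed `check_caller_identity` the JSON printed by `aws sts get-caller-identity --profile <name>`; a mismatch there means the profile did not assume the role you think it did.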

What We Accomplished:

  - IAM Identity Center (SSO) enabled for centralized access management
  - Cross-account access configured with OrganizationAccountAccessRole

# Additional Resources
