Everyone has individual IAM users with their own password
Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
Try this first
- 1Enable IAM Identity Center on the org account
- 2Connect to Entra ID, Google Workspace or the built-in directory
- 3Create permission-sets per role (Developer, ReadOnly, Billing) and assign per account
- 4Remove old IAM users once everyone is on SSO
When to bring us in
If you run multiple AWS accounts, AWS Organizations plus Identity Center is practically mandatory.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Not all IAM users have MFAWithout MFA, a leaked password equals account takeover. Force it via policy.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.