AWS IAM Identity Center Setup Guide: Secure Console Access Without IAM Users

AWS IAM Identity Center Setup Guide: Secure Console Access Without IAM Users

Setting up a secure AWS environment is critical from day one. This guide walks you through configuring AWS IAM Identity Center (formerly AWS SSO) to enable secure, free console access without creating IAM users or using the root account for daily operations.

✨ Why Use IAM Identity Center?

• ❌ Avoids insecure IAM user passwords
• ✅ Built-in support for MFA and federated login
• ✅ Free to use for internal users
• ✅ Scalable, audit-friendly, and aligned with AWS best practices

✅ Prerequisites

• Access to the AWS root account (used once only)
• MFA enabled on the root account (strongly recommended)
• AWS Management Console access

🔧 Step 1: Enable IAM Identity Center

1. Go to the IAM Identity Center service in the AWS Console
2. Click Enable
3. Keep the default identity source (Identity Center directory) unless integrating with an external IdP
4. Confirm identity source when prompted

📅 Step 2: Create an Admin User

1. Navigate to IAM Identity Center → Users
2. Click Add user
3. Enter:

• Name: Admin
• Email: your desired admin email (can be same as the AWS account email)
  1. Leave groups blank (optional)
  2. Click Create user

The user will receive an email invitation to set a password.

📄 Step 3: Create a Permission Set

1. Go to IAM Identity Center → Permission sets
2. Click Create permission set
3. Choose AWS managed policy
4. Select AdministratorAccess
5. Leave other settings default and create the set

🏦 Step 4: Assign the User to Your AWS Account

1. Go to IAM Identity Center → AWS accounts
2. Select your AWS account by checking the box
3. Click Assign users or groups
4. Choose the admin user created earlier
5. Select the AdministratorAccess permission set
6. Click Submit

🌐 Step 5: Log In via Access Portal

1. Visit your IAM Identity Center user portal URL (found in Settings)

• Example: https://d-abc123.awsapps.com/start
  1. Log in using the email and password created in the email invite
  2. You should now see a tile for your AWS account
  3. Click Management Console to access the AWS Console as an administrator

⚡ Optional But Recommended

Enable MFA Globally

• Go to IAM Identity Center → Settings → Multi-factor authentication
• Require MFA for all users

Enable CloudTrail

• Go to CloudTrail and create a trail for management events
• Free tier covers this

Remove Root Access Keys (if any)

• Go to IAM → Users
• Delete any root access keys
• Store root password securely and use only for rare account-level actions

🚀 You’re Done

You now have:

• ✅ Secure, MFA-enabled AWS console access
• ✅ No IAM users with passwords
• ✅ Fully free-tier compliant setup
• ✅ Safe root account usage practices

This setup is suitable for personal, test, and even production AWS accounts.