SYSTEM Cited by 1 source
# AWS IAM Identity Center
## Definition
AWS IAM Identity Center (formerly AWS SSO) is the AWS service for centralised workforce identity management across an AWS Organization. It integrates with external IdPs (Okta, Azure AD, Google Workspace) and provides AWS access via federated single sign-on.
In cyber-resilience designs, IAM Identity Center plays two roles:
- MPA approver substrate — predefined approvers for Multi-party approval are configured via Identity Center.
- Session revocation — part of the Rebuild-Restore-Rotate framework's rotate leg; revoking active sessions during recovery ensures any active attacker sessions are terminated.
## Role 1: MPA approver substrate
Verbatim from the canonicalising source:
"Configure Multi-party approval for restore. MPA, configured through IAM Identity Center, requires a predefined set of approvers before a restore proceeds." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)
Approvers live in Identity Center (typically backed by an external IdP), not in account-local IAM. This means:
- Approver compromise requires IdP compromise, not just AWS account compromise.
- Approver list is centrally managed and cannot be modified by a compromised AWS account principal.
- Approver authentication uses the organisation's MFA / SSO policies, providing stronger guarantees than account-local IAM users.
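The approval-gating logic those three properties imply, as an added example (not code from the page's source or from AWS). It models a restore request that must collect a quorum of distinct approvals from a predefined approver set, where each approver is identified by an Identity Center user ID and each approval carries the IdP's MFA assertion. The approver IDs, the quorum of 2, the 4-hour approval lifetime and the sample approvals are all constructed placeholders, and the `mfa_verified` flag is an assumption about what the approval record carries; real MPA approval-team semantics may differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholders: Identity Center user IDs of the predefined
# approver set. In a real deployment these come from Identity Center,
# never from account-local IAM users.
APPROVERS = frozenset({"ic-user-alice", "ic-user-bob", "ic-user-carol", "ic-user-dan"})
QUORUM = 2                        # distinct approvals required before restore proceeds
APPROVAL_TTL = timedelta(hours=4)  # an approval older than this no longer counts


@dataclass(frozen=True)
class Approval:
    restore_request_id: str
    approver_id: str     # Identity Center user ID resolved through the IdP
    mfa_verified: bool   # assumption: the IdP asserted an MFA-backed session
    approved_at: datetime


def evaluate_restore_approval(request_id, approvals, now,
                              approvers=APPROVERS, quorum=QUORUM, ttl=APPROVAL_TTL):
    """Return (approved, counted_approver_ids, rejected).

    Only approvals that are for this request, from a predefined approver,
    MFA-backed, unexpired and not duplicated count toward the quorum.
    Every rejected approval is returned with its reason for the audit trail.
    """
    counted = set()
    rejected = []
    for a in approvals:
        if a.restore_request_id != request_id:
            rejected.append((a.approver_id, "approval is for a different request"))
        elif a.approver_id not in approvers:
            rejected.append((a.approver_id, "not in the predefined approver set"))
        elif not a.mfa_verified:
            rejected.append((a.approver_id, "no MFA assertion from the IdP"))
        elif a.approved_at > now:
            rejected.append((a.approver_id, "approval timestamp is in the future"))
        elif now - a.approved_at > ttl:
            rejected.append((a.approver_id, "approval expired"))
        elif a.approver_id in counted:
            rejected.append((a.approver_id, "duplicate approval from the same approver"))
        else:
            counted.add(a.approver_id)
    return len(counted) >= quorum, counted, rejected


# Constructed sample: one valid approval plus several that must be rejected.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_APPROVALS = [
    Approval("restore-0001", "ic-user-alice", True, NOW - timedelta(hours=1)),
    Approval("restore-0002", "ic-user-bob", True, NOW - timedelta(minutes=30)),   # wrong request
    Approval("restore-0001", "ic-user-bob", False, NOW - timedelta(minutes=20)),  # no MFA
    Approval("restore-0001", "ic-user-eve", True, NOW - timedelta(minutes=15)),   # not an approver
    Approval("restore-0001", "ic-user-alice", True, NOW - timedelta(minutes=10)), # duplicate
    Approval("restore-0001", "ic-user-carol", True, NOW - timedelta(hours=5)),    # expired
]
# The same request once a second distinct, MFA-backed approver signs off.
SAMPLE_APPROVALS_QUORUM = SAMPLE_APPROVALS + [
    Approval("restore-0001", "ic-user-dan", True, NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    for label, approvals in (("partial", SAMPLE_APPROVALS), ("quorum", SAMPLE_APPROVALS_QUORUM)):
        ok, counted, rejected = evaluate_restore_approval("restore-0001", approvals, NOW)
        print(f"{label}: approved={ok} counted={sorted(counted)}")
        for who, why in rejected:
            print(f"  rejected {who}: {why}")
```

The first sample run rejects five of six approvals and leaves the request unapproved on a single valid approval; adding a second distinct approver reaches the quorum. The point of returning the rejections with reasons is that a restore that almost went ahead on a duplicate or non-MFA approval is itself a signal worth logging.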
## Role 2: Session revocation
Verbatim:
"AWS Secrets Manager rotation, IAM Identity Center session revocation, AWS Certificate Manager renewal, and workload-specific rotation hooks are components most customers already have in some form. The cyber recovery capability is the ability to invoke that rotation comprehensively and verify that nothing was missed."
Session revocation is part of the rotate-or-re-issue leg of Rebuild-Restore-Rotate:
- Active SSO sessions (web console, CLI access via SSO) are terminated.
- Forces re-authentication, which ensures any attacker-held active session is dead.
- Composes with credential rotation in Secrets Manager / KMS — both active sessions and stored secrets are replaced.
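The quoted source makes the recovery capability "the ability to invoke that rotation comprehensively and verify that nothing was missed". The verification half of that, as an added example that is not code from the page's source or from AWS: a coverage check over an inventory of rotatable items (Secrets Manager secrets, Identity Center SSO sessions, ACM certificates, workload-specific hooks) that flags anything whose last rotation or revocation does not post-date the start of the compromise window. The item kinds, identifiers and timestamps are constructed; in practice the inventory would be populated from each service's own listing APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Item kinds follow the components the source names in the rotate leg.
KINDS = ("secret", "sso_session", "certificate", "workload_hook")


@dataclass(frozen=True)
class RotatableItem:
    kind: str
    identifier: str
    last_rotated: Optional[datetime]  # None means never rotated / never revoked


def find_gaps(items, window_start, now):
    """Return (item, reason) for every item not rotated after the compromise window began.

    A rotation recorded before the window is treated as if the attacker
    could have captured the new value, so only rotations strictly after
    window_start count. A future timestamp is flagged rather than trusted.
    """
    gaps = []
    for item in items:
        if item.kind not in KINDS:
            gaps.append((item, "unknown item kind; not covered by any rotation hook"))
        elif item.last_rotated is None:
            gaps.append((item, "never rotated or revoked"))
        elif item.last_rotated > now:
            gaps.append((item, "rotation timestamp is in the future; record untrusted"))
        elif item.last_rotated <= window_start:
            gaps.append((item, "last rotation predates the compromise window"))
    return gaps


def coverage_report(items, window_start, now):
    """Summarise rotation coverage per kind; 'complete' is True only with zero gaps."""
    gaps = find_gaps(items, window_start, now)
    gap_ids = {(g.kind, g.identifier) for g, _ in gaps}
    by_kind = {k: {"total": 0, "rotated": 0} for k in KINDS}
    for item in items:
        if item.kind in by_kind:
            by_kind[item.kind]["total"] += 1
            if (item.kind, item.identifier) not in gap_ids:
                by_kind[item.kind]["rotated"] += 1
    return {
        "complete": not gaps,
        "gaps": [(g.kind, g.identifier, why) for g, why in gaps],
        "by_kind": by_kind,
    }


# Constructed sample inventory. Compromise window assumed to start 2026-05-18.
WINDOW_START = datetime(2026, 5, 18, 0, 0, tzinfo=timezone.utc)
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    RotatableItem("secret", "prod/db-primary", datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc)),
    RotatableItem("secret", "prod/payments-api-key", datetime(2026, 5, 10, 8, 0, tzinfo=timezone.utc)),
    RotatableItem("sso_session", "ic-user-alice", datetime(2026, 5, 20, 10, 0, tzinfo=timezone.utc)),
    RotatableItem("sso_session", "ic-user-breakglass", None),
    RotatableItem("certificate", "ingress-tls", datetime(2026, 5, 19, 14, 0, tzinfo=timezone.utc)),
    RotatableItem("workload_hook", "k8s-service-account-tokens", datetime(2026, 5, 20, 11, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_ITEMS, WINDOW_START, NOW)
    print("complete:", report["complete"])
    for kind, counts in report["by_kind"].items():
        print(f"  {kind}: {counts['rotated']}/{counts['total']} rotated")
    for kind, ident, why in report["gaps"]:
        print(f"  GAP {kind}/{ident}: {why}")
```

On the sample inventory the report is not complete: one secret was last rotated before the window and one SSO session was never revoked, so both active sessions and stored secrets show a gap even though the other four items were handled. Treating a pre-window rotation as a gap is the conservative choice the source's "verify that nothing was missed" calls for.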
## Architecture
Identity Center provides:
- Identity store — built-in user directory or external IdP integration.
- Permission sets — reusable IAM policy templates assigned to users/groups for AWS account access.
- AWS account access — federated console / CLI / API access via STS-issued temporary credentials.
- Application access — SSO into other applications (SaaS, custom) configured in Identity Center.
## Composition with cyber-resilience patterns
- patterns/mpa-gated-restore-authorization — Identity Center is the approver substrate.
- concepts/rebuild-restore-rotate-framework — Identity Center session revocation is part of the rotate leg.
- patterns/three-account-cyber-recovery-topology — Identity Center provides workforce access to the three accounts; permission sets configure who can do what in each.
## Generalisation beyond AWS
Equivalent identity-center services:
- Okta, Azure AD, Google Workspace — SaaS workforce IdPs that AWS Identity Center integrates with.
- Auth0 — IdP with workforce capabilities.
- On-prem — Active Directory + ADFS / Kerberos.
The structural property: centralised workforce identity with federated access to cloud accounts and applications.
## Seen in
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first wiki canonicalisation as a dedicated system page; named as MPA-approver-substrate; named as session-revocation-substrate in the Rebuild-Restore-Rotate framework.
## Related
- systems/aws-iam — sibling identity service (account-local IAM).
- systems/aws-multi-party-approval — uses Identity Center as approver substrate.
- concepts/cyber-resilience — the parent posture.
- concepts/rebuild-restore-rotate-framework — session revocation is part of the rotate leg.
- patterns/mpa-gated-restore-authorization — the canonical pattern.