Amazon Q Business - Identity Center Directory
When you first set up IAM Identity Center, it uses its own directory by default. But if your organization uses a different identity provider (like Microsoft Active Directory or Okta), you should connect that to IAM Identity Center instead.
Objective
In this tutorial, you'll use IAM Identity Center's default directory to manage users and groups. You'll set up and test user access, and users will sign in through the AWS access portal. This tutorial is for those new to AWS or already using IAM for user management. In the next steps, you will create the following:
- An administrative user named Nikki Wolf
- A group named Admin team
- A permission set named AdminAccess
Next, sign in and set a password for the admin user to make sure everything is set up correctly. After that, you can use this admin user to add more users, create permissions, and set up access to apps in IAM Identity Center.
Steps to configure user access with the default IAM Identity Center directory
The following are the step-by-step tasks to set up user access with the default IAM Identity Center directory.
Before you begin
First, sign in to the AWS Management Console in one of the following ways:
- New to AWS (root user): Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
- Already using AWS (IAM credentials): Sign in using your IAM credentials with administrative permissions.
Step 1: Add a user
Complete the following tasks to add a user:
- In the IAM Identity Center navigation pane, choose Users, then select Add user.
- On the Specify user details page, complete the following information:
- Username: Create a username that is easy to remember, like nikkiw.
- Password: Choose Send an email to this user with password setup instructions (Recommended).
- Email address: Enter the user's email address, then confirm it by entering it again. Remember, each user needs a unique email address.
- First name: Enter the first name for the user, like Nikki.
- Last name: Enter the last name for the user, like Wolf.
- Display name: Enter a display name for the user. By default, it's their first and last name, but you can change it. This name is visible in the sign-in portal and in the users list.
- Complete the optional information if desired. It isn't used during this tutorial, and you can change it later.
- Choose Next. The Add user to groups page appears. Rather than giving administrative permissions directly to Nikki, you'll create a group and assign the permissions to it. Choose Create group. A new browser tab opens to display the Create group page.
- Under Group details, in Group name enter a name for the group. We recommend a group name that identifies the role of the group, like Admin team.
- Choose Create group.
- Close the Groups browser tab to return to the Add user browser tab.
- In the Groups area, select the Refresh button. The Admin team group appears in the list. Select the checkbox next to Admin team, and then choose Next.
- On the Review and add user page, confirm the following:
- Primary information appears as you intended
- Groups shows the user added to the group you created
Choosing the email option sends an email from Amazon Web Services with setup instructions, so add no-reply@signin.aws and no-reply@login.awsapps.com to your approved senders list to make sure it is received.
If you want to make changes, choose Edit. When everything is correct, choose Add user. A message confirms that the user was added.
Next, you will add administrative permissions for the Admin team group so that Nikki has access to resources.
Step 2: Add administrative permissions
Complete the following tasks to add administrative permissions:
- In the IAM Identity Center navigation pane, choose Multi-account permissions, then choose AWS accounts.
- On the AWS accounts page, find your organization's structure. Select the check box next to your management account, then choose Assign users or groups.
- The Assign users and groups workflow appears. It consists of three steps:
  - For Step 1: Select users and groups, choose the Admin team group you created, then choose Next.
  - For Step 2: Select permission sets, choose Create permission set. A new browser tab opens with a separate three-step workflow for creating a permission set:
    - For Step 1: Select permission set type, complete the following:
      - In Permission set type, choose Predefined permission set.
      - In Policy for predefined permission set, choose AdministratorAccess. Choose Next.
    - For Step 2, keep the default settings and choose Next. This creates a permission set named AdministratorAccess with a 1-hour session duration. You can rename it if you want.
    - For Step 3, review the details, make sure the AdministratorAccess policy is selected, then choose Create. A notification confirms that the permission set was created, and you can close the tab.
  - Back on the Assign users and groups browser tab, you are still on Step 2: Select permission sets, from which you started the Create permission set workflow. In the Permission sets area, choose Refresh. The AdministratorAccess permission set you created appears in the list. Select its check box, then choose Next.
  - On the Step 3: Review and submit assignments page, check that the Admin team group and the AdministratorAccess permission set are selected, then choose Create.
- Wait for the configuration process to finish. You are taken back to the AWS accounts page with a notification that your account has been updated.
Congratulations!
You have successfully set up your first user, group, and permission set.
Next, you'll test Nikki's access by signing in to the AWS portal with their admin credentials and setting their password. Sign out of the console for now.
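The same user, group, permission set and account assignment as Steps 1 and 2, as an added example that is not part of the tutorial, done with the AWS CLI v2. It assumes the CLI is installed, that you run it under credentials that already administer IAM Identity Center, and that `provision_admin` (a name chosen here) receives the management account ID and Nikki's email address as its two arguments.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: the console steps above done with the
# AWS CLI v2 (assumed installed, under credentials that already administer
# IAM Identity Center). Names and the 1-hour session come from the tutorial.
set -eu
# Instance ARN and identity store ID of the Identity Center instance, tab-separated.
lookup_instance() {
  aws sso-admin list-instances --query 'Instances[0].[InstanceArn,IdentityStoreId]' --output text
}
# Step 1: create the user and the group, then put the user in the group.
create_user() { # identity-store-id username given-name family-name email
  aws identitystore create-user --identity-store-id "$1" --user-name "$2" \
    --display-name "$3 $4" --name "GivenName=$3,FamilyName=$4" \
    --emails "Value=$5,Type=work,Primary=true" --query UserId --output text
}
create_group() { # identity-store-id group-name
  aws identitystore create-group --identity-store-id "$1" --display-name "$2" --query GroupId --output text
}
add_member() { # identity-store-id group-id user-id
  aws identitystore create-group-membership --identity-store-id "$1" --group-id "$2" --member-id "UserId=$3" >/dev/null
}
# Step 2: predefined permission set on the AWS managed AdministratorAccess policy
# with a 1-hour session, assigned to the GROUP (not the user) on the account.
create_admin_permission_set() { # instance-arn
  local ps_arn
  ps_arn=$(aws sso-admin create-permission-set --instance-arn "$1" \
    --name AdministratorAccess --session-duration PT1H \
    --query PermissionSet.PermissionSetArn --output text)
  aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$1" \
    --permission-set-arn "$ps_arn" \
    --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  echo "$ps_arn"
}
assign_group() { # instance-arn account-id permission-set-arn group-id
  aws sso-admin create-account-assignment --instance-arn "$1" --target-id "$2" \
    --target-type AWS_ACCOUNT --permission-set-arn "$3" \
    --principal-type GROUP --principal-id "$4" >/dev/null
}
# Whole procedure for one account; prints the permission-set ARN that was assigned.
provision_admin() { # account-id email
  local inst store uid gid ps
  inst=$(lookup_instance | cut -f1); store=$(lookup_instance | cut -f2)
  uid=$(create_user "$store" nikkiw Nikki Wolf "$2")
  gid=$(create_group "$store" "Admin team")
  add_member "$store" "$gid" "$uid"
  ps=$(create_admin_permission_set "$inst")
  assign_group "$inst" "$1" "$ps" "$gid"
  echo "$ps"
}
if [ "$#" -eq 2 ]; then provision_admin "$1" "$2"; fi
```

Creating the user through the API does not send the password-setup email described in Step 1, so that invitation still has to be sent from the console before Nikki can sign in.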
Step 3: Test user access
Now that Nikki is a user in your organization, they can access allowed resources. Let's verify this by signing in as Nikki and setting up their password. Open the email with password setup instructions sent to Nikki and follow the steps.
- In the email, select the Accept invitation link to accept the invitation. You are taken to the New user sign up page, where you set Nikki's password.
- After setting the password, you are taken to the Sign in page. Enter nikkiw and choose Next, then enter the password and choose Sign in.
- The AWS access portal opens, showing your organization and applications. Choose your organization to see the list of AWS accounts, then choose an account to view the roles you can use to access its resources. Each permission set offers two ways to use it, Role or Access keys:
  - Role, for example AdministratorAccess: opens the AWS Console Home.
  - Access keys: credentials for use with the AWS CLI or SDKs, either short-term credentials that refresh automatically or short-term access keys.
- Choose the Role link to sign in to the AWS Console Home.
Note
The email also includes Nikki's user name and the AWS access portal URL that they will use to sign in to the organization. Record this information for future use.
You're now signed in and on the AWS Console Home page. Check the console to make sure you have the access you need.
Next steps
Now that you've created an administrative user in IAM Identity Center, you can:
- Assign applications
- Add other users
- Assign users to accounts
- Configure additional permission sets
Note
You can give a user multiple permission sets. To keep things secure, create a permission set with limited access and assign it to your admin user. This way, you can access your AWS account with only the permissions you need.
After users accept the invitation and sign in, they'll only see the AWS accounts, roles, and apps they have access to.
Important
We strongly recommend that you enable multi-factor authentication (MFA) for your users. For more information, see Multi-factor authentication for Identity Center users.