IAM Identity Center¶
Managed from: Management account (org root)
Instance ID: ssoins-6684d7d75963e13d
Identity Store ID: d-9a6756bdcb
Primary Region: us-east-2 (US East — Ohio)
Access portal: https://d-9a6756bdcb.awsapps.com/start
Identity source: Microsoft Entra ID (SAML 2.0)
Overview¶
IAM Identity Center is the single source of truth for all human access across the three AWS accounts. No individual IAM users exist in NVS or NHC member accounts — all access is via Identity Center SSO using Microsoft 365 credentials.
Architecture¶
```text
Microsoft Entra ID (Nova Virtual Solutions Inc tenant)
│
└── SAML 2.0 → IAM Identity Center (Management account, us-east-2)
    │
    ├── Groups
    │   ├── DevOps-Admins    → full admin on NVS + NHC; billing on management
    │   └── DevOps-ReadOnly  → read-only across all accounts (auditing)
    │
    ├── Permission Sets
    │   ├── AdministratorAccess (8h session)
    │   ├── Billing (4h session)
    │   └── ReadOnlyAccess (4h session)
    │
    └── Account Assignments
        ├── Nova AWS Billing (508537815198)       → DevOps-Admins (Billing)
        ├── Nova Virtual Solutions (234828143517) → DevOps-Admins (AdministratorAccess)
        │                                         → DevOps-ReadOnly (ReadOnlyAccess)
        └── Nova Home Care (794248400165)         → DevOps-Admins (AdministratorAccess)
                                                  → DevOps-ReadOnly (ReadOnlyAccess)
```
Access Rules¶
| Account | Group | Permission |
|---|---|---|
| Nova AWS Billing (management) | DevOps-Admins | Billing only — no workload access |
| Nova Virtual Solutions (NVS) | DevOps-Admins | Full admin |
| Nova Home Care (NHC) | DevOps-Admins | Full admin |
| All | DevOps-ReadOnly | Read-only (future auditors) |
Identity Provider Setup¶
Identity source is Microsoft Entra ID via SAML 2.0 (SAML-only, no SCIM).
| Field | Value |
|---|---|
| Entra ID Enterprise App | AWS IAM Identity Center (successor to AWS Single Sign-On) |
| Entity ID (SP) | https://us-east-2.signin.aws.amazon.com/platform/saml/d-9a6756bdcb |
| ACS URL | https://us-east-2.signin.aws/platform/saml/acs/434d482de5ceced7-edba-430e-9c2e-84b6805289b7 |
| IdP sign-in URL | https://login.microsoftonline.com/b593f382-5cdb-419d-b430-4d279dd160ef/saml2 |
SAML-only (no SCIM): MS365 Business Basic does not include Entra ID P1, which automatic (SCIM) provisioning requires. Users must therefore be created manually in both places: assigned to the enterprise app in Entra ID, and given a user record in Identity Center. Identity Center matches the incoming SAML NameID against its own username, and the enterprise app sends the Microsoft UPN as NameID by default, so the Identity Center username must exactly match the UPN (e.g. paoloumali@novavirtualsolutions.com); a mismatch means the user authenticates at Microsoft but is rejected at AWS. SCIM can be enabled later if the plan is upgraded to Business Premium.
Console Access¶
All access goes through the SSO portal using Microsoft 365 credentials:
https://d-9a6756bdcb.awsapps.com/start
Root account login is not affected by Identity Center and remains available as a break-glass mechanism. Because it bypasses Entra ID entirely, it is protected only by the root password and root MFA (see Root Account Policy below).
MFA¶
MFA is enforced by Microsoft Entra ID, not by Identity Center: once the identity source is an external IdP, Identity Center's own MFA settings no longer apply and it accepts whatever the SAML assertion says. Enforce MFA in Entra ID. Note that Conditional Access requires Entra ID P1, which Business Basic does not include, so until the plan is upgraded this means Security Defaults or per-user MFA settings; Conditional Access becomes an option after the Business Premium upgrade.
Adding a New User¶
Since SCIM is not enabled, adding a user requires two manual steps:
- Entra ID — Enterprise Applications → AWS IAM Identity Center → Users and groups → Add user
- Identity Center — IAM Identity Center → Users → Add user
    - Username must match the user's Microsoft UPN exactly
    - Add to the appropriate group (DevOps-Admins or DevOps-ReadOnly)
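The Identity Center half of the procedure can be scripted so the username is always created as the exact UPN. The script below is an added example, not part of this runbook or of any AWS tooling; it assumes AWS CLI credentials in the management account with `identitystore` permissions, and it uses the Identity Store ID and tenant domain from this page. The Entra ID enterprise-app assignment still has to be done separately in the Entra portal.

```shell
#!/bin/sh
# Added example: create an Identity Center user (userName == Microsoft UPN) and
# add it to a group via the AWS CLI. Assumes management-account credentials
# with identitystore:CreateUser, identitystore:GetGroupId and
# identitystore:CreateGroupMembership. Entra ID app assignment is not covered.
set -eu

IDENTITY_STORE_ID="d-9a6756bdcb"          # from this page
UPN_DOMAIN="novavirtualsolutions.com"     # UPN suffix of the Microsoft 365 tenant

# Reject anything that is not a single local-part@tenant-domain UPN, so the
# Identity Center username can only ever be created as the exact UPN.
validate_upn() {
  upn="$1"
  case "$upn" in
    ''|*[[:space:]]*|*@*@*) return 1 ;;
  esac
  [ -n "${upn%@*}" ] && [ "${upn#*@}" = "$UPN_DOMAIN" ]
}

# Resolve a group display name (DevOps-Admins / DevOps-ReadOnly) to its GroupId.
group_id_for() {
  aws identitystore get-group-id \
    --identity-store-id "$IDENTITY_STORE_ID" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"displayName\",\"AttributeValue\":\"$1\"}}" \
    --query GroupId --output text
}

# Create the user record with userName == UPN, then add it to the group.
add_user() {
  upn="$1"; given="$2"; family="$3"; group="$4"
  validate_upn "$upn" || { echo "refusing '$upn': not a $UPN_DOMAIN UPN" >&2; return 1; }
  case "$group" in
    DevOps-Admins|DevOps-ReadOnly) ;;
    *) echo "unknown group '$group'" >&2; return 1 ;;
  esac
  user_id=$(aws identitystore create-user \
    --identity-store-id "$IDENTITY_STORE_ID" \
    --user-name "$upn" \
    --display-name "$given $family" \
    --name "GivenName=$given,FamilyName=$family" \
    --emails "Value=$upn,Type=work,Primary=true" \
    --query UserId --output text)
  aws identitystore create-group-membership \
    --identity-store-id "$IDENTITY_STORE_ID" \
    --group-id "$(group_id_for "$group")" \
    --member-id "UserId=$user_id" \
    --query MembershipId --output text
}

# Usage (hypothetical user):
#   ./add-identity-center-user.sh jane.doe@novavirtualsolutions.com Jane Doe DevOps-ReadOnly
if [ "$#" -eq 4 ]; then
  add_user "$@"
fi
```

The UPN check is deliberately strict (exact domain, no whitespace, exactly one `@`) because a user created with a username that differs from the NameID Entra sends will authenticate at Microsoft and then fail at the AWS side, which is the most common SAML-only onboarding mistake.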
Root Account Policy¶
- Root accounts for all three accounts must have MFA enabled
- Root access keys must not exist (verify in IAM → Security credentials)
- Root is used only for break-glass scenarios
- Break-glass procedure: documented in Contingency Plan
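The first two items above can be verified from the CLI rather than by clicking through IAM → Security credentials in each account: `aws iam get-account-summary` returns `AccountMFAEnabled` and `AccountAccessKeysPresent`, which refer to the root user. The script below is an added example, not part of this runbook; it assumes one AWS CLI profile per account (the profile names passed on the command line are hypothetical) and any credential with `iam:GetAccountSummary` in the target account.

```shell
#!/bin/sh
# Added example: check root MFA and root access keys across accounts using
# aws iam get-account-summary. Assumes CLI profiles exist for each account
# (names are hypothetical) with iam:GetAccountSummary permission.
set -eu

# Extract one integer value from the SummaryMap JSON returned by
# get-account-summary ($1 = JSON text, $2 = key name).
summary_value() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Returns 0 when root MFA is enabled and no root access keys exist, 1 otherwise.
# A missing key is treated as a failure rather than a pass.
root_controls_ok() {
  json="$1"
  mfa=$(summary_value "$json" AccountMFAEnabled)
  keys=$(summary_value "$json" AccountAccessKeysPresent)
  [ "${mfa:-0}" = "1" ] && [ "${keys:-1}" = "0" ]
}

# Constructed samples of the relevant fields of a get-account-summary response
# (the real response carries many more SummaryMap entries).
SAMPLE_OK='{"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}}'
SAMPLE_BAD='{"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}}'

# Query one account by CLI profile and report against the root policy.
check_account() {
  profile="$1"
  json=$(aws iam get-account-summary --profile "$profile" --output json)
  if root_controls_ok "$json"; then
    echo "$profile: OK (root MFA on, no root access keys)"
  else
    echo "$profile: FAIL (AccountMFAEnabled=$(summary_value "$json" AccountMFAEnabled)," \
         "AccountAccessKeysPresent=$(summary_value "$json" AccountAccessKeysPresent))" >&2
    return 1
  fi
}

# Usage (hypothetical profile names):
#   ./check-root.sh billing-admin nvs-admin nhc-admin
if [ "$#" -gt 0 ]; then
  status=0
  for p in "$@"; do
    check_account "$p" || status=1
  done
  exit "$status"
fi
```

Run it from a DevOps-Admins session in each of the three accounts; a non-zero exit means at least one account violates the first two rules above and the root user should be fixed before the break-glass procedure is relied on.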
Future: SCIM Provisioning¶
Upgrading to MS365 Business Premium (Entra ID P1) enables SCIM sync — users added to the Entra ID group automatically provision into Identity Center with no manual steps needed.
Identity Center → Settings → Provisioning → Enable automatic provisioning