# Organization and account instances of IAM Identity Center

An instance is a single deployment of IAM Identity Center. There are two types of instances available for IAM Identity Center: *organization instances* and *account instances*.
+ Organization instance (recommended)

  An instance of IAM Identity Center that you enable in the AWS Organizations management account. Organization instances support all features of IAM Identity Center. We recommend that you deploy an organization instance rather than account instances to minimize the number of management points. 
+ Account instance

  An instance of IAM Identity Center that is bound to a single AWS account, and that is visible only within the AWS account and AWS Region in which it is enabled. Use an account instance for simpler, single-account scenarios. You can enable an account instance from either of the following: 
  + An AWS account that isn't managed by AWS Organizations
  + A member account in AWS Organizations

## AWS account types that can enable IAM Identity Center

To enable IAM Identity Center, sign in to the AWS Management Console by using one of the following credentials, depending on the instance type you want to create:
+ **Your AWS Organizations management account (recommended)** – Required to create an [organization instance](organization-instances-identity-center.md) of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization.
+ **Your AWS Organizations member account** – Use to create an [account instance](account-instances-identity-center.md) of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member-level instance can exist in an organization.
+ **A standalone AWS account** – Use to create an [organization instance](organization-instances-identity-center.md) or [account instance](account-instances-identity-center.md) of IAM Identity Center. The standalone AWS account isn't managed by AWS Organizations. You can associate only one instance of IAM Identity Center with a standalone AWS account and use that instance for application assignments within that standalone AWS account.

Use the following table to compare the capabilities provided by the instance type:

| Capability | Instance in the AWS Organizations management account (recommended) | Instance in a member account | Instance in a standalone AWS account | 
| --- | --- | --- | --- | 
| Manage users |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes | 
| AWS access portal for single-sign on access to your AWS managed applications |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes | 
| OAuth 2.0 (OIDC) customer managed applications |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes | 
| Multi-account permissions |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 
| AWS access portal for single-sign on access to your AWS accounts |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 
| SAML 2.0 customer managed applications |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 
| Delegated administrator can manage instance |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 
| Encryption at rest using a customer-managed KMS key |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 
| Replicating IAM Identity Center to additional Regions |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No |  ![\[No\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-no.png) No | 

For more information about AWS managed applications and IAM Identity Center, see [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md).

**Topics**
+ [AWS account types that can enable IAM Identity Center](#identity-center-instances-account-types)
+ [Organization instances of IAM Identity Center](organization-instances-identity-center.md)
+ [Account instances of IAM Identity Center](account-instances-identity-center.md)
+ [Delete your IAM Identity Center instance](delete-config.md)

# Organization instances of IAM Identity Center

When you enable IAM Identity Center in conjunction with AWS Organizations, you are creating an organization instance of IAM Identity Center. Your organization instance must be enabled in your management account and you can centrally manage the access of users and groups with a single organization instance. You can have only one organization instance for each management account in AWS Organizations. 

If you enabled IAM Identity Center before November 15, 2023, you have an organization instance of IAM Identity Center. 

To enable an organization instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance).

## When to use an organization instance

An organization instance is the primary way to enable IAM Identity Center and is recommended in most cases. Organization instances offer the following benefits:
+ **Support for all features of IAM Identity Center** – Including managing permissions for multiple AWS accounts in your organization, assigning access to customer managed applications, and multi-Region replication.
+ **Reduction of the number of management points** – An organization instance has a single management point, the management account. We recommend that you enable an organization instance, rather than an account instance, to reduce the number of management points.
+ **Central control of the creation of account instances** – You can control whether account instances can be created by member accounts in your organization as long as you haven't deployed an instance of IAM Identity Center to your organization in an opt-in Region (AWS Region that is disabled by default). 

For instructions on enabling an organization instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance).

# Account instances of IAM Identity Center

With an account instance of IAM Identity Center, you can deploy supported AWS managed applications and OIDC-based customer managed applications. Account instances support isolated deployments of applications in a single AWS account, leveraging IAM Identity Center workforce identity and access portal features.

Account instances are bound to a single AWS account and are used only to manage user and group access for supported applications in the same account and AWS Region. You are limited to one account instance per AWS account. You can create an account instance from either of the following: a member account in AWS Organizations or a standalone AWS account that isn't managed by AWS Organizations.

For instructions on enabling an account instance of IAM Identity Center, see [To enable an instance of IAM Identity Center](enable-identity-center.md#to-enable-identity-center-instance) and choose the **Account** tab.

## When to use an account instance

In most cases, an [organization instance](organization-instances-identity-center.md) is recommended. Use account instances only if one of the following scenarios applies:
+ You want to run a temporary trial of a supported AWS managed application to determine if the application suits your business needs.
+ You don’t have plans to adopt IAM Identity Center across your organization, but you want to support one or more AWS managed applications.
+ You have an organization instance of IAM Identity Center, but you want to deploy a supported AWS managed application to an isolated set of users that are distinct from users in your organization instance.
+ You do not control the AWS organization in which you operate. For example, a third party controls the AWS organization that manages your AWS accounts.

**Important**  
If you plan to use IAM Identity Center to support applications in multiple accounts, use an organization instance. Account instances do not support this use case.

## AWS managed applications that support account instances

See [AWS managed applications that you can use with IAM Identity Center](awsapps-that-work-with-identity-center.md) to learn which AWS managed applications support account instances of IAM Identity Center. Verify the availability of account instance creation with your AWS managed application.

## Availability constraints for member accounts

To deploy account instances of IAM Identity Center in AWS Organizations member accounts, one of the following conditions must be true:
+ There is no organization instance of IAM Identity Center in your organization. 
+ There is an organization instance of IAM Identity Center in your organization and the instance administrator permits creation of account instances of IAM Identity Center (for organization instances created after November 15, 2023).
+ There is an organization instance of IAM Identity Center in your organization and the instance administrator manually enabled creation of account instances by member accounts in the organization (for organization instances created before November 15, 2023). For instructions, see [Permit account instance creation in member accounts](enable-account-instance-console.md). 

After one of the preceding conditions is met, all of the following conditions must be true:
+ Your administrator hasn’t created a [Service Control Policy](control-account-instance.md) that prevents member accounts from creating account instances.
+ You do not already have an instance of IAM Identity Center in this same account, regardless of AWS Region.
+ You're working in an AWS Region where IAM Identity Center is available. For information about Regions, see [IAM Identity Center Region data storage and operations](regions.md).

## Account instance considerations

An account instance is designed for specialized use cases, and offers a subset of features available to an organization instance. Consider the following before creating an account instance:
+ Account instances do not support permission sets and therefore do not support access to AWS accounts.
+ You can’t convert or merge an account instance into an organization instance.
+ Only select [AWS managed applications](awsapps-that-work-with-identity-center.md) support account instances.
+ Use account instances for isolated users that will use applications in a single account only and for the lifetime of the applications used.
+ Applications that are attached to an account instance must remain attached to the account instance until you delete the application and its resources.
+ An account instance must remain in the AWS account where it is created.

# Permit account instance creation in member accounts

If you enabled IAM Identity Center before November 15, 2023, you have an [organization instance](organization-instances-identity-center.md) of IAM Identity Center with the ability for member accounts to create account instances disabled by default. You can choose whether your member accounts can create account instances by enabling the account instance feature in the IAM Identity Center console. 

**To enable creation of account instances by member accounts in your organization**
**Important**  
Enabling account instances of IAM Identity Center for member accounts is a one-time operation. This means that this operation cannot be reversed. Once enabled, you can limit the creation of account instances by creating a service control policy (SCP). For instructions, see [Control account instance creation with Service Control Policies](https://docs.aws.amazon.com/singlesignon/latest/userguide/control-account-instance.html).

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**, and then choose the **Management** tab.

1. In the **Account instances of IAM Identity Center** section, choose **Enable account instances of IAM Identity Center**.

1. In the **Enable account instances of IAM Identity Center** dialog box, confirm that you want to allow member accounts in your organization to create account instances by choosing **Enable**.

# Use Service Control Policies to control account instance creation

The ability for member accounts to create account instances depends on when you enabled IAM Identity Center:
+ **Before November 2023** – You must [permit account instance creation in member accounts](enable-account-instance-console.md), which is an action that cannot be reversed.
+ **After November 15, 2023** – Member accounts can create account instances by default.

In either case, you can use Service Control Policies (SCPs) to:
+ Prevent all member accounts from creating account instances.
+ Allow only specific member accounts to create account instances.

## Prevent account instances

Use the following procedure to generate an SCP that prevents member accounts from creating account instances of IAM Identity Center.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). 

1. On the **Dashboard**, in the **Central management** section, choose the **Prevent account instances** button.

1. In the **Attach SCP to prevent creation of new account instances** dialog box, an SCP is provided for you. Copy the SCP and choose the **Go to SCP dashboard** button. You'll be directed to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) to create the SCP or attach it as a statement to an existing SCP. SCPs are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide.*

## Limit account instances

Instead of preventing all account instance creation, this policy denies any attempt to create an account instance of IAM Identity Center for all AWS accounts except those explicitly listed in the *"<ALLOWED-ACCOUNT-ID>"* placeholder.

**Example: Deny policy to limit account instance creation**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMemberAccountInstances",
            "Effect": "Deny",
            "Action": "sso:CreateInstance",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]
                }
            }
        }
    ]
}
```
+ Replace `"<ALLOWED-ACCOUNT-ID>"` with the actual AWS account ID(s) that you want to allow to create an account instance of IAM Identity Center.
+ You can list multiple allowed account IDs in the array format: `["111122223333", "444455556666"]`.
+ Attach this policy to your organization SCP to enforce centralized control over IAM Identity Center account instance creation. 

  For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide.*
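To check the deny logic of the policy above before attaching it, the following Python is an added example (not AWS code and not part of the original page). It models only what the page's policy uses, a Deny statement with an Action match and a `StringNotEquals` condition on `aws:PrincipalAccount`, substitutes constructed account IDs for the placeholder, and adds a constructed condition-free variant for the "prevent all member accounts" case; full SCP evaluation, including the fact that SCPs never apply to the management account, is outside the model.

```python
import fnmatch
import json

# The page's policy with constructed allowed account IDs substituted
# for the "<ALLOWED-ACCOUNT-ID>" placeholder.
LIMIT_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMemberAccountInstances",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": ["111122223333", "444455556666"]
        }
      }
    }
  ]
}
""")

# Constructed variant without a Condition: denies every account the SCP reaches.
PREVENT_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllAccountInstances", "Effect": "Deny",
     "Action": "sso:CreateInstance", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # Only StringNotEquals is modelled, because that is all the page's policy
    # uses. A missing context key makes StringNotEquals true, as in IAM, so a
    # request whose principal account is unknown is still denied.
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, allowed in keys.items():
            if ctx.get(key) in _as_list(allowed):
                return False
    return True

def is_denied_by_scp(scp, action, ctx):
    """True if any Deny statement in scp applies to action under ctx."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```

Run `is_denied_by_scp(LIMIT_SCP, "sso:CreateInstance", {"aws:PrincipalAccount": "999999999999"})` to see an unlisted member account denied while a listed one is not.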

# Delete your IAM Identity Center instance

When an IAM Identity Center instance is deleted, all the data in that instance is deleted and cannot be recovered. The following table describes what data is deleted based on the directory type that is configured in IAM Identity Center.

| What data gets deleted | Connected directory - AWS Managed Microsoft AD, AD Connector, or external identity provider | IAM Identity Center identity store | 
| --- | --- | --- | 
|  All permission sets you have configured for AWS accounts  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
|  All applications you have configured in IAM Identity Center  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
| All user assignments you have configured for AWS accounts and applications |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 
| All users and groups in the directory or store | N/A |  ![\[Yes\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/icon-yes.png) Yes  | 

If you replicated your IAM Identity Center instance to additional Regions, you must remove those Regions before deleting the instance.

Use the following procedure to delete your IAM Identity Center instance.

**To delete your IAM Identity Center instance**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Management** tab.

1. In the **Delete IAM Identity Center configuration** section, choose **Delete**.

1. In the **Delete IAM Identity Center configuration** dialog, select each checkbox to acknowledge you understand that your data will be deleted. Type your IAM Identity Center instance in the text box, and then choose **Confirm**.