Enhancement | Implement Delegated Administration for AWS IAM Identity Center #628

Open
exequielrafaela opened this issue Sep 19, 2024 · 0 comments
Labels
enhancement New feature or request minor security Security

@exequielrafaela (Member)
Title

Implement Delegated Administration for AWS IAM Identity Center

Describe the Feature:

Implement the delegation of the AWS IAM Identity Center to the security account within our AWS Organizations setup. This practice is highly recommended for enhanced security and administration isolation, as per recent AWS best practices and client requests.

Expected Behavior

  • The AWS IAM Identity Center (previously known as AWS SSO) should be administered from a separate AWS account designated for security or identity management.
  • This setup should align with the guidelines provided in AWS's documentation on delegated administration for AWS IAM Identity Center: Getting started with AWS IAM Identity Center delegated administration

Use Case

This change is driven by:

  • The need to align with AWS best practices, which now support the delegation of IAM Identity Center administration to enhance security and manageability.
  • A specific client request, indicating a market demand and practical necessity for this configuration.

Describe Ideal Solution

The ideal solution would involve:

  1. Configuring the security account as the delegated administrator for AWS IAM Identity Center as outlined in the AWS guide on delegated administration.
  2. Ensuring all existing configurations and dependencies are updated to reflect this change without disrupting existing workflows.

Alternatives Considered

Continue managing IAM Identity Center from the main account, which lacks the security benefits of separation of duties and is against current AWS recommendations.

Additional Context

Recent updates from AWS now support this feature, which was previously unavailable. Transitioning to this model would bring our architecture in line with AWS's recommended security framework and respond directly to client-driven inquiries about implementing best security practices in cloud infrastructure management.

@exequielrafaela exequielrafaela added enhancement New feature or request security Security minor labels Sep 19, 2024
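A post-change check for step 1 of the ideal solution, as an added example that is not part of the original issue or of the project's code: it inspects the parsed output of `aws organizations list-delegated-administrators --service-principal sso.amazonaws.com` and reports anything other than the security account being the active delegated administrator. The function name, the account IDs and the sample responses are constructed for illustration.

```python
"""Check that IAM Identity Center is delegated to the security account (added example)."""

SSO_PRINCIPAL = "sso.amazonaws.com"  # service principal used when listing delegations

# Constructed placeholder account ID, not a real account.
SECURITY_ACCOUNT_ID = "111111111111"


def check_delegation(response, security_account_id):
    """Return a list of findings; an empty list means the delegation is as intended.

    `response` is the parsed JSON of Organizations ListDelegatedAdministrators,
    called from the management account with ServicePrincipal=sso.amazonaws.com.
    """
    findings = []
    admins = response.get("DelegatedAdministrators", [])

    # The target state: the security account is registered and ACTIVE.
    if not any(a.get("Id") == security_account_id and a.get("Status") == "ACTIVE"
               for a in admins):
        findings.append(
            f"security account {security_account_id} is not an ACTIVE delegated administrator")

    for admin in admins:
        if admin.get("Id") != security_account_id:
            # Any other member account holding the delegation defeats the isolation goal.
            findings.append(f"unexpected delegated administrator {admin.get('Id')}")
        elif admin.get("Status") != "ACTIVE":
            findings.append(f"security account registration status is {admin.get('Status')}")
    return findings


# Constructed sample responses (shape follows the ListDelegatedAdministrators output).
DELEGATED = {"DelegatedAdministrators": [
    {"Id": "111111111111", "Name": "security", "Status": "ACTIVE"}]}
NOT_DELEGATED = {"DelegatedAdministrators": []}
WRONG_ACCOUNT = {"DelegatedAdministrators": [
    {"Id": "222222222222", "Name": "shared", "Status": "ACTIVE"}]}
SUSPENDED = {"DelegatedAdministrators": [
    {"Id": "111111111111", "Name": "security", "Status": "SUSPENDED"}]}

if __name__ == "__main__":
    for label, sample in [("delegated", DELEGATED), ("not delegated", NOT_DELEGATED),
                          ("wrong account", WRONG_ACCOUNT), ("suspended", SUSPENDED)]:
        print(label, "->", check_delegation(sample, SECURITY_ACCOUNT_ID) or "OK")
```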