Skip to main content
  1. 🔰Posts/
  2. đŸ—‚ïžMy Trainings/
  3. AWS Trainings and Certifications/
  4. 🏅AWS Certified Solutions Architect - Associate/

Solutions Architect: Advanced Identity

📚 Part 14 of 17: "AWS Solution Architect" series.

·1398 words·7 mins

â„č Associate‑level extension of the Identity and Access management section from the AWS Cloud Practitioner series.

AWS Certifications Series »
AWS Cloud PractitionerAWS Solution Architect

AWS Organizations #

  • A global service for centrally managing multiple AWS accounts
  • The primary account is the management account; all others are member accounts
  • Member accounts can belong to only one organization
  • Supports consolidated billing with a single payment method and shared usage‑based discounts (EC2, S3, etc.)
  • Reserved Instances and Savings Plans discounts are shared across accounts
  • Provides APIs to automate account creation and management

© https://medium.com/@AnwarESS, @AnwarESS, medium.com

© Stéphane Maarek, DataCumulus

  • Encourages a multi‑account strategy instead of packing everything into one account with many VPCs
  • Lets you apply tagging standards for clear, centralised cost allocation
  • Enable CloudTrail across all accounts and centralise logs in a dedicated S3 logging account
  • Send CloudWatch Logs to a central logging account as well
  • Use cross‑account roles for centralised administration

SCP #

  • Strengthen security with Service Control Policies (SCPs) applied to OUs or individual accounts to restrict what IAM users and roles can do
  • SCPs don’t apply to the management account, which always retains full admin rights
  • Like IAM, SCPs require explicit allows from the root OU down to the target account - nothing is permitted by default

© Stéphane Maarek, DataCumulus

SCP’s do not apply to the management account - this is a safety feature preventing Organizations locking out from their accounts.

SCP Least Privilege #

Restricting unused AWS services with SCPs strengthens security and simplifies compliance. Start by explicitly denying services your organisation doesn’t need, which helps meet standards like PCI DSS.
{  
  "Version": "2012-10-17",  
  "Statement": [  
    {  
      "Sid": "DenyAllUnnecessaryServices",  
      "Effect": "Deny",  
      "NotjsoAction": [  
        "s3:*",  
        "lambda:*",  
          ...  
      ],  
      "Resource": "*"  
    }  
  ]  
}

Use the Service control policy examples page as a reference - it includes a GitHub repository with ready‑made SCP samples you can adapt.

More info: đŸ”„Service control policy examples

AWS Organizations - Tag Policies #

  • Enforces consistent tagging across all accounts in your AWS Organization
  • Defines allowed tag keys and values to maintain proper categorisation and support cost allocation and Attribute-based Access Control (ABAC)
  • Blocks non‑compliant tagging operations on specified services and resources (but doesn’t affect untagged resources)
  • Produces reports showing compliant and non‑compliant resources
  • Can integrate with EventBridge to detect and react to tagging violations

IAM Conditions #

© Stéphane Maarek, DataCumulus

© Stéphane Maarek, DataCumulus

IAM for S3 #

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:ListBucket"
        ]
        Resource = [
          "arn:aws:s3:::test"
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Resource = [
          "arn:aws:s3:::test/*"
        ]
      },      

Resource Policies & aws:PrincipalOrgID #

aws:PrincipalOrgID can be used in any resource policies to restrict access to accounts that are member of an AWS Organization

© Stéphane Maarek, DataCumulus

IAM Roles vs Resource Based Policies #

  • Cross account:
    • attaching a resource-based policy to a resource (example: S3 bucket policy)
    • OR using a role as a proxy

© Stéphane Maarek, DataCumulus

When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role.

  • When using a resource-based policy, the principal doesn’t have to give up his permissions
  • Example: User in account A needs to scan a DynamoDB table in Account A and dump it in an S3 bucket in Account B.

More info: Identity-based policies and resource-based policies

IAM Permission Boundaries #

IAM Permission Boundaries are supported for users and roles (not groups). This is an advanced feature to use a managed policy to set the maximum permissions an IAM entity can get.

  • Let non‑admins perform delegated tasks (e.g., creating IAM users) within strict limits
  • Allow developers to self‑manage permissions without being able to escalate to admin
  • Useful for restricting a single user when full‑account controls like SCPs are too broad

More info: đŸ”„Permissions boundaries for IAM entities

IAM Policy evaluation logic #

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS. When an AWS service receives the request, AWS completes several steps to determine whether to allow or deny the request.

© Stéphane Maarek, DataCumulus

More info: Policy evaluation logic

IAM Identity Center #

  • One login (single sign-on) for all your:
    • AWS accounts in AWS Organizations
    • Business cloud applications (e.g., Salesforce, Box, Microsoft 365, 
)
    • SAML2.0-enabled applications
    • EC2 Windows Instances
  • Identity providers:
    • Built-in identity store in IAM Identity Center
    • 3rd party: Active Directory (AD), OneLogin, Okta


© Stéphane Maarek, DataCumulus

© Stéphane Maarek, DataCumulus

AWS IAM Identity Center provides centralised, fine‑grained access control across your AWS Organization. You define permission sets to manage multi‑account access, assign users/groups to SAML 2.0 business apps, and use ABAC to grant AWS permissions dynamically based on user attributes (e.g., cost center, title, locale).

Define access once, then adjust permissions simply by updating user attributes.

More info: AWS IAM Identity Center

AWS Directory Services #

  • AWS Managed Microsoft AD
    • Create your own AD in AWS, manage users locally, supports MFA
    • Establish “trust” connections with your on premises AD

© Stéphane Maarek, DataCumulus

  • AD Connector
    • Directory Gateway (proxy) to redirect to on premises AD, supports MFA
    • Users are managed on the on-premises AD

© Stéphane Maarek, DataCumulus

  • Simple AD
    • AD-compatible managed directory on AWS
    • Cannot be joined with on-premises AD

AWS Control Tower #

Automates environment setup, applies and manages guardrails, detects and remediates policy violations, and provides a dashboard to monitor overall compliance.
  • Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
  • AWS Control Tower uses AWS Organizations to create accounts

Guardrails #

  • Provides ongoing governance for your Control Tower environment (AWS Accounts)
  • Preventive Guardrail - using SCPs (e.g., Restrict Regions across all your accounts)
  • Detective Guardrail - using AWS Config (e.g., identify untagged resources)

© Stéphane Maarek, DataCumulus

Summary #

Active Directory feeds identities into IAM Identity Center, which then controls access across the AWS Organization and integrates with Control Tower’s landing zone.
flowchart TD subgraph CT["AWS Control Tower"] CT1["Automated landing zone setup"] CT2["Guardrails (SCPs + Config)"] CT3["Compliance & logging"] end subgraph ORG["AWS Organizations"] ORG1["Multi-account structure (OUs, accounts)"] ORG2["Consolidated billing"] ORG3["SCPs, Tag Policies, Backup Policies"] end subgraph IDSC["IAM Identity Center"] ID1["Centralised SSO"] ID2["Permission Sets for multi-account access"] ID3["ABAC using user attributes"] ID4["SAML 2.0 app access"] end subgraph AD["External Identity Provider"] AD1["Active Directory"] AD2["Azure AD / Entra ID"] AD3["Other IdPs (SAML/OIDC)"] end CT -->|uses| ORG ORG -->|provides structure to| IDSC CT -->|integrates with| IDSC AD -->|sync users & groups| IDSC

AWS Organizations #

The foundation for multi‑account AWS environments. It lets you centrally create, group, and manage accounts, apply SCPs, enforce tagging standards, and use consolidated billing with shared discounts. It provides the governance layer that everything else builds on.

AWS IAM Identity Center #

The central place for managing user identities and access across all accounts in your AWS Organization. It provides:

  • SSO into AWS accounts and business applications
  • Permission sets for consistent, multi‑account access
  • ABAC1 using user attributes for fine‑grained, dynamic permissions

Identity Center sits on top of Organizations and uses its account structure to assign access cleanly.

AWS Control Tower #

A higher‑level orchestration service that automates the setup and governance of a secure multi‑account environment. It provides:

  • Automated landing zone creation
  • Prebuilt guardrails (SCPs + Config rules)
  • Continuous compliance monitoring
  • Centralised logging and baseline security controls

Control Tower uses Organizations under the hood and integrates with IAM Identity Center for access management.

How they work together #

  • AWS Organizations provides the multi‑account structure, OUs, and policy boundaries.
  • IAM Identity Center provides unified identity and access across those accounts.
  • AWS Control Tower automates the creation, governance, and compliance of that entire setup using both Organizations and Identity Center as core building blocks.

» Sources « #

» References « #

Cloud Practitioner: Identity and Access management

» Disclaimer « #

This series draws heavily from Stephane Maarek’s Ultimate AWS Certified Solutions Architect Associate 2026 course on Udemy.

His content was instrumental in helping me pass the certification.

About the instructor
🌐 WebsiteđŸ“ș YouTube
đŸ’Œ LinkedIn𝕏 x.com

â„čShared for educational purposes only, no rights reserved.


  1. ABAC - Attribute Based Access Control. ↩︎