AWS IAM Identity Center

Configuring the AWS IAM Identity Center integration for Veza Lifecycle Management.

Overview

The Veza integration for AWS IAM Identity Center enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization across AWS organizations.

Action Type | Description
--- | ---
SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones
MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities
DEPROVISION_IDENTITY | Safely removes or disables access for identities
CREATE_ENTITLEMENT | Creates entitlements such as groups
SOURCE_OF_IDENTITY | AWS IAM Identity Center can act as a source system for identity lifecycle policies

This document includes steps to enable the AWS IAM Identity Center integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for AWS IAM Identity Center

Prerequisites

  1. You will need administrative access in Veza to configure the integration and appropriate permissions in AWS IAM Identity Center.

  2. Ensure you have an existing AWS integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify that your AWS integration has completed at least one successful extraction.

  4. The AWS integration needs the following additional permissions for Identity Store operations:

    • identitystore:CreateUser - For user creation operations

    • identitystore:UpdateUser - For user attribute synchronization

    • identitystore:DeleteUser - For user deletion (note: AWS uses SCIM deprovisioning which disables rather than deletes)

    • identitystore:GetUserId - For user lookup operations

    • identitystore:CreateGroup - For group creation

    • identitystore:CreateGroupMembership - For group membership management

    • identitystore:DeleteGroupMembership - For removing group memberships

    • identitystore:ListGroups - For group discovery operations

    • identitystore:ListGroupMemberships - For membership enumeration

Important notes for AWS IAM Identity Center Lifecycle Management:

  • SCIM endpoint configuration in IAM Identity Center is required (automatic provisioning must be enabled)

  • The integration uses AWS's SCIM v2.0 API implementation over HTTPS

  • Authentication is handled through IAM policies; no separate SCIM bearer token is required
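The permission list above can be checked mechanically before the integration is enabled. The following Python is an added example, not Veza's or AWS's code: it audits an IAM policy document against the nine required identitystore actions, reporting actions no Allow statement covers, actions an explicit Deny blocks, and wildcard grants that exceed what the integration needs, and it emits a least-privilege policy containing exactly those actions. SAMPLE_POLICY is constructed for the demonstration, the Resource value is a placeholder, and NotAction and Condition elements are not evaluated.

```python
import fnmatch
import json

# Identity Store actions this page lists as required for the integration.
REQUIRED_ACTIONS = [
    "identitystore:CreateUser",
    "identitystore:UpdateUser",
    "identitystore:DeleteUser",
    "identitystore:GetUserId",
    "identitystore:CreateGroup",
    "identitystore:CreateGroupMembership",
    "identitystore:DeleteGroupMembership",
    "identitystore:ListGroups",
    "identitystore:ListGroupMemberships",
]

# Constructed sample: a policy that is incomplete (no UpdateUser), over-broad
# (a List* wildcard) and self-defeating (an explicit Deny on DeleteUser).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:CreateUser",
                "identitystore:DeleteUser",
                "identitystore:GetUserId",
                "identitystore:CreateGroup",
                "identitystore:CreateGroupMembership",
                "identitystore:DeleteGroupMembership",
                "identitystore:List*",
            ],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "identitystore:DeleteUser", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy):
    """Compare a policy document against REQUIRED_ACTIONS.

    NotAction and Condition elements are deliberately not evaluated here;
    treat the result as a first check, not a full IAM simulation.
    """
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action")))
    return {
        "missing": [a for a in REQUIRED_ACTIONS if not _matches(a, allow)],
        "denied": [a for a in REQUIRED_ACTIONS if _matches(a, deny)],
        # Wildcard Allows grant more than the page requires; list them explicitly.
        "wildcard_grants": [p for p in allow if "*" in p or "?" in p],
    }


def least_privilege_policy(resource="*"):
    """Policy granting exactly REQUIRED_ACTIONS. `resource` is a placeholder;
    narrow it where your environment supports resource-level permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VezaLifecycleIdentityStore",
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            "Resource": resource,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(least_privilege_policy(), indent=2))
```

Run it against the policy attached to the role the AWS integration assumes; an empty `missing` list with no `wildcard_grants` is the state you want before ticking Enable usage for Lifecycle Management.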

Configuration Steps

To enable the integration:

  1. In Veza, go to the Integrations overview

  2. Search for or create an AWS integration

  3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your AWS IAM Identity Center data remains current:

  1. Go to Veza Administration > System Settings

  2. In Pipeline > Extraction Interval, set your preferred interval

  3. Optionally, set a custom override for AWS in the Active Overrides section

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

AWS IAM Identity Center can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from AWS IAM Identity Center with changes propagated to connected systems.

AWS IAM Identity Center can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following Lifecycle Management actions:

Sync Identities

Primary action for user management (creating or updating users):

  • Username serves as the unique identifier and cannot be changed after creation

  • Email addresses must be unique across the AWS IAM Identity Center instance

  • First name, last name, display name, and username are required attributes for user creation

The following attributes can be synchronized:

AWS IAM Identity Center User Attributes

Property | Required | Type | Description | Notes
--- | --- | --- | --- | ---
username | Yes | String | Primary user identifier | Unique identifier
display_name | Yes | String | User's display name | Required for creation
first_name | Yes | String | Given name | Required for creation
last_name | Yes | String | Family name | Required for creation
email | No | String | User's email address | Unique if provided
department | No | String | Organizational department |
division | No | String | Business division |
title | No | String | Job title |
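The constraints in this section (four required attributes, unique email, immutable username) are easy to enforce before a record reaches the SCIM endpoint. The Python below is an added illustration, not the integration's own code: it validates a Veza attribute record, maps it onto a SCIM 2.0 User resource, and plans an update that refuses a username change. The mapping of department and division into the RFC 7643 enterprise extension and of title into the core schema is this example's assumption, not Veza's documented wire format; EXISTING_USERS and NEW_HIRE are constructed sample data.

```python
import json

# Attributes the table above marks as required for user creation.
REQUIRED_ATTRIBUTES = ("username", "display_name", "first_name", "last_name")
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample: users already present in the Identity Center instance.
EXISTING_USERS = [
    {"username": "jdoe", "email": "jdoe@example.com", "title": "Analyst"},
]

# Constructed sample: a new hire arriving from the HR source of truth.
NEW_HIRE = {
    "username": "asmith",
    "display_name": "Ada Smith",
    "first_name": "Ada",
    "last_name": "Smith",
    "email": "asmith@example.com",
    "department": "Security",
    "title": "Engineer",
}


def validate_identity(attrs, existing_users):
    """Return a list of problems; an empty list means the record can be created."""
    problems = [f"missing required attribute: {k}"
                for k in REQUIRED_ATTRIBUTES if not attrs.get(k)]
    email = attrs.get("email")
    if email:
        # Email must be unique across the instance; compare case-insensitively
        # and ignore the user's own existing record on updates.
        taken = {u["email"].lower() for u in existing_users
                 if u.get("email") and u["username"] != attrs.get("username")}
        if email.lower() in taken:
            problems.append(f"email already in use: {email}")
    return problems


def to_scim_user(attrs):
    """Map Veza attribute names onto a SCIM 2.0 User resource (assumed mapping)."""
    user = {
        "schemas": [CORE_SCHEMA],
        "userName": attrs["username"],
        "displayName": attrs["display_name"],
        "name": {"givenName": attrs["first_name"], "familyName": attrs["last_name"]},
        "active": True,
    }
    if attrs.get("email"):
        user["emails"] = [{"value": attrs["email"], "primary": True}]
    if attrs.get("title"):
        user["title"] = attrs["title"]
    enterprise = {k: attrs[k] for k in ("department", "division") if attrs.get(k)}
    if enterprise:
        user["schemas"].append(ENTERPRISE_SCHEMA)
        user[ENTERPRISE_SCHEMA] = enterprise
    return user


def plan_update(current, desired):
    """Return only the attributes whose values differ. The username is the
    immutable identifier, so a changed username is an error, not an update."""
    if current["username"] != desired["username"]:
        raise ValueError("username cannot be changed after creation")
    return {k: v for k, v in desired.items() if current.get(k) != v}


if __name__ == "__main__":
    print(validate_identity(NEW_HIRE, EXISTING_USERS))
    print(json.dumps(to_scim_user(NEW_HIRE), indent=2))
    print(plan_update({"username": "asmith", "title": "Engineer"},
                      {"username": "asmith", "title": "Senior Engineer"}))
```

A validation failure here is cheaper than a rejected SCIM call, and surfacing a username change as an error (rather than silently creating a second user) keeps the source-of-truth record and the Identity Center record joined on one identifier.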

Manage Relationships

Controls group memberships for users in AWS IAM Identity Center:

  • Add and remove group memberships for users

  • Synchronize group assignments based on source system changes

  • Support for both adding and removing relationships

  • Track membership changes for audit purposes

Deprovision Identity

When a user is deprovisioned in AWS IAM Identity Center:

  • User account is disabled (set to inactive) rather than deleted

  • All group memberships are automatically removed

  • User's permission set assignments are revoked

  • Account information is preserved for audit and compliance purposes

  • Users can be reactivated if needed by updating the Active attribute
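The deprovisioning semantics above (disable rather than delete, strip memberships and permission set assignments, keep the record, allow reactivation) are worth verifying independently of the workflow that performs them. The Python below is an added example, not Veza's code: it models those state transitions on a minimal in-memory user record and runs an audit that flags terminated users who are still active and inactive users who still hold any group membership or permission set assignment. The users, group names, permission set names and the account id are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IdcUser:
    """Minimal model of an Identity Center user for this example."""
    username: str
    active: bool = True
    groups: set = field(default_factory=set)
    # (AWS account id, permission set name) pairs; the ids used here are constructed.
    permission_sets: set = field(default_factory=set)


def deprovision(user):
    """Disable the account and remove all access, but keep the record itself
    so the audit trail survives (the behaviour described in this section)."""
    user.active = False
    user.groups.clear()
    user.permission_sets.clear()
    return user


def reactivate(user):
    """Reactivation flips Active only; access must be re-granted deliberately."""
    user.active = True
    return user


def audit_deprovisioning(users, terminated_usernames):
    """Return findings for two failure modes a reviewer cares about:
    a leaver who is still active, and a disabled user who retains access."""
    findings = []
    by_name = {u.username: u for u in users}
    for name in terminated_usernames:
        user = by_name.get(name)
        if user is not None and user.active:
            findings.append({"user": name, "issue": "terminated but still active"})
    for user in users:
        if not user.active and (user.groups or user.permission_sets):
            findings.append({
                "user": user.username,
                "issue": "inactive but retains access",
                "groups": sorted(user.groups),
                "permission_sets": sorted(user.permission_sets),
            })
    return findings


def sample_users():
    """Constructed snapshot: an active leaver, a disabled user with lingering
    access, and a current employee."""
    return [
        IdcUser("jdoe", True, {"eng-all"}, {("111111111111", "ReadOnlyAccess")}),
        IdcUser("bwayne", False, {"finance-all"}, set()),
        IdcUser("asmith", True, {"sec-all"}, {("111111111111", "SecurityAudit")}),
    ]


# Constructed: usernames the HR system reports as terminated.
TERMINATED = ["jdoe", "bwayne"]


if __name__ == "__main__":
    users = sample_users()
    print(audit_deprovisioning(users, TERMINATED))
    for u in users:
        if u.username in TERMINATED:
            deprovision(u)
    print(audit_deprovisioning(users, TERMINATED))
```

The second failure mode (inactive but retains access) is the one that slips past a quick "is the user disabled?" check; running the audit on a schedule against a fresh extraction catches memberships re-added after deprovisioning.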

Create Entitlement

  • Entity Types: AWS IAM Identity Center Groups

  • Assignee Types: AWS IAM Identity Center Users

  • Supports Relationship Removal: Yes

Within AWS IAM Identity Center, groups can be associated with:

  • Permission sets that grant access to AWS accounts and resources

  • AWS applications and third-party SAML applications

  • AWS account assignments for cross-account access

  • Custom access policies and roles

AWS IAM Identity Center Group Attributes

Property | Required | Type | Description
--- | --- | --- | ---
name | Yes | String | Group name identifier

Workflow Examples

Employee Onboarding

Automate the onboarding process for new employees:

  1. Identity Creation: Create AWS IAM Identity Center user account with attributes synchronized from HR system

  2. Group Assignment: Add user to department-specific groups based on their role and location

  3. Permission Sets: Automatically assign appropriate permission sets for AWS resource access

  4. Account Access: Grant access to specific AWS accounts based on job function

Role Change Management

Handle internal role changes and departmental transfers:

  1. Attribute Update: Synchronize updated employee information from HR system

  2. Group Reassignment: Remove user from previous department groups and add to new ones

  3. Permission Adjustment: Update permission set assignments to match new role requirements
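Step 2 of the role change workflow, removing the previous department's groups and adding the new ones, is a desired-state comparison. The Python below is an added example, not Veza's code, that computes the Manage Relationships changes for a transfer; the department-to-group mapping and all group names are constructed assumptions. It goes one step beyond the workflow text: groups the policy does not manage are reported for review rather than silently removed or silently kept.

```python
# Constructed mapping from HR department to the Identity Center groups a
# lifecycle policy would manage; every group name here is an assumption.
DEPARTMENT_GROUPS = {
    "Engineering": {"eng-all", "aws-dev-readonly"},
    "Security": {"sec-all", "aws-security-audit"},
}
BASELINE_GROUPS = {"all-employees"}  # every active employee belongs here
MANAGED_GROUPS = BASELINE_GROUPS.union(*DEPARTMENT_GROUPS.values())


def desired_groups(department):
    """Groups a user in `department` should hold under the policy."""
    return BASELINE_GROUPS | DEPARTMENT_GROUPS.get(department, set())


def plan_membership_changes(current_groups, new_department):
    """Compute add/remove actions for a role change.

    Only policy-managed groups are removed. Memberships granted outside the
    policy (break-glass, project groups) land in `review` so a person decides
    whether they should survive the transfer.
    """
    desired = desired_groups(new_department)
    return {
        "add": sorted(desired - current_groups),
        "remove": sorted((current_groups - desired) & MANAGED_GROUPS),
        "review": sorted(current_groups - desired - MANAGED_GROUPS),
    }


if __name__ == "__main__":
    # Constructed: an engineer transferring to the security team who also holds
    # a group the policy does not manage.
    current = {"all-employees", "eng-all", "aws-dev-readonly", "break-glass-admins"}
    print(plan_membership_changes(current, "Security"))
```

Feeding the `review` list to an approver rather than to the removal step keeps the transfer from revoking access that was granted by a separate process, while still guaranteeing the old department's groups are dropped.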

Employee Offboarding

Securely remove access when employees leave:

  1. Account Deprovisioning: Disable the user account in AWS IAM Identity Center

  2. Group Removal: Remove all group memberships and permission set assignments

  3. Access Revocation: Ensure all AWS account access is immediately revoked

  4. Audit Trail: Maintain complete record of access removal for compliance purposes
