Access control with IAM Identity Center session tags
Security Blog
This article explains how to implement fine-grained access control using IAM Identity Center session tags with Microsoft Entra ID federation.
- Combine IAM Identity Center permission sets with session tags to get attribute-based access control that follows the user's directory attributes instead of a separate policy per user
- Session tags carry user attributes from the external identity provider into the AWS session, where permission-set policies reference them through the aws:PrincipalTag condition key
- Configure SAML (authentication) and SCIM (user and group provisioning) between Microsoft Entra ID and IAM Identity Center
- Map Entra ID group membership to session tag claims using claim conditions, so only members of a given group receive a given tag value
- Use session tags with AWS Glue usage profiles to enforce resource configuration policies per team
- Validate the setup in AWS CloudTrail by inspecting AssumeRoleWithSAML events, which record the session tags the federated session actually received
- The approach extends to other services, such as AWS Systems Manager Session Manager
This solution lets organizations manage secure, scalable access across multiple AWS accounts through centralized identity federation, without managing individual IAM users.
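The two checks a practitioner wants after wiring this up are (a) does each user's group membership resolve to an unambiguous set of tags, and (b) did those tags actually arrive in the AWS session. The script below is an added example, not code from the AWS Security Blog post: it models the group-to-tag mapping the claim conditions implement, audits constructed CloudTrail AssumeRoleWithSAML records (the sample records, user names, group names and tag values are all made up) against that mapping, and emits a permission-set statement that pins a Glue usage profile to the session tag. The glue:UsageProfile condition key and the Glue action list in that statement are assumptions, not something the post confirms.

```python
import json

# Constructed sample CloudTrail records (not real output). The field layout
# follows an AssumeRoleWithSAML event, where session tags appear under
# requestParameters.principalTags; only the fields used here are kept.
SAMPLE_EVENTS = [
    {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::111122223333:role/AWSReservedSSO_DataEng_example",
            "principalTags": {"Team": "data-eng", "GlueProfile": "data-eng-large"},
        },
    },
    {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "bob@example.com"},
        # No principalTags at all: the IdP claim condition did not emit tags for bob.
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/AWSReservedSSO_Analysts_example"},
    },
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "requestParameters": None},
]

# Assumed group-to-tag mapping, the same idea as the Entra ID claim conditions
# described above (group names and tag values are illustrative).
GROUP_TO_TAGS = {
    "aws-data-eng": {"Team": "data-eng", "GlueProfile": "data-eng-large"},
    "aws-analysts": {"Team": "analytics", "GlueProfile": "analytics-small"},
}
USER_GROUPS = {"alice@example.com": ["aws-data-eng"], "bob@example.com": ["aws-analysts"]}


def expected_tags(groups, mapping=GROUP_TO_TAGS):
    """Session tags a user should carry given their group membership.
    Two groups setting the same key to different values is a configuration
    error (the IdP would emit an ambiguous claim), so refuse rather than guess."""
    tags = {}
    for group in groups:
        for key, value in mapping.get(group, {}).items():
            if tags.get(key, value) != value:
                raise ValueError(f"conflicting value for tag {key!r} via group {group!r}")
            tags[key] = value
    return tags


def session_tags(event):
    """Tags STS recorded on an AssumeRoleWithSAML event; None for any other event."""
    if event.get("eventName") != "AssumeRoleWithSAML":
        return None
    params = event.get("requestParameters") or {}
    return dict(params.get("principalTags") or {})


def audit(events, user_groups=USER_GROUPS):
    """Compare the tags each federated session actually received with the tags
    the directory mapping says it should have. Returns {user: [problems]}."""
    findings = {}
    for event in events:
        actual = session_tags(event)
        if actual is None:
            continue
        user = event.get("userIdentity", {}).get("userName", "<unknown>")
        wanted = expected_tags(user_groups.get(user, []))
        problems = []
        for key, value in sorted(wanted.items()):
            if key not in actual:
                problems.append(f"missing {key}")
            elif actual[key] != value:
                problems.append(f"{key}={actual[key]!r}, expected {value!r}")
        for key in sorted(set(actual) - set(wanted)):
            problems.append(f"unexpected tag {key}")  # a tag nobody mapped deserves a look
        findings[user] = problems
    return findings


def glue_profile_statement(tag_key="GlueProfile"):
    """Permission-set statement letting a user attach only the Glue usage
    profile named by their session tag. The glue:UsageProfile condition key
    and the action list are assumptions; verify them against the Glue entry
    in the service authorization reference before use."""
    return {
        "Effect": "Allow",
        "Action": ["glue:CreateJob", "glue:UpdateJob", "glue:CreateSession"],
        "Resource": "*",
        "Condition": {"StringEquals": {"glue:UsageProfile": f"${{aws:PrincipalTag/{tag_key}}}"}},
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EVENTS), indent=2))
    print(json.dumps(glue_profile_statement(), indent=2))
```

Run against a real export of CloudTrail records, `audit` lists, per federated user, which expected tags never arrived or arrived with the wrong value; an empty list for every user means the claim conditions and the Identity Center attribute mapping agree with the directory.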
Related articles
- Apr 2, 2025: IAM Identity Center extends sessions and TIP management capabilities for customers with Microsoft AD
- Jan 26, 2026: IAM Identity Center now supports IPv6
- Nov 11, 2024: AWS IAM Identity Center now supports search by permission set name
- Nov 13, 2025: Securely accessing external accounts with AWS IAM Identity Center