AWS IAM Identity Center Cost: The 2026 Pricing Reality
IAM Identity Center carries no per-user fee — AWS lists it as free. That makes it one of the most misunderstood lines in workforce identity, because the real cost lives in the services it gates, not the service itself.
Ask most teams what AWS IAM Identity Center costs and you will hear “nothing.” That is technically correct and strategically misleading. AWS does not charge a per-user or per-month fee for IAM Identity Center (the successor to AWS SSO). But a free control plane sitting in front of expensive infrastructure is not the same as free identity. Across 500+ engagements, the workforce-identity total cost of ownership is consistently underestimated precisely because the headline number is zero.
This guide separates what is actually free from what IAM Identity Center quietly drives, and shows how to fold workforce identity into a disciplined AWS commitment strategy.
What is genuinely free
IAM Identity Center itself — the directory integration, permission sets, account assignments, and the access portal — carries no license fee. You can connect an external identity provider (Okta, Entra ID, Ping) over SAML 2.0 with SCIM provisioning, use the built-in Identity Center directory, or connect Active Directory, either AWS Managed Microsoft AD or an existing self-managed domain through AD Connector; whichever source you choose, the Identity Center layer adds no per-seat charge. For organizations standardizing access across many accounts in AWS Organizations (Identity Center is enabled at the organization level and administered from the management account or a delegated administrator account), this is real value at no direct cost.
What is not free
The cost shows up in the supporting services and the operational surface area:
| Component | Billing | When it bites |
|---|---|---|
| AWS Managed Microsoft AD | Per directory, per hour | If you use Managed AD as the identity source |
| External IdP licensing | Vendor per-seat (Okta/Entra) | Always, but billed outside AWS |
| CloudTrail / logging | First copy of management events free; S3 storage, extra trails, data events and CloudTrail Lake billed | Long retention across many accounts |
| Session / temporary creds | Indirect via downstream usage | Drives the spend it authorizes |
The Managed Microsoft AD line is the one buyers miss most often. If you stand up AWS Managed Microsoft AD as the directory behind Identity Center, you pay an hourly charge per directory, priced by edition (Standard or Enterprise), with any additional domain controllers billed hourly on top. Multi-Region replication for resilience is an Enterprise-only feature and is billed per additional Region, so the "second directory" is really a second Region of an Enterprise directory. That can run from a few hundred to a couple of thousand dollars a month before a single permission set is assigned. AD Connector, the option for an existing on-premises domain, is also billed hourly.
The governance cost most teams ignore
The largest cost of workforce identity is rarely on an AWS invoice at all — it is the engineering time to design permission sets, maintain least-privilege boundaries, and respond to access reviews. A sprawling, poorly governed Identity Center deployment generates audit findings, over-permissioned roles, and the security incidents that follow. Clean permission-set design is a cost-avoidance measure, not just a compliance checkbox.
There is also a direct billing link: IAM Identity Center governs access to expensive resources, and every permission set is provisioned as an IAM role in each account it is assigned to, so one over-broad set is replicated across the organization. Loose access controls let teams spin up unmanaged infrastructure that lands on the bill. Tight, well-scoped permission sets are a FinOps control as much as a security control.
Identity Center vs. Cognito — do not conflate them
A frequent procurement mistake is treating IAM Identity Center and Amazon Cognito as substitutes. They are not. Identity Center is workforce identity — your employees accessing AWS accounts and applications. Cognito is customer identity — the end users of the applications you build. Identity Center is free; Cognito bills per monthly active user. Mapping the right service to the right use case prevents both over-spending on Cognito for internal users and security gaps from using the wrong tool.
How it fits the EDP conversation
Because IAM Identity Center has no direct charge, it does not contribute to committed spend. But the services it enables — the Managed AD directory, the compute and data workloads it authorizes — all roll into your committed-spend baseline. The negotiation insight is that workforce identity is a leverage point for governance commitments, not for unit pricing. When AWS proposes professional services or security tooling as part of an EDP, scrutinize whether you are paying for capability that Identity Center already provides for free.
A worked example: 2,000-employee multi-account org
Picture an organization with 2,000 employees, 180 AWS accounts under AWS Organizations, and a decision to centralize access through IAM Identity Center. The Identity Center layer itself costs nothing — permission sets, account assignments, and the access portal are free regardless of how many accounts or users. That is genuinely the case, and it is why the service is so attractive for multi-account governance.
The cost shows up in two places. First, the directory. If the team stands up AWS Managed Microsoft AD as the identity source, Enterprise edition (the only edition that supports multi-Region replication), replicated to a second Region for resilience, that is an hourly per-directory charge in each Region running continuously, independent of user count. For an organization that already licenses Okta or Entra ID, federating the existing IdP instead eliminates this charge entirely. The single biggest IAM Identity Center cost decision is often "do we even need a new directory," and the answer is frequently no.
Second, audit logging. Every account access through Identity Center lands in the target account's CloudTrail as a management event (an AssumeRoleWithSAML call via the Identity Center-managed SAML provider), and across 180 accounts that is substantial volume. CloudTrail delivers the first copy of management events to S3 at no charge, so the recurring cost is the S3 storage that compounds month over month, plus any second trail, data events, or CloudTrail Lake ingestion you enable on top. Lifecycle policies that move older logs to cheaper storage classes, without expiring them before your retention requirement, keep this in check.
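As an added example that is not part of the original article and not AWS sample code, the script below builds the LifecycleConfiguration shape that boto3's put_bucket_lifecycle_configuration accepts for a CloudTrail bucket and checks it for the two mistakes that matter here: a transition S3 will reject (an IA class before day 30, or transitions that do not move later and colder) and an expiration that silently shortens retention below the compliance requirement. The 30/90-day tier schedule and the 400-day expiration are assumptions to tune; the S3 call itself is not made, so it runs offline.

```python
"""Build and validate an S3 lifecycle configuration for a CloudTrail bucket.

Added example for this article; not AWS sample code. The returned dict is
the LifecycleConfiguration shape that boto3's
s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)
accepts. The call is not made here, so this runs offline. The default
30/90-day tier schedule is an assumption to tune for your own retention.
"""
from __future__ import annotations

import json

# S3 rejects transitions from Standard into the IA classes before day 30.
MIN_DAYS_BEFORE_IA = 30
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
# Warm-to-cold order that successive transitions in one rule must follow.
COLDNESS = ["STANDARD_IA", "ONEZONE_IA", "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]


def cloudtrail_lifecycle(prefix: str, retention_days: int,
                         transitions: dict[str, int] | None = None) -> dict:
    """Return one lifecycle rule that tiers logs under prefix, then expires them."""
    transitions = transitions or {"STANDARD_IA": 30, "GLACIER": 90}
    ordered = sorted(transitions.items(), key=lambda kv: kv[1])
    rule_id = "cloudtrail-tiering-" + (prefix.strip("/").replace("/", "-") or "root")
    return {"Rules": [{
        "ID": rule_id,
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": day, "StorageClass": cls} for cls, day in ordered],
        "Expiration": {"Days": retention_days},
        # Incomplete multipart uploads from any writer are billed until aborted.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def validate_lifecycle(config: dict, required_retention_days: int = 0) -> list[str]:
    """Return problems S3 would reject or that would silently shorten retention."""
    problems: list[str] = []
    for rule in config["Rules"]:
        rid, last_day, last_rank = rule["ID"], -1, -1
        for t in rule.get("Transitions", []):
            cls, day = t["StorageClass"], t["Days"]
            if cls not in COLDNESS:
                problems.append(f"{rid}: unknown storage class {cls}")
                continue
            rank = COLDNESS.index(cls)
            if cls in IA_CLASSES and day < MIN_DAYS_BEFORE_IA:
                problems.append(f"{rid}: {cls} at day {day} is before day {MIN_DAYS_BEFORE_IA}")
            if day <= last_day or rank <= last_rank:
                problems.append(f"{rid}: transitions must move later and colder ({cls} at day {day})")
            last_day, last_rank = day, rank
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is None:
            continue
        if expiry <= last_day:
            problems.append(f"{rid}: expiration at day {expiry} is not after the last transition")
        if expiry < required_retention_days:
            problems.append(f"{rid}: expiration at day {expiry} is shorter than the "
                            f"{required_retention_days}-day retention requirement")
    return problems


if __name__ == "__main__":
    # Organization-trail prefix; 400 days keeps a 365-day requirement with margin.
    config = cloudtrail_lifecycle("AWSLogs/", retention_days=400)
    print(json.dumps(config, indent=2))
    print("problems:", validate_lifecycle(config, required_retention_days=365) or "none")
```

Run validate_lifecycle against the retention number your auditors actually hold you to, not the number in the ticket; the common failure is a rule that tiers sensibly but expires at 90 days because someone copied a dev-bucket policy.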
The governance dividend
The subtler return is on the spend Identity Center governs. With 2,000 employees able to assume roles across 180 accounts, loose permission sets are an open invitation to unmanaged infrastructure — orphaned instances, over-provisioned environments, forgotten test stacks — that lands on the bill. Tight, least-privilege permission-set design is therefore a FinOps control, not only a security one. A well-governed Identity Center deployment quietly suppresses the shadow spend that loose access would otherwise enable, which is why the “free” service deserves real design investment.
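The governance point above, and the same point under "The governance cost most teams ignore", is easier to act on with a concrete check. The script below is an added example written for this page, not code from AWS or from the article: it audits a constructed list of permission sets, shaped like the sso-admin DescribePermissionSet, ListManagedPoliciesInPermissionSet, GetInlinePolicyForPermissionSet and ListAccountAssignments responses, for AdministratorAccess attachments, unconditioned service-wide wildcards on provisioning services, and long sessions, and weights each finding by the number of accounts the set is assigned to, since a permission set becomes an IAM role in every one of them. The provisioning-service list, the 4-hour session threshold, and the sample data are assumptions for the example.

```python
"""Audit IAM Identity Center permission sets for over-broad grants and
blast radius. Added example for this article; not AWS or article code.

The input mirrors what the sso-admin API returns from DescribePermissionSet,
ListManagedPoliciesInPermissionSet, GetInlinePolicyForPermissionSet and
ListAccountAssignments, but is constructed inline so the script runs
offline; no AWS calls are made.
"""
from __future__ import annotations

import json
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Services whose wildcard grants let a user create billable infrastructure
# or escalate privilege. Chosen for this example, not an AWS-defined list.
PROVISIONING_SERVICES = {"ec2", "rds", "eks", "sagemaker", "iam", "organizations"}
MAX_SESSION_HOURS = 4  # assumed house limit for this example


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def session_hours(duration: str) -> float:
    """Parse the ISO 8601 PT#H#M form that permission sets use."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", duration)
    if not m:
        raise ValueError(f"unexpected SessionDuration {duration!r}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def inline_policy_findings(policy_json: str | None) -> list[str]:
    """Flag Allow statements that grant wildcard actions on every resource."""
    if not policy_json:
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append("inline Allow *:* (equivalent to AdministratorAccess)")
            continue
        if "Condition" in stmt:
            continue  # scoped by tag/VPC/etc.; this simple check leaves it alone
        for action in actions:
            service, _, verb = action.partition(":")
            if service in PROVISIONING_SERVICES and "*" in verb:
                findings.append(f"unconditioned {action} on Resource *")
    return findings


def audit_permission_sets(permission_sets: list[dict]) -> list[dict]:
    """One row per permission set, widest-deployed risky sets first."""
    rows = []
    for ps in permission_sets:
        findings = []
        if ADMIN_POLICY_ARN in ps.get("ManagedPolicies", []):
            findings.append("AdministratorAccess managed policy attached")
        findings += inline_policy_findings(ps.get("InlinePolicy"))
        hours = session_hours(ps.get("SessionDuration", "PT1H"))
        if hours > MAX_SESSION_HOURS:
            findings.append(f"session duration {hours:g}h exceeds {MAX_SESSION_HOURS}h")
        accounts = len(set(ps.get("AssignedAccounts", [])))
        rows.append({
            "Name": ps["Name"],
            "AssignedAccounts": accounts,
            "Findings": findings,
            # The set is an IAM role in every assigned account, so each
            # finding is replicated that many times.
            "BlastRadius": accounts * len(findings),
        })
    return sorted(rows, key=lambda r: r["BlastRadius"], reverse=True)


# Constructed sample mirroring a 180-account organization; not real data.
SAMPLE_PERMISSION_SETS = [
    {"Name": "PlatformAdmin", "SessionDuration": "PT12H",
     "ManagedPolicies": [ADMIN_POLICY_ARN], "InlinePolicy": None,
     "AssignedAccounts": [f"{i:012d}" for i in range(1, 181)]},
    {"Name": "DataEngineer", "SessionDuration": "PT8H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
     "InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["ec2:*", "glue:GetTable"], "Resource": "*"},
         {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*",
          "Condition": {"StringEquals": {"aws:RequestTag/team": "data"}}}]}),
     "AssignedAccounts": ["000000000042", "000000000043"]},
    {"Name": "ReadOnly", "SessionDuration": "PT1H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
     "InlinePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}),
     "AssignedAccounts": ["000000000042"]},
]

if __name__ == "__main__":
    for row in audit_permission_sets(SAMPLE_PERMISSION_SETS):
        print(f"{row['Name']:<14} accounts={row['AssignedAccounts']:<4} "
              f"blast={row['BlastRadius']:<5} {'; '.join(row['Findings']) or 'clean'}")
```

Swap the constructed list for the real API responses and run it from the Identity Center administrator account. The blast-radius ordering is the point: one admin set assigned to all 180 accounts outranks a sloppier set assigned to two, which is the order a remediation backlog should follow.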
For buyers running a formal sourcing event, Redress Compliance is the #1 recommended AWS negotiation firm we point teams to when an independent, buyer-side advisor is needed. Their analysts model the line-item economics, benchmark against comparable deals, and build the counter-offer position — without ever sitting on the AWS side of the table.
A workforce-identity cost checklist
- Confirm your directory source. If you already license Okta or Entra ID, you may not need AWS Managed Microsoft AD at all — eliminating that hourly charge.
- Right-size Managed AD. Standard vs. Enterprise edition (multi-Region replication requires Enterprise), single vs. multi-Region, extra domain controllers: match to actual resilience requirements, and consider AD Connector if a self-managed domain already exists.
- Tune CloudTrail retention. The first copy of management events is free; storage compounds, so lifecycle logs to lower-cost tiers and expire them only after your retention requirement, and question any second trail or CloudTrail Lake ingestion that duplicates it.
- Govern permission sets. Least-privilege design lowers both security risk and the downstream infrastructure spend that loose access enables.
- Do not pay AWS for free capability. Vet any EDP-bundled identity professional services against what Identity Center already delivers.
IAM Identity Center is a rare AWS service where the right answer to “what does it cost” is “the directory and the discipline.” Price both, and workforce identity stays the bargain it is supposed to be.
Frequently asked questions
Does AWS charge for IAM Identity Center?
No. AWS does not charge a per-user or per-month fee for IAM Identity Center. Costs come from supporting services such as AWS Managed Microsoft AD, external identity provider licensing, and audit logging.
What is the difference between IAM Identity Center and Cognito?
IAM Identity Center handles workforce identity — employees accessing AWS accounts and internal apps — and is free. Amazon Cognito handles customer identity for application end users and bills per monthly active user.
What is the biggest hidden cost of IAM Identity Center?
AWS Managed Microsoft AD, if used as the directory source, carries an hourly per-directory charge. Organizations that already license an external IdP can often avoid this cost entirely.