200 employees accessing 80 AWS accounts. Average employee needs 10 different permissions across 10 accounts. Create as IAM Users: 200 × 10 = 2,000 IAM Users. One employee resigns: visit 80 accounts, revoke 10 permissions each. Miss one, security breach. This operational burden was multi-account's biggest enemy.
In 2017, AWS launched AWS SSO to solve this. In 2022, renamed to IAM Identity Center. Pro exam: "multi-account SSO" or "employee SSO" keywords = 99% IDC is the answer.
Today we cover IAM Identity Center's structure, Permission Set mechanics, SCIM auto-sync, external IdP (Okta·Azure AD) integration, CLI v2 SSO, and Consolidated Billing effects