
Stack: AWS IAM Identity Center

Okta disaster recovery for AWS IAM Identity Center

AWS IAM Identity Center (formerly AWS SSO) is the modern way to federate an AWS Organization through an external IdP. When Okta is the identity source, the Okta-side configuration (the SCIM feed, the SAML app, the attribute statement) is the recovery surface that matters: a bad attribute-mapping change is what stands between your engineers and production, and it tends to land at the worst possible moment.

Butterfly captures versioned, encrypted snapshots of the Okta configuration governing AWS IAM Identity Center: the federation app, the SCIM connection, the attribute statement (including any ABAC attributes that permission-set policies key on), the assigned groups, and the sign-on policies. Restore preview shows the diff before any revert.

What you get

How Butterfly fits AWS IAM Identity Center

AWS IAM Identity Center app is versioned

Every backup captures the Okta-side IAM Identity Center app integration — SAML signing certificate, attribute mapping, assigned groups, and sign-on policy.

SCIM connection to AWS IAM Identity Center is versioned

The Okta-to-IAM Identity Center SCIM connection is captured per snapshot, including the user and group attribute mappings that decide which identities exist on the AWS side for permission sets to be assigned to.

Group rules drive permission-set assignment

Group rules are how most teams scale who-gets-which-AWS-permission-set: membership in an Okta group, pushed over SCIM, is what AWS assigns permission sets to. Butterfly versions every rule.

What goes wrong

Three incidents you have already seen variations of

Attribute mapping change rewrites permission-set assignment

An edit to the IAM Identity Center attribute statement changed the SAML attributes that permission-set policies key on. Engineers could still sign in, but the policies evaluated against the wrong values and left them with read-only access. Restore preview surfaces the attribute diff, so the changed claim is visible before the revert.

SCIM connection paused — new hires never reach AWS

A scheduled credential rotation left the IAM Identity Center SCIM connection paused. New hires showed up in Okta but never in AWS. Restore preview shows the connection-state diff; the restore re-enables the connection.

Group rule deletion drops production access

A directory cleanup removed a group rule feeding the aws-prod-engineers group. New hires onboarded without production access.
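The three incidents above are all caught by the same operation: diff two snapshots of the Okta-side app and flag the changes that alter what a user can do in AWS. The block below is an added example, not Butterfly's code or the Okta SDK; it assumes a hypothetical snapshot shape in which "app" is laid out like an Okta Apps API SAML application object (settings.signOn.attributeStatements), while the "provisioning" and "assignedGroups" keys, the sample snapshots, and the impact rating are constructed for this example. The ABAC attribute prefix is the one IAM Identity Center reads from SAML assertions.

```python
# Added example (not Butterfly's or Okta's code): diff two Okta-side snapshots of
# the IAM Identity Center app and flag the changes that affect AWS access.
from dataclasses import dataclass
from typing import Any, Dict, List

# IAM Identity Center reads ABAC attributes from SAML assertions under this prefix;
# permission-set policies can key on them, so a change here changes access.
ABAC_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"


@dataclass(frozen=True)
class Change:
    kind: str     # "attribute", "provisioning" or "group"
    key: str
    before: Any
    after: Any
    impact: str   # "high" if it can change what a user can do in AWS, else "low"

    def __str__(self) -> str:
        return f"[{self.impact}] {self.kind} {self.key}: {self.before!r} -> {self.after!r}"


def _attribute_statements(snapshot: Dict[str, Any]) -> Dict[str, tuple]:
    """Map SAML attribute name -> tuple of Okta expressions from the app object."""
    sign_on = snapshot["app"].get("settings", {}).get("signOn", {})
    statements = sign_on.get("attributeStatements") or []
    return {s["name"]: tuple(s.get("values", [])) for s in statements}


def diff_snapshots(before: Dict[str, Any], after: Dict[str, Any]) -> List[Change]:
    changes: List[Change] = []

    # 1. SAML attribute statements. Anything under the ABAC prefix can flip the
    #    outcome of a permission-set policy; other attributes are reported as low.
    a, b = _attribute_statements(before), _attribute_statements(after)
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            impact = "high" if name.startswith(ABAC_PREFIX) else "low"
            changes.append(Change("attribute", name, a.get(name), b.get(name), impact))

    # 2. SCIM provisioning state (hypothetical snapshot key). Disabled provisioning
    #    means new users and group changes never reach IAM Identity Center.
    pa = before["provisioning"].get("enabled")
    pb = after["provisioning"].get("enabled")
    if pa != pb:
        changes.append(Change("provisioning", "enabled", pa, pb, "high" if not pb else "low"))

    # 3. Assigned groups (hypothetical snapshot key). A group removed from the app
    #    stops being pushed over SCIM, so its members lose the permission sets AWS
    #    assigned to that group; a newly added group is flagged but rated low.
    ga, gb = set(before["assignedGroups"]), set(after["assignedGroups"])
    for g in sorted(ga - gb):
        changes.append(Change("group", g, "assigned", "unassigned", "high"))
    for g in sorted(gb - ga):
        changes.append(Change("group", g, "unassigned", "assigned", "low"))
    return changes


def high_impact(changes: List[Change]) -> List[Change]:
    """The subset a reviewer must read before approving the revert."""
    return [c for c in changes if c.impact == "high"]


# Constructed sample snapshots: the "good" state and the state after the three
# incidents (ABAC attribute rewritten, SCIM paused, production group unassigned).
SNAPSHOT_BEFORE = {
    "app": {"settings": {"signOn": {"attributeStatements": [
        {"type": "EXPRESSION", "name": "displayName", "values": ["user.displayName"]},
        {"type": "EXPRESSION", "name": ABAC_PREFIX + "Team", "values": ["user.department"]},
    ]}}},
    "provisioning": {"enabled": True},
    "assignedGroups": ["aws-prod-engineers", "aws-readonly"],
}
SNAPSHOT_AFTER = {
    "app": {"settings": {"signOn": {"attributeStatements": [
        {"type": "EXPRESSION", "name": "displayName", "values": ["user.login"]},
        {"type": "EXPRESSION", "name": ABAC_PREFIX + "Team", "values": ["user.title"]},
    ]}}},
    "provisioning": {"enabled": False},
    "assignedGroups": ["aws-readonly"],
}

if __name__ == "__main__":
    for change in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(change)
```

Run it and the three high-impact lines are exactly the three incidents; the displayName change is reported but rated low because nothing in AWS keys on it. The same diff against identical snapshots returns nothing, which is the check a restore tool should make before offering a revert at all.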

Honest scope

What Butterfly captures — and what it does not

In scope

The Okta-side configuration governing AWS IAM Identity Center: the AWS IAM Identity Center SAML app integration, the SCIM connection, attribute mappings (especially the permission-set selector attribute), assigned users and groups, group rules, sign-on policies, and Workflows automations.

Out of scope

We do not back up AWS IAM Identity Center permission sets or their account assignments, the underlying IAM roles, the AWS Organizations structure, or any AWS-side state. AWS-side recovery is owned by your infrastructure-as-code (Terraform or CloudFormation), with AWS Config for change history.

Plans

Free, Standard, or Business

Free

$0 / forever

  • 1 Okta connection
  • 7-day retention
  • 1 total backup
  • No credit card

Standard

$1 / user / month — $99 minimum

  • 2 Okta connections
  • 90-day retention
  • Restore preview + dry-run
  • Audit Pack PDF (framework-filterable)

Business

$2 / user / month — $299 minimum

  • Unlimited Okta connections
  • Unlimited retention
  • Continuity (warm standby)
  • Priority restore support

Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.

Regulatory shape

Compliance and audit angle

SOC 2 CC6 / CC7 (logical access + system operations), ISO 27001 A.5.16 (identity management), and PCI DSS Requirement 7 (need-to-know access) all apply to privileged cloud-infrastructure identity continuity.

Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.

Frequently asked

FAQ

Does Butterfly back up AWS IAM permission sets?

No. Butterfly backs up the Okta-side IAM Identity Center configuration. AWS-side permission sets, assignments, and roles are recovered from your infrastructure-as-code (Terraform or CloudFormation).

Can we revert just the SCIM connection?

Yes. Restore preview lets you pick the scope before committing.

How is this different from your AWS infrastructure page?

This page is specific to IAM Identity Center as the federation product. The AWS infrastructure page covers the broader operational picture of running AWS with Okta-governed identity.

Recover your Okta org in minutes, not hours

Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.