About This Architecture
Multi-layer AWS IAM architecture integrating Microsoft Entra ID federation, AWS IAM Identity Center SSO, and least-privilege RBAC across a multi-account AWS Organizations structure. Identity flows from centralized Entra ID through conditional access and MFA, then federates via IAM Identity Center to permission sets and role-based access controls in workload accounts. Seven distinct personas—3D Artist, Developer, Network Administrator, Security Auditor, FinOps Analyst, ReadOnly Viewer, and Cloud Administrator—each receive granular, time-bound access to compute, storage, and monitoring resources via STS temporary credentials. This architecture demonstrates zero-trust principles, audit compliance through CloudTrail and Security Hub, and separation of duties across management, security, shared services, and production workload accounts. Fork this diagram to customize permission matrices, add additional personas, or adapt the federation model for your organization's identity provider. The design supports rendering farms, CI/CD pipelines, and centralized security monitoring while enforcing least-privilege access at every layer.
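As an added example (not an artifact of the diagram itself), this is how one persona from the matrix, the Security Auditor, can be expressed as an IAM Identity Center permission set in Terraform, showing the time-bound session, the least-privilege managed policy and the separation-of-duties deny the description refers to; the Identity Center lookup and resource types are standard AWS provider syntax, while the account ID and group ID are placeholders.

```hcl
# Added example, not part of the diagram: the Security Auditor persona as an
# IAM Identity Center permission set. Account and group IDs are placeholders.
data "aws_ssoadmin_instances" "main" {}

locals {
  instance_arn     = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  security_account = "111111111111"                         # placeholder account
  auditor_group_id = "00000000-0000-0000-0000-000000000000" # placeholder: SCIM-provisioned Entra ID group
}

# Time-bound access: STS credentials issued for this permission set expire with
# the session, forcing re-authentication through Entra ID (and MFA) after 4 hours.
resource "aws_ssoadmin_permission_set" "security_auditor" {
  name             = "SecurityAuditor"
  description      = "Read-only security review; cannot alter audit evidence"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

# Least privilege: start from the AWS managed SecurityAudit policy rather than
# ReadOnlyAccess, which also grants data-plane reads such as s3:GetObject.
resource "aws_ssoadmin_managed_policy_attachment" "security_audit" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
  permission_set_arn = aws_ssoadmin_permission_set.security_auditor.arn
}

# Separation of duties: an explicit Deny overrides any Allow attached later, so
# the auditor can never switch off the CloudTrail/Security Hub sources they review.
resource "aws_ssoadmin_permission_set_inline_policy" "deny_tamper" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.security_auditor.arn
  inline_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Deny"
      Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail", "securityhub:DisableSecurityHub"]
      Resource = "*"
    }]
  })
}

# Assign the Entra ID group to the permission set in the security account only.
resource "aws_ssoadmin_account_assignment" "auditor" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.security_auditor.arn
  principal_id       = local.auditor_group_id
  principal_type     = "GROUP"
  target_id          = local.security_account
  target_type        = "AWS_ACCOUNT"
}
```

The same pattern repeats per persona and per target account, which is what makes the permission matrix in the diagram auditable: every role's scope, session length and deny guardrails are declared in one place and reviewable in version control.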