# Step 1: Choose a deployment option Before you can subscribe users, you'll need to decide which AWS account or accounts you'll be working in. You'll need to make three key decisions: + **Decision 1: Where to enable IAM Identity Center** – For more information about IAM Identity Center, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*. + **Decision 2: Where to create the Amazon Q Developer profile** – For more information about the profile, see [What is the Amazon Q Developer profile?](subscribe-understanding-profile.md). + **Decision 3: Where to subscribe workforce users** – For more information about subscriptions, see [Amazon Q Developer Pro subscriptions](q-admin-setup-subscribe-general.md). Your specific combination of these three decisions constitutes your *deployment option*. Deployment options are described in the following table. Pick an option before moving on to [Step 2: Subscribe workforce users to Amazon Q Developer Pro](subscribe-users.md). The table uses the following terms: + *Standalone account* — An AWS account that is *not* part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). + *Management account* — An AWS account that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). It is the ultimate owner of the organization, and is responsible for paying all charges accrued by the accounts in its organization. + *Member account* — An AWS account, other than the management account, that is part of an organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). | Deployment option | Description | Advantages | Disadvantages | | --- | --- | --- | --- | | **Deployment option 1 (easiest)**: Deploy in a standalone account | Use this option if you're an end user and you want to subscribe yourself (and optionally, a small team of users) to quickly evaluate the features of Amazon Q. With this deployment option, in your **standalone** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **Good for demos**. You can try out Pro tier features for yourself without having to do an enterprise-wide implementation. **More features than personal accounts (Builder IDs)**. For more information, see [Limitations of Builder IDs](getting-started-builderid.md#builder-id-limitations). | **Fewer features** Because IAM Identity Center is enabled in a standalone account, it is considered to be an *account instance*, which has fewer features than organization instances1. | | **Deployment option 2**: Deploy in management and member accounts | Use this option if you're an administrator of multiple users. With this deployment option: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **More features**. Because IAM Identity Center is installed in a management account, it is considered to be an *organization instance*, which has more features than account instances2. **Distributed management**. Subscription management tasks are distributed across member accounts, which is a best practice. | **Complexity**. Requires coordination across accounts by multiple administrators. **Account restrictions**. You can subscribe users in a maximum of 20 accounts per AWS Region, per organization managed by [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html). If your user base is spread across more than 20 accounts in the same Region under one organization, choose another option. | | **Deployment option 3**: Deploy in a member account only | Use this option if you're an adminstrator of multiple users. With this deployment option, in a **member** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) | **Quick setup**. Individual member account administrators can deploy without waiting or needing approval for an enterprise-wide implementation. **Flexibility for complex organizations**. Use this option when you don't have a unified identity provider or identity store containing the entire user base that you want to subscribe to the Pro tier. | **Fewer features**. Because IAM Identity Center is enabled in a member account, it is considered to be an *account instance*, which has fewer features than organization instances1. | | **Deployment option 4**: Deploy in a management account only | Use this option if you're an adminstrator of multiple users. With this deployment option, in the **management** account, you: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/deployment-options.html) For detailed instructions, see [Subscribe users to Amazon Q Developer Pro in a management account](subscribe-management.md). | **More features**. Because IAM Identity Center is installed in a management account, it is considered to be an *organization instance*, which has more features than account instances2. | **Does not comply with best practices**. Because users are subscribed in the management account, and because of a limitation in Amazon Q Developer where [delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) is not supported, management account administrators must handle subscription management tasks. You cannot follow the [recommended practice](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-best-practices) of delegating tasks to member accounts. | 1 Account instances support fewer features than organization instances. For example, account instances don't support permission sets, which means that users cannot use their Pro tier subscriptions [in the AWS Management Console, and on AWS apps and websites](q-on-aws.md). For a list of the limitations of account instances, see [Account instance considerations](https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html#about-account-instance) in the *AWS IAM Identity Center User Guide*. 2 Organization instances offer a broader range of features compared to account instances, encompassing all IAM Identity Center capabilities. For a list of features supported by organization instances, see [When to use an organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html#when-to-use-organization-instance) in the *AWS IAM Identity Center User Guide*.