Policy assignment using Permission set vs Identity and Resource

0

I have been reading about policy evaluations including Identity and Resource based policies. I am wondering i should use Identity Center permission set to grant permissions instead? Even though we need to use IAM policy to create customer managed policy and assign it to permission set but the evaluations of policies won't involve Identity and Resource policies, right? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

profile picture
Lottie
질문됨 7달 전318회 조회
2개 답변
2
수락된 답변

When using AWS Identity Center to manage access, you still work with IAM policies by attaching them to permission sets. Here's the key:

  • AWS Identity Center permission sets include IAM policies (both AWS managed and customer managed) to grant permissions.
  • Policy evaluations in AWS consider all applicable policies, including those assigned through Identity Center permission sets and directly attached IAM policies (both identity-based and resource-based).

Using Identity Center and its permission sets doesn't bypass the evaluation of IAM policies; it's a way to manage and streamline access across your AWS environment more efficiently.

profile picture
전문가
답변함 7달 전
profile picture
전문가
검토됨 6달 전
2

I would consider using both of the approaches you describe to meet different requirements.

AWS IAM Identity Center permissions sets will provide you with a scalable approach to managing SSO-based roles that can be deployed across the organization. This would be useful in granting internal users general access to resources within your AWS account. For example, you might choose to allow an administrator group read-only access to Amazon S3 buckets in your account.

You could then use resource-based or identity-based policies to further restrict access to specific resources beyond what the permissions set allows. For example, you might add a resource-based policy to a particular Amazon S3 bucket in your account that prevents administrators from reading objects within.

AWS
mwdehn
답변함 7달 전
  • Another poilicy type is Delegated Admnistrator - to allow multiple accounts access to certain AWS services

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인