IAM Identity Center - what does reprovision accounts mean

0

The permissions on a role in a child account managed by IAM Identity Center in our management account are incorrect. We have a message in the Identity Center that says 2 AWS accounts are using an outdated version of this permission set. When I click Update, I'm given another screen that has the text, "To update this permission set in the AWS accounts that you selected, we are reprovisioning the accounts." This is absolutely terrifying. I want to update these policies, and I think this is what I want to do, but the wording has me very concerned. I don't want to "reprovision" my account if "reprovision" means to recreate it somehow. What does it mean by "reprovision"?

hodor
Asked 2 years ago · 919 views
1 answer
2
Accepted answer

Background

The warning "permission set uses outdated permissions" happens because either the managed policy or custom policy attached to the permission set might have deprecated permissions. Sometimes AWS needs to add a new permission to an existing policy, such as when a new service is introduced. Adding a new permission to an existing policy does not disrupt or remove any feature or ability. However, AWS might choose to create a new policy when the needed changes could impact customers, if they were applied to an existing policy.

For example, removing permissions from an existing policy could break the permissions of any IAM entity or application that depended upon it, potentially disrupting a critical operation. Therefore, when such a change is required, AWS creates a completely new policy with the required changes and makes it available to customers. The old policy is then marked deprecated. A deprecated managed policy appears with a warning icon next to it in the Policies list in the IAM console. The same applies here to permission sets as well, since you can attach managed IAM policies to those permission sets.

Now, this is where the re-provisioning of the AWS accounts comes into play. Re-provisioning is the process by which, if any changes are made to a permission set (deprecated policies, etc.) or to the account, you propagate those changes to the account(s) by re-provisioning it. This is why you see the warning 'Requires reapplying permission set'.

Query

Coming to your query, in the context of the message received, "To update this permission set in the AWS accounts that you selected, we are reprovisioning the accounts.", the action of reprovisioning the permission sets will only reprovision and update the policies associated with the AWS accounts. It will update the permission set's policy, and there is no recreation of the account. It's just reprovisioning of the permission sets (along with the updated policy) to the accounts that are associated with the permission sets.

Hope the information shared above helps. Thank you

AWS
Support Engineer
Varun
Answered 2 years ago
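The answer above describes reprovisioning as pushing the current permission-set definition into the associated accounts. As an added example (not part of the answer or of any AWS code), here is the same operation done through the sso-admin API, which makes it visible that only the permission set's provisioning in the target account is touched: list permission sets whose provisioned role lags the latest definition, call ProvisionPermissionSet per account, and poll the asynchronous status. The client argument is assumed to be a boto3 `sso-admin` client; `FakeSsoAdmin`, the ARNs and the account id are constructed stand-ins so the block runs offline.

```python
# Works with any object exposing the three sso-admin calls used here; pass
# boto3.client("sso-admin") for real use. ARNs and account id are constructed samples.
import time

OUTDATED = "LATEST_PERMISSION_SET_NOT_PROVISIONED"

def find_outdated(client, instance_arn, account_id):
    """Permission-set ARNs whose role in account_id lags the latest definition (paginated)."""
    arns, token = [], None
    while True:
        kwargs = dict(InstanceArn=instance_arn, AccountId=account_id, ProvisioningStatus=OUTDATED)
        if token:
            kwargs["NextToken"] = token
        page = client.list_permission_sets_provisioned_to_account(**kwargs)
        arns.extend(page.get("PermissionSets", []))
        token = page.get("NextToken")
        if not token:
            return arns

def reprovision(client, instance_arn, account_id, ps_arn, poll_seconds=0):
    """Push the current permission-set definition into one account and wait for the outcome.
    Only the IAM role derived from the permission set changes; the account itself is untouched."""
    req = client.provision_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn,
                                          TargetType="AWS_ACCOUNT", TargetId=account_id)
    status = req["PermissionSetProvisioningStatus"]
    while status["Status"] == "IN_PROGRESS":  # the call is async: poll until SUCCEEDED or FAILED
        time.sleep(poll_seconds)
        status = client.describe_permission_set_provisioning_status(
            InstanceArn=instance_arn, ProvisionPermissionSetRequestId=status["RequestId"],
        )["PermissionSetProvisioningStatus"]
    return status["Status"], status.get("FailureReason")

class FakeSsoAdmin:
    """Offline stand-in for the boto3 sso-admin client, returning constructed responses."""
    PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-"
    def __init__(self):
        self.polls = {}  # request id -> number of status polls so far
    def list_permission_sets_provisioned_to_account(self, **kw):
        if kw.get("NextToken"):  # second page ends the listing
            return {"PermissionSets": [self.PS + "bbbb"]}
        return {"PermissionSets": [self.PS + "aaaa"], "NextToken": "page2"}
    def provision_permission_set(self, **kw):
        self.polls[kw["PermissionSetArn"]] = 0
        return {"PermissionSetProvisioningStatus": {"Status": "IN_PROGRESS", "RequestId": kw["PermissionSetArn"]}}
    def describe_permission_set_provisioning_status(self, **kw):
        rid = kw["ProvisionPermissionSetRequestId"]
        self.polls[rid] += 1  # report success on the second poll
        state = "SUCCEEDED" if self.polls[rid] >= 2 else "IN_PROGRESS"
        return {"PermissionSetProvisioningStatus": {"Status": state, "RequestId": rid}}
```

With a real client, run `find_outdated` first so you know exactly which permission sets the Update button would touch, and use a non-zero `poll_seconds` to avoid hammering the status API.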
