Customer Managed Policies (CMPs) attached to AWS SSO Permission Set

0

Hi AWS, I got stuck in a weird situation where I see a couple of customer managed policies attached to an AWS SSO permission set, which was not possible until early 2022 AFAIK. The other issue I observed is that when I open the policies in the SSO account, the policies come up with the default structure without any IAM permissions, but when I go into the specific AWS account I find the policies attached per the account and all the permissions are present, which should not be the case as SSO allows you to manage everything via a centralized account.

Having said that, I want to know if the feature of attaching customer managed policies is available for SSO, how to do that, and also why I am seeing the policies attached per account instead of in the centralized account.

  • I have one more question related to this, i.e. is it possible to reference a new CMP from an existing permission set?

2 Answers
0

Support for customer managed policies in Identity Center was released in July 2022.

One thing that might have confused you is that Identity Center (SSO) "allows you to manage everything via a centralized account", but it does not provision those customer managed policies for you. You need to make sure that the policy referred to from the permission set actually exists and is the same across the different accounts that you assign your users/groups to.

Yes, you can add/remove customer managed policies to/from permission sets and have Identity Center update the permission sets (they end up as roles) across the accounts. (Again, this updates the permission set, not the customer managed policy.)

AWS
answered 5 months ago
  • Yeah, exactly, that sounds confusing, and I still have a doubt about what purpose CMP(s) solve, as SSO is used to manage everything from a centralized account (master account). Can you please elaborate on it more if possible?

0

I got the answer for this. The feature of attaching Customer Managed Policies (CMPs) to an AWS SSO permission set was introduced at Amazon re:Invent 2022. It provides a way to manage your IAM permissions without disturbing the access of all the member accounts that use SSOInlinePolicy. The steps to attach a CMP to a permission set are:

  1. Create CMPs with consistent names in your target accounts, i.e. each CMP needs to have the same name.
  2. Create a permission set that references the CMP that you created.
  3. Assign users to the permission set in accounts where you created CMPs.
  4. Test your assignments.
answered 5 months ago
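Both answers hinge on the same point: Identity Center only stores a reference (the policy name) in the permission set, so the CMP must already exist, under that exact name and with the same document, in every account you assign. Below is an added example, not code from either answer or from AWS, of the consistency check that step 1 of the procedure relies on. It runs offline over a constructed inventory of per-account policies (the account ids, policy name and documents are made up) and reports accounts where the referenced CMP is missing or has drifted from the others.

```python
import json
from typing import Dict, List

# Constructed sample inventory: customer managed policies found in each
# target account, keyed by account id, then by policy name. Every value here
# is made up for the example; in practice it would come from iam:ListPolicies
# and iam:GetPolicyVersion run in each account.
ACCOUNT_POLICIES: Dict[str, Dict[str, dict]] = {
    "111111111111": {"S3ReadOnlyForAnalysts": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}},
    # Same policy, actions listed in a different order: not drift.
    "222222222222": {"S3ReadOnlyForAnalysts": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"}]}},
    # Same name, but widened locally to s3:* - this is the drift to catch,
    # because the permission set will happily reference it by name.
    "333333333333": {"S3ReadOnlyForAnalysts": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
    # Policy never created here: the assignment would fail in this account.
    "444444444444": {},
}


def canonical(doc: dict) -> str:
    """Serialise a policy document so that harmless differences (key order,
    order of statements or of actions in a list) do not register as drift."""
    def norm(value):
        if isinstance(value, dict):
            return {k: norm(value[k]) for k in sorted(value)}
        if isinstance(value, list):
            return sorted((norm(v) for v in value), key=json.dumps)
        return value
    return json.dumps(norm(doc), sort_keys=True)


def check_cmp(reference: str, accounts: List[str],
              inventory: Dict[str, Dict[str, dict]]) -> Dict[str, List[str]]:
    """Return accounts where `reference` is missing, and accounts whose copy
    differs from the first account that has it (used as the baseline)."""
    missing = [a for a in accounts if reference not in inventory.get(a, {})]
    present = [a for a in accounts if a not in missing]
    if not present:
        return {"missing": missing, "drifted": []}
    baseline = canonical(inventory[present[0]][reference])
    drifted = [a for a in present[1:] if canonical(inventory[a][reference]) != baseline]
    return {"missing": missing, "drifted": drifted}


if __name__ == "__main__":
    print(check_cmp("S3ReadOnlyForAnalysts", sorted(ACCOUNT_POLICIES), ACCOUNT_POLICIES))
```

Run this before assigning users to the permission set, and again after any change in a member account, since Identity Center updates the role but never the policy document behind the reference.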
