2 Answers
1
For IAM Identity Center, you'll want to create Permission Sets, which are templates that define the policies users will receive. You should also look at aws:RequestedRegion for a relevant context key to use in policies.
The API permissions apply to both console and programmatic access; however, the key you're using is an EC2 one, so it wouldn't necessarily apply to all services.
BTW, you might want to look at Service Control Policies if these users are logging in to linked accounts; there's a very relevant example in the docs.
1
To attach a customer-managed policy to a permission set, you need to first create the policy with the same name in all of the accounts to which the permission set will be attached.
answered a year ago
Thank you for the details here. I'll take a deeper look at Service Control Policies, as this seems to be an intended use case for AWS Organizations (I am new to this tool, as well).
For clarity's sake, I want to note that I had created the Permission Set as a requirement of the process and tied the IAM policy RegionRestrict to it, and this is the Permission Set I attempted to attach to each User that resulted in error. I solved this by applying a Service Control Policy to my AWS Organization rather than via the IAM Identity Center. Thanks for your help!
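The region-restriction SCP that the first answer points to and that the asker ended up applying, as an added illustrative example (not from the thread or the AWS docs verbatim): it denies every action outside the allowed regions but exempts a handful of global services so that sign-in, IAM and billing keep working. The allowed regions and the bypass role name are assumptions; the NotAction list is abbreviated, so take the full list of global services from the AWS Organizations docs example before deploying.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "sso:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "ec2:DescribeRegions",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

Attach the SCP to the OU (or root) that contains the member accounts; because it is a Deny it applies regardless of what any permission set grants, which is why it avoids the per-account customer-managed-policy problem described in the second answer.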