- Newest
- Most votes
- Most comments
The roles created in each account via AWS ID Center will be immutable within the target account console (With the nomenclature SSO*) so you won't be able to attach AWS managed or customer policies at the account level so you'll have centralized role policy assignment. For AWS Customer Managed Policies within AWS ID Center, there won't be a validation that the policy exists in the target account but when a permission set is assigned to an account that assignment will fail since you need to ensure that the custom policy exists in the target account. For AWS Managed Policies, these are ARN's assigned to the permission sets. As stated by Gary, you'll need to have an IaC process in place to centrally distribute policies to various account. For the customer managed policies you may require different levels of access between non-prod and prod so in your design you'll need to make sure you have a way of separating the two if required.
To address the risks of bad actors making changes to AWS customer managed policies, you'll need to review your design to identity which types of roles/users can make updates to these customer managed policies. Normally if you have an IaC CI/CD process in place that role will need to have permissions to make changes to accounts so that's one vector. The second vector will be administrative accounts that can make changes to IAM policies or if you have guardrails in place that only certain roles can make changes within customer's organization.
This is always the case. Even with identity centre. Said permissions is always controlled in the target account.
In identity centre when you create a permission set, all it does under the hood is it creates a role in the target account along with the permissions/policy on the role. It trusts the management account for role assumption. The management account is a central point of authentication and management of permissions in sub accounts. The permissions for users in sub accounts are still created in the actual target accounts.
After logging into ident centre and you select an account, you assume a role in the account of choice and therefore all the permissions come from IAM still.
A way to keep it consistent could be is to use some IaC such as terraform or cloud formation.
Relevant content
- asked a year ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago