Proper Administrator Procedure in IAM Identity Center?


Hi, I'm an AWS administrator trying to transfer from the old IAM user approach to the new IAM Identity Center approach.

In the past, user Bob was attached to user group 'Developers' and then I gave Developers access to 'S3FullAccess'. In the new system, user Bob is attached to group 'Developers', which is attached to an account 'Developers', and then I attach a permission set with 'S3FullAccess' to that account.

My question is, why is there this abstraction to accounts and why do they need their own email? Am I expected to make a new email per group of users in AWS? This just seems like a redundancy.

My exact business case is that I'm trying to create a group of admins (from which there's already the management account we've been using) and then a group of developers (which have a different current UserGroup (without a separate email)) with least-privileged access to a few services for an application we're building, and then also a group for our web developers that maintain our website through AWS. I'd rather corral them in AWS internally without external email accounts as the old IAM currently does, and I don't understand the usefulness of abstracting them to accounts. Am I missing something? Is there another way to do this, or is there usefulness I'm not seeing?

To accomplish my current function with IAM Identity Center I need to have a management account (the first user), an application development account (account A), and a website development account (account B) correct?

1 Answer

Hello there,

Allow me to address these questions individually.

"Why is there this abstraction to accounts and why do they need their own email?"

IAM Identity Center and IAM differ in how user management is configured. For IAM, you are able to create a user and assign them to a group and give the group permissions. For IAM Identity Center, users are created using a username and email [1]. IAM Identity Center utilizes Security Assertion Markup Language (SAML) [2] to authenticate into an application. Most SAML-based applications use email as an attribute for federation. When you create users in IAM Identity Center, each user should have their own username and email.

"Am I expected to make a new email per group of users in AWS?"

No, an email does not need to be associated with a group, only a user. With IAM Identity Center you are able to manage access to AWS accounts through provisioning permission sets to a user or group [3]. Permission sets allow you to manage policies and permissions through users/groups within multiple accounts in your organization. Permission sets include AWS IAM managed policies, and they can also be custom made [4].

Taking your use case into account, you create a number of users, each with their own usernames and emails. Then, you create a group in IAM Identity Center that gives admin permissions. You can then create another user and assign them a permission set directly which offers Developers or Web developers permissions. Alternatively, you assign the created user to a group which has the Developers or Web developers permission set attached to the group. For more information, see below.

Account assignments for AWS IAM Identity Center are a combination of the AWS account, permission set, and assigned users/groups. Therefore, in order to attach a permission set to an account, you will need to select the users/groups that will be able to access that account via the permission set. To view or modify user/group and permission set combinations follow these steps:

  1. Navigate to the AWS accounts page in the AWS Identity Center console.
  2. Click on an account name you wish to provision permission sets in.
  3. Under the "Users and groups" tab, you can see all identities and the permission sets they have access to.
  4. You can add users or groups from this page using the buttons on the right side.
  5. Select permission sets and new users or groups.
  6. Save changes to provision permission sets.
  7. Repeat steps 1-6 to add additional permission sets for a user or group in an account (or by selecting the user or group in an account and modifying the permission set associations).

For more information on this process, see reference [5].

"To accomplish my current function with IAM Identity Center I need to have a management account (the first user), an application development account (account A), and a website development account (account B) correct?"

Not quite; that is one way you can achieve your goal. If you have multiple accounts set up and attached to an organization, you can create permission sets and assign them to accounts and give your users access to those accounts [6]. Another way you can achieve your use case is by having a group called Admins which has the AdministratorAccess permission set, a group called Developers which has a custom permission set which allows S3FullAccess, and finally a group called Web Developers which has a custom permission set including the needed IAM policies. From there you can add your Identity Center users into those groups or assign permission sets to them individually. Please note that this all can be done within one account. For more information I have provided links below.

Feel free to reach back out if you need additional clarification.

AWS
answered a year ago
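As an added example (not from the answer above or from AWS), the single-account layout the answer describes expressed as boto3 `sso-admin` calls: three groups, three permission sets, and one account assignment per group, each assignment being the (account, permission set, principal) triple. The instance ARN, account ID, group IDs, bucket name and the web developers' inline policy are constructed placeholders, and `RecordingClient` stands in for `boto3.client("sso-admin")` so the code runs offline.

```python
import json

# Constructed identifiers for this example; substitute your own instance, account and group IDs.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
ACCOUNT_ID = "111111111111"
GROUP_IDS = {"Admins": "grp-admins", "Developers": "grp-devs", "WebDevelopers": "grp-web"}
# Hypothetical website-maintenance policy, scoped to one bucket instead of a wildcard grant.
WEB_INLINE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-website-bucket", "arn:aws:s3:::example-website-bucket/*"]}]}
# Permission set name -> (AWS managed policy ARNs, optional inline policy document)
PERMISSION_SETS = {
    "Admins": (["arn:aws:iam::aws:policy/AdministratorAccess"], None),
    "Developers": (["arn:aws:iam::aws:policy/AmazonS3FullAccess"], None),
    "WebDevelopers": ([], WEB_INLINE_POLICY),
}

def provision(sso_admin, instance_arn, account_id, group_ids):
    """Create each permission set, attach its policies and assign it to the matching group
    in one account. Returns {permission set name: permission set ARN}."""
    arns = {}
    for name, (managed, inline) in PERMISSION_SETS.items():
        resp = sso_admin.create_permission_set(Name=name, InstanceArn=instance_arn,
                                               SessionDuration="PT8H")
        ps_arn = resp["PermissionSet"]["PermissionSetArn"]
        for policy_arn in managed:
            sso_admin.attach_managed_policy_to_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=policy_arn)
        if inline is not None:
            sso_admin.put_inline_policy_to_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=ps_arn, InlinePolicy=json.dumps(inline))
        # An account assignment is the (account, permission set, principal) triple.
        sso_admin.create_account_assignment(
            InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_ids[name])
        arns[name] = ps_arn
    return arns

class RecordingClient:
    """Offline stand-in for boto3.client("sso-admin"); records every API call it receives."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            if op == "create_permission_set":  # the only response provision() reads
                return {"PermissionSet": {"PermissionSetArn": f"{kwargs['InstanceArn']}/ps-{kwargs['Name']}"}}
            return {}
        return call
```

Run it with `provision(RecordingClient(), INSTANCE_ARN, ACCOUNT_ID, GROUP_IDS)` to see the calls it would make; pass a real `boto3.client("sso-admin")` instead, with your own identifiers, to apply them.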
