By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Policy assignment using Permission set vs Identity and Resource

0

I have been reading about policy evaluations including Identity and Resource based policies. I am wondering i should use Identity Center permission set to grant permissions instead? Even though we need to use IAM policy to create customer managed policy and assign it to permission set but the evaluations of policies won't involve Identity and Resource policies, right? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Topics
Security, Identity, & Compliance
Tags
IAM Policies
Language
English
profile picture
Lottie
asked 2 months ago129 views
2 Answers
2
Accepted Answer

When using AWS Identity Center to manage access, you still work with IAM policies by attaching them to permission sets. Here's the key:

  • AWS Identity Center permission sets include IAM policies (both AWS managed and customer managed) to grant permissions.
  • Policy evaluations in AWS consider all applicable policies, including those assigned through Identity Center permission sets and directly attached IAM policies (both identity-based and resource-based).

Using Identity Center and its permission sets doesn't bypass the evaluation of IAM policies; it's a way to manage and streamline access across your AWS environment more efficiently.

profile picture
EXPERT
Osvaldo Marte
answered 2 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed a month ago
2

I would consider using both of the approaches you describe to meet different requirements.

AWS IAM Identity Center permissions sets will provide you with a scalable approach to managing SSO-based roles that can be deployed across the organization. This would be useful in granting internal users general access to resources within your AWS account. For example, you might choose to allow an administrator group read-only access to Amazon S3 buckets in your account.

You could then use resource-based or identity-based policies to further restrict access to specific resources beyond what the permissions set allows. For example, you might add a resource-based policy to a particular Amazon S3 bucket in your account that prevents administrators from reading objects within.

AWS
mwdehn
answered 2 months ago
  • Lottie
    2 months ago

    Another poilicy type is Delegated Admnistrator - to allow multiple accounts access to certain AWS services

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content