IAM Identity Center - what does reprovision accounts mean


The permissions on a role in a child account managed by IAM Identity Center in our management account are incorrect. We have a message in the Identity Center that says 2 AWS accounts are using an outdated version of this permission set. When I click Update, I'm given another screen that has the text, "To update this permission set in the AWS accounts that you selected, we are reprovisioning the accounts." This is absolutely terrifying. I want to update these policies, and I think this is what I want to do, but the wording has me very concerned. I don't want to "reprovision" my account if "reprovision" means to recreate it somehow. What does it mean by "reprovision"?

asked 2 years ago · 1044 views
1 Answer
Accepted Answer


The warning "permission set uses outdated permissions" happens because either the managed policy or custom policy attached to the permission set might have deprecated permissions. Sometimes AWS needs to add a new permission to an existing policy, such as when a new service is introduced. Adding a new permission to an existing policy does not disrupt or remove any feature or ability. However, AWS might choose to create a new policy when the needed changes could impact customers, if they were applied to an existing policy.

For example, removing permissions from an existing policy could break the permissions of any IAM entity or application that depended upon it, potentially disrupting a critical operation. Therefore, when such a change is required, AWS creates a completely new policy with the required changes and makes it available to customers. The old policy is then marked deprecated. A deprecated managed policy appears with a warning icon next to it in the Policies list in the IAM console. The same applies here to permission sets as well, since you can attach managed IAM policies to those permission sets.

Now, this is where the re-provisioning of the AWS accounts comes into play. Re-provisioning is the process by which, if any changes are made to a permission set (deprecated policies etc.) or to the account, you propagate those changes to the account(s) by re-provisioning it. This is why you see the warning 'Requires reapplying permission set'.


Coming to your query, in the context of the message received, "To update this permission set in the AWS accounts that you selected, we are reprovisioning the accounts.", the action of reprovisioning the permission sets will only reprovision and update the policies associated with the AWS accounts. It will update the permission set's policy, and there is no recreation of the account. It's just reprovisioning of the permission sets (along with the updated policy) to the accounts which are associated with the permission sets.

Hope the information shared above helps. Thank you.

AWS · answered 2 years ago
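The same "find the outdated accounts, then reprovision them" step that the console performs can be driven through the IAM Identity Center `sso-admin` API, which also makes it visible that nothing but the permission set's policies in each member account is touched. The following is an added example, not code from the original answer or from AWS: it assumes a management-account (or delegated administrator) credential for `boto3.client("sso-admin")`, and the instance/permission-set ARNs and account IDs are constructed placeholders. `FakeSsoAdmin` is a constructed stand-in that mimics the real API's response shapes so the script runs offline; swap in the real boto3 client for a live run.

```python
"""Find member accounts whose copy of a permission set is stale and re-push
the permission set to them through the IAM Identity Center (sso-admin) API.

Re-provisioning only rewrites the policies attached to the AWSReservedSSO_*
role that Identity Center manages in each member account; the account itself
is never created, deleted or modified.
"""
import time

OUTDATED = "LATEST_PERMISSION_SET_NOT_PROVISIONED"   # real ProvisioningStatus filter value
LATEST = "LATEST_PERMISSION_SET_PROVISIONED"

# Constructed placeholder ARNs; replace with the values from your Identity Center instance.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"


def list_outdated_accounts(client, instance_arn, permission_set_arn):
    """Return the account IDs behind the console's 'N AWS accounts are using an
    outdated version of this permission set' notice, following NextToken pages."""
    kwargs = {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn,
              "ProvisioningStatus": OUTDATED}
    accounts = []
    while True:
        resp = client.list_accounts_for_provisioned_permission_set(**kwargs)
        accounts.extend(resp.get("AccountIds", []))
        if not resp.get("NextToken"):
            return accounts
        kwargs["NextToken"] = resp["NextToken"]


def reprovision(client, instance_arn, permission_set_arn, account_id,
                poll_seconds=2.0, sleep=time.sleep):
    """Re-push the permission set's current policies to one account and wait for
    the asynchronous request to finish. Returns the final status dict."""
    started = client.provision_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=permission_set_arn,
        TargetType="AWS_ACCOUNT", TargetId=account_id)
    request_id = started["PermissionSetProvisioningStatus"]["RequestId"]
    while True:
        status = client.describe_permission_set_provisioning_status(
            InstanceArn=instance_arn, ProvisionPermissionSetRequestId=request_id
        )["PermissionSetProvisioningStatus"]
        if status["Status"] in ("SUCCEEDED", "FAILED"):
            return status
        sleep(poll_seconds)


def update_outdated(client, instance_arn, permission_set_arn, **poll):
    """Re-provision every account that is behind; map account ID -> final status."""
    results = {}
    for account_id in list_outdated_accounts(client, instance_arn, permission_set_arn):
        results[account_id] = reprovision(client, instance_arn, permission_set_arn,
                                          account_id, **poll)["Status"]
    return results


class FakeSsoAdmin:
    """Constructed offline stand-in for boto3.client("sso-admin"). It returns the
    same dict shapes as the real API, pages one account at a time to exercise
    NextToken handling, and reports IN_PROGRESS once before SUCCEEDED."""

    def __init__(self, all_accounts, outdated):
        self.all_accounts = set(all_accounts)
        self.outdated = set(outdated)
        self.calls = []          # record of provisioning requests, for inspection
        self._pending = {}

    def list_accounts_for_provisioned_permission_set(self, **kw):
        status = kw.get("ProvisioningStatus")
        ids = sorted(self.outdated if status == OUTDATED else
                     self.all_accounts - self.outdated if status == LATEST else
                     self.all_accounts)
        start = int(kw.get("NextToken", 0))
        resp = {"AccountIds": ids[start:start + 1]}
        if start + 1 < len(ids):
            resp["NextToken"] = str(start + 1)
        return resp

    def provision_permission_set(self, **kw):
        rid = "req-" + kw["TargetId"]
        self._pending[rid] = 1
        self.calls.append(("provision", kw["TargetId"]))
        return {"PermissionSetProvisioningStatus": {"Status": "IN_PROGRESS", "RequestId": rid}}

    def describe_permission_set_provisioning_status(self, **kw):
        rid = kw["ProvisionPermissionSetRequestId"]
        if self._pending[rid] > 0:
            self._pending[rid] -= 1
            return {"PermissionSetProvisioningStatus": {"Status": "IN_PROGRESS", "RequestId": rid}}
        self.outdated.discard(rid[len("req-"):])   # the account now carries the latest version
        return {"PermissionSetProvisioningStatus": {"Status": "SUCCEEDED", "RequestId": rid}}


if __name__ == "__main__":
    # Offline demo with constructed account IDs. For a real run use:
    #   import boto3; client = boto3.client("sso-admin")
    client = FakeSsoAdmin(all_accounts=["111111111111", "222222222222", "333333333333"],
                          outdated=["111111111111", "333333333333"])
    print("outdated before:", list_outdated_accounts(client, INSTANCE_ARN, PERMISSION_SET_ARN))
    print("results:", update_outdated(client, INSTANCE_ARN, PERMISSION_SET_ARN, sleep=lambda s: None))
    print("outdated after:", list_outdated_accounts(client, INSTANCE_ARN, PERMISSION_SET_ARN))
```

Running `list_outdated_accounts` on its own is a useful dry run before clicking Update: it lists exactly which member accounts will receive a new copy of the permission set's policies, and accounts already on the latest version are skipped. `TargetType="ALL_PROVISIONED_ACCOUNTS"` is the API's equivalent of selecting every account in the console, but targeting one account at a time keeps each request's status individually observable.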
