How to control per user per account permissions with IAM identity center?


I am struggling with IAM Identity center. I want to make sure user Y can only assume power user role when accessing account Z. It is not clear to me how I can achieve that when all permissions sets are assigned on an account level and not a user level.

I have the following permission sets assigned to an account. The console says that I can assign permissions to a group, but when I start assigning permission sets, they are assigned to ACCOUNTS only. So there is no way to say user X can only be PowerUser but not Administrator when accessing the account Y.

Here is the Stack Overflow question (which doesn't have an answer).

1 Answer

Hi, you should understand the two core components of the AWS IAM Identity Center service.

Core Components

Permission Set

A permission set is a template you create and maintain that defines a collection of one or more IAM policies. Permission sets simplify the assignment of AWS account access for users and groups in your organization. You can think of a permission set as a reusable role with proper permissions, which can be used in several AWS accounts in the same AWS Organization.

Account Assignment

An account assignment is the task of assigning a permission set for a specific AWS account to multiple users or groups.


You can create an account assignment for the PowerUser permission set of the AWS account to user X.


answered 23 days ago
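The answer's point is that an account assignment is a triple of principal, permission set and account, so "user Y only gets PowerUser in account Z" is expressed by creating exactly that triple and no Administrator triple for Y in Z. The following added example (not part of the original question or answer, and not AWS code) models those triples in plain Python with constructed sample data, resolves which permission sets a user can actually pick for a given account (directly or through group membership), audits an account for users holding more than intended, and builds the argv for the corresponding `aws sso-admin create-account-assignment` call without executing it. All user names, group names, account ids and ARNs are placeholders; real principal ids are identity store ids, not names.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Assignment:
    """One account assignment: one principal gets one permission set in one account."""
    principal_type: str   # "USER" or "GROUP", as the sso-admin API names them
    principal_id: str     # identity store id in real life; readable placeholder here
    permission_set: str   # permission set name; the API itself wants the ARN
    account_id: str       # 12-digit AWS account id (constructed placeholders)


# Constructed sample data. Real principal ids come from the identity store
# (e.g. `aws identitystore list-users`), not from display names.
GROUPS: Dict[str, Set[str]] = {
    "Admins": {"alice"},
    "Developers": {"alice", "user-y"},
}

ASSIGNMENTS: List[Assignment] = [
    Assignment("GROUP", "Admins", "AdministratorAccess", "111111111111"),
    Assignment("GROUP", "Developers", "PowerUserAccess", "111111111111"),
    # User Y only gets PowerUser in account Z: this is the only assignment
    # that reaches user-y in account 222222222222.
    Assignment("USER", "user-y", "PowerUserAccess", "222222222222"),
]


def effective_permission_sets(user: str, account_id: str,
                              assignments: Iterable[Assignment] = ASSIGNMENTS,
                              groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """Permission sets `user` can choose on the access portal for `account_id`.

    A user gets a permission set if it is assigned to the user directly or to
    a group the user belongs to, and only in the account named in the assignment.
    """
    result: Set[str] = set()
    for a in assignments:
        if a.account_id != account_id:
            continue
        if a.principal_type == "USER" and a.principal_id == user:
            result.add(a.permission_set)
        elif a.principal_type == "GROUP" and user in groups.get(a.principal_id, set()):
            result.add(a.permission_set)
    return result


def audit_account(account_id: str, allowed: Dict[str, Set[str]],
                  assignments: Iterable[Assignment] = ASSIGNMENTS,
                  groups: Dict[str, Set[str]] = GROUPS) -> Dict[str, Set[str]]:
    """Return {user: unexpected permission sets} for the users listed in `allowed`.

    `allowed` maps each user to the permission sets they should have in the
    account; anything beyond that (typically Administrator inherited through a
    group) is reported so the offending group assignment can be reviewed.
    """
    findings: Dict[str, Set[str]] = {}
    for user, expected in allowed.items():
        extra = effective_permission_sets(user, account_id, assignments, groups) - expected
        if extra:
            findings[user] = extra
    return findings


def create_assignment_command(a: Assignment, instance_arn: str,
                              permission_set_arns: Dict[str, str]) -> List[str]:
    """argv for the AWS CLI call that would create this assignment (not executed)."""
    return [
        "aws", "sso-admin", "create-account-assignment",
        "--instance-arn", instance_arn,
        "--target-type", "AWS_ACCOUNT",
        "--target-id", a.account_id,
        "--permission-set-arn", permission_set_arns[a.permission_set],
        "--principal-type", a.principal_type,
        "--principal-id", a.principal_id,
    ]


if __name__ == "__main__":
    print(sorted(effective_permission_sets("user-y", "222222222222")))   # ['PowerUserAccess']
    print(audit_account("111111111111",
                        {"user-y": {"PowerUserAccess"}, "alice": {"PowerUserAccess"}}))
```

The audit is the check worth keeping around: because group assignments apply to every member, a user who should only have PowerUser can end up with Administrator simply by being added to an admin group, and `audit_account` surfaces that even though every individual assignment looked fine in the console.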
