How to limit permission to AWS SSO user

I have full access to AWS services and resources of a member account, and I can't administer IAM Identity Center from this member account. I used IAM to create IAM user and group for other users. Now we migrate IAM users to AWS SSO, all SSO users have 2 options(ReadOnly or PowerUser), how am I limit or assign SSO user permissions?

Topics

Security, Identity, & Compliance

Tags

Security, Identity, & Compliance AWS IAM Identity Center

Language

English

JohnXue

asked 9 months ago466 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Accepted Answer

Hello.
You must operate with an IAM Identity Center administrative account and assign the necessary permissions.
https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html

Alternatively, IAM Identity Center administration can be delegated to a specific member account.
In that case, it will be possible to operate the IAM Identity Center from a delegated member account and assign privileges.
https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html

EXPERT

Riku_Kobayashi

answered 9 months ago

EXPERT

Gary Mclean

reviewed 9 months ago

EXPERT

Didier_Durand

reviewed 9 months ago

Riku_Kobayashi EXPERT
9 months ago

I can't set policies for SSO users like in IAM anymore, right?

It cannot be operated from the IAM screen. Attach IAM policies in the IAM Identity Center permission set.

May I grant ReadOnly to all SSO users, create IAM role, let SSO user assume role when they need?

Do you want to set a set of permissions for a user with a ReadOnly policy? SSO users can be assigned multiple sets of privileges. For example, if an SSO user is assigned the ReadOnly permission set and the PowerUser permission set, the user can switch between the two permission sets when necessary.

Thanks Riku. 1 I can't set policies for SSO users like in IAM anymore, right? 2 May I grant ReadOnly to all SSO users, create IAM role, let SSO user assume role when they need?

JohnXue

answered 9 months ago

Relevant content

In Multi-Account setup, how to grant Service Catalog Portfolio access to IAM Identity center users in different account?
Accepted Answer
Anand R
asked 5 months ago
Access IAM Identity Center details from member account with CLI | An error occurred (ResourceNotFoundException) when calling the DescribeGroup operation: IdentityStore not present for IdentityStoreId
Kim
asked 16 days ago
How to Effectively prevent Full Authority Access to Member Accounts in case of Management Account being compromised
HumbleLearner
asked a month ago
IAM identity center and Okta SSO
rePost-User-7578834
asked a year ago
How do I remove a member account from an organization in AWS Organizations when I can't sign in to the member account?
AWS OFFICIALUpdated a year ago
Why can't I access my member account?
AWS OFFICIALUpdated 7 months ago
How can I use SCPs and tag policies to prevent users in my AWS Organizations member accounts from creating resources?
AWS OFFICIALUpdated 2 years ago
How can I grant access to Cost Explorer for an IAM user with a member account of an AWS Organizations?
AWS OFFICIALUpdated 2 years ago
How to Rotate your External IdP Certificates in AWS IAM Identity Center (successor to AWS Single Sign-On) with Zero Downtime
EXPERT
Matt-B
published a year ago
How to enable Amazon EKS Pod Identity and assign role to Service account running workloads
EXPERT
Arun Nagpal
published 4 months ago