Why can't (multiple) user managed policies be added to an SSO Permission Set?

0

We are being asked to move to AWS SSO as a compliance issue, however I am running into some limitations with the creation of Permission Sets.

Why is there no option to add multiple (or any) user managed policies?

AWS managed policies do not provide the secure, granular permissions required for a robust setup, yet the only other option is to add a single, JSON, inline policy (i.e. I can't even refer to the ARN of one user managed policy for this).

Our infrastructure is defined in Terraform and, as an example, we currently have an IAM role that has 2 user managed policies attached (the policies are necessarily defined in separate repos and cannot be combined whilst retaining their granularity).

With IAM Roles I can attach both of these policies, but not with Permission Sets, even though a Permission Set will create an IAM Role when it’s attached to an account.

Is there a security-based reason for this, or is the SSO simply limited?

  • To clarify, I have tried in Terraform to do things like add a user managed policy instead of an AWS one, in case it was a limitation of the console that I could get around, however nothing has worked. I have managed to now merge the two user managed policies using the source/override options in Terraform when bringing in the policy as a data source. I would still like to know however if there is a reason for the limitations in SSO.

Asked 2 years ago, viewed 1016 times
1 answer
1

Hey - In July, AWS added support for Customer Managed Policies to IAM Identity Center (formerly AWS SSO).

HashiCorp have now added support for this: Resource: aws_ssoadmin_customer_managed_policy_attachment.

AWS
Jake
Answered 2 years ago
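As an added example (not code from the answer or from the provider docs), this is how the asker's scenario of two separately maintained customer managed policies can be attached to one permission set with the resource Jake names. The instance, permission set and policy names are assumed; Identity Center references each policy by name and path, so a policy with that exact name and path must already exist in every account the permission set is assigned to, otherwise provisioning of the assignment fails.

```terraform
# Added example: attach several customer managed policies to one
# IAM Identity Center permission set. All names below are hypothetical.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  # One IAM policy per source repo. Each must exist, with the same name
  # and path, in every target account before the assignment is provisioned.
  policy_names = toset(["repo-a-s3-access", "repo-b-sqs-access"])
}

resource "aws_ssoadmin_permission_set" "least_privilege" {
  name             = "LeastPrivilegeDeveloper"
  description      = "Granular access built from customer managed policies"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

# One attachment per policy; the permission set ends up with both,
# mirroring an IAM role with two customer managed policies attached.
resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
  for_each = local.policy_names

  instance_arn       = aws_ssoadmin_permission_set.least_privilege.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.least_privilege.arn

  customer_managed_policy_reference {
    name = each.value
    path = "/"
  }
}
```

Because the reference is by name rather than ARN, a policy renamed in one account without a matching rename in the others silently breaks that account's assignment on the next provisioning run, so the policy name is worth pinning in the repos that own them.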
