# Manage AWS accounts with permission sets

A permission set is a template that you create and maintain that defines a collection of one or more [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html). Permission sets simplify the assignment of AWS account access for users and groups in your organization. For example, you can create a *Database Admin* permission set that includes policies for administering AWS RDS, DynamoDB, and Aurora services, and use that single permission set to grant access to a list of target AWS accounts within your [AWS Organization](https://aws.amazon.com/organizations/) for your database administrators.

IAM Identity Center assigns access to a user or group in one or more AWS accounts with permission sets. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. IAM Identity Center manages the role, and allows the authorized users you’ve defined to assume the role, by using the IAM Identity Center User Portal or AWS CLI.  As you modify the permission set, IAM Identity Center ensures that the corresponding IAM policies and roles are updated accordingly.

You can add [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies), [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies), [inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies), and [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) to your permission sets. You can also assign an AWS managed policy or a customer managed policy as a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).

To create a permission set, see [Create, manage, and delete permission sets](permissionsets.md).

## Create a permission set that applies least-privilege permissions


To follow the best practice of applying least-privilege permissions, after you create an administrative permission set, you create a more restrictive permission set and assign it to one or more users. The permission sets created in the previous procedure provide a starting point for you to assess the amount of access to resources your users need. To switch to least-privilege permissions, you can run IAM Access Analyzer to monitor principals with AWS managed policies. After you learn which permissions they actually use, you can write a custom policy or generate a policy with only the required permissions for your team.

With IAM Identity Center, you can assign multiple permission sets to the same user. Your administrative user should also be assigned additional, more restrictive permission sets. That way, they can access your AWS account with only the permissions that are required, rather than always using their administrative permissions.

For example, if you're a developer, after you create your administrative user in IAM Identity Center, you can create a new permission set that grants `PowerUserAccess` permissions, and then assign that permission set to yourself. Unlike the administrative permission set, which uses `AdministratorAccess` permissions, the `PowerUserAccess` permission set doesn't allow management of IAM users and groups. When you sign in to the AWS access portal to access your AWS account, you can choose `PowerUserAccess` rather than `AdministratorAccess` to perform development tasks in the account.

Keep the following considerations in mind:
+ **To get started quickly with creating a more restrictive permission set, use a predefined permission set rather than a custom permission set.** 

  With a predefined permission set, which uses [predefined permissions](permissionsetpredefined.md), you choose a single AWS managed policy from a list of available policies. Each policy grants a specific level of access to AWS services and resources or permissions for a common job function. For information about each of these policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html). 
+ **You can configure the session duration for a permission set to control the length of time that a user is signed into an AWS account.** 

  When users federate into their AWS account and use the AWS Management Console or the AWS Command Line Interface (AWS CLI), IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. By default, the value for **Session duration**, which determines the length of time that a user can be signed into an AWS account before AWS signs the user out of the session, is set to one hour. You can specify a maximum value of 12 hours. For more information, see [Set session duration for AWS accounts](howtosessionduration.md).
+ **You can also configure the AWS access portal session duration to control the length of time that a workforce user is signed into the portal.** 

  By default, the value for **Maximum session duration**, which determines the length of time that a workforce user can be signed in to the AWS access portal before they must re-authenticate, is eight hours. You can specify a maximum value of 90 days. For more information, see [Configure the session duration in IAM Identity Center](configure-user-session.md).
+ **When you sign in to the AWS access portal, choose the role that provides least-privilege permissions.**

  Each permission set that you create and assign to your user appears as an available role in the AWS access portal. When you sign in to the portal as that user, choose the role that corresponds to the most restrictive permission set that you can use to perform tasks in the account, rather than `AdministratorAccess`.
+ **You can add other users to IAM Identity Center and assign existing or new permission sets to those users.**

  For information, see, [Assign user or group access to AWS accounts](assignusers.md).

**Topics**
+ [Create a permission set that applies least-privilege permissions](#get-started-create-permission-set-to-grant-least-privilege-permissions)
+ [Predefined permissions for AWS managed policies](permissionsetpredefined.md)
+ [Custom permissions for AWS managed and customer managed policies](permissionsetcustom.md)
+ [Create, manage, and delete permission sets](permissionsets.md)
+ [Configure permission set properties](permproperties.md)

# Predefined permissions for AWS managed policies

You can create a predefined permission set with AWS managed policies.

When you create a permission set with predefined permissions, you choose one policy from a list of AWS managed policies. Within the available policies, you can choose from **Common permission policies** and **Job function policies**.

**Common permission policies**  
Choose from a list of AWS managed policies that make it possible to access resources in your entire AWS account. You can add one of the following policies:  
+ AdministratorAccess
+ PowerUserAccess
+ ReadOnlyAccess
+ ViewOnlyAccess

**Job function policies**  
Choose from a list of AWS managed policies that make it possible to access resources in your AWS account that might be relevant to a job within your organization. You can add one of the following policies:  
+ Billing
+ DataScientist
+ DatabaseAdministrator
+ NetworkAdministrator
+ SecurityAudit
+ SupportUser
+ SystemAdministrator

For detailed descriptions of the available common permission policies and job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *AWS Identity and Access Management user guide*.

For instructions on how to create a permission set, see [Create, manage, and delete permission sets](permissionsets.md).

# Custom permissions for AWS managed and customer managed policies

You can create a permission set with **Custom permissions**, combining any of the AWS managed and customer managed policies that you have in AWS Identity and Access Management (IAM) along with inline policies. You can also include a permissions boundary, which sets the maximum permissions that the other policies can grant to users of your permission set.

For instructions on how to create a permission set, see [Create, manage, and delete permission sets](permissionsets.md).

**Policy types that you can attach to your permission set**

**Topics**
+ [Inline policies](#permissionsetsinlineconcept)
+ [AWS managed policies](#permissionsetsampconcept)
+ [Customer managed policies](#permissionsetscmpconcept)
+ [Permissions boundaries](#permissionsetsboundaryconcept)

## Inline policies


You can attach an *inline policy* to a permission set. An inline policy is a block of text formatted as an IAM policy that you add directly to your permission set. You can paste in a policy, or generate a new one with the policy creation tool in the IAM Identity Center console when you create a new permission set. You can also create IAM policies with the [AWS Policy Generator](https://awspolicygen.s3.amazonaws.com/policygen.html).

When you deploy a permission set with an inline policy, IAM Identity Center creates an IAM policy in the AWS accounts where you assign your permission set. IAM Identity Center creates the policy when you assign the permission set to the account. The policy is then attached to the IAM role in your AWS account that your user assumes.

When you create an inline policy and assign your permission set, IAM Identity Center configures the policies in your AWS accounts for you. When you build your permission set with [Customer managed policies](#permissionsetscmpconcept), you must create the policies in your AWS accounts yourself before you assign the permission set.

## AWS managed policies


You can attach *AWS managed policies* to your permission set. AWS managed policies are IAM policies that AWS maintains. In contrast, [Customer managed policies](#permissionsetscmpconcept) are IAM policies in your account that you create and maintain. AWS managed policies address common least privilege use cases in your AWS account. You can assign an AWS managed policy as permissions for the role that IAM Identity Center creates, or as a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).

AWS maintains [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) that assign job-specific access permissions to your AWS resources. You can add one job-function policy when you choose to use **Predefined permissions** with your permission set. When you choose **Custom permissions**, you can add more than one job-function policy.

Your AWS account also contains a large number of AWS managed IAM policies for specific AWS services and combinations of AWS services. When you create a permission set with **Custom permissions**, you can choose from many additional AWS managed policies to assign to your permission set.

AWS populates every AWS account with AWS managed policies. To deploy a permission set with AWS managed policies, you do not need to first create a policy in your AWS accounts. When you build your permission set with [Customer managed policies](#permissionsetscmpconcept), you must create the policies in your AWS accounts yourself before you assign the permission set.

For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the IAM User Guide.

## Customer managed policies


You can attach *customer managed policies* to your permission set. Customer managed policies are IAM policies in your account that you create and maintain. In contrast, [AWS managed policies](#permissionsetsampconcept) are IAM policies in your account that AWS maintains. You can assign a customer managed policy as permissions for the role that IAM Identity Center creates, or as a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html).

When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each AWS account where IAM Identity Center assigns your permission set. If you are specifying a custom path, make sure to specify the same path in each AWS account. For more information, see [Friendly names and paths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) in the *IAM User Guide*. IAM Identity Center attaches the IAM policy to the IAM role that it creates in your AWS account. As a best practice, apply the same permissions to the policy in each account where you assign the permission set. For more information, see [Use IAM policies in permission sets](howtocmp.md). 

**Note**  
When a customer managed policy is attached to a permission set, the name of the policy is not case sensitive.

For more information, see [Customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) in the IAM User Guide.

## Permissions boundaries


You can attach a *permissions boundary* to your permission set. A permissions boundary is an AWS managed or customer managed IAM policy that sets the maximum permissions that an identity-based policy can grant to an IAM principal. When you apply a permissions boundary, your [Inline policies](#permissionsetsinlineconcept), [Customer managed policies](#permissionsetscmpconcept), and [AWS managed policies](#permissionsetsampconcept) cannot grant any permissions that exceed the permissions that your permissions boundary grants. A permissions boundary doesn't grant any permissions, but instead makes it so that IAM ignores all permissions beyond the boundary.

When you create a permission set with a customer managed policy as a permissions boundary, you must create an IAM policy with the same name in each AWS account where IAM Identity Center assigns your permission set. IAM Identity Center attaches the IAM policy as a permissions boundary to the IAM role that it creates in your AWS account.

For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the IAM User Guide.
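The following is an added example, not AWS code, that illustrates how the policy types described above combine: a simplified evaluator for one action/resource request in which an explicit Deny anywhere wins, and an Allow from the permission set's inline or managed policies counts only if the permissions boundary also allows the action. The policy documents are constructed samples, not real AWS managed policies; Condition, NotAction and NotResource elements are not modelled.

```python
import fnmatch

ALLOW, DENY, IMPLICIT_DENY = "Allow", "Deny", "ImplicitDeny"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _statements(policy):
    """The Statement element may be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def policy_decision(policy, action, resource):
    """Decision of one policy document for one request: Allow, Deny or ImplicitDeny."""
    decision = IMPLICIT_DENY
    for stmt in _statements(policy):
        if not (_action_matches(stmt.get("Action"), action)
                and _resource_matches(stmt.get("Resource"), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return DENY  # an explicit Deny is final for this policy
        if stmt.get("Effect") == "Allow":
            decision = ALLOW
    return decision


def evaluate(identity_policies, boundary, action, resource):
    """Combine the role's identity-based policies (the permission set's inline,
    AWS managed and customer managed policies) with an optional permissions boundary."""
    identity = [policy_decision(p, action, resource) for p in identity_policies]
    if DENY in identity:
        return DENY  # explicit deny always wins
    if boundary is not None:
        b = policy_decision(boundary, action, resource)
        if b == DENY:
            return DENY
        if b != ALLOW:
            return IMPLICIT_DENY  # outside the boundary: identity Allow is ignored
    # A boundary never grants anything on its own; an identity policy must allow.
    return ALLOW if ALLOW in identity else IMPLICIT_DENY


# Constructed sample documents for the demonstration.
INLINE_POLICY = {  # what the permission set's inline policy grants
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
}
BOUNDARY_POLICY = {  # a customer managed policy attached as the permissions boundary
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "dynamodb:*", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
}


def demo():
    """Evaluate a few requests against the sample inline policy and boundary."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    table = "arn:aws:dynamodb:us-east-1:111111111111:table/Orders"
    return {
        "s3:GetObject": evaluate([INLINE_POLICY], BOUNDARY_POLICY, "s3:GetObject", obj),
        "s3:PutObject": evaluate([INLINE_POLICY], BOUNDARY_POLICY, "s3:PutObject", obj),
        "dynamodb:DeleteTable": evaluate([INLINE_POLICY], BOUNDARY_POLICY,
                                         "dynamodb:DeleteTable", table),
        "ec2:DescribeInstances": evaluate([INLINE_POLICY], BOUNDARY_POLICY,
                                          "ec2:DescribeInstances", "*"),
        "s3:PutObject (no boundary)": evaluate([INLINE_POLICY], None, "s3:PutObject", obj),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:30} -> {decision}")
```

The `ec2:DescribeInstances` case shows the point the text makes: the boundary allows it, but no identity-based policy does, so the result is still an implicit deny.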

# Create, manage, and delete permission sets


Permission sets define the level of access that users and groups have to an AWS account. Permission sets are stored in IAM Identity Center and can be provisioned to one or more AWS accounts. You can assign more than one permission set to a user. For more information about permission sets and how they are used in IAM Identity Center, see [Manage AWS accounts with permission sets](permissionsetsconcept.md).

**Note**  
You can search and sort permission sets by name in the IAM Identity Center console.

Keep the following considerations in mind when creating permission sets:
+ **Organization instance**

  To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).
+ **Start with a predefined permission set** 

  With a predefined permission set, which uses [predefined permissions](permissionsetpredefined.md), you choose a single AWS managed policy from a list of available policies. Each policy grants a specific level of access to AWS services and resources or permissions for a common job function. For information about each of these policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html). After you have collected usage data you can refine the permission set to be more restrictive.
+ **Limit management session duration to reasonable work periods** 

  When users federate into their AWS account and use the AWS Management Console or the AWS Command Line Interface (AWS CLI), IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. When the user session reaches the session duration they are signed out of the console and asked to sign in again. As a security best practice, we recommend that you do not set the session duration length longer than is needed to perform the role. By default, the value for **Session duration** is one hour. You can specify a maximum value of 12 hours. For more information, see [Set session duration for AWS accounts](howtosessionduration.md).
+ **Limit workforce user portal session duration** 

  Workforce users use portal sessions to choose roles and access applications. By default, the value for **Maximum session duration**, which determines the length of time that a workforce user can be signed in to the AWS access portal before they must re-authenticate, is eight hours. You can specify a maximum value of 90 days. For more information, see [Configure the session duration in IAM Identity Center](configure-user-session.md).
+ **Use the role that provides least-privilege permissions**

  Each permission set that you create and assign to your user appears as an available role in the AWS access portal. When you sign in to the portal as that user, choose the role that corresponds to the most restrictive permission set that you can use to perform tasks in the account, rather than `AdministratorAccess`. Test your permission sets to verify they provide the necessary access before sending the user invitation.

**Note**  
You can also use [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SSO.html) to create and assign permission sets and assign users to those permission sets.

**Topics**
+ [Create a permission set](howtocreatepermissionset.md)
+ [View and change a permission set](howtoviewandchangepermissionset.md)
+ [Delegate permission set administration](permissionsetdelegation.md)
+ [Use IAM policies in permission sets](howtocmp.md)
+ [Remove permission sets in IAM Identity Center](howtoremovepermissionset.md)
+ [Delete permission sets in IAM Identity Center](howtodeletepermissionset.md)

# Create a permission set


Use this procedure to create a predefined permission set that uses a single AWS managed policy, or a custom permission set that uses up to 10 AWS managed or customer managed policies and an inline policy. You can request an adjustment to the maximum number of 10 policies in the [Service Quotas console](https://console.aws.amazon.com/servicequotas) for IAM. You can create a permission set in the IAM Identity Center console.

**Note**  
To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

**To create a permission set**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Choose **Create permission set**.

1. On the **Select permission set type** page, under **Permission set type**, select a permission set type.

1. Choose one or more policies that you want to use for the permission set, based on the permission set type:
   + **Predefined permission set**

     1. Under **Policy for predefined permission set**, select one of the IAM **Job function policies** or **Common permission policies** in the list, and then choose **Next**. For more information, see [AWS managed policies for job functions](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) and [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *AWS Identity and Access Management User Guide*.

     1. Go to Step 6 to complete the **Specify permission set details** page.
   + **Custom permission set**

     1. Choose **Next**.

     1. On the **Specify policies and permission boundary** page, choose the types of IAM policies that you want to apply to your new permission set. By default, you can add any combination of up to 10 **AWS managed policies** and **Customer managed policies** to your permission set. This quota is set by IAM. To raise it, request an increase to the IAM quota *Managed policies attached to an IAM role* in the Service Quotas console in each AWS account where you want to assign the permission set.
        + Expand **AWS managed policies** to add policies from IAM that AWS builds and maintains. For more information, see [AWS managed policies](permissionsetcustom.md#permissionsetsampconcept).

          1. Search for and choose **AWS managed policies** that you want to apply to your users in the permission set.

          1. If you want to add another type of policy, choose its container and make your selection. Choose **Next** when you've chosen all the policies that you want to apply. Go to Step 6 to complete the **Specify permission set details** page.
        + Expand **Customer managed policies** to add policies from IAM that you build and maintain. For more information, see [Customer managed policies](permissionsetcustom.md#permissionsetscmpconcept).

          1. Choose **Attach policies** and enter the name of a policy that you want to add to your permission set. In each account where you want to assign the permission set, create a policy with the name you entered. As a best practice, assign the same permissions to the policy in each account.

          1. Choose **Attach more** to add another policy.

          1. If you want to add another type of policy, choose its container and make your selection. Choose **Next** when you've chosen all the policies that you want to apply. Go to Step 6 to complete the **Specify permission set details** page.
        + Expand **Inline policy** to add custom JSON-formatted policy text. Inline policies do not correspond to existing IAM resources. To create an inline policy, enter custom policy language in the provided form. IAM Identity Center adds the policy to the IAM resources that it creates in your member accounts. For more information, see [Inline policies](permissionsetcustom.md#permissionsetsinlineconcept).

          1. Add your desired actions and resources within the interactive editor to your inline policy. Additional statements can be added with **Add new statement**.

          1. If you want to add another type of policy, choose its container and make your selection. Choose **Next** when you've chosen all the policies that you want to apply. Go to Step 6 to complete the **Specify permission set details** page.
        + Expand **Permissions boundary** to add an AWS managed or customer managed IAM policy as the maximum permissions that your other policies in the permission set can assign. For more information, see [Permissions boundaries](permissionsetcustom.md#permissionsetsboundaryconcept).

          1. Choose **Use a permissions boundary to control the maximum permissions**.

          1. Choose **AWS managed policy** to set a policy from IAM that *AWS* builds and maintains as your permissions boundary. Choose **Customer managed policies** to set a policy from IAM that *you* build and maintain as your permissions boundary.

          1. If you want to add another type of policy, choose its container and make your selection. Choose **Next** when you've chosen all the policies that you want to apply. Go to Step 6 to complete the **Specify permission set details** page.

1. On the **Specify permission set details** page, do the following:

   1. Under **Permission set name**, type a name to identify this permission set in IAM Identity Center. The name that you specify for this permission set appears in the AWS access portal as an available role. Users sign in to the AWS access portal, choose an AWS account, and then choose the role.

      **Note**  
      Permission set names must be unique within your IAM Identity Center instance.

   1. (Optional) You can also type a description. The description appears in the IAM Identity Center console only, not the AWS access portal.

   1. (Optional) Specify the value for **Session duration**. This value determines the length of time that a user can be logged on before the console logs them out of their session. For more information, see [Set session duration for AWS accounts](howtosessionduration.md).

   1. (Optional) Specify the value for **Relay state**. This value is used in the federation process to redirect users within the account. For more information, see [Set relay state for quick access to the AWS Management Console](howtopermrelaystate.md).

      **Note**  
      The relay state URL must be within the AWS Management Console. For example:  
      **https://console.aws.amazon.com/ec2/**

   1. Expand **Tags (optional)**, choose **Add tag**, and then specify values for **Key** and **Value (optional)**. 

      For information about tags, see [Tagging AWS IAM Identity Center resources](tagging.md).

   1. Choose **Next**.

1. On the **Review and create** page, review the selections that you made, and then choose **Create**.

1. By default, when you create a permission set, the permission set isn't provisioned (used in any AWS accounts). To provision a permission set in an AWS account, you must assign IAM Identity Center access to users and groups in the account, and then apply the permission set to those users and groups. For more information, see [Assign user or group access to AWS accounts](assignusers.md).

# View and change a permission set


You can use permission sets to grant users access to AWS accounts. You can view and change a permission set with the AWS IAM Identity Center console. You can search and sort permission sets by name in the IAM Identity Center console. For more information about permission sets and how they are used in IAM Identity Center, see [Manage AWS accounts with permission sets](permissionsetsconcept.md).

Permission sets are not required to manage user access to applications.

**Note**  
To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

## View permission set assignments


Use this procedure to view applied permission sets in the AWS IAM Identity Center console.

------
#### [ All AWS accounts where a permission set is provisioned ]

To view all the assignments for a permission set, use the following procedure:

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. On the **Permission sets** page, select the permission set you want to view.

1. On the page for the selected permission set, under the **Accounts** tab, you can see the accounts where the permission set is used. You can select an account to see how the permission set is provisioned within that account. You can [delete](howtoremovepermissionset.md), edit, and attach policies to the permission set.

------
#### [ All permission sets for an AWS account ]

To view all the permission sets provisioned in an AWS account, use the following procedure:

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **Multi-account permissions**, choose **AWS accounts**. Select the account for which you want to view the provisioned permission sets.

1. On the page for the selected AWS account, under the **Permission sets** tab, you can view the permission sets assigned to that account. Select a permission set's hyperlink to learn more about it.

------
#### [ All applied permission sets to users and groups ]

To view all the permission sets assigned to users or groups, use the following procedure: 

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Select either **Users** or **Groups** under **Dashboard** to view IAM Identity Center users or groups.

   1. On the **Users** page, select the user for whom you want to see applied permission sets. Next, select the **AWS accounts** tab and the AWS account under the **AWS account access** section. You'll be able to see the applied permission sets and AWS account for the selected user.

   1. On the **Groups** page, select the group for which you want to see applied permission sets. Next, select the **AWS accounts** tab and the AWS account under the **AWS account access** section. You'll be able to see the applied permission sets and AWS account for the selected group.

------

## Change a permission set


Use this procedure to change a [permission set](permissionsetsconcept.md) with the IAM Identity Center console. You can add or remove permission sets from users or groups.

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **Multi-account permissions**, choose **AWS accounts**.

1. On the **AWS account** page, a tree view list of your organization appears. Select the name of the AWS account from which you want to change the permission set.

1. On the **Overview** page of the AWS account, under **Assigned Users and Groups**, select the username or group name of the permission set you want to change. Then choose **Change permission sets**.

1. Make the desired changes to the permission set and then choose **Save changes**.

1. Navigate to the **Permission sets** tab and select the recently changed permission set and choose **Update**.

1. On the **Update permissions** page, choose **Update**.

# Delegate permission set administration


IAM Identity Center enables you to delegate management of permission sets and assignments in accounts by creating [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) that reference the [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of IAM Identity Center resources. For example, you can create policies that enable different administrators to manage assignments in specified accounts for permission sets with specific tags.

**Note**  
To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

You can use either of the following methods to create these types of policies.
+ (Recommended) Create [permission sets](permissionsets.md) in IAM Identity Center, each with a different policy, and assign the permission sets to different users or groups. This enables you to manage administrative permissions for users who sign in using your chosen [IAM Identity Center identity source](manage-your-identity-source.md). 
+ Create custom policies in IAM, and then attach them to IAM roles that your administrators assume to get their assigned IAM Identity Center administrative permissions. For information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).

**Important**  
IAM Identity Center resource ARNs are case sensitive. 

The following shows the proper case for referencing the IAM Identity Center permission set and account resource types.


| Resource Types | ARN | Context Keys | 
| --- | --- | --- | 
| PermissionSet | arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId} | aws:ResourceTag/${TagKey} | 
| Account | arn:${Partition}:sso:::account/${AccountId} | Not Applicable | 
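The following is an added example (not code from the AWS documentation) that builds the kind of delegation policy described above: it allows an administrator to create and delete assignments only for permission sets carrying a given tag and only in the listed accounts, using the resource ARN formats and the `aws:ResourceTag` context key from the table. The action names `sso:CreateAccountAssignment` and `sso:DeleteAccountAssignment`, the `instance` resource type, and the sample IDs are assumptions that do not appear on this page; because the ARNs are case sensitive, `arn_case_ok` rejects mis-cased resource types before the policy is deployed.

```python
"""Build the IAM policy that delegates assignment management for tagged permission
sets in chosen accounts.  Added example; not code from the AWS documentation."""
import json
import re

# Resource-type segments in the exact case the table above gives ("permissionSet", "account").
# The "instance" resource type is not in that table and is an assumption here.
_CANONICAL_TYPES = {"permissionSet", "account", "instance"}


def permission_set_arn(instance_id: str, permission_set_id: str, partition: str = "aws") -> str:
    return f"arn:{partition}:sso:::permissionSet/{instance_id}/{permission_set_id}"


def account_arn(account_id: str, partition: str = "aws") -> str:
    return f"arn:{partition}:sso:::account/{account_id}"


def instance_arn(instance_id: str, partition: str = "aws") -> str:
    # Assumption: instance ARN shape is not shown in the table above.
    return f"arn:{partition}:sso:::instance/{instance_id}"


def arn_case_ok(arn: str) -> bool:
    """True when the sso resource-type segment uses the documented case.
    'PermissionSet' or 'permissionset' would silently match nothing."""
    m = re.fullmatch(r"arn:[^:]+:sso:::([^/]+)/.+", arn)
    return bool(m) and m.group(1) in _CANONICAL_TYPES


def delegated_assignment_policy(instance_id, account_ids, tag_key, tag_value, partition="aws") -> dict:
    """Allow creating and deleting account assignments, but only for permission sets
    tagged tag_key=tag_value and only in account_ids.  Each resource type gets its
    own Allow because IAM evaluates every resource ARN the API call touches."""
    # Action names are an assumption; they are not listed on the page.
    actions = ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyTaggedPermissionSets",
                "Effect": "Allow",
                "Action": actions,
                "Resource": permission_set_arn(instance_id, "*", partition),
                "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "OnlyTheseAccountsAndInstance",
                "Effect": "Allow",
                "Action": actions,
                "Resource": [account_arn(a, partition) for a in sorted(account_ids)]
                + [instance_arn(instance_id, partition)],
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample identifiers, not real resources.
    policy = delegated_assignment_policy(
        "ssoins-example0000", ["111111111111", "222222222222"], "team", "database"
    )
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        assert all(arn_case_ok(r) for r in resources)
    print(json.dumps(policy, indent=2))
```

Attach the generated document to the IAM role (or include it in the permission set) that your delegated administrators use; the tag condition is what keeps them from touching permission sets outside their team.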

# Use IAM policies in permission sets
Use IAM policies

In [Create a permission set](howtocreatepermissionset.md), you learned how to add policies, including customer managed policies and permissions boundaries, to a permission set. When you add customer managed policies and permissions boundaries to a permission set, IAM Identity Center doesn't create a policy in any AWS accounts. You must instead create those policies in advance in each account where you want to assign your permission set, and match them to the name and path specifications of your permission set. When you assign a permission set to an AWS account in your organization, IAM Identity Center creates an [AWS Identity and Access Management (IAM) role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) and attaches your [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to that role. 

**Considerations**
+ To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).
+ Before you assign your permission set with IAM policies, you must prepare your member account. The name of an IAM policy in your member account must be a match to the name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account.
**Note**  
When a customer managed policy is attached to a permission set, the name of the policy is not case sensitive.
+ The permissions that the policy grants do not have to be an exact match between accounts.

# Assign an IAM policy to a permission set


1. Create an IAM policy in each of the AWS accounts where you want to assign the permission set.

1. Assign permissions to the IAM policy. You can assign different permissions in different accounts. For a consistent experience, configure and maintain identical permissions in each policy. You can use automation resources like AWS CloudFormation StackSets to create copies of an IAM policy with the same name and permissions in each member account. For more information about CloudFormation StackSets, see [Working with AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *AWS CloudFormation User guide*.

1. Create a permission set in your management account and add your IAM policy under **Customer managed policies** or **Permissions boundary**. For more details about how to create a permission set, see [Create a permission set](howtocreatepermissionset.md).

1. Add any inline policies, AWS managed policies, or additional IAM policies that you have prepared. 

1. Create and assign your permission set.
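Before step 5, a practitioner usually wants to confirm that every target account really has the customer managed policy, since assignment fails where it is missing. The following is an added example (not AWS's own code) of that readiness check: it applies the case-insensitive name match described in the considerations above, compares the path exactly (an assumption), and separately reports accounts where the policy exists but its permissions have drifted from the reference document. The account inventories and policy documents are constructed; in practice they would be filled from each member account's IAM policy list.

```python
"""Readiness check for customer managed policies referenced by a permission set.
Added example; not AWS code.  Inventories and documents below are constructed."""
import json

# Constructed reference document that the management-account permission set expects.
REFERENCE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["rds:Describe*", "dynamodb:Describe*"], "Resource": "*"}],
}

# Constructed per-account inventories: account ID -> customer managed policies present there.
INVENTORY = {
    "111111111111": [{"name": "DbAdminBoundary", "path": "/", "document": REFERENCE_DOC}],
    "222222222222": [{"name": "dbadminboundary", "path": "/",
                      "document": {"Version": "2012-10-17",
                                   "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}}],
    "333333333333": [{"name": "DbAdminBoundary", "path": "/team/", "document": REFERENCE_DOC}],
}


def policy_matches(ref_name: str, ref_path: str, name: str, path: str) -> bool:
    # Name matching is not case sensitive (page); the path is compared exactly (assumption).
    return ref_name.casefold() == name.casefold() and ref_path == path


def accounts_missing_policy(ref_name: str, ref_path: str, inventory: dict) -> list:
    """Accounts where assignment would fail because no matching policy exists."""
    return [acct for acct, pols in sorted(inventory.items())
            if not any(policy_matches(ref_name, ref_path, p["name"], p["path"]) for p in pols)]


def _canonical(doc: dict) -> str:
    # Key order and whitespace are irrelevant to IAM, so compare a canonical rendering.
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def accounts_with_drift(ref_name: str, ref_path: str, ref_doc: dict, inventory: dict) -> list:
    """Accounts whose matching policy exists but grants different permissions.
    Assignment still succeeds there, so this is a consistency finding, not a failure."""
    drifted = []
    for acct, pols in sorted(inventory.items()):
        for p in pols:
            if policy_matches(ref_name, ref_path, p["name"], p["path"]) and _canonical(p["document"]) != _canonical(ref_doc):
                drifted.append(acct)
                break
    return drifted


if __name__ == "__main__":
    print("missing:", accounts_missing_policy("DbAdminBoundary", "/", INVENTORY))
    print("drifted:", accounts_with_drift("DbAdminBoundary", "/", REFERENCE_DOC, INVENTORY))
```

Account `333333333333` is reported as missing because the path differs, and `222222222222` as drifted because its name matches but its document does not; fixing both before assignment is what the StackSets approach in step 2 is meant to guarantee.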

# Remove permission sets in IAM Identity Center
Remove permission sets

You can remove a permission set from IAM Identity Center users and groups in the IAM Identity Center console. You can also remove a permission set from an AWS account. For more information about permission sets and how they are used in IAM Identity Center, see [Manage AWS accounts with permission sets](permissionsetsconcept.md).

**Note**  
To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

------
#### [ Remove permission set from a user ]

**Remove permission set from a user**

Use this procedure to remove a permission set from a user with the IAM Identity Center console.

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **IAM Identity Center**, select **Users**.

1. Select the username of the user you want to remove a permission set from.

1. On the user details page, select the **AWS accounts** tab. Under **AWS account access**, select your AWS account.

1. In the right pane, the applied permissions for the selected user appear. Select the permission set you want to remove. Under **Account Access details**, select **Remove**.

1. A dialog box appears asking if you want to remove this permission set. Select **Remove**.  
![\[AWS accounts tab for an IAM Identity Center user in the IAM Identity Center console.\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/remove-permission-set-tutorial.png)

------
#### [ Remove permission set from a group ]

**Remove permission set from a group**

Use this procedure to remove a permission set from a group with the IAM Identity Center console.

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **Multi-account permissions**, select **AWS accounts**. Select the link to your management account.  
![\[AWS accounts tab in the IAM Identity Center console.\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/sso-aws-accounts-tab.png)

1. Under the **Assigned users and groups** tab, select the group you want to remove the permission set from and then select **Change permission set**.

1. On the **Change permission sets** page, clear the permission set you want to remove and then select **Save changes**.

------
#### [ Remove permission set from an AWS account ]

Use this procedure to remove a permission set from the AWS account with the IAM Identity Center console.

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Under **Multi-account permissions**, select **AWS accounts**. Select the name of the AWS account from which you want to remove the permission set.

1. On the **Overview** page of the AWS account, choose the **Permission sets** tab. Select the permission set you want to remove. Then select **Remove**.

1. In the **Remove permission set** dialog box, confirm that the correct permission set is selected, type **Delete** to confirm removal, and then choose **Remove access**.

------

# Delete permission sets in IAM Identity Center
Delete permission sets

Before you can delete a permission set from IAM Identity Center, you should [remove](howtoremovepermissionset.md) it from all AWS accounts that use the permission set. To check existing user and group access, see [View and change a permission set](howtoviewandchangepermissionset.md).

**Considerations**
+ To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).
+ If you want to revoke an active permission set session, see [View and end active sessions for your workforce users](end-active-sessions.md).
+ You should remove permission set and application assignments from users or groups you want to delete before deleting them. Otherwise, you'll have unassigned and unused permission sets and applications in IAM Identity Center.

Use the following procedure to delete one or more permission sets so that they can no longer be used by any AWS account in the organization.

**Important**  
All users and groups that have been assigned this permission set, regardless of what AWS account is using it, will no longer be able to sign in. To check existing user and group access, see [View and change a permission set](howtoviewandchangepermissionset.md).

**To delete a permission set from an AWS account**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Select the permission set that you want to delete, and then choose **Delete**.

1. In the **Delete permission set** dialog box, type the name of the permission set to confirm deletion, and then choose **Delete**. The name is case-sensitive.

# Configure permission set properties


In IAM Identity Center, administrators can complete the following configuration and management tasks to control user access and session duration.


| Task | Learn more | 
| --- | --- | 
|  Administrators can set the maximum duration for user sessions when accessing AWS resources through IAM Identity Center. | [Set session duration for AWS accounts](howtosessionduration.md) | 
| Administrators can customize the landing page users see after successfully authenticating through IAM Identity Center. | [Set relay state for quick access to the AWS Management Console](howtopermrelaystate.md) | 
| Ensure users no longer have access to AWS resources when their permissions are revoked. | [Use a Deny policy to revoke active user permissions](prereqs-revoking-user-permissions.md) | 

# Set session duration for AWS accounts


For each [permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html), you can specify a session duration to control the length of time that a user can be signed in to an AWS account. When the specified duration elapses, AWS signs the user out of the session. 

When you create a new permission set, the session duration is set to 1 hour (in seconds) by default. The minimum session duration is 1 hour, and can be set to a maximum of 12 hours. IAM Identity Center automatically creates IAM roles in each assigned account for each permission set, and configures these roles with a maximum session duration of 12 hours.

When users federate into their AWS account console or when the AWS Command Line Interface (AWS CLI) is used, IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. By default, IAM roles generated by IAM Identity Center for permission sets can only be assumed by IAM Identity Center users, which ensures that the session duration specified in the IAM Identity Center permission set is enforced.

**Important**  
As a security best practice, we recommend that you do not set the session duration length longer than is needed to perform the role.

After you create a permission set, you can update it to apply a new session duration. Use the following procedure to modify the session duration length for a permission set.

**To set the session duration**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Choose the name of the permission set for which you want to change the session duration.

1. On the details page for the permission set, to the right of the **General settings** section heading, choose **Edit**.

1. On the **Edit general permission set settings** page, choose a new value for **Session duration**.

1. If the permission set is provisioned in any AWS accounts, the names of the accounts appear under **AWS accounts to reprovision automatically**. After the session duration value for the permission set is updated, all AWS accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all AWS accounts that use the permission set.

1. Choose **Save changes**.

1. At the top of the **AWS accounts** page, a notification appears.
   + If the permission set is provisioned in one or more AWS accounts, the notification confirms that the AWS accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.
   + If the permission set isn't provisioned in an AWS account, the notification confirms that the settings for the permission set were updated.

# Set relay state for quick access to the AWS Management Console
Set relay state

By default, when a user signs into the AWS access portal, chooses an account, and then chooses the role that AWS creates from the assigned permission set, IAM Identity Center redirects the user’s browser to the AWS Management Console. You can change this behavior by setting the relay state to a different console URL. 

Setting the relay state enables you to provide the user with quick access to the console that is most appropriate for their role. For example, you can set the relay state to the Amazon EC2 console URL (**https://console.aws.amazon.com/ec2/**) to redirect the user to that console when they choose the Amazon EC2 administrator role. During the redirection to the default URL or relay state URL, IAM Identity Center routes the user’s browser to the console endpoint in the last AWS Region used by the user. For example, if a user ended their last console session in the Europe (Stockholm) Region (eu-north-1), the user is redirected to the Amazon EC2 console in that Region.

![\[Workflow diagram for setting relay state in the AWS Management Console.\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/permission_sets_relay_state_newest.png)


To configure IAM Identity Center to redirect the user to a console in a specific AWS Region, include the Region specification as part of the URL. For example, to redirect the user to the Amazon EC2 console in the US East (Ohio) Region (us-east-2), specify the URL for the Amazon EC2 console in that Region (**https://us-east-2.console.aws.amazon.com/ec2/**). If you enabled IAM Identity Center in the US West (Oregon) Region (us-west-2) and you want to direct the user to that Region, specify **https://us-west-2.console.aws.amazon.com**. 

## Configure the relay state


Use the following procedure to configure the relay state URL for a permission set.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Choose the name of the permission set for which you want to set the new relay state URL.

1. On the details page for the permission set, to the right of the **General settings** section heading, choose **Edit**.

1. On the **Edit general permission set settings** page, under **Relay state**, type a console URL for any of the AWS services. For example:

    **https://console.aws.amazon.com/ec2/**
**Note**  
The relay state URL must be within the AWS Management Console. 

1. If the permission set is provisioned in any AWS accounts, the names of the accounts appear under **AWS accounts to reprovision automatically**. After the relay state URL for the permission set is updated, all AWS accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all AWS accounts that use the permission set.

1. Choose **Save changes**.

1. At the top of the **AWS Organization** page, a notification appears.
   + If the permission set is provisioned in one or more AWS accounts, the notification confirms that the AWS accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.
   + If the permission set isn't provisioned in an AWS account, the notification confirms that the settings for the permission set were updated.

**Note**  
You can automate this process by using the AWS API, an AWS SDK, or the AWS Command Line Interface (AWS CLI). For more information, see:
+ The `CreatePermissionSet` or `UpdatePermissionSet` actions in the [IAM Identity Center API Reference](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html)
+ The `create-permission-set` or `update-permission-set` commands in the [sso-admin](https://docs.aws.amazon.com/cli/latest/reference/sso-admin/index.html#cli-aws-sso-admin) section of the *AWS CLI Command Reference*.
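The following is an added example (not code from the AWS documentation) of automating the two settings above with the AWS SDK for Python: it validates the session duration against the 1 to 12 hour range and the relay state against the "must be within the AWS Management Console" rule before calling `update_permission_set`, then reprovisions the accounts that use the permission set, which the API does not do on its own. Assumptions not on this page: the API takes the session duration as an ISO-8601 duration string such as `PT4H`, only the commercial-partition console hostname is handled, and the ARNs in the usage call are constructed.

```python
"""Validate a permission set's session duration and relay state before applying
them with the sso-admin API.  Added example; not AWS's own code."""
import re
from typing import Optional
from urllib.parse import urlparse

MIN_MINUTES = 60         # page: minimum session duration is 1 hour
MAX_MINUTES = 12 * 60    # page: maximum is 12 hours (the generated role's maximum)


def session_duration_minutes(iso_duration: str) -> int:
    """PT4H -> 240, PT1H30M -> 90.  Raises on anything that is not hours/minutes.
    Assumption: the API expresses SessionDuration as an ISO-8601 duration."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration)
    if m is None or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"not an ISO-8601 hours/minutes duration: {iso_duration!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def session_duration_ok(iso_duration: str) -> bool:
    try:
        minutes = session_duration_minutes(iso_duration)
    except ValueError:
        return False
    return MIN_MINUTES <= minutes <= MAX_MINUTES


def relay_state_ok(url: str) -> bool:
    """The relay state must stay inside the AWS Management Console (page note).
    The host is compared against the console domain rather than substring-matched,
    so look-alike hosts such as console.aws.amazon.com.example.net are rejected.
    Only the commercial-partition console host is handled here (assumption)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == "console.aws.amazon.com" or host.endswith(".console.aws.amazon.com")
    )


def apply_settings(instance_arn: str, permission_set_arn: str,
                   session_duration: Optional[str] = None,
                   relay_state: Optional[str] = None) -> dict:
    """Update the permission set, then reprovision every account that uses it
    (the console does this automatically when you save; the API does not)."""
    import boto3  # imported here so the validators above stay usable offline

    kwargs = {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn}
    if session_duration is not None:
        if not session_duration_ok(session_duration):
            raise ValueError("session duration must be between PT1H and PT12H")
        kwargs["SessionDuration"] = session_duration
    if relay_state is not None:
        if not relay_state_ok(relay_state):
            raise ValueError("relay state must be an https AWS Management Console URL")
        kwargs["RelayState"] = relay_state

    client = boto3.client("sso-admin")
    client.update_permission_set(**kwargs)
    return client.provision_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=permission_set_arn,
        TargetType="ALL_PROVISIONED_ACCOUNTS",
    )


if __name__ == "__main__":
    # Constructed ARNs; replace with your instance and permission set.
    apply_settings(
        "arn:aws:sso:::instance/ssoins-example0000",
        "arn:aws:sso:::permissionSet/ssoins-example0000/ps-example",
        session_duration="PT4H",
        relay_state="https://us-east-2.console.aws.amazon.com/ec2/",
    )
```

The relay-state check matters because the value is a redirect target handed to every user who picks the role: a host check that merely looks for the substring `console.aws.amazon.com` would accept an attacker-controlled domain containing it.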

# Use a Deny policy to revoke active user permissions


You might need to revoke an IAM Identity Center user’s access to AWS accounts while the user is actively using a permission set. You can remove their ability to use their active IAM role sessions by implementing a Deny policy for an unspecified user in advance, then when needed, you can update the Deny policy to specify the user whose access you want to block. This topic explains how to create a Deny policy and considerations for how to deploy the policy. 

## Prepare to revoke an active IAM role session created by a permission set


You can prevent the user from taking actions with an IAM role they are actively using by applying a deny all policy for a specific user through the use of a Service Control Policy (SCP). You can also prevent a user from using any permission set until you change their password, which removes a bad actor actively misusing stolen credentials. If you need to deny access broadly and prevent a user from re-entering a permission set or accessing other permission sets, you might also remove all user access, stop the active AWS access portal session, and disable the user sign-in. See [View and end active sessions for your workforce users](end-active-sessions.md) to learn how to use the Deny policy in conjunction with additional actions for broader access revocation.

### Deny policy


You can use a Deny policy with a condition that matches to the user’s `UserID` from the IAM Identity Center identity store to prevent further actions by an IAM role that the user is actively using. Using this policy avoids impact to other users who might be using the same permission set when you deploy the Deny policy. This policy uses the placeholder user ID, *`Add user ID here`*, for `"identitystore:userId"` that you’ll update with the user ID for which you want to revoke access.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "identitystore:userId": "Add user ID here"
                }
            }
        }
    ]
}
```

------

Although you could use another condition key such as `"aws:userId"`, `"identitystore:userId"` is certain because it is a globally unique value that is associated with one person. Using `"aws:userId"` in the condition can be affected by how user attributes are synchronized from your source of identities and can change if the user's username or email address changes.

From the IAM Identity Center console, you can find a user’s `identitystore:userId` by navigating to **Users**, searching for the user by name, expanding the **General information** section and copying the User ID. It's also convenient to stop a user’s AWS access portal session and disable their sign-in access in the same section while searching for the User ID. You can automate the process to create a Deny policy by obtaining the user’s User ID through querying the identity store APIs.

### Deploying the deny policy


 You can use a placeholder user ID that isn't valid, such as `Add user ID here`, to deploy the Deny policy in advance using a Service Control Policy (SCP) that you attach to the AWS accounts users might have access to. This is the recommended approach for its ease and speed of impact. When you revoke a user’s access with the Deny policy, you'll edit the policy to replace the placeholder user ID with the user ID of the person whose access you want to revoke. This prevents the user from taking any actions with any permission set in every account that you attach the SCP. It blocks the user’s actions even if they use their active AWS access portal session to navigate to different accounts and assume different roles. With the user’s access fully blocked by the SCP, you can then disable their ability to sign in, revoke their assignments, and stop their AWS access portal session if needed. 

As an alternative to using SCPs, you can also include the Deny policy in the inline policy of permission sets and in customer managed policies that are used by the permission sets the user can access. 

If you must revoke access for more than one person, you can use a list of values in the condition block, such as:

```
"Condition": {
    "StringEquals": {
        "identitystore:userId": ["user1 userId", "user2 userId"...]
    }
}
```

**Important**  
Regardless of the method(s) you use, you must take any other corrective actions and keep the user’s user ID in the policy for at least 12 hours. After that time, any roles the user has assumed expire and you can then remove their user ID from the Deny policy.
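The following is an added example (not code from the AWS documentation) that turns the deployment steps above into a repeatable routine: it fills the placeholder in the Deny policy with one or several identity store user IDs, refuses to emit a policy that still carries the placeholder, reports which users a deployed copy currently blocks, and computes the earliest time an ID may be removed under the 12-hour rule. The user IDs are constructed placeholders, and the SCP size quota used by `fits_scp_quota` is an assumption that is not on this page.

```python
"""Build the user-scoped Deny policy from the template above, check which users a
deployed copy blocks, and compute when an ID may be removed.  Added example;
not AWS's own code.  User IDs used in the usage call are constructed."""
import copy
import json
from datetime import datetime, timedelta
from typing import Iterable

PLACEHOLDER = "Add user ID here"  # the page's stand-in value for identitystore:userId
SCP_MAX_BYTES = 5120              # AWS Organizations SCP document size quota (assumption)

DENY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"identitystore:userId": PLACEHOLDER}},
    }],
}


def deny_policy_for(user_ids: Iterable[str]) -> dict:
    """Return the Deny policy scoped to the given identity store user IDs.
    One ID becomes a string, several become a list, as the page shows."""
    ids = [u.strip() for u in user_ids if u and u.strip()]
    if not ids or PLACEHOLDER in ids:
        raise ValueError("supply at least one real identitystore userId, not the placeholder")
    policy = copy.deepcopy(DENY_TEMPLATE)
    condition = policy["Statement"][0]["Condition"]["StringEquals"]
    condition["identitystore:userId"] = ids[0] if len(ids) == 1 else ids
    return policy


def blocked_user_ids(policy: dict) -> set:
    """User IDs that a deployed policy currently denies (the placeholder is ignored)."""
    blocked = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Deny":
            continue
        value = statement.get("Condition", {}).get("StringEquals", {}).get("identitystore:userId")
        if value is None:
            continue
        blocked.update([value] if isinstance(value, str) else value)
    blocked.discard(PLACEHOLDER)
    return blocked


def fits_scp_quota(policy: dict) -> bool:
    """A long revocation list can exceed the SCP size quota; check before deploying."""
    return len(json.dumps(policy, separators=(",", ":")).encode()) <= SCP_MAX_BYTES


def earliest_removal(revoked_at_iso: str) -> str:
    """Page: keep the ID in the policy for at least 12 hours, the longest role session."""
    revoked_at = datetime.fromisoformat(revoked_at_iso)
    return (revoked_at + timedelta(hours=12)).isoformat()


if __name__ == "__main__":
    # Constructed user IDs, not real identity store values.
    policy = deny_policy_for(["9067542ddb-user1-example", "9067542ddb-user2-example"])
    assert fits_scp_quota(policy)
    print(json.dumps(policy, indent=4))
    print("blocked:", sorted(blocked_user_ids(policy)))
    print("remove no earlier than:", earliest_removal("2024-05-01T09:30:00+00:00"))
```

Keep the output of `blocked_user_ids` alongside the timestamp of each revocation; an ID is safe to drop only once `earliest_removal` has passed and the other corrective actions (disable sign-in, remove assignments, stop the access portal session) are done.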