Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Policy assignment using Permission set vs Identity and Resource

0

I have been reading about policy evaluations including Identity and Resource based policies. I am wondering i should use Identity Center permission set to grant permissions instead? Even though we need to use IAM policy to create customer managed policy and assign it to permission set but the evaluations of policies won't involve Identity and Resource policies, right? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Políticas de IAM
Idioma
English
profile picture
Lottie
preguntada hace 4 meses178 visualizaciones
2 Respuestas
2
Respuesta aceptada

When using AWS Identity Center to manage access, you still work with IAM policies by attaching them to permission sets. Here's the key:

  • AWS Identity Center permission sets include IAM policies (both AWS managed and customer managed) to grant permissions.
  • Policy evaluations in AWS consider all applicable policies, including those assigned through Identity Center permission sets and directly attached IAM policies (both identity-based and resource-based).

Using Identity Center and its permission sets doesn't bypass the evaluation of IAM policies; it's a way to manage and streamline access across your AWS environment more efficiently.

profile picture
EXPERTO
Osvaldo Marte
respondido hace 4 meses
profile picture
EXPERTO
Oleksii Bebych
revisado hace 3 meses
2

I would consider using both of the approaches you describe to meet different requirements.

AWS IAM Identity Center permissions sets will provide you with a scalable approach to managing SSO-based roles that can be deployed across the organization. This would be useful in granting internal users general access to resources within your AWS account. For example, you might choose to allow an administrator group read-only access to Amazon S3 buckets in your account.

You could then use resource-based or identity-based policies to further restrict access to specific resources beyond what the permissions set allows. For example, you might add a resource-based policy to a particular Amazon S3 bucket in your account that prevents administrators from reading objects within.

AWS
mwdehn
respondido hace 4 meses
  • Lottie
    hace 4 meses

    Another poilicy type is Delegated Admnistrator - to allow multiple accounts access to certain AWS services

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante