Policy assignment using Permission set vs Identity and Resource


I have been reading about policy evaluation, including identity- and resource-based policies. I am wondering if I should use an Identity Center permission set to grant permissions instead? Even though we need to use an IAM policy to create a customer managed policy and assign it to the permission set, the evaluation of policies won't involve identity and resource policies, right? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Lottie, asked 4 months ago, 178 views

2 answers

Accepted answer

When using AWS Identity Center to manage access, you still work with IAM policies by attaching them to permission sets. Here's the key:

  • AWS Identity Center permission sets include IAM policies (both AWS managed and customer managed) to grant permissions.
  • Policy evaluations in AWS consider all applicable policies, including those assigned through Identity Center permission sets and directly attached IAM policies (both identity-based and resource-based).

Using Identity Center and its permission sets doesn't bypass the evaluation of IAM policies; it's a way to manage and streamline access across your AWS environment more efficiently.

Expert, answered 4 months ago
Expert, reviewed 3 months ago

I would consider using both of the approaches you describe to meet different requirements.

AWS IAM Identity Center permission sets will provide you with a scalable approach to managing SSO-based roles that can be deployed across the organization. This would be useful in granting internal users general access to resources within your AWS account. For example, you might choose to allow an administrator group read-only access to Amazon S3 buckets in your account.

You could then use resource-based or identity-based policies to further restrict access to specific resources beyond what the permission set allows. For example, you might add a resource-based policy to a particular Amazon S3 bucket in your account that prevents administrators from reading objects within.

AWS
mwdehn, answered 4 months ago
  • Another policy type is Delegated Administrator - to allow multiple accounts access to certain AWS services
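The point made by both answers (the permission set's IAM policy and a bucket's resource-based policy are evaluated together, and an explicit Deny in either wins) can be seen in a small model. The block below is an added illustration written for this thread; it is not AWS code and not the full evaluation logic from the linked page. It handles only an identity-based policy (as attached to a permission set) and a resource-based policy for a same-account request, ignoring SCPs, permission boundaries, session policies and Condition elements. The role ARN, account id, bucket names and both policy documents are constructed placeholders.

```python
"""Toy model of the IAM evaluation logic for a same-account request.

Added illustration, not AWS code and not a complete implementation of the
documented evaluation logic: it models only an identity-based policy (as
attached to an Identity Center permission set) and a resource-based policy
(an S3 bucket policy), and ignores SCPs, permission boundaries, session
policies and Condition blocks. The rule it shows is the one that matters
for the question: an explicit Deny in any applicable policy wins, an Allow
in some applicable policy is required, and otherwise the request is
implicitly denied.
"""
from fnmatch import fnmatchcase

# Constructed: the IAM role that Identity Center provisions in the account
# for a permission set. The real name carries a random suffix; this ARN is
# a placeholder, not a real one.
READONLY_ROLE_ARN = (
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
    "AWSReservedSSO_ReadOnly_PLACEHOLDER"
)

# Constructed: customer managed policy attached to the permission set,
# granting read-only S3 access across the account (the second answer's example).
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"}
    ],
}

# Constructed: bucket policy on one bucket that explicitly denies reads
# to the permission set's role (the second answer's example).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Principal": {"AWS": READONLY_ROLE_ARN},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::restricted-bucket-example/*"}
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard match: '*' and '?' in Action and Resource elements."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    """Identity-based statements have no Principal and apply to the attached identity.
    Resource-based statements apply only when the Principal names the caller."""
    principal = statement.get("Principal")
    if principal is None:
        return True
    if isinstance(principal, str):
        return principal == "*" or principal == principal_arn
    return any(p == "*" or p == principal_arn
               for p in _as_list(principal.get("AWS", [])))


def _applicable_effects(policy, principal_arn, action, resource):
    """Yield the Effect of every statement that applies to this request."""
    for statement in policy["Statement"]:
        if (_principal_matches(statement, principal_arn)
                and _matches(statement["Action"], action)
                and _matches(statement["Resource"], resource)):
            yield statement["Effect"]


def evaluate(identity_policies, resource_policies, principal_arn, action, resource):
    """Return 'Deny (explicit)', 'Allow' or 'Deny (implicit)' for the request."""
    effects = []
    for policy in identity_policies + resource_policies:
        effects.extend(_applicable_effects(policy, principal_arn, action, resource))
    if "Deny" in effects:
        return "Deny (explicit)"   # a Deny anywhere overrides every Allow
    if "Allow" in effects:
        return "Allow"             # same account: an Allow from either side suffices
    return "Deny (implicit)"       # nothing applies, so the default is Deny


if __name__ == "__main__":
    ctx = ([PERMISSION_SET_POLICY], [BUCKET_POLICY], READONLY_ROLE_ARN)
    print(evaluate(*ctx, "s3:GetObject", "arn:aws:s3:::other-bucket-example/report.csv"))
    print(evaluate(*ctx, "s3:GetObject", "arn:aws:s3:::restricted-bucket-example/report.csv"))
    print(evaluate(*ctx, "s3:PutObject", "arn:aws:s3:::other-bucket-example/report.csv"))
```

Run as a script it prints `Allow`, `Deny (explicit)` and `Deny (implicit)` for the three requests: the permission set's policy grants the read, the bucket policy's Deny on the restricted bucket overrides it, and nothing grants the write. Because the model drops Condition elements, the bucket policy names the role directly in Principal; in a real account the provisioned role's name is not known in advance, so such a Deny is usually written with a condition that matches the role ARN by pattern. To check the real policy set rather than a model, use the IAM policy simulator.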
