Customer Managed Policies (CMPs) attached to AWS SSO Permission Set

0

Hi AWS, I got stuck in a weird situation where I see a couple of customer managed policies attached to an AWS SSO permission set, which was not possible until early 2022 AFAIK. The other issue I observed is that when I open the policies in the SSO account, the policies come up with the default structure without any IAM permissions, but when I go into the specific AWS account I find the policies attached per the account and all the permissions are present, which should not be the case, as SSO allows you to manage everything via a centralized account.

Having said that, I want to know: if the feature of attaching customer managed policies is available for SSO, how do I do that, and also why am I seeing the policies attached per account instead of in the centralized account?

  • I have one more question related to this, i.e. is it possible to reference a new CMP from an existing permission set?

2 Answers
0

Support for customer managed policies in Identity Center was released in July 2022.

One thing that might have confused you is that Identity Center (SSO) "allows you to manage everything via a centralized account", but it does not provision those customer managed policies for you. You need to make sure that the policy referred to from the permission set actually exists and is the same across the different accounts that you assign your users/groups to.

Yes, you can add/remove customer managed policies to/from permission sets and have Identity Center update the permission sets (they end up as roles) across the accounts. (Again, an update of the permission set, not of the customer managed policy.)

AWS
answered 6 months ago
  • Yeah, exactly, that sounds confusing, and I still have a doubt about what purpose CMP(s) are solving, as SSO is used to manage everything from a centralized account (master account). Can you please elaborate on it more if possible?

0

I got the answer for this. The feature of attaching Customer Managed Policies (CMPs) to an AWS SSO permission set was introduced at Amazon re:Invent 2022. It provides a way to manage your IAM permissions without disturbing access in all the member accounts using SSOInlinePolicy. The steps to attach a CMP to a permission set are:

  1. Create CMPs with consistent names in your target accounts, i.e. each CMP needs to have the same name.
  2. Create a permission set that references the CMP that you created.
  3. Assign users to the permission set in accounts where you created CMPs.
  4. Test your assignments.
answered 6 months ago
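The four steps in this answer as AWS CLI calls, added here as a worked example (not code from the thread or from AWS documentation). Every ARN, id and profile name is a placeholder, the per-account profile naming is an assumption, and the policy document is a constructed sample. It also shows the check a practitioner wants before step 3: the permission set references the CMP by name and path, so a missing or differently named CMP in any assigned account makes role provisioning fail for that account.

```shell
#!/bin/sh
# Added example, not from the re:Post thread. All ARNs, ids and profile names
# are placeholders (assumptions); the policy document is a constructed sample.
set -eu

CMP_NAME="SsoOpsReadOnly"                   # identical name in every target account
CMP_PATH="/"                                # permission sets reference CMPs by name + path, not ARN
INSTANCE_ARN="arn:aws:sso:::instance/ssoins-PLACEHOLDER"
GROUP_ID="GROUP-ID-PLACEHOLDER"             # Identity Store group id to assign
TARGET_ACCOUNTS="111111111111 222222222222" # constructed sample account ids

# Assumption: one CLI profile per member account, named member-<account id>.
profile_for() { printf 'member-%s' "$1"; }

# ARN the provisioned role will expect in a given account. Identity Center
# resolves the reference by name in each account, so this must exist everywhere.
cmp_arn_for() { printf 'arn:aws:iam::%s:policy%s%s' "$1" "$CMP_PATH" "$CMP_NAME"; }

# Constructed sample policy document; deploy the same document in every account.
cmp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadLogsAndMetrics",
      "Effect": "Allow",
      "Action": ["logs:Describe*", "logs:GetLogEvents", "logs:FilterLogEvents",
                 "cloudwatch:Get*", "cloudwatch:List*", "cloudwatch:Describe*"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Step 1: create the CMP in each target account (Identity Center does not do this).
create_cmps() {
  for acct in $TARGET_ACCOUNTS; do
    aws iam create-policy --profile "$(profile_for "$acct")" \
      --policy-name "$CMP_NAME" --path "$CMP_PATH" \
      --policy-document "$(cmp_document)" >/dev/null
  done
}

# Step 2: create the permission set and attach a reference to the CMP by name.
create_permission_set() {
  ps_arn=$(aws sso-admin create-permission-set --instance-arn "$INSTANCE_ARN" \
    --name "${CMP_NAME}PS" --session-duration PT4H \
    --query 'PermissionSet.PermissionSetArn' --output text)
  aws sso-admin attach-customer-managed-policy-reference-to-permission-set \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$ps_arn" \
    --customer-managed-policy-reference "Name=$CMP_NAME,Path=$CMP_PATH" >/dev/null
  printf '%s\n' "$ps_arn"
}

# Pre-flight for step 3: confirm the CMP exists under the expected ARN in every
# account, since one missing policy breaks provisioning for that account.
verify_cmps() {
  for acct in $TARGET_ACCOUNTS; do
    aws iam get-policy --profile "$(profile_for "$acct")" \
      --policy-arn "$(cmp_arn_for "$acct")" >/dev/null
  done
}

# Step 3: assign a group; Identity Center provisions one role per account.
create_assignments() {
  ps_arn=$1
  for acct in $TARGET_ACCOUNTS; do
    aws sso-admin create-account-assignment --instance-arn "$INSTANCE_ARN" \
      --permission-set-arn "$ps_arn" --target-type AWS_ACCOUNT --target-id "$acct" \
      --principal-type GROUP --principal-id "$GROUP_ID" >/dev/null
  done
}

# Referencing another CMP from an already-assigned permission set via the API
# needs a re-provision to push the change into the existing roles.
reprovision() {
  aws sso-admin provision-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --target-type ALL_PROVISIONED_ACCOUNTS >/dev/null
}

main() {
  create_cmps
  ps_arn=$(create_permission_set)
  verify_cmps
  create_assignments "$ps_arn"
}

# Only run the procedure when asked; otherwise the file just defines the helpers.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it with `sh cmp-permission-set.sh apply` from a principal that can administer the Identity Center instance and has the per-account profiles configured. Step 4 of the answer (test the assignment) is then a sign-in with a member of the group followed by a call the CMP allows, such as `aws logs describe-log-groups`.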
