How to control per user per account permissions with IAM identity center?


I am struggling with IAM Identity center. I want to make sure user Y can only assume power user role when accessing account Z. It is not clear to me how I can achieve that when all permissions sets are assigned on an account level and not a user level.

I have the following permissions sets assigned to an account Enter image description here The console says that I can assigned permissions to a group Enter image description here But when I start assigning permissions sets, they are assigned to ACCOUNTS only. So there is no way to say user X can only be PowerUser but not Administrator when accessing the account Y Enter image description here

Here is the stack overflow questions (that doesn't have an answer)

1 Answer

Hi, you should understand the two core components of the AWS IAM Identity Center service.

Core Components

Permission Set

A permission set is a template you create and maintain that defines a collection of one or more IAM policies. Permission sets simplify the assignment of AWS account access for users and groups in your organization. You can think that a permission set is a reusable role with proper permissions, which can be used in several AWS accounts in the same AWS Organization.

Account Assignment

An account assignment is the task of assigning a permission set for a specific AWS account to multiple users or groups.


You can create an account assignment for the PowerUser permission set of the AWS account to user X.


profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions