Create a permission set for job functions - AWS IAM Identity Center

Create a permission set for job functions

Permission sets are stored in IAM Identity Center and define the level of access that users and groups have to an AWS account. The first permission set you create is the administrative permission set. If you completed one of the IAM Identity Center identity source tutorials, you have already created your administrative permission set. Use this procedure to create permission sets as described in the AWS managed policies for job functions topic in the IAM User Guide.

  1. Do either of the following to sign in to the AWS Management Console.

    • New to AWS (root user) – Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    • Already using AWS (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. Open the IAM Identity Center console.

  3. In the IAM Identity Center navigation pane, under Multi-account permissions, choose Permission sets.

  4. Choose Create permission set.

    1. On the Select permission set type page, in the Permission set type section, choose Predefined permission set.

    2. In the Policy for predefined permission set section, choose one of the following:

      • AdministratorAccess

      • Billing

      • DatabaseAdministrator

      • DataScientist

      • NetworkAdministrator

      • PowerUserAccess

      • ReadOnlyAccess

      • SecurityAudit

      • SupportUser

      • SystemAdministrator

      • ViewOnlyAccess

  5. On the Specify permission set details page, keep the default settings and choose Next. The default setting limits your session to one hour.

  6. On the Review and create page, confirm the following:

    1. Step 1: Select permission set type displays the type of permission set you chose.

    2. Step 2: Define permission set details displays the name of the permission set you chose.

    3. Choose Create.
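The same procedure can be scripted with the AWS CLI instead of the console. The following is an added example, not code from the AWS documentation: it maps each of the predefined policy names listed in step 4 to its AWS managed policy ARN, checks that the requested session duration stays within the one-hour default and the 12-hour maximum that IAM Identity Center enforces on permission sets, and then creates the permission set and attaches the policy with `aws sso-admin create-permission-set` and `aws sso-admin attach-managed-policy-to-permission-set`. It assumes AWS CLI v2 with credentials that are allowed to administer IAM Identity Center; the instance ARN is looked up from `list-instances` rather than hard-coded. The duration check accepts whole hours only, which is a simplification of the ISO 8601 values the API accepts.

```shell
#!/usr/bin/env sh
# Added example (not from the AWS documentation): create a predefined
# permission set from the AWS CLI, mirroring the console steps above.
# Assumes AWS CLI v2 configured with IAM Identity Center admin rights.

set -eu

# Map a policy name from the console list to its AWS managed policy ARN.
# The job-function policies live under the /job-function/ path; the other
# four are general-purpose AWS managed policies at the root path.
policy_arn() {
  case "$1" in
    AdministratorAccess|PowerUserAccess|ReadOnlyAccess|SecurityAudit)
      printf 'arn:aws:iam::aws:policy/%s\n' "$1" ;;
    Billing|DatabaseAdministrator|DataScientist|NetworkAdministrator|SupportUser|SystemAdministrator|ViewOnlyAccess)
      printf 'arn:aws:iam::aws:policy/job-function/%s\n' "$1" ;;
    *)
      printf 'unknown predefined policy: %s\n' "$1" >&2
      return 1 ;;
  esac
}

# Accept an ISO 8601 duration of whole hours between PT1H (the default)
# and PT12H (the maximum IAM Identity Center allows on a permission set).
valid_session_duration() {
  case "$1" in
    PT[1-9]H|PT1[0-2]H) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the permission set and attach the chosen managed policy.
# Usage: create_predefined_permission_set <PolicyName> [SessionDuration]
# Prints the ARN of the new permission set on success.
create_predefined_permission_set() {
  policy="$1"
  duration="${2:-PT1H}"
  arn="$(policy_arn "$policy")"
  if ! valid_session_duration "$duration"; then
    printf 'session duration must be between PT1H and PT12H, got %s\n' "$duration" >&2
    return 1
  fi
  instance_arn="$(aws sso-admin list-instances \
      --query 'Instances[0].InstanceArn' --output text)"
  ps_arn="$(aws sso-admin create-permission-set \
      --instance-arn "$instance_arn" \
      --name "$policy" \
      --description "Predefined permission set: $policy" \
      --session-duration "$duration" \
      --query 'PermissionSet.PermissionSetArn' --output text)"
  aws sso-admin attach-managed-policy-to-permission-set \
      --instance-arn "$instance_arn" \
      --permission-set-arn "$ps_arn" \
      --managed-policy-arn "$arn" >/dev/null
  printf '%s\n' "$ps_arn"
}

# Only call AWS when a policy name is supplied on the command line, e.g.:
#   sh create-permission-set.sh SecurityAudit PT4H
if [ "$#" -ge 1 ]; then
  create_predefined_permission_set "$@"
fi
```

The permission set is named after the policy it carries, which matches what the console produces for a predefined permission set; pass a second argument such as `PT4H` to override the one-hour default session, and the script refuses values outside the 1 to 12 hour range before it makes any API call.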

Create a permission set that applies least-privilege permissions

To follow the best practice of applying least-privilege permissions, after you create an administrative permission set, create a more restrictive permission set and assign it to one or more users. The permission sets created in the previous procedure provide a starting point for assessing how much access to resources your users need. To move to least-privilege permissions, you can run IAM Access Analyzer to monitor principals that use AWS managed policies. After learning which permissions they actually use, you can write a custom policy, or generate one, that contains only the permissions your team requires.

With IAM Identity Center, you can assign multiple permission sets to the same user. Your administrative user should also be assigned additional, more restrictive permission sets. That way, they can access your AWS account with only the permissions that are required for the task at hand, rather than always using their administrative permissions.

For example, if you're a developer, after you create your administrative user in IAM Identity Center, you can create a new permission set that grants PowerUserAccess permissions, and then assign that permission set to yourself. Unlike the administrative permission set, which uses AdministratorAccess permissions, the PowerUserAccess permission set doesn't allow management of IAM users and groups. When you sign in to the AWS access portal to access your AWS account, you can choose PowerUserAccess rather than AdministratorAccess to perform development tasks in the account.

Keep the following considerations in mind:

  • To get started quickly with creating a more restrictive permission set, use a predefined permission set rather than a custom permission set.

    With a predefined permission set, which uses predefined permissions, you choose a single AWS managed policy from a list of available policies. Each policy grants a specific level of access to AWS services and resources or permissions for a common job function. For information about each of these policies, see AWS managed policies for job functions.

  • You can configure the session duration for a permission set to control the length of time that a user is signed into an AWS account.

    When users federate into their AWS account and use the AWS Management Console or the AWS Command Line Interface (AWS CLI), IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. By default, the value for Session duration, which determines the length of time that a user can be signed into an AWS account before AWS signs the user out of the session, is set to one hour. You can specify a maximum value of 12 hours. For more information, see Set session duration for AWS accounts.

  • You can also configure the AWS access portal session duration to control the length of time that a workforce user is signed into the portal.

    By default, the value for Maximum session duration, which determines the length of time that a workforce user can be signed in to the AWS access portal before they must re-authenticate, is eight hours. You can specify a maximum value of 90 days. For more information, see Configure the session duration of the AWS access portal and IAM Identity Center integrated applications.

  • When you sign in to the AWS access portal, choose the role that provides least-privilege permissions.

    Each permission set that you create and assign to your user appears as an available role in the AWS access portal. When you sign in to the portal as that user, choose the role that corresponds to the most restrictive permission set that you can use to perform tasks in the account, rather than AdministratorAccess.

  • You can add other users to IAM Identity Center and assign existing or new permission sets to those users.

    For information, see Assign AWS account access for groups.