Managing access to AWS accounts through AWS IAM Identity Center

Posted: | Tags: cloud aws til

AWS Identity Center is a service that allows you to manage and control user access to AWS accounts or applications. The user identities and groups can be provisioned from an external Identity Provider, like Okta or Keycloak, or managed directly within IAM Identity Center.

Disclaimer: Do not take the information here as a good or best practice. The purpose of this site is to post my learnings in somewhat real-time.

For the purposes of this post we will only care about managing access to existing AWS accounts, and assume the users and/or groups are already present. This will serve as a reminder for me of the order in which to perform each task.

TL;DR

  1. Create permission set(s) if they do not already exist.
  2. Open the AWS account overview from the IAM Identity Center console and click Assign users or groups.
  3. Select the desired users and/or groups and assign them one or more permission sets.

Job done.

Permission Sets

To manage access to AWS accounts, you must have an organization instance of IAM Identity Center. Permissions are defined through policies attached to a permission set which can be used by users and groups. AWS describes permission sets as:

Permission sets define the level of access that users and groups in IAM Identity Center have to an AWS account. You can assign more than one permission set to a user. To ensure least privilege access to AWS accounts, users in IAM Identity Center with multiple permission sets on an AWS account must pick a specific permission set when selecting the account and then return to the AWS access portal to pick a different set when necessary.

To create a permission set, navigate to the Permission sets section in the left panel and click Create permission set. You can choose a “Predefined permission set” or create a “Custom permission set”. After selecting the permission set type, you can specify the name and session duration before creating it.

Allow users and groups into an AWS account

Once you have created a permission set and have your users and groups in IAM Identity Center, click on AWS accounts in the left panel and select the AWS account which you wish to permit a user or group into. Once selected, click Assign users or groups and choose your users and groups. From there you can select one or more permission sets you want these users to be able to use to access this AWS account. Once you have reviewed the configuration, click Submit and wait for the changes to apply.

Once complete, you will be redirected to the AWS account view with your assigned users and groups and their permission sets.
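The same three steps expressed against the IAM Identity Center admin API (boto3 service name `sso-admin`), as an added example that is not code from the original post. The plan is built first and applied second, because the permission set ARN that the assignment calls need only exists once `create_permission_set` has returned; `DryRunClient` records what would be sent so the plan can be reviewed without touching the organization. The instance ARN, account ID and principal IDs in `__main__` are constructed placeholders.

```python
"""Steps 1-3 of the TL;DR as calls to the IAM Identity Center admin API
(boto3 service name "sso-admin"). Added example, not code from the original
post. The instance ARN, account ID and principal IDs used in __main__ are
constructed placeholders."""
from __future__ import annotations

from typing import Any

# Placeholder used while building the plan: the permission set ARN only
# exists once create_permission_set has returned, so apply_plan fills it in.
PERMISSION_SET_ARN = "<permission-set-arn>"


def build_plan(instance_arn: str, name: str, managed_policy_arn: str,
               account_id: str, principals: list[tuple[str, str]],
               session_duration: str = "PT1H") -> list[tuple[str, dict[str, Any]]]:
    """Return the ordered (operation, parameters) calls for one account.

    principals is a list of ("USER" | "GROUP", identity-store principal id).
    create_permission_set fails with a ConflictException if the name already
    exists, so reuse an existing set's ARN instead of re-running step 1.
    """
    plan: list[tuple[str, dict[str, Any]]] = [
        # Step 1: the permission set itself (name and session duration)...
        ("create_permission_set", {
            "InstanceArn": instance_arn,
            "Name": name,
            "SessionDuration": session_duration,
        }),
        # ...and the policy that defines what it allows. A predefined set such
        # as AWSAdministratorAccess wraps the matching AWS managed policy.
        ("attach_managed_policy_to_permission_set", {
            "InstanceArn": instance_arn,
            "PermissionSetArn": PERMISSION_SET_ARN,
            "ManagedPolicyArn": managed_policy_arn,
        }),
    ]
    # Steps 2-3: one assignment per (principal, account, permission set).
    for principal_type, principal_id in principals:
        if principal_type not in ("USER", "GROUP"):
            raise ValueError(f"unknown principal type {principal_type!r}")
        plan.append(("create_account_assignment", {
            "InstanceArn": instance_arn,
            "TargetType": "AWS_ACCOUNT",
            "TargetId": account_id,
            "PermissionSetArn": PERMISSION_SET_ARN,
            "PrincipalType": principal_type,
            "PrincipalId": principal_id,
        }))
    return plan


def apply_plan(plan: list[tuple[str, dict[str, Any]]], client: Any) -> list[dict[str, Any]]:
    """Run the plan against a boto3 sso-admin client (or DryRunClient),
    threading the newly created ARN into the later calls. The plan itself is
    not mutated, so it can be reviewed before and after applying."""
    responses = []
    created_arn: str | None = None
    for operation, params in plan:
        if params.get("PermissionSetArn") == PERMISSION_SET_ARN:
            if created_arn is None:
                raise RuntimeError("permission set must be created before it is used")
            params = {**params, "PermissionSetArn": created_arn}
        response = getattr(client, operation)(**params)
        if operation == "create_permission_set":
            created_arn = response["PermissionSet"]["PermissionSetArn"]
        responses.append(response)
    return responses


class DryRunClient:
    """Records the calls apply_plan would make instead of sending them.
    Assignment creation is asynchronous in the real API (the response carries
    a creation status to poll), which is why the post says to wait."""

    def __init__(self, instance_arn: str) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []
        # Synthetic ARN in the real permission set ARN shape.
        self._arn = instance_arn.replace(":instance/", ":permissionSet/") + "/ps-DRYRUN"

    def __getattr__(self, operation: str):
        def record(**params: Any) -> dict[str, Any]:
            self.calls.append((operation, params))
            if operation == "create_permission_set":
                return {"PermissionSet": {"PermissionSetArn": self._arn}}
            if operation == "create_account_assignment":
                return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS"}}
            return {}
        return record


if __name__ == "__main__":
    instance = "arn:aws:sso:::instance/ssoins-EXAMPLE"  # placeholder
    plan = build_plan(instance, "ReadOnly", "arn:aws:iam::aws:policy/ReadOnlyAccess",
                      "111122223333", [("GROUP", "g-auditors"), ("USER", "u-alice")])
    dry = DryRunClient(instance)
    apply_plan(plan, dry)
    for operation, params in dry.calls:
        print(operation, params)
    # For a real run: apply_plan(plan, boto3.client("sso-admin"))
```

The split between `build_plan` and `apply_plan` is deliberate: the plan is a plain list that can be diffed or logged before anything is created, and the ordering check in `apply_plan` makes the "permission set first, assignment second" dependency from the TL;DR explicit rather than implicit.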

AWS access portal with an example account and the AWSAdministratorAccess permission set.

Users can now use the AWS access portal URL to authenticate and access their AWS accounts. Specific permission sets can be selected under each AWS account. The AWS access portal URL (`https://{identity-store-id}.awsapps.com/start`) can be found on the IAM Identity Center console Dashboard.

Verification tasks

Given an AWS account find which users and groups have access

AWS Account overview showing assigned users and groups with their permission sets.

Navigate to the AWS account overview by clicking on AWS accounts in the left panel and select the AWS account. From there you can see which users and groups have access to this account and which permission sets they can use.

Given a user or group find which AWS account they are assigned to

Navigate to Users or Groups from the left panel and select your user or group. From the details page click on AWS accounts to see a list of AWS accounts the user or group has access to. Clicking on an account lists the permission sets the user or group can use to access that AWS account.

Given a permission set find which AWS accounts it is assigned to

Navigate to Permission sets from the left panel and select the permission set. From the details page select Accounts and a list of accounts will be visible. From this view you cannot see which users and groups can use the permission set; that can only be done by clicking on each AWS account to list its users and groups.
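All three verification tasks can be answered from one flat list of account assignments, including the permission-set-to-principals pairing that the console only shows one account at a time. The following is an added example, not code from the original post: the records in `SAMPLE` are constructed, with fields that mirror the `AccountAssignments` items returned by the `sso-admin` ListAccountAssignments API, and `collect_assignments` shows how the real records would be gathered with boto3 (it needs credentials and an account list, and is not run here). Only direct assignments are modelled; group membership is not expanded.

```python
"""The three verification tasks answered from a flat list of account
assignments. Added example, not code from the original post. SAMPLE is
constructed; its fields mirror the AccountAssignments items returned by the
sso-admin ListAccountAssignments API. collect_assignments gathers the real
records with boto3 and needs credentials, so it is not run here."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass(frozen=True)
class Assignment:
    account_id: str
    permission_set_arn: str
    principal_type: str  # "USER" or "GROUP"
    principal_id: str


Principal = tuple[str, str]  # (principal_type, principal_id)

# Constructed sample: two accounts, two permission sets, three principals.
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
PS_READ = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"
SAMPLE = [
    Assignment("111122223333", PS_ADMIN, "GROUP", "g-platform"),
    Assignment("111122223333", PS_READ, "GROUP", "g-auditors"),
    Assignment("111122223333", PS_READ, "USER", "u-alice"),
    Assignment("444455556666", PS_ADMIN, "USER", "u-alice"),
    Assignment("444455556666", PS_READ, "GROUP", "g-auditors"),
]


def access_to_account(assignments: Iterable[Assignment], account_id: str) -> dict[Principal, set[str]]:
    """Task 1: which users and groups can enter the account, and with which sets."""
    out: dict[Principal, set[str]] = defaultdict(set)
    for a in assignments:
        if a.account_id == account_id:
            out[(a.principal_type, a.principal_id)].add(a.permission_set_arn)
    return dict(out)


def accounts_for_principal(assignments: Iterable[Assignment], principal_type: str,
                           principal_id: str) -> dict[str, set[str]]:
    """Task 2: which accounts a user or group is assigned to, and with which sets.
    Only direct assignments count: a user who gets access through a group shows
    up under the group's id, not under their own."""
    out: dict[str, set[str]] = defaultdict(set)
    for a in assignments:
        if (a.principal_type, a.principal_id) == (principal_type, principal_id):
            out[a.account_id].add(a.permission_set_arn)
    return dict(out)


def accounts_for_permission_set(assignments: Iterable[Assignment],
                                permission_set_arn: str) -> dict[str, set[Principal]]:
    """Task 3: the accounts a set is provisioned to and the principals using it
    there, the pairing the console only shows one account at a time."""
    out: dict[str, set[Principal]] = defaultdict(set)
    for a in assignments:
        if a.permission_set_arn == permission_set_arn:
            out[a.account_id].add((a.principal_type, a.principal_id))
    return dict(out)


def collect_assignments(client: Any, instance_arn: str, account_ids: Iterable[str]) -> list[Assignment]:
    """Gather live records from a boto3 sso-admin client: for each account, list
    the permission sets provisioned to it, then the assignments for each set.
    account_ids would normally come from the Organizations ListAccounts API."""
    sets_pager = client.get_paginator("list_permission_sets_provisioned_to_account")
    assign_pager = client.get_paginator("list_account_assignments")
    records: list[Assignment] = []
    for account_id in account_ids:
        for page in sets_pager.paginate(InstanceArn=instance_arn, AccountId=account_id):
            for ps_arn in page.get("PermissionSets", []):
                for apage in assign_pager.paginate(InstanceArn=instance_arn, AccountId=account_id,
                                                   PermissionSetArn=ps_arn):
                    for item in apage["AccountAssignments"]:
                        records.append(Assignment(item["AccountId"], item["PermissionSetArn"],
                                                  item["PrincipalType"], item["PrincipalId"]))
    return records


if __name__ == "__main__":
    print("account 111122223333:", access_to_account(SAMPLE, "111122223333"))
    print("user u-alice:", accounts_for_principal(SAMPLE, "USER", "u-alice"))
    print("permission set ps-readonly:", accounts_for_permission_set(SAMPLE, PS_READ))
```

Because the inventory is keyed on the assignment triple (account, permission set, principal), any of the three questions is a single pass over it; the console navigates the same data but only from one starting point at a time. Snapshotting the output periodically also gives a simple diff of who gained or lost access to which account between runs.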
