How to use customer managed policies in AWS IAM Identity Center for advanced use cases
Are you looking for a simpler way to manage permissions across all your AWS accounts? Perhaps you federate your identity provider (IdP) to each account and divide permissions and authorization between cloud and identity teams, but want a simpler administrative model. Maybe you use AWS IAM Identity Center (successor to AWS Single Sign-On) but are running out of room in your permission set policies; or need a way to keep the role models you have while tailoring the policies in each account to reference their specific resources. Or perhaps you are considering IAM Identity Center as an alternative to per-account federation, but need a way to reuse the customer managed policies that you have already created. Great news! Now you can use customer managed policies (CMPs) and permissions boundaries (PBs) to help with these more advanced situations.
<p>In this blog post, we explain how you can use CMPS and PBs with IAM Identity Center to address these considerations. We describe how IAM Identity Center works, how these types of policies work with IAM Identity Center, and how to best use CMPs and PBs with IAM Identity Center. We also show you how to configure and use CMPs in your IAM Identity Center deployment.</p>
<h2>IAM Identity Center background</h2>
<p>With IAM Identity Center, you can centrally manage access to multiple <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html" rel="noopener noreferrer" target="_blank">AWS accounts</a> and business applications, while providing your workplace users a single sign-on experience with your choice of identity system. Rather than manage identity in each account individually, IAM Identity Center provides one place to connect an existing IdP, Microsoft Active Directory Domain Services (AD DS), or workforce users that you create directly in AWS. Because IAM Identity Center integrates with <a href="https://aws.amazon.com/organizations/" rel="noopener noreferrer" target="_blank">AWS Organizations</a>, it also provides a central place to define your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" rel="noopener noreferrer" target="_blank">roles</a>, assign them to your users and groups, and give your users a portal where they can access their assigned accounts.</p>
<p>With AWS Identity Center, you manage access to accounts by creating and assigning <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html" target="_blank" rel="noopener noreferrer">permission sets</a>. These are <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a> role templates that define (among other things) which policies to include in a role. If you’re just getting started, you can attach <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies" target="_blank" rel="noopener noreferrer">AWS managed policies</a> to the permission set. These policies, created by AWS service teams, enable you to get started without having to learn how to author <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html" target="_blank" rel="noopener noreferrer">IAM policies</a> in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html" target="_blank" rel="noopener noreferrer">JSON</a>. </p>
<p>For more advanced cases, where you are unable to express policies sufficiently using inline policies, you can create a custom policy in the permission set. When you assign a permission set to users or groups in a specified account, IAM Identity Center creates a role from the template and then controls single sign-on access to the role. During role creation, IAM Identity Center attaches any specified AWS managed policies, and adds any custom policy to the role as an <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies" target="_blank" rel="noopener noreferrer">inline policy</a>. These custom policies must be within the 10,240 character <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html" target="_blank" rel="noopener noreferrer">IAM quota</a> of inline policies.</p>
<p>IAM provides two other types of custom policies that increase flexibility when managing access in AWS accounts. Customer managed policies (CMPs) are standalone policies that you create and can attach to roles in your AWS accounts to grant or deny access to AWS resources. Permissions boundaries (PBs) provide an advanced feature that specifies the maximum permissions that a role can have. For both CMPs and PBs, you create the custom policy in your account and then attach it to roles. IAM Identity Center now supports attaching both of these to permission sets so you can handle cases where AWS Managed Policies and inline policies may not be enough.</p>
<h2>How CMPs and PBs work with IAM Identity Center</h2>
<p>Although you can create IAM users to manage access to AWS accounts and resources, AWS recommends that you use roles instead of IAM users for this purpose. Roles act as an identity (sometimes called an <em>IAM principal</em>), and you assign permissions (<em>identity-based policies</em>) to the role. If you use the <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener noreferrer">AWS Management Console</a> or the <a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener noreferrer">AWS Command Line Interface</a> to assume a role, you get the permissions of the role that you assumed. With its simpler way to maintain your users and groups in one AWS location and its ability to centrally manage and assign roles, AWS recommends that you use IAM Identity Center to manage access to your AWS accounts.</p>
<p>With this new IAM Identity Center release, you have the option to specify the names of CMPs and one PB in your permission set (<em>role definition</em>). Doing so modifies how IAM Identity Center provisions roles into accounts. When you assign a user or group to a permission set, IAM Identity Center checks the target account to verify that all specified CMPs and the PB are present. If they are all present, IAM Identity Center creates the role in the account and attaches the specified policies. If any of the specified CMPs or the PB are missing, IAM Identity Center fails the role creation.</p>
<p>This all sounds simple enough, but there are important implications to consider.</p>
<p>If you modify the permission set, IAM Identity Center updates the corresponding roles in all accounts to which you assigned the permission set. What is different when using CMPs and PBs is that IAM Identity Center is uninvolved in the creation or maintenance of the CMPs or PBs. It’s your responsibility to make sure that the CMPs and PBs are created and managed in all of the accounts to which you assign permission sets that use the CMPs and PBs. This means that you must be careful in how you name, create, and maintain these policies in your accounts, to avoid unintended consequences. For example, if you do not apply changes to CMPs consistently across all your accounts, the behavior of an IAM Identity Center created role will vary between accounts.</p>
<h3>What CMPs do for you</h3>
<p>By using CMPs with permission sets, you gain four main benefits:</p>
<ol>
<li>If you <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html" target="_blank" rel="noopener noreferrer">federate to your accounts directly</a> and have CMPs already, you can reuse your CMPs with permission sets in IAM Identity Center. We describe exceptions later in this post.</li>
<li>If you are running out of space in your permission set inline policies, you can add permission sets to increase the aggregate size of your policies.</li>
<li>Policies often need to refer to account-specific resources by Amazon Resource Name (ARN). Designing an inline policy that does this correctly across all your accounts can be challenging and, in some cases, may not be possible. By specifying a CMP in a permission set, you can tailor the CMPs in each of your accounts to reference the resources of the account. When IAM Identity Center creates the role and attaches the CMPs of the account, the policies used by the IAM Identity Center–generated role are now specific to the account. We highlight this example later in this post.</li>
<li>You get the benefit of a central location to define your roles, which gives you visibility of all the policies that are in use across the accounts where you assigned permission sets. This enables you to have a list of CMP and PB names that you should monitor for change across your accounts. This helps you ensure that you are maintaining your policies correctly.</li>
</ol>
<h3>Considerations and best practices</h3>
<p><strong>Start simple, avoid complex</strong> – If you’re just starting out, try using AWS managed policies first. With managed policies, you don’t need to know <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html" target="_blank" rel="noopener noreferrer">JSON policy</a> to get started. If you need more advanced policies, start by creating <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" target="_blank" rel="noopener noreferrer">identity-based inline custom policies</a> in the permission set. These policies are provisioned as inline policies, and they will be identical in all your accounts. If you need larger policies or more advanced capabilities, use <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies" target="_blank" rel="noopener noreferrer">CMPs</a> as your next option. In most cases, you can accomplish what you need with inline and customer managed policies. When you can’t achieve your objective using CMPs, use <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html" target="_blank" rel="noopener noreferrer">PBs</a>. For information about intended use cases for PBs, see the blog post <a href="https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/" target="_blank" rel="noopener noreferrer">When and where to use IAM permissions boundaries</a>.</p>
<p><strong>Permissions boundaries don’t constrain IAM Identity Center admins who create permission sets</strong> – IAM Identity Center administrators (your staff) that you authorize to create permission sets can create inline policies and attach CMPs and PBs to permission sets, without restrictions. Permissions boundary policies set the maximum permissions of a role and the maximum permissions that the role can grant within an account through IAM only. For example, PBs can set the maximum permissions of a role that uses IAM to create other roles for use by code or services. However, a PB doesn’t set maximum permissions of the IAM Identity Center permission set creator. What does that mean? Suppose you created an IAM Identity Center Admin permission set that has a PB attached, and you assigned it to John Doe. John Doe can then sign in to IAM Identity Center and modify permission sets with any policy, regardless of what you put in the PB. The PB doesn’t restrict the policies that John Doe can put into a permission set.</p>
<p>In short, use PBs only for roles that need to create IAM roles for use by code or services. Don’t use PBs for permission sets that authorize IAM Identity Center admins who create permission sets.</p>
<p><strong>Create and use a policy naming plan</strong> – IAM Identity Center doesn’t consider the content of a named policy that you attach to a permission set. If you assign a permission set in multiple accounts, make sure that all referenced policies have the same intent. Failure to do this will result in unexpected and inconsistent role behavior between different accounts. Imagine a CMP named “S3” that grants S3 read access in account A, and another CMP named “S3” that grants S3 administrative permissions over all S3 buckets in account B. A permission set that attaches the S3 policy and is assigned in accounts A and B will be confusing at best, because the level access is quite different in each of the accounts. It’s better to have more specific names, such as “S3Reader” and “S3Admin,” for your policies and ensure they are identical except for the account-specific resource ARNs.</p>
<p><strong>Use automation to provision policies in accounts</strong> – Using tools such as <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a> stacksets, or other infrastructure-as-code tools, can help ensure that naming and policies are consistent across your accounts. It also helps reduce the potential for administrators to modify policies in undesirable ways.</p>
<p><strong>Policies must match the capabilities of IAM Identity Center</strong> – Although IAM Identity Center supports most IAM semantics, there are exceptions:</p>
<ol>
<li>If you use an identity provider as your identity source, IAM Identity Center passes only <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac-policies.html" target="_blank" rel="noopener noreferrer">PrincipalTag</a> attributes that come through SAML assertions to IAM. IAM Identity Center doesn’t process or forward other SAML assertions to IAM. If you have CMPs or PBs that rely on other information from SAML assertions, they won’t work. For example, IAM Identity Center doesn’t provide multi-factor authentication (MFA) context keys or <a href="https://aws.amazon.com/blogs/security/how-to-integrate-aws-sts-sourceidentity-with-your-identity-provider/" target="_blank" rel="noopener noreferrer">SourceIdentity</a>.</li>
<li>Resource policies that reference role names or tags as part of trust policies don’t work with IAM Identity Center. You can use resource policies that use attribute-based access control (ABAC). IAM Identity Center role names are not static, and you can’t tag the roles that IAM Identity Center creates from its permission sets.</li>
</ol>
<h2>How to use CMPs with permission sets</h2>
<p>Now that you understand permission sets and how they work with CMPs and PBs, let’s take a look at how you can configure a permission set to use CMPs.</p>
<p>In this example, we show you how to use one or more permission sets that attach a CMP that enables <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">Amazon CloudWatch</a> operations to the log group of specified accounts. Specifically, the <span>AllowCloudWatch_permission</span> set attaches a CMP named <span>AllowCloudWatchForOperations</span>. When we assign the permission set in two separate accounts, the assigned users can perform CloudWatch operations against the log groups of the assigned account only. Because the CloudWatch operations policies are in CMPs rather than inline policies, the log groups can be account specific, and you can reuse the CMPs in other permission sets if you want to have CloudWatch operations available through multiple permission sets.</p>
<blockquote>
<p><strong>Note</strong>: For this blog post, we demonstrate using CMPs by utilizing the IAM Management Console to create policies and assignments. We recommend that after you learn how to do this, you create your policies through automation for production environments. For example, use <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a>. The intent of this example is to demonstrate how you can have a policy in two separate accounts that refer to different resources; something that is harder to accomplish using inline policies. The use case itself is not that advanced, but the use of CMPs to have different resources referenced in each account is a more advanced idea. We kept this simple to make it easier to focus on the feature than the use case.</p>
</blockquote>
<h3>Prerequisites</h3>
<p>In this example, we assume that you know how to use the AWS Management Console, create accounts, navigate between accounts, and create customer managed policies. You also need administrative privileges to enable IAM Identity Center and to create policies in your accounts.</p>
<p>Before you begin, <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html" target="_blank" rel="noopener noreferrer">enable IAM Identity Center</a> in your AWS Organizations management account in an <a href="https://aws.amazon.com/about-aws/global-infrastructure/regions_az/" target="_blank" rel="noopener noreferrer">AWS Region</a> of your choice. You need to <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html" target="_blank" rel="noopener noreferrer">create at least two accounts</a> within your AWS Organization. In this example, the account names are member-account and member-account-1. After you set up the accounts, you can optionally <a href="https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/" target="_blank" rel="noopener noreferrer">configure IAM Identity Center for administration in a delegated member account</a>.</p>
<h3>Configure an IAM Identity Center permission set to use a CMP</h3>
<p>Follow these four procedures to use a CMP with a permission set:</p>
<ol>
<li>Create CMPs with consistent names in your target accounts</li>
<li>Create a permission set that references the CMP that you created</li>
<li>Assign groups or users to the permission set in accounts where you created CMPs</li>
<li>Test your assignments</li>
</ol>
<h4 id="step_1">Step 1: Create CMPs with consistent names in your target accounts</h4>
<p>In this step, you create a customer managed policy named <span>AllowCloudWatchForOperations</span> in two member accounts. The policy allows your cloud operations users to access a predefined CloudWatch log group in the account.</p>
<p><strong>To create CMPs in your target accounts</strong></p>
<ol>
<li>Sign into AWS.<br><blockquote>
<p><strong>Note:</strong> You can sign in to IAM Identity Center if you have existing permission sets that enable you to create policies in member accounts. Alternatively, you can sign in using <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html" target="_blank" rel="noopener noreferrer">IAM federation</a> or as an <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html" target="_blank" rel="noopener noreferrer">IAM user</a> that has access to roles that enable you to navigate to other accounts where you can create policies. Your sign-in should also give you access to a role that can administer IAM Identity Center permission sets.</p>
</blockquote> </li>
<li>Navigate to an AWS Organizations member account.<br><blockquote>
<p><strong>Note:</strong> If you signed in through IAM Identity Center, use the user portal page to navigate to the account and role. If you signed in by using IAM federation or as an IAM user, choose your sign-in name that is displayed in the upper right corner of the AWS Management Console and then choose switch role, as shown in Figure 1.</p>
</blockquote>
<div id="attachment_26509" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26509" src="https://infracom.com.sg/wp-content/uploads/2022/08/image1-1.png" alt="Figure 1: Switch role for IAM user or IAM federation" width="466" height="462" class="size-full wp-image-26509">
<p id="caption-attachment-26509" class="wp-caption-text">Figure 1: Switch role for IAM user or IAM federation</p>
</div> </li>
<li>Open the <a href="https://console.aws.amazon.com/iam/home" target="_blank" rel="noopener noreferrer">IAM console</a>.</li>
<li>In the navigation pane, choose <strong>Policies</strong>.</li>
<li>In the upper right of the page, choose <strong>Create policy</strong>.</li>
<li>On the <strong>Create Policy</strong> page, choose the <strong>JSON</strong> tab.</li>
<li>Paste the following policy into the JSON text box. Replace <span><account-id></span> with the ID of the account in which the policy is created.<br><blockquote>
<p><strong>Tip</strong>: To copy your account number, choose your sign-in name that is displayed in the upper right corner of the AWS Management Console, and then choose the copy icon next to the account ID, as shown in Figure 2.</p>
</blockquote>
<div id="attachment_26510" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26510" src="https://infracom.com.sg/wp-content/uploads/2022/08/image2-1.png" alt="Figure 2: Copy account number" width="458" height="446" class="size-full wp-image-26510">
<p id="caption-attachment-26510" class="wp-caption-text">Figure 2: Copy account number</p>
</div>
<div class="hide-language">
<pre><code class="lang-text">{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-east-1:<span><account-id></span>:log-group:OperationsLogGroup:*"
},
{
"Action": [
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-east-1:<span><account-id></span>:log-group::log-stream:*"
}
]
}
<li>Choose <strong>Next:Tags</strong>, and then choose <strong>Next:Review</strong>.</li>
<li>On the <strong>Create Policy/Review Policy</strong> page, in the <strong>Name </strong>field, enter <span>AllowCloudWatchForOperations</span>. This is the name that you will use when you attach the CMP to the permission set in the next procedure (Step 2).</li>
<li>Repeat steps 1 through 7 in at least one other member account. Be sure to replace the <span><account-id></span> element in the policy with the account ID of each account where you create the policy. The only difference between the policies in each account is the <span><account-id></span> in the policy.</li>
<h4 id="step_2">Step 2: Create a permission set that references the CMP that you created</h4>
At this point, you have at least two member accounts containing the same policy with the same policy name. However, the <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html" target="_blank" rel="noopener noreferrer">ResourceARN</a> in each policy refers to log groups that belong to the respective accounts. In this step, you create a permission set and attach the policy to the permission set. Importantly, you attach only the name of the policy to the permission set. The actual attachment of the policy to the role that IAM Identity Center creates, happens when you assign the permission set to a user or group in <a href="https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/#step_3">Step 3</a>.</p>
<p><strong>To create a permission set that references the CMP</strong></p>
<ol>
<li>Sign in to the Organizations management account or the IAM Identity Center delegated administration account.</li>
<li>Open the <a href="https://console.aws.amazon.com/singlesignon/home" target="_blank" rel="noopener noreferrer"><strong>IAM Identity Center</strong> console</a>.</li>
<li>In the navigation pane, choose <strong>Permission Sets</strong>.</li>
<li>On the <strong>Select Permission set type</strong> screen, select <strong>Custom permission Set</strong> and choose <strong>Next</strong>.
<div id="attachment_26655" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26655" src="https://infracom.com.sg/wp-content/uploads/2022/08/New-IdC-1.jpg" alt="Figure 3: Select custom permission set" width="700" class="size-full wp-image-26655" />
<p id="caption-attachment-26655" class="wp-caption-text">Figure 3: Select custom permission set</p>
</div> </li>
<li>On the <strong>Specify policies and permissions boundary</strong> page, expand the <strong>Customer managed policies</strong> option, and choose <strong>Attach policies.</strong>
<div id="attachment_26656" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26656" src="https://infracom.com.sg/wp-content/uploads/2022/08/New-IdC-2.jpg" alt="Figure 4: Specify policies and permissions boundary" width="700" class="size-full wp-image-26656" />
<p id="caption-attachment-26656" class="wp-caption-text">Figure 4: Specify policies and permissions boundary</p>
</div> </li>
<li>For <strong>Policy names</strong>, enter the name of the policy. This name must match the name of the policy that you created in <a href="https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/#step_1">Step 1</a>. In our example, the name is <span>AllowCloudWatchForOperations</span>. Choose <strong>Next</strong>.</li>
<li>On the <strong>Permission set details</strong> page, enter a name for your permission set. In this example, use <span>AllowCloudWatch_PermissionSet</span>. You can alspecify additional details for your permission sets, such as session duration and <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/howtopermrelaystate.html" target="_blank" rel="noopener noreferrer">relay state</a> (these are a link to a specific AWS Management Console page of your choice).
<div id="attachment_26513" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26513" src="https://infracom.com.sg/wp-content/uploads/2022/08/image5-1024x687-1.png" alt="Figure 5: Permission set details" width="760" class="size-large wp-image-26513" />
<p id="caption-attachment-26513" class="wp-caption-text">Figure 5: Permission set details</p>
</div> </li>
<li>Choose <strong>Next</strong>, and then choose <strong>Create</strong>.</li>
</ol>
<h4 id="step_3">Step 3: Assign groups or users to the permission set in accounts where you created your CMPs</h4>
<p>In the preceding steps, you created a customer managed policy in two or more member accounts, and a permission set with the customer managed policy attached. In this step, you assign users to the permission set in your accounts.</p>
<p><strong>To assign groups or users to the permission set</strong></p>
<ol>
<li>Sign in to the Organizations management account or the IAM Identity Center delegated administration account.</li>
<li>Open the <a href="https://console.aws.amazon.com/singlesignon/home" target="_blank" rel="noopener noreferrer"><strong>IAM Identity Center</strong> console</a>.</li>
<li>In the navigation pane, choose <strong>AWS accounts</strong>.
<div id="attachment_26657" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26657" src="https://infracom.com.sg/wp-content/uploads/2022/08/New-IdC-3.jpg" alt="Figure 6: AWS account" width="700" class="size-full wp-image-26657" />
<p id="caption-attachment-26657" class="wp-caption-text">Figure 6: AWS account</p>
</div> </li>
<li>For testing purposes, in the <strong>AWS Organization</strong> section, select all the accounts where you created the customer managed policy. This means that any users or groups that you assign during the process will have access to the <span>AllowCloudWatch_PermissionSet</span> role in each account. Then, on the top right, choose <strong>Assign users or groups</strong>.</li>
<li>Choose the <strong>Users </strong>or <strong>Groups</strong> tab and then select the users or groups that you want to assign to the permission set. You can select multiple users and multiple groups in this step. For this example, we recommend that you select a single user for which you have credentials, so that you can sign in as that user to test the setup later. After selecting the users or groups that you want to assign, choose <strong>Next</strong>.
<div id="attachment_26658" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26658" src="https://infracom.com.sg/wp-content/uploads/2022/08/New-IdC-4.jpg" alt="Figure 7: Assign users and groups to AWS accounts" width="700" class="size-full wp-image-26658" />
<p id="caption-attachment-26658" class="wp-caption-text">Figure 7: Assign users and groups to AWS accounts</p>
</div> </li>
<li>Select the permission set that you created in <a href="https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/#step_2">Step 2</a> and choose <strong>Next</strong>.</li>
<li>Review the users and groups that you are assigning and choose <strong>Submit</strong>.</li>
<li>You will see a message that IAM Identity Center is configuring the accounts. In this step, IAM Identity Center creates roles in each of the accounts that you selected. It does this for each account, so it looks in the account for the CMP that you specified in the permission set. If the name of the CMP that you specified in the permission set matches the name that you provided when creating the CMP, IAM Identity Center creates a role from the permission set. If the names don’t match or if the CMP isn’t present in the account to which you assigned the permission set, you see an error message associated with that account. After successful submission, you will see the following message: <strong>We reprovisioned your AWS accounts successfully and applied the updated permission set to the accounts</strong>.</li>
</ol>
<h4 id="step_4">Step 4: Test your assignments</h4>
<p>Congratulations! You have successfully created CMPs in multiple AWS accounts, created a permission set and attached the CMPs by name, and assigned the permission set to users and groups in the accounts. Now it’s time to test the results.</p>
<p><strong>To test your assignments</strong></p>
<ol>
<li>Go to the <a href="https://console.aws.amazon.com/singlesignon/home" target="_blank" rel="noopener noreferrer"><strong>IAM Identity Center</strong> console</a>.</li>
<li>Navigate to the <strong>Settings</strong> page.</li>
<li>Copy the user portal URL, and then paste the user portal URL into your browser.</li>
<li>At the sign-in prompt, sign in as one of the users that you assigned to the permission set.</li>
<li>The IAM Identity Center user portal shows the accounts and roles that you can access. In the example shown in Figure 8, the user has access to the AllowCloudWatch_PermissionSet created in two accounts.
<div id="attachment_26519" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26519" src="https://infracom.com.sg/wp-content/uploads/2022/08/image8.png" alt="Figure 8: User portal" width="760" class="size-full wp-image-26519" />
<p id="caption-attachment-26519" class="wp-caption-text">Figure 8: User portal</p>
</div> <p>If you choose <span>AllowCloudWatch_PermissionSet</span> in the member-account, you will have access to the CloudWatch log group in the member-account account. If you choose the role in <span>member-account-1</span>, you will have access to CloudWatch Log group in <span>member-account-1</span>.</p> </li>
<li>Test the access by choosing <strong>Management Console</strong> for the <span>AllowCloudWatch_PermissionSet</span> in the <span>member-account</span>.</li>
<li>Open the <a href="https://console.aws.amazon.com/cloudwatch/home" target="_blank" rel="noopener noreferrer"><strong>CloudWatch</strong> console</a>.</li>
<li>In the navigation pane, choose <strong>Log groups</strong>. You should be able to access log groups, as shown in Figure 9.
<div id="attachment_26520" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26520" src="https://infracom.com.sg/wp-content/uploads/2022/08/image9-1024x250-1.png" alt="Figure 9: CloudWatch log groups" width="760" class="size-large wp-image-26520" />
<p id="caption-attachment-26520" class="wp-caption-text">Figure 9: CloudWatch log groups</p>
</div> </li>
<li>Open the <a href="https://console.aws.amazon.com/iam/home" target="_blank" rel="noopener noreferrer"><strong>IAM</strong> console</a>. You shouldn’t have permissions to see the details on this console, as shown in figure 10. This is because <span>AllowCloudWatch_PermissionSet</span> only provided CloudWatch log access.
<div id="attachment_26521" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26521" src="https://infracom.com.sg/wp-content/uploads/2022/08/image10-1024x442-1.png" alt="Figure 10: Blocked access to the IAM console" width="760" class="size-large wp-image-26521" />
<p id="caption-attachment-26521" class="wp-caption-text">Figure 10: Blocked access to the IAM console</p>
</div> </li>
<li>Return to the IAM Identity Center user portal.</li>
<li>Repeat steps 4 through 8 using member-account-1<strong>.</strong></li>
</ol>
<h2>Answers to key questions</h2>
<p><strong>What happens if I delete a CMP or PB that is attached to a role that IAM Identity Center created?</strong><br />IAM prevents you from deleting policies that are attached to IAM roles.</p>
<p><strong>How can I delete a CMP or PB that is attached to a role that IAM Identity Center created?</strong><br />Remove the CMP or PB reference from all your permission sets. Then re-provision the roles in your accounts. This detaches the CMP or PB from IAM Identity Center–created roles. If the policies are unused by other IAM roles in your account or by IAM users, you can delete the policy.</p>
<p><strong>What happens if I modify a CMP or PB that is attached to an IAM Identity Center provisioned role?</strong><br />The IAM Identity Center role picks up the policy change the next time that someone assumes the role.</p>
<h2>Conclusion</h2>
<p>In this post, you learned how <a href="https://aws.amazon.com/iam/identity-center/" target="_blank" rel="noopener noreferrer">IAM Identity Center</a> works with customer managed policies and permissions boundaries that you create in your AWS accounts. You learned different ways that this capability can help you, and some of the key considerations and best practices to succeed in your deployments. That includes the principle of starting simple and avoiding unnecessarily complex configurations. Remember these four principles:</p>
<ol>
<li>In most cases, you can accomplish everything you need by starting with custom (inline) policies.</li>
<li>Use customer managed policies for more advanced cases.</li>
<li>Use permissions boundary policies only when necessary.</li>
<li>Use <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">CloudFormation</a> to manage your customer managed policies and permissions boundaries rather than having administrators deploy them manually in accounts.</li>
</ol>
<p>To learn more about this capability, see the <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" target="_blank" rel="noopener noreferrer">IAM Identity Center User Guide</a>. If you have feedback about this post, submit comments in the <strong>Comments</strong> section below. If you have questions about this post, start a new thread on the <a href="https://repost.aws/tags/TAO7Z4bI5hQVWMiYFs34QhIA?forumID=76" target="_blank" rel="noopener noreferrer">AWS IAM re:Post</a> or <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p>
<p><strong>Want more AWS Security news? Follow us on </strong><a href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer"><strong>Twitter</strong></a>.
<!-- '"` -->