When using IAM Identity Center, there are scenarios where you might want to reuse existing IAM permission policies in your permission sets, such as:
Customer Managed Policies (CMP) support with permission sets addresses these requirements. In this guide, you’ll walk through a scenario where CMPs can be used to address specific requirements.
ℹ️ Information: Customer Managed Policies allow you to maintain consistent roles across accounts while still having the flexibility to reference account-specific resources in your policies.
⚠️ Warning: Before assigning permission sets with IAM policies, you must prepare your member account. The name of the IAM policy in the member account must match case-sensitively with the name of the policy in the management account. IAM Identity Center cannot assign the permission set if the policy doesn’t exist in the member account. The permissions granted by the policy don’t necessarily need to match exactly between accounts.
Consider a scenario where an operator group needs access to different member accounts, and their access to those accounts should be limited to specific AWS CloudWatch log groups within those accounts. This requirement can be addressed with Customer Managed Policies (CMPs): an operatorAccess policy is created in each AWS account, with its permissions only allowing CloudWatch operations on that account's log groups. You can then create a permission set attached to the operatorAccess CMP that permits CloudWatch operations on the specified accounts' log groups.
Replace <account-id> with the account ID of the account this policy is being created in:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogStream",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents",
          "logs:GetLogEvents"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group:OperationsLogGroup:*"
      },
      {
        "Action": [
          "logs:DescribeLogGroups"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group::log-stream:*"
      }
    ]
  }

Policy name: operatorAccess
🔒 Security Note: When creating policies, always follow the principle of least privilege by granting only the permissions necessary to perform the required tasks.
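The two points above (the policy document is the same in every account except for the account-specific ARNs, and the CMP name must exist with exactly matching case in each member account before the permission set can be assigned) as an added example, not part of the original module. It renders the operatorAccess document for a given account ID and checks a constructed inventory of policy names per account; in practice that inventory would come from listing the customer managed policies in each member account.

```python
import re
from typing import Dict, List

# Name the permission set will reference; it must match case-sensitively in every member account.
POLICY_NAME = "operatorAccess"


def render_operator_access_policy(account_id: str, region: str = "us-east-1") -> dict:
    """Build the per-account operatorAccess document: same permissions, account-specific ARNs."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"invalid AWS account ID: {account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                           "logs:PutLogEvents", "logs:GetLogEvents"],
                "Effect": "Allow",
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:OperationsLogGroup:*",
            },
            {
                "Action": ["logs:DescribeLogGroups"],
                "Effect": "Allow",
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group::log-stream:*",
            },
        ],
    }


def check_policy_presence(required_name: str, policies_by_account: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify each account as 'ok', 'case-mismatch' (name differs only in case) or 'missing'."""
    report = {}
    for account, names in policies_by_account.items():
        if required_name in names:
            report[account] = "ok"
        elif any(n.lower() == required_name.lower() for n in names):
            report[account] = "case-mismatch"  # IAM Identity Center treats this as absent
        else:
            report[account] = "missing"
    return report


# Constructed sample inventory (hypothetical account IDs and policy names) standing in for
# the list of customer managed policies retrieved from each member account.
SAMPLE_INVENTORY = {
    "111111111111": ["operatorAccess", "ReadOnlyAudit"],
    "222222222222": ["OperatorAccess"],  # wrong case: assignment would fail
    "333333333333": ["ReadOnlyAudit"],   # CMP not created yet
}

if __name__ == "__main__":
    print(render_operator_access_policy("111111111111")["Statement"][0]["Resource"])
    for account, status in check_policy_presence(POLICY_NAME, SAMPLE_INVENTORY).items():
        print(account, status)
```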
Navigate to the IAM Identity Center Console
Select the AWS Region recommended by the AWS team if this is part of an AWS event, or the Region in which you intend to configure the rules if you're running this on your own.
Click on Permission sets in the left menu and click the Create permission set button
On the Select permission set type page:
On the Specify policies page:
On the Specify permission set details page:
On the Review and create page:
💡 Pro Tip: Create a standard naming convention for your permission sets that indicates their purpose and level of access. This makes it easier to manage permissions at scale.
Let’s create a new Group named operations:
For this module, we’ll create a new user: operationsUser
Navigate to the IAM Identity Center Console
Select Users under the Workplace pool section and click Create User
On the Create User page:
On the Add users to groups - optional page:
On the Review and add user page:
A pop-up window will appear with a one-time password. Copy the information using the Copy button and save it for the verification step. Note the User portal URL, Username, and Password.
ℹ️ Information: IAM Identity Center manages user identities separately from IAM users, providing a single place to create and manage user identities for your entire AWS organization.
Navigate to the IAM Identity Center Console, select AWS accounts
Select the account you want users to have access to
Click Assign users or groups
On the Assign users and Group to AccountName page:
On the Select permission sets page:
On the Review and submit page:
IAM Identity Center will associate the User group with the Permission set and assign it to the selected AWS Account. You’ll see a page with a green banner.
💡 Pro Tip: IAM Identity Center allows you to assign multiple permission sets to the same user or group, giving you flexibility in how you structure your access control.
Note: For a better experience, perform the following verification steps in private browsing mode or in a different web browser.
Log in to the AWS Portal using the User portal URL saved when creating operationsUser
Provide the username for the user previously created in this module
Provide the one-time password for the username
Set a new password for the user
After successful login, on the Identity Center portal page, select the Management console link for the operatorAccessPermissionSet role
After successfully logging into the Management Console, navigate to the CloudWatch Log groups page and confirm that you can list existing OperationsLogGroup log groups and successfully create new log streams in them
🔒 Security Note: Regularly review and audit your permission sets and group assignments to ensure users have the appropriate level of access to AWS resources.
This module demonstrates how AWS IAM Identity Center works with customer managed policies that you create in your AWS accounts. Although the module created a CMP and a permission set and assigned it to a single account, you can create CMPs with the same name in all member accounts and assign the same operatorAccessPermissionSet permission set across all of your member accounts.