Assign user or group access to Amazon Web Services accounts - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Assign user or group access to Amazon Web Services accounts

Use the following procedure to assign single sign-on access to users and groups in your connected directory and use permission sets to determine their level of access.

To check existing user and group access, see View and change a permission set.

Note

To simplify administration of access permissions, we recommended that you assign access directly to groups rather than to individual users. With groups you can grant or deny permissions to groups of users rather than having to apply those permissions to each individual. If a user moves to a different organization, you simply move that user to a different group and they automatically receive the permissions that are needed for the new organization.

To assign user or group access to Amazon Web Services accounts

  1. Open the IAM Identity Center console.

    Note

    Make sure that the IAM Identity Center console is using the Region where your Amazon Managed Microsoft AD directory is located before you move to the next step.

  2. In the navigation pane, under Multi-account permissions, choose Amazon Web Services accounts.

  3. On the Amazon Web Services accounts page, a tree view list of your organization displays. Select the checkbox next to the Amazon Web Services account to which you want to assign access. If you are setting up administrative access for IAM Identity Center, select the checkbox next to the management account .

    Note

    You can select up to 10 Amazon Web Services accounts at a time per permission set when you assign single sign-on access to users and groups. To assign more than 10 Amazon Web Services accounts to the same set of users and groups, repeat this procedure as required for the additional accounts. When prompted, select the same users, groups, and permission set.

  4. Choose Assign users or groups.

  5. For Step 1: Select users and groups, on the Assign users and groups to "Amazon-account-name" page, do the following:

    1. On the Users tab, select one or more users to whom to grant single sign-on access.

      To filter the results, start typing the name of the user that you want in the search box.

    2. On the Groups tab, select one or more groups to which to grant single sign-on access.

      To filter the results, start typing the name of the group that you want in the search box.

    3. To display the users and groups that you selected, choose the sideways triangle next to Selected users and groups.

    4. After you confirm that the correct users and groups are selected, choose Next.

  6. For Step 2: Select permission sets, on the Assign permission sets to "Amazon-account-name" page, do the following:

    1. Select one or more permission sets. If required, you can create and select new permission sets.

      • To select one or more existing permission sets, under Permission sets, select the permission sets that you want to apply to the users and groups that you selected in the previous step.

      • To create one or more new permission sets, choose Create permission set, and follow the steps in Create a permission set. After you create the permission sets that you want to apply, in the IAM Identity Center console, return to Amazon Web Services accounts and follow the instructions until you reach Step 2: Select permission sets. When you reach this step, select the new permission sets that you created, and proceed to the next step in this procedure.

    2. After you confirm that the correct permission sets are selected, choose Next.

  7. For Step 3: Review and Submit, on the Review and submit assignments to "Amazon-account-name" page, do the following:

    1. Review the selected users, groups, and permission sets.

    2. After you confirm that the correct users, groups, and permission sets are selected, choose Submit.

    Considerations

    • The user and group assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

    • Note

      You might need to grant users or groups permissions to operate in the Amazon Organizations management account. Because it is a highly privileged account, additional security restrictions require you to have the IAMFullAccess policy or equivalent permissions before you can set this up. These additional security restrictions are not required for any of the member accounts in your Amazon organization.

  8. If either of the following applies, follow the steps in Prompt users for MFA to enable MFA for IAM Identity Center:

    • You're using the default Identity Center directory as your identity source.

    • You're using an Amazon Managed Microsoft AD directory or a self-managed directory in Active Directory as your identity source and you're not using RADIUS MFA with Amazon Directory Service.

    Note

    If you're using an external identity provider, note that the external IdP, not IAM Identity Center, manages MFA settings. MFA in IAM Identity Center is not supported for use by external IdPs.

When you set up account access for the administrative user, IAM Identity Center creates a corresponding IAM role. This role, which is controlled by IAM Identity Center, is created in the relevant Amazon Web Services account, and the policies specified in the permission set are attached to the role.

Alternatively, you can use Amazon CloudFormation to create and assign permission sets and assign users to those permission sets. Users can then sign in to the Amazon access portal or use Amazon Command Line Interface (Amazon CLI) commands.