Custom permissions - Amazon IAM Identity Center

Custom permissions

You can create a permission set with Custom permissions, combining any of the Amazon managed and customer managed policies that you have in Amazon Identity and Access Management (IAM) along with inline policies. You can also include a permissions boundary, which sets the maximum permissions that the other policies can grant to users of your permission set.

For instructions on how to create a permission set, see Create, manage, and delete permission sets.

Policy types that you can attach to your permission set

Inline policies

You can attach an inline policy to a permission set. An inline policy is a block of text formatted as an IAM policy that you add directly to your permission set. You can paste in a policy, or generate a new one with the policy creation tool in the IAM Identity Center console when you create a new permission set. You can also create IAM policies with the Amazon Policy Generator.

When you deploy a permission set with an inline policy, IAM Identity Center creates an IAM policy in the Amazon Web Services accounts where you assign your permission set. IAM Identity Center creates the policy when you assign the permission set to the account. The policy is then attached to the IAM role in your Amazon Web Services account that your user assumes.

When you create an inline policy and assign your permission set, IAM Identity Center configures the policies in your Amazon Web Services accounts for you. When you build your permission set with Customer managed policies, you must create the policies in your Amazon Web Services accounts yourself before you assign the permission set.

Amazon managed policies

You can attach Amazon managed policies to your permission set. Amazon managed policies are IAM policies that Amazon maintains. In contrast, Customer managed policies are IAM policies in your account that you create and maintain. Amazon managed policies address common least privilege use cases in your Amazon Web Services account. You can assign an Amazon managed policy as permissions for the role that IAM Identity Center creates, or as a permissions boundary.

Amazon maintains Amazon managed policies for job functions that assign job-specific access permissions to your Amazon resources. You can add one job-function policy when you choose to use Predefined permissions with your permission set. When you choose Custom permissions, you can add more than one job-function policy.

Your Amazon Web Services account also contains a large number of Amazon managed IAM policies for specific Amazon Web Services and combinations of Amazon Web Services. When you create a permission set with Custom permissions, you can choose from many additional Amazon managed policies to assign to your permission set.

Amazon populates every Amazon Web Services account with Amazon managed policies. To deploy a permission set with Amazon managed policies, you don't need to first create a policy in your Amazon Web Services accounts. When you build your permission set with Customer managed policies, you must create the policies in your Amazon Web Services accounts yourself before you assign the permission set.

For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Customer managed policies

You can attach customer managed policies to your permission set. Customer managed policies are IAM policies in your account that you create and maintain. In contrast, Amazon managed policies are IAM policies in your account that Amazon maintains. You can assign a customer managed policy as permissions for the role that IAM Identity Center creates, or as a permissions boundary.

When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each Amazon Web Services account where IAM Identity Center assigns your permission set. If you are specifying a custom path, make sure to specify the same path in each Amazon Web Services account. For more information, see Friendly names and paths in the IAM User Guide. IAM Identity Center attaches the IAM policy to the IAM role that it creates in your Amazon Web Services account. As a best practice, apply the same permissions to the policy in each account where you assign the permission set. For more information, see Use IAM policies in permission sets.

For more information, see Customer managed policies in the IAM User Guide.

Permissions boundaries

You can attach a permissions boundary to your permission set. A permissions boundary is an Amazon managed or customer managed IAM policy that sets the maximum permissions that an identity-based policy can grant to an IAM principal. When you apply a permissions boundary, your Inline policies, Customer managed policies, and Amazon managed policies can't grant any permissions that exceed the permissions that your permissions boundary grants. A permissions boundary doesn't grant any permissions, but instead makes it so that IAM ignores all permissions beyond the boundary.
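As an added illustration (not code from the IAM Identity Center documentation), the following simplified Python model of the evaluation logic shows that a permissions boundary caps what the permission set's inline and managed policies grant but grants nothing on its own. The sample policies and the arn:aws-cn ARNs are constructed; Condition, NotAction/NotResource, resource-based policies and SCPs, which real IAM also evaluates, are ignored.

```python
import re

# Simplified model of how IAM evaluates the role behind a permission set:
# identity-based policies (inline, Amazon managed, customer managed) plus an
# optional permissions boundary. Constructed example, not IAM's real engine.

def _glob(pattern, value, ignore_case):
    # IAM policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    return any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))) and \
        any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", [])))

def _decision(policies, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'Implicit'."""
    result = "Implicit"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny always wins
                result = "Allow"
    return result

def is_allowed(action, resource, identity_policies, boundary=None):
    """Allowed only if the identity-based policies allow AND, when a boundary is
    attached, the boundary also allows. The boundary by itself never grants."""
    if _decision(identity_policies, action, resource) != "Allow":
        return False
    return boundary is None or _decision([boundary], action, resource) == "Allow"

# Constructed sample: a broad inline policy on the permission set ...
IDENTITY_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:StartInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}]
# ... capped by a boundary that only permits S3 reads on team-* buckets. It also
# lists iam:PassRole, which the identity policy never grants, so that entry is inert.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws-cn:s3:::team-*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
```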

When you create a permission set with a customer managed policy as a permissions boundary, you must create an IAM policy with the same name in each Amazon Web Services account where IAM Identity Center assigns your permission set. IAM Identity Center attaches the IAM policy as a permissions boundary to the IAM role that it creates in your Amazon Web Services account.

For more information, see Permissions boundaries for IAM entities in the IAM User Guide.