Create, manage, and delete permission sets - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create, manage, and delete permission sets

Permission sets define the level of access that users and groups have to an Amazon Web Services account. Permission sets are stored in IAM Identity Center and can be provisioned to one or more Amazon Web Services accounts. You can assign more than one permission set to a user. For more information about permission sets and how they are used in IAM Identity Center, see Permission sets.

Keep the following considerations in mind when creating permission sets:

  • Start with a predefined permission set

    With a predefined permission set, which uses predefined permissions, you choose a single Amazon managed policy from a list of available policies. Each policy grants a specific level of access to Amazon services and resources or permissions for a common job function. For information about each of these policies, see Amazon managed policies for job functions. After you have collected usage data you can refine the permission set to be more restrictive.

  • Limit management session duration to reasonable work periods

    When users federate into their Amazon Web Services account and use the Amazon Management Console or the Amazon Command Line Interface (Amazon CLI), IAM Identity Center uses the session duration setting on the permission set to control the length of the session. When the user session reaches the session duration, they are signed out of the console and asked to sign in again. As a security best practice, we recommend that you don't set the session duration longer than the work performed in that role requires. By default, the value for Session duration is one hour. You can specify a maximum value of 12 hours. For more information, see Set session duration.

  • Limit workforce user portal session duration

    Workforce users use portal sessions to choose roles and access applications. By default, the value for Maximum session duration, which determines the length of time that a workforce user can be signed in to the Amazon access portal before they must re-authenticate, is eight hours. You can specify a maximum value of 90 days. For more information, see Configure the session duration of the Amazon Web Services access portal and IAM Identity Center integrated applications.

  • Use the role that provides least-privilege permissions

    Each permission set that you create and assign to your user appears as an available role in the Amazon access portal. When you sign in to the portal as that user, choose the role that corresponds to the most restrictive permission set that you can use to perform tasks in the account, rather than AdministratorAccess. Test your permission sets to verify they provide the necessary access before sending the user invitation.
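The following is an added example, not code from the Amazon documentation, that puts the first two considerations into practice: it builds a predefined permission set from a single Amazon managed job-function policy and enforces the session duration window the page describes (ISO 8601 durations from PT1H, the default, up to PT12H) before anything is sent to the service. It assumes the `sso-admin` API operations `create_permission_set` and `attach_managed_policy_to_permission_set` and the CloudFormation resource type `AWS::SSO::PermissionSet` as documented by AWS; the instance ARN and `ViewOnlyAccess` policy ARN are constructed placeholders whose partition (`aws` or `aws-cn`) depends on the Region you use.

```python
import re

# Constructed placeholder ARNs (not real resources). The partition is
# aws-cn in the China Regions and aws elsewhere.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE0123456789"
VIEW_ONLY_JOB_FUNCTION = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"

MIN_SESSION_SECONDS = 1 * 3600   # one hour, the default Session duration
MAX_SESSION_SECONDS = 12 * 3600  # twelve hours, the largest value allowed

# Time-only ISO 8601 durations such as PT1H, PT90M or PT1H30M.
_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
# Amazon managed policies carry "aws" in the account field of the ARN.
_MANAGED_POLICY_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::aws:policy/.+$")


def parse_iso8601_duration(value):
    """Convert a time-only ISO 8601 duration string to a number of seconds."""
    m = _DURATION_RE.match(value)
    if not m or value == "PT":
        raise ValueError(f"not a time-only ISO 8601 duration: {value!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def validate_session_duration(value):
    """Reject durations outside the 1 to 12 hour window a permission set accepts."""
    seconds = parse_iso8601_duration(value)
    if not MIN_SESSION_SECONDS <= seconds <= MAX_SESSION_SECONDS:
        raise ValueError(f"session duration {value} must be between PT1H and PT12H")
    return value


def build_permission_set_calls(instance_arn, name, managed_policy_arn,
                               session_duration="PT1H", description=""):
    """Return the parameters for the two sso-admin calls that create a predefined
    permission set: create_permission_set, then attach_managed_policy_to_permission_set
    (which additionally needs the PermissionSetArn returned by the first call)."""
    if not _MANAGED_POLICY_RE.match(managed_policy_arn):
        raise ValueError("a predefined permission set uses an Amazon managed policy "
                         f"(account field 'aws' in the ARN), got {managed_policy_arn!r}")
    policy_name = managed_policy_arn.rsplit("/", 1)[-1]
    create = {
        "InstanceArn": instance_arn,
        "Name": name,
        "Description": description or f"Predefined permission set using {policy_name}",
        "SessionDuration": validate_session_duration(session_duration),
    }
    attach = {"InstanceArn": instance_arn, "ManagedPolicyArn": managed_policy_arn}
    return {"create": create, "attach": attach}


def cloudformation_permission_set(instance_arn, name, managed_policy_arn,
                                  session_duration="PT1H"):
    """The same permission set expressed as an AWS::SSO::PermissionSet resource body,
    for templates that create permission sets with CloudFormation."""
    calls = build_permission_set_calls(instance_arn, name, managed_policy_arn,
                                       session_duration)
    return {
        "Type": "AWS::SSO::PermissionSet",
        "Properties": {
            "InstanceArn": instance_arn,
            "Name": name,
            "Description": calls["create"]["Description"],
            "SessionDuration": calls["create"]["SessionDuration"],
            "ManagedPolicies": [managed_policy_arn],
        },
    }


if __name__ == "__main__":
    import json

    calls = build_permission_set_calls(INSTANCE_ARN, "ViewOnly", VIEW_ONLY_JOB_FUNCTION)
    print(json.dumps(calls, indent=2))
    print(json.dumps(cloudformation_permission_set(INSTANCE_ARN, "ViewOnly",
                                                   VIEW_ONLY_JOB_FUNCTION), indent=2))
    # Live usage needs credentials and boto3, so it stays out of the offline path:
    #   sso = boto3.client("sso-admin")
    #   ps_arn = sso.create_permission_set(**calls["create"])["PermissionSet"]["PermissionSetArn"]
    #   sso.attach_managed_policy_to_permission_set(PermissionSetArn=ps_arn, **calls["attach"])
```

Running the module prints the two request bodies and the CloudFormation resource; a value such as `PT13H` or `PT30M` is rejected locally rather than at the API, and a customer managed policy ARN is rejected because a predefined permission set is defined by a single Amazon managed policy.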

Note

You can also use Amazon CloudFormation to create and assign permission sets and assign users to those permission sets.