Manage Amazon Web Services accounts with permission sets - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage Amazon Web Services accounts with permission sets

A permission set is a template that you create and maintain that defines a collection of one or more IAM policies. Permission sets simplify the assignment of Amazon Web Services account access for users and groups in your organization. For example, you can create a Database Admin permission set that includes policies for administering Amazon RDS, DynamoDB, and Aurora services, and use that single permission set to grant access to a list of target Amazon Web Services accounts within your Amazon Organization for your database administrators.

IAM Identity Center assigns access to a user or group in one or more Amazon Web Services accounts with permission sets. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. IAM Identity Center manages the role, and allows the authorized users you’ve defined to assume the role, by using the IAM Identity Center User Portal or Amazon CLI.  As you modify the permission set, IAM Identity Center ensures that the corresponding IAM policies and roles are updated accordingly.

You can add Amazon managed policies, customer managed policies, inline policies, and Amazon managed policies for job functions to your permission sets. You can also assign an Amazon managed policy or a customer managed policy as a permissions boundary.

To create a permission set, see Create, manage, and delete permission sets.

Topics