Assign Amazon Web Services account access for groups - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Assign Amazon Web Services account access for groups

After you've created an administrative user in IAM Identity Center and created additional permission sets that you can use to perform tasks with least-privileged permissions, you can provide access to your Amazon Web Services accounts to user groups.

We recommend that you assign access to groups rather than to individual users. For example, if you create groups and permission sets based on organizational units and a user moves to a different organizational unit, you simply move that user to a different group: they automatically receive the permissions needed for the new organizational unit and lose the permissions of the previous one.

To assign user group access to Amazon Web Services accounts
  1. Open the IAM Identity Center console.

    Note

    If your identity source is Amazon Managed Microsoft AD, make sure that the IAM Identity Center console is using the Region where your Amazon Managed Microsoft AD directory is located before you move to the next step.

  2. In the navigation pane, under Multi-account permissions, choose Amazon Web Services accounts.

  3. On the Amazon Web Services accounts page, a tree view list of your organization appears. Select the checkbox next to one or more Amazon Web Services accounts to which you want to assign single sign-on access.

    Note

    You can select up to 10 Amazon Web Services accounts per permission set.

  4. Choose Assign users or groups.

  5. For Step 1: Select users and groups, on the Assign users and groups to "Amazon-account-name" page, select the Groups tab, then choose one or more groups.

    To filter the results, start typing the name of the group that you want in the search box.

    To display the groups that you selected, choose the sideways triangle next to Selected users and groups.

    After you confirm that the correct groups are selected, choose Next.

  6. For Step 2: Select permission sets, on the Assign permission sets to "Amazon-account-name" page, select one or more permission sets.

    Note

    If you didn't create the permission set you want before starting this procedure, choose Create permission set, and follow the steps in Create a permission set. After you create the permission sets that you want to apply, in the IAM Identity Center console, return to Amazon Web Services accounts and follow the instructions until you reach Step 2: Select permission sets. When you reach this step, select the new permission sets that you created, and proceed to the next step in this procedure.

    After you confirm that the correct permission sets are selected, choose Next.

  7. For Step 3: Review and Submit, on the Review and submit assignments to "Amazon-account-name" page, do the following:

    1. Review the selected groups and permission sets.

    2. After you confirm that the correct groups and permission sets are selected, choose Submit.

      Important

      The group assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

      Note

      You might need to grant users or groups permissions to operate in the Amazon Organizations management account. Because it is a highly privileged account, additional security restrictions require you to have the IAMFullAccess policy or equivalent permissions before you can assign access to it. These additional security restrictions are not required for any of the member accounts in your Amazon organization.

Alternatively, you can use Amazon CloudFormation to create permission sets and to assign users or groups to those permission sets in your accounts. Users can then sign in to the Amazon access portal or use Amazon Command Line Interface (Amazon CLI) commands.
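The following template is an added example, not code from this documentation page; it expresses the console procedure above (one permission set, one group, several member accounts) as the CloudFormation alternative this paragraph describes. It uses the real `AWS::SSO::PermissionSet` and `AWS::SSO::Assignment` resource types. The parameter values (instance ARN, identity store group ID, account IDs), the permission set name `ReadOnlyAudit`, and the logical resource names are assumptions that you replace with your own. Note that `PrincipalId` must be the group's identity store ID (a GUID), not its display name, and that the targets are member accounts, so the management-account restriction noted above does not apply.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Example only (not the documentation's own template): create a read-only
  permission set and assign an IAM Identity Center group to member accounts.

Parameters:
  InstanceArn:
    Type: String
    Description: >-
      ARN of the IAM Identity Center instance, as returned by
      "aws sso-admin list-instances" (placeholder, supply your own).
  AuditGroupId:
    Type: String
    Description: >-
      Identity store GroupId (GUID) of the group to assign, not its display
      name (placeholder, supply your own).
  DevAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Member account ID (placeholder, supply your own).
  TestAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Member account ID (placeholder, supply your own).

Resources:
  # Step 6 of the console procedure: the permission set. Kept to a single
  # managed policy and a short session so the group gets least privilege.
  ReadOnlyAuditPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: ReadOnlyAudit            # assumed name
      Description: Read-only access for the audit group
      SessionDuration: PT4H          # ISO 8601 duration, 4 hours
      ManagedPolicies:
        # ${AWS::Partition} resolves to aws-cn in the China Regions.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess'

  # Steps 3, 5 and 7: one assignment per (group, permission set, account).
  # Assigning the group rather than users means membership changes in the
  # identity source automatically adjust who receives this access.
  AuditGroupDevAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt ReadOnlyAuditPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref AuditGroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref DevAccountId

  AuditGroupTestAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt ReadOnlyAuditPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref AuditGroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TestAccountId

Outputs:
  PermissionSetArn:
    Description: ARN of the created permission set, for further assignments.
    Value: !GetAtt ReadOnlyAuditPermissionSet.PermissionSetArn
```

Deploy it with `aws cloudformation deploy --template-file <file> --stack-name <name> --parameter-overrides InstanceArn=... AuditGroupId=... DevAccountId=... TestAccountId=...` from a principal that administers IAM Identity Center. Because each `AWS::SSO::Assignment` is a separate resource, adding an account later is a one-resource change, and removing a resource revokes that account's access on the next stack update, which gives you a reviewable, auditable record of who can reach which account with which permission set.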