ACCT.04 – Assign permissions - AWS Prescriptive Guidance

Configure user permissions in the account by assigning policies to their IAM identity (user group or role). You can customize the permissions, or you can attach AWS managed policies, which are standalone policies designed by AWS to provide permissions for many common use cases. If you customize permissions, follow the security best practice of granting least privilege. Least privilege is the practice of granting the minimum set of permissions that each user needs to perform their tasks.

If you are using federated identities, users access the account by assuming an IAM role through the external identity provider. The IAM role defines what users authenticated by your organization's IdP are allowed to do in AWS. You apply custom or AWS managed policies to this role to configure permissions.

To assign permissions for federated identities

If you are using IAM users, you can use user groups or roles to manage permissions for multiple IAM users. We recommend user groups for startups because they are easier to manage and less prone to misconfiguration that could pose security risks for your account. Assign users to user groups based on their job functions. Examples of user groups include application, data, networking, and Development Operations (DevOps) engineers. You can also divide the user types into smaller user groups based on decision-making authority, such as for senior or non-senior engineers.

To assign permissions for IAM users
  1. Create IAM user groups (IAM documentation).

  2. Attach an AWS managed policy to an IAM user group (IAM documentation).
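The following Python script is an added example, not part of the AWS guidance page. It ties together the two procedures above: it builds the trust policy a federated role needs so that only identities authenticated through your organization's SAML provider can assume it, it maps job-function user groups to AWS managed policies, and it lints a customer-managed policy document for the wildcard grants that violate least privilege. The account ID, the provider name, the group names and the bucket name are constructed sample values; the group-to-policy mapping is an illustrative assumption, and the lint rules are a review heuristic, not an AWS tool.

```python
"""Least-privilege helpers for IAM permission assignment (added example)."""
import json

# Illustrative mapping of job-function groups to AWS managed policies.
# The group names are constructed; the policy ARNs are real AWS managed policies.
GROUP_MANAGED_POLICIES = {
    "DataEngineers": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
    "Auditors": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
}


def federated_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a role assumed through a SAML identity provider.

    Only the named SAML provider in this account may assume the role, and only
    via AssumeRoleWithSAML with the AWS sign-in audience, so a token issued for
    some other relying party cannot be replayed here.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return human-readable findings for Allow statements that are broader than
    least privilege: global or service-wide actions, unconditioned Resource "*",
    and NotAction/NotResource (which silently widen as new APIs are added)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {action}")
        # Some list/describe APIs genuinely need Resource "*"; flag for review
        # rather than reject outright.
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' without a Condition")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
    return findings


# Constructed sample policies: one overly broad, one scoped to a single bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


if __name__ == "__main__":
    print(json.dumps(federated_trust_policy("123456789012", "CorpIdP"), indent=2))
    for name, doc in (("broad", BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", lint_policy(doc) or "no findings")
    for group, arns in GROUP_MANAGED_POLICIES.items():
        for arn in arns:
            print(f"attach {arn} to group {group}")
```

Run the lint over a customer-managed policy before you attach it; a clean result means the document avoids the obvious wildcard grants, not that it is minimal for the workload. The group mapping corresponds to the two steps above when carried out with the AWS CLI: `aws iam create-group --group-name <name>` followed by `aws iam attach-group-policy --group-name <name> --policy-arn <arn>`.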