Identity-based policy examples for AWS SSO - AWS Single Sign-On


This topic provides examples of permissions policies that an account administrator can attach to AWS identities, including IAM users, groups, and roles, and AWS SSO users (as part of a custom permissions policy), for administration of AWS SSO.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS SSO resources. For more information, see Overview of managing access permissions to your AWS SSO resources.

The sections in this topic cover the following:

Customer managed policy examples

Permissions required to use the AWS SSO console

Customer managed policy examples

In this section, you can find examples of common use cases that require a custom IAM policy. The example policies below are identity-based policies, which do not specify the Principal element. This is because with an identity-based policy, you don't specify the principal who gets the permission. Instead, you attach the policy to the principal. When you attach an identity-based permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions. Identity-based policies can be created in IAM and attached to users, groups, and/or roles, or can be applied to AWS SSO users as part of a custom permissions policy in an AWS SSO permission set.

Note

Use these examples when crafting policies for your environment, and make sure to test both positive ("access granted") and negative ("access denied") test cases before deploying to production. For more information about testing IAM policies, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.

Example 1: Allow a user to view AWS SSO

The following permissions policy grants read-only permissions to a user so they can view all of the settings and directory information configured within AWS SSO.

Note

This example policy is provided purely for illustrative purposes. In a production environment, we recommend that you use the AWS Managed Policy for Read-Only access to AWS SSO.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "iam:ListPolicies",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:GetInlinePolicyForPermissionSet",
        "sso-directory:DescribeDirectory",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Allow a user to manage permissions to AWS accounts in AWS SSO

The following permissions policy grants permissions to allow a user to create, manage and deploy permission sets for your AWS accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:CreatePermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:ProvisionPermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:UpdatePermissionSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMListPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessToSSOProvisionedRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetSAMLProvider"
      ],
      "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
    }
  ]
}

Note

The additional permissions listed under the "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" statements are required only to enable the user to create assignments in the AWS Organizations management account.

Example 3: Allow a user to manage applications in AWS SSO

The following permissions policy grants permissions to allow a user to view and configure applications in AWS SSO, including pre-integrated SaaS applications from within the AWS SSO catalog.

Note

The sso:AssociateProfile operation used in the policy example below is required for management of user and group assignments to applications. It also allows a user to assign users and groups to AWS accounts, using existing permission sets. If a user needs to manage AWS account access within AWS SSO, and requires permissions necessary to manage permission sets, see Example 2: Allow a user to manage permissions to AWS accounts in AWS SSO.

As of October 2020, many of these operations are available only through the AWS console. This example policy includes “read” actions such as list, get, and search, which are relevant to the error-free operation of the console for this case.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:CreateApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:DeleteApplicationInstance",
        "sso:DeleteProfile",
        "sso:DisassociateProfile",
        "sso:GetApplicationTemplate",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:DeleteManagedApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:GetManagedApplicationInstance",
        "sso:UpdateManagedApplicationInstanceStatus",
        "sso:CreateManagedApplicationInstance",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationTemplates",
        "sso:ListApplications",
        "sso:ListApplicationInstances",
        "sso:ListDirectoryAssociations",
        "sso:ListProfiles",
        "sso:ListProfileAssociations",
        "sso:ListInstances",
        "sso:GetProfile",
        "sso:GetSSOStatus",
        "sso:GetSsoConfiguration",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeUsers",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Allow a user to manage users and groups in your AWS SSO directory

The following permissions policy grants permissions to allow a user to create, view, modify, and delete users and groups in AWS SSO.

Note that in some cases direct modification of users and groups in AWS SSO is restricted: for example, when Active Directory, or an external identity provider with Automatic Provisioning enabled, is selected as the identity source.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sso-directory:ListGroupsForUser",
        "sso-directory:DisableUser",
        "sso-directory:EnableUser",
        "sso-directory:SearchGroups",
        "sso-directory:DeleteGroup",
        "sso-directory:AddMemberToGroup",
        "sso-directory:DescribeDirectory",
        "sso-directory:UpdateUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:CreateUser",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchUsers",
        "sso:ListDirectoryAssociations",
        "sso-directory:RemoveMemberFromGroup",
        "sso-directory:DeleteUser",
        "sso-directory:DescribeUsers",
        "sso-directory:UpdateGroup",
        "sso-directory:CreateGroup"
      ],
      "Resource": "*"
    }
  ]
}

Example 5: Allow a user to administer AWS SSO for specific permission sets, accounts, or OUs

As your team grows, an AWS SSO administrator may want to consider implementing a delegation model that enables AWS account and application administrators to manage their users' SSO access to their resources. Using this model and the example policies below, permissions can be delegated for administering AWS accounts, permission sets, or OUs. Once any of these policies has been created, that same policy can be selected whenever the same permissions need to be delegated to other administrative users.

Account-based delegation

The following policy grants permissions that allow an administrator to delegate access for each of the AWS accounts noted under Resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateAccountsAdminAccess",
      "Effect": "Allow",
      "Action": [
        "sso:ProvisionPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:UpdateInstanceAccessControlAttributeConfiguration",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreatePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:CreateInstanceAccessControlAttributeConfiguration",
        "sso:DeleteInstanceAccessControlAttributeConfiguration"
      ],
      "Resource": [
        "arn:aws:sso:::account/112233445566",
        "arn:aws:sso:::account/223344556677",
        "arn:aws:sso:::account/334455667788"
      ]
    }
  ]
}

Permission-based delegation

The following permissions policy grants permissions that allow an administrator to delegate access for a given AWS SSO instance ID ARN (in this case, ssoins-1111111111) or permission set ARN (ssoins-1111111111/ps-112233abcdef123).

For more information about finding the ARNs associated with an AWS SSO instance ID or permission set, see Identify your permission set and AWS SSO Instance IDs on the AWS Security blog.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatePermissionsAdminAccess",
      "Effect": "Allow",
      "Action": [
        "sso:ProvisionPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:UpdateInstanceAccessControlAttributeConfiguration",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreatePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:CreateInstanceAccessControlAttributeConfiguration",
        "sso:DeleteInstanceAccessControlAttributeConfiguration",
        "sso:ProvisionApplicationInstanceForAWSAccount"
      ],
      "Resource": [
        "arn:aws:sso:::instance/ssoins-1111111111",
        "arn:aws:sso:::permissionSet/ssoins-1111111111/ps-112233abcdef123"
      ]
    }
  ]
}

OU-based delegation

OU-based delegation requires two policy statements within the same permission set, and the ability to tag AWS SSO resources, as described in Tagging AWS Single Sign-On resources.

The following permissions policy grants permissions that allow an administrator to delegate access for an OU. In the first policy statement, we filter the permission sets by both the Environment and OU tags. In the second policy statement, we filter the accounts that are tagged for the Development OU.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateOUsAdminAccess",
      "Effect": "Allow",
      "Action": [
        "sso:ProvisionPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:UpdateInstanceAccessControlAttributeConfiguration",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreatePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:CreateInstanceAccessControlAttributeConfiguration",
        "sso:DeleteInstanceAccessControlAttributeConfiguration",
        "sso:ProvisionApplicationInstanceForAWSAccount"
      ],
      "Resource": "arn:aws:sso:::permissionSet/*/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "Development",
          "aws:ResourceTag/OU": "Test"
        }
      }
    },
    {
      "Sid": "Instance",
      "Effect": "Allow",
      "Action": [
        "sso:ProvisionPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:UpdateInstanceAccessControlAttributeConfiguration",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreatePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:CreateInstanceAccessControlAttributeConfiguration",
        "sso:DeleteInstanceAccessControlAttributeConfiguration",
        "sso:ProvisionApplicationInstanceForAWSAccount"
      ],
      "Resource": [
        "arn:aws:sso:::instance/ssoins-82593a6ed92c8920",
        "arn:aws:sso:::account/112233445566",
        "arn:aws:sso:::account/223344556677",
        "arn:aws:sso:::account/334455667788"
      ]
    }
  ]
}
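The note near the top of this topic asks for positive ("access granted") and negative ("access denied") test cases before a delegation policy reaches production. The following added Python example (not from this page or from AWS) runs such cases offline against a constructed, trimmed copy of the OU-based delegation policy above; it models only the features Example 5 relies on (Action and Resource wildcards and StringEquals on aws:ResourceTag), checks one action/resource pair at a time, and is a pre-commit sanity check rather than a replacement for the IAM policy simulator.

```python
import json
import re

# Constructed, trimmed copy of the page's OU-based delegation policy (Example 5):
# statement 1 scopes permission-set actions by resource tags, statement 2 names
# the instance and the accounts the delegate may assign to.
OU_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DelegateOUsAdminAccess", "Effect": "Allow",
     "Action": ["sso:CreatePermissionSet", "sso:ProvisionPermissionSet"],
     "Resource": "arn:aws:sso:::permissionSet/*/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Development",
                                    "aws:ResourceTag/OU": "Test"}}},
    {"Sid": "Instance", "Effect": "Allow",
     "Action": ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"],
     "Resource": ["arn:aws:sso:::instance/ssoins-82593a6ed92c8920",
                  "arn:aws:sso:::account/112233445566"]}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _condition_ok(condition, tags):
    # Only StringEquals on aws:ResourceTag/<key> is modelled, which is all this
    # policy uses; a resource that lacks the tag never satisfies StringEquals.
    for key, expected in condition.get("StringEquals", {}).items():
        tag_key = key.split("/", 1)[1]
        if tags.get(tag_key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, resource_tags=None):
    # Simplified IAM decision: an explicit Deny wins, otherwise any matching Allow.
    # Action names are case-insensitive in IAM; resource ARNs are matched as given.
    tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(p, action, ignore_case=True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A real assignment call is authorized against every ARN it touches (instance, permission set and account), so run each of those through is_allowed and require all of them to pass before treating the delegation as granted.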

More information

To see an example walkthrough that covers how to delegate administration of user identities in an IAM environment, see How to delegate management of identity in AWS Single Sign-On on the AWS Security Blog.

Permissions required to use the AWS SSO console

For a user to work with the AWS SSO console without errors, additional permissions are required. If an IAM policy has been created that is more restrictive than the minimum required permissions, the console won't function as intended for users with that policy. The following example lists the set of permissions that may be needed to ensure error-free operation within the AWS SSO console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeAccountAssignmentCreationStatus",
        "sso:DescribeAccountAssignmentDeletionStatus",
        "sso:DescribePermissionSet",
        "sso:DescribePermissionSetProvisioningStatus",
        "sso:DescribePermissionsPolicies",
        "sso:DescribeRegisteredRegions",
        "sso:GetApplicationInstance",
        "sso:GetApplicationTemplate",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetManagedApplicationInstance",
        "sso:GetMfaDeviceManagementForDirectory",
        "sso:GetPermissionSet",
        "sso:GetPermissionsPolicy",
        "sso:GetProfile",
        "sso:GetSharedSsoConfiguration",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus",
        "sso:GetTrust",
        "sso:ListAccountAssignmentCreationStatus",
        "sso:ListAccountAssignmentDeletionStatus",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationInstances",
        "sso:ListApplications",
        "sso:ListApplicationTemplates",
        "sso:ListDirectoryAssociations",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetProvisioningStatus",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListProfileAssociations",
        "sso:ListProfiles",
        "sso:ListTagsForResource",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeGroups",
        "sso-directory:DescribeUsers",
        "sso-directory:ListGroupsForUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}