AWS Single Sign-On
User Guide

Permission Sets

Permission sets define the level of access that users and groups have to an AWS account. Permission sets are stored in AWS SSO and provisioned to the AWS account as IAM roles. You can assign more than one permission set to a user. Users who have multiple permission sets must choose one when they sign in to the user portal. (Users will see these as IAM roles). For more information, see Permission Sets.

Create Permission Set

Use this procedure to create a permission set based on a custom permissions policy that you create, or on predefined AWS managed policies that exist in IAM, or both.

To create a permission set

  1. Open the AWS SSO console.

  2. Choose AWS accounts.

  3. Select the Permission sets tab.

  4. Choose Create permission set.

  5. In the Create new permission set dialog box, choose from one of the following options, and then follow the instructions provided under that option:

    • Use an existing job function policy

      1. Under Select job function policy, select one of the default IAM job function policies in the list. For more information, see AWS Managed Policies for Job Functions.

      2. Choose Create.

    • Create a custom permission set

      1. Under Create a custom permission set, type a name that will identify this permission set in AWS SSO. This name will also appear as an IAM role in the user portal for any users who have access to it.

      2. (Optional) You can also type a description. This description will only appear in the AWS SSO console and will not be visible to users in the user portal.

      3. (Optional) Specify the value for the relay state. This value is used in the federation process to redirect users within the account.

      4. Select either Attach AWS managed policies or Create a custom permissions policy. Or select both if you need to link more than one policy type to this permission set.

      5. If you chose Attach AWS managed policies, under Attach AWS Managed policies, select up to 10 job-related or service-specific AWS managed policies from the list.

      6. If you chose Create a custom permissions policy, under Create a custom permissions policy, paste in a policy document with your preferred permissions. For a list of example policies to use for delegating AWS SSO tasks, see Customer Managed Policy Examples.

        For more information about the access policy language, see Overview of Policies in the IAM User Guide. To test the effects of this policy before applying your changes, use the IAM policy simulator.

      7. Choose Create.

Delete Permission Sets

Use this procedure to delete one or more permission sets so that they can no longer be used by any AWS account in the organization.


All users and groups that have been assigned this permission set, regardless of what AWS account is using it, will no longer be able to sign in.

To delete a permissions set from an AWS account

  1. Open the AWS SSO console.

  2. Choose AWS accounts.

  3. Choose the Permission sets tab.

  4. Select the permission set you want to delete, and then choose Delete.

  5. In the Delete permission set dialog box, choose Delete.

Set Session Duration

For each permission set, you can specify a session duration to control the length of time that a user can be signed in to an AWS account. When the specified duration has elapsed, AWS logs the user out of the session. For AWS accounts, AWS SSO uses this setting to set the maximum session duration of the IAM role that you use to generate a user’s session. The session duration that you specify for a given permission set applies to both the AWS Management Console and the AWS Command Line Interface (CLI) session.

When you create a new permission set, it comes configured with the default session length of 1 hour (in seconds). The minimum session duration length is 1 hour and can be configured up to 12 hours.


As a security best practice, we recommend that you do not set the session duration length longer than is needed to perform the role.

Once a permission set has been created, you can later update it to apply a new session duration. When you reapply the permission set to your AWS accounts, the IAM role’s maximum session duration value is updated. Use the following procedure to modify the session duration length for a given permission set.

To set the session duration

  1. Open the AWS SSO console.

  2. Choose AWS accounts.

  3. Choose the Permission sets tab.

  4. Choose the name of the permission set that will have the new session duration.

  5. On the Permissions tab, next to Session duration, choose Edit.

  6. On the Edit session duration page, next to New session duration, choose a new session length value, and then choose Continue.

  7. Select the AWS accounts in the list that you want the new session duration value to apply to, and then choose Reapply permission set.