Assign AWS account access for groups
After you've created an administrative user in IAM Identity Center and created additional permission sets that you can use to perform tasks with least-privileged permissions, you can provide access to your AWS accounts to user groups.
We recommend that you assign access directly to groups rather than to individual users. For example, if you create groups and permission sets based on organizational units, if a user moves to a different organizational unit, you simply move that user to a different group and they automatically receive the permissions that are needed for the new organizational unit and lose the permissions of the previous organizational unit.
To assign user group access to AWS accounts
-
Open the IAM Identity Center console
. Note
If your identity source is AWS Managed Microsoft AD make sure that the IAM Identity Center console is using the Region where your AWS Managed Microsoft AD directory is located before you move to the next step.
-
In the navigation pane, under Multi-account permissions, choose AWS accounts.
-
On the AWS accounts page, a tree view list of your organization appears. Select the checkbox next to one or more AWS accounts to which you want to assign single sign-on access.
Note
You can select up to 10 AWS accounts per permission set.
-
Choose Assign users or groups.
-
For Step 1: Select users and groups, on the Assign users and groups to "
AWS-account-name
" page, select the Groups tab, then choose one or more groups.To filter the results, start typing the name of the group that you want in the search box.
To display the groups that you selected, choose the sideways triangle next to Selected users and groups.
After you confirm that the correct groups are selected, choose Next.
-
For Step 2: Select permission sets, on the Assign permission sets to "
AWS-account-name
" page, select one or more permission setsNote
If you didn't create the permission set you want before starting this procedure choose Create permission set, and follow the steps in Create a permission set. After you create the permission sets that you want to apply, in the IAM Identity Center console, return to AWS accounts and follow the instructions until you reach Step 2: Select permission sets. When you reach this step, select the new permission sets that you created, and proceed to the next step in this procedure.
After you confirm that the correct permission sets are selected, choose Next.
-
For Step 3: Review and Submit, on the Review and submit assignments to "
AWS-account-name
" page, do the following:-
Review the selected groups, and permission sets.
-
After you confirm that the correct groups, and permission sets are selected, choose Submit.
Important
The group assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.
Note
You might need to grant users or groups permissions to operate in the AWS Organizations management account. Because it is a highly privileged account, additional security restrictions require you to have the IAMFullAccess
policy or equivalent permissions before you can set this up. These additional security restrictions are not required for any of the member accounts in your AWS organization.
-
Alternatively, you can use AWS CloudFormation to create and assign permission sets and assign users to those permission sets. Users can then sign in to the AWS access portal or use AWS Command Line Interface (AWS CLI) commands.