Sunday, October 12, 2025

AWS IAM Identity Center Fine-grained Permissions & Assignments | Deep Dive.

 

Here’s a comprehensive deep dive on AWS IAM Identity Center Fine-Grained Permissions and Assignments.

View:

  •        How permissions work,
  •        How permissions are set,
  •        Roles,
  •        Assignments.

NB

All these map together to deliver granular access control across AWS accounts and applications.

 1. Overview

  • AWS IAM Identity Center (successor to AWS SSO) centralizes authentication and authorization for multiple AWS accounts and applications.
  • Fine-grained permissions and assignments in Identity Center are about decoupling identity, access policies, and resource boundaries so twtech can precisely control who can access what, where, and how.

2. Core Building Blocks

Concept             | Description
User / Group        | Identities from the configured identity source: the built-in Identity Center directory, AWS Directory Service / Active Directory, or an external IdP such as Okta or Microsoft Entra ID (formerly Azure AD).
Permission Set      | A template of IAM policies (AWS managed, customer managed, inline, plus an optional permissions boundary) that defines what a user can do once they assume the corresponding IAM role in an AWS account.
Assignment          | A mapping of User or Group → AWS Account → Permission Set. The first assignment of a permission set to an account provisions one IAM role for that permission set in that account; further users or groups assigned the same permission set in the same account share that role.
IAM Role (SSO Role) | Automatically provisioned in each target AWS account (role name prefix AWSReservedSSO_). Its trust policy allows only the SAML identity provider that IAM Identity Center creates in that account to assume it, via sts:AssumeRoleWithSAML, on behalf of authenticated users.

 3. Fine-Grained Permission Model

a. Permission Set Composition

A Permission Set can include:

  • AWS Managed Policies (e.g., ReadOnlyAccess, AdministratorAccess)
  • Customer Managed Policies, referenced by name and path: a policy with exactly that name must already exist in every target account (deploy it with CloudFormation StackSets or similar), otherwise provisioning of the permission set fails in that account
  • Inline Policy JSON (custom fine-grained controls)
  • An optional permissions boundary (AWS or customer managed) that caps everything above

Example inline policy for fine-grained S3 access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::twtechfinance-data",
        "arn:aws:s3:::twtechfinance-data/dev-ou/*"
      ]
    }
  ]
}

NB: This policy could be embedded inside a Permission Set assigned only to a specific group (e.g., FinanceViewers). Note that s3:ListBucket is evaluated against the bucket ARN, so the group can list every key in the bucket while only objects under dev-ou/ are readable; add a Condition on s3:prefix to the ListBucket grant if listing must be limited as well.

b. Scoped Assignments Across Accounts

Assignments can be fine-grained across accounts:

  • Group DevOps → Account Prod → ReadOnlyAccess
  • Group DevOps → Account Staging → PowerUserAccess
  • User Alice → Account Sandbox → AdminAccess

Thus, each (User/Group + Account + Permission Set) assignment is evaluated in its own context. The IAM role behind it is created per permission set per account, so DevOps in Prod and DevOps in Staging assume different roles with different policies, while two groups assigned the same permission set in the same account share one role. Least privilege is enforced by choosing the narrowest permission set for each account, not by who the principal is.

c. Attribute-Based Access Control (ABAC) Extension

Enable "Attributes for access control" in IAM Identity Center and map user attributes (e.g., department, project, environment) from the identity source; with an external IdP the values arrive in the SAML assertion. Identity Center passes them to STS as session tags (the provisioned role's trust policy includes sts:TagSession for this purpose), so IAM policy conditions and resource ARNs can reference them as aws:PrincipalTag/<key> for dynamic fine-grained control.

Example policy statement (a complete policy also needs s3:ListBucket on the bucket ARN itself; s3:* is shown for brevity and should be narrowed in practice):

{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/project}/*"
}

This grants access dynamically based on the user's project attribute, so there is no need for a separate permission set per project. Because the attribute value becomes part of the resource ARN, whoever can edit that attribute in the IdP effectively controls the grant: restrict who can change the mapped attributes and map only attributes the IdP validates.
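To make the two policies above concrete (the FinanceViewers inline policy from 3a and the project ABAC statement from 3c), here is an added example that is not part of the original post: a small Python evaluator that applies IAM's default-deny, explicit-deny-wins, wildcard and ${aws:PrincipalTag/...} substitution rules to constructed sample requests. It is a simplified model for reasoning about the policies, not the IAM engine; the ABAC policy is completed with a ListBucket statement and narrowed from s3:* to read/write, and all bucket names, keys and session tags are constructed.

```python
# Added example (not from the page): a simplified IAM-style evaluator that runs the
# FinanceViewers inline policy from 3a and the ABAC statement from 3c against sample
# requests. It models default deny, explicit deny, IAM wildcards and
# ${aws:PrincipalTag/...} substitution; it is NOT the real IAM engine.
import fnmatch
import re
from typing import Optional

# Inline policy from section 3a (embedded in a permission set for the FinanceViewers group).
FINANCE_VIEWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::twtechfinance-data",
                     "arn:aws:s3:::twtechfinance-data/dev-ou/*"],
    }],
}

# ABAC statement from section 3c, completed into a full policy: the object-level grant is
# narrowed from s3:* to read/write, and ListBucket on the bucket itself is added because
# IAM evaluates ListBucket against the bucket ARN, not the object ARN.
PROJECT_ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/project}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/project}"},
    ],
}

_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resolve(pattern: str, session_tags: dict) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/key} from the session tags. If a referenced tag is not
    present on the session, the element cannot match, so return None."""
    missing = False

    def sub(m):
        nonlocal missing
        val = session_tags.get(m.group(1))
        if val is None:
            missing = True
            return ""
        return val

    resolved = _TAG_VAR.sub(sub, pattern)
    return None if missing else resolved


def _match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str, session_tags: Optional[dict] = None) -> bool:
    """Default deny; an explicit Deny that matches wins over any Allow."""
    tags = session_tags or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        resources = [_resolve(r, tags) for r in _as_list(st["Resource"])]
        if not any(r is not None and _match(r, resource) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo_policies() -> dict:
    """Constructed sample requests: what each policy allows for a given session."""
    fin, abac = FINANCE_VIEWER_POLICY, PROJECT_ABAC_POLICY
    alpha = {"project": "alpha"}   # session tag set by the Identity Center ABAC attribute mapping
    return {
        "finance_list_bucket": is_allowed(fin, "s3:ListBucket", "arn:aws:s3:::twtechfinance-data"),
        "finance_get_dev_ou": is_allowed(fin, "s3:GetObject", "arn:aws:s3:::twtechfinance-data/dev-ou/q3.csv"),
        "finance_get_prod_ou": is_allowed(fin, "s3:GetObject", "arn:aws:s3:::twtechfinance-data/prod-ou/q3.csv"),
        "finance_put_dev_ou": is_allowed(fin, "s3:PutObject", "arn:aws:s3:::twtechfinance-data/dev-ou/q3.csv"),
        "abac_own_project": is_allowed(abac, "s3:GetObject", "arn:aws:s3:::project-alpha/report.csv", alpha),
        "abac_other_project": is_allowed(abac, "s3:GetObject", "arn:aws:s3:::project-beta/report.csv", alpha),
        "abac_list_own_bucket": is_allowed(abac, "s3:ListBucket", "arn:aws:s3:::project-alpha", alpha),
        "abac_no_project_tag": is_allowed(abac, "s3:GetObject", "arn:aws:s3:::project-alpha/report.csv", {}),
    }


if __name__ == "__main__":
    for name, ok in demo_policies().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY'}")
```

The last case is the one worth remembering: a session without the project tag gets nothing, because an unresolved policy variable never matches. In the real service that is the situation when the attribute is not mapped in Identity Center or the IdP omits it, so a missing attribute fails closed rather than open.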

 4. Assignment Lifecycle and Propagation

  1. Create a Permission Set in IAM Identity Center (policies, optional permissions boundary, session duration).
  2. Assign it to a User/Group and AWS Account.
  3. IAM Identity Center provisions in the target AWS Account (if that permission set is not already present there):
    • An IAM Role named AWSReservedSSO_<PermissionSetName>_<suffix>, whose trust policy allows the account's Identity Center SAML provider to assume it.
    • The permission set's managed policy attachments, inline policy and permissions boundary on that role.
  4. User authenticates via IdP → IAM Identity Center → AWS STS.
  5. STS issues temporary credentials for the specific SSO Role, valid for at most the permission set's session duration.

Assignment and provisioning requests are asynchronous; track them with the account-assignment status and permission-set provisioning status APIs. Deleting an assignment stops the principal from obtaining new credentials, and IAM Identity Center removes the IAM Role and its policies from the account once the last assignment of that permission set to that account is gone. Temporary credentials that were already issued stay valid until they expire unless the role itself is deleted, which is one reason to keep session duration short. Edits to a permission set that is already assigned must be provisioned to each account that uses it (provision-permission-set when working through the API).
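The following is an added example, not code from the original post, covering steps 2 and 3 of this lifecycle and the revocation case in Python. It is written against the boto3 "sso-admin" client's call shapes (create_account_assignment / describe_account_assignment_creation_status and their delete counterparts, the same operations as `aws sso-admin create-account-assignment` and `delete-account-assignment`). The FakeSsoAdmin class and every ARN, account ID and group ID are constructed so the script runs offline; passing boto3.client("sso-admin") in place of the fake runs it against a real instance, provided the permission set already exists.

```python
# Added example (not from the page): steps 2-3 of the lifecycle and the revocation case,
# written against the boto3 "sso-admin" client's call shapes (the same operations as
# `aws sso-admin create-account-assignment` / `delete-account-assignment`). FakeSsoAdmin and
# every ARN/ID below are constructed so this runs offline; pass boto3.client("sso-admin")
# instead to run it for real (the permission set must already exist).
import time
from typing import Optional

TERMINAL = {"SUCCEEDED", "FAILED"}


def _wait_for(status, describe, instance_arn, request_key, status_key,
              sleep=time.sleep, clock=time.monotonic, interval=2.0, timeout=300):
    """Assignment requests are asynchronous: poll the matching Describe*Status call until the
    request leaves IN_PROGRESS, raising on FAILED or when the deadline passes."""
    deadline = clock() + timeout
    while status["Status"] not in TERMINAL:
        if clock() > deadline:
            raise TimeoutError(f"request {status['RequestId']} still {status['Status']}")
        sleep(interval)
        status = describe(**{"InstanceArn": instance_arn, request_key: status["RequestId"]})[status_key]
    if status["Status"] == "FAILED":
        raise RuntimeError(f"request {status['RequestId']} failed: {status.get('FailureReason')}")
    return status


def create_assignment(sso, instance_arn, account_id, permission_set_arn,
                      principal_type, principal_id, **poll):
    """Assign a USER or GROUP (identity store ID, not display name) to an account with a
    permission set. The first assignment of that permission set to the account is what makes
    Identity Center provision the AWSReservedSSO_* role there."""
    resp = sso.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn, PrincipalType=principal_type, PrincipalId=principal_id)
    return _wait_for(resp["AccountAssignmentCreationStatus"],
                     sso.describe_account_assignment_creation_status, instance_arn,
                     "AccountAssignmentCreationRequestId", "AccountAssignmentCreationStatus", **poll)


def delete_assignment(sso, instance_arn, account_id, permission_set_arn,
                      principal_type, principal_id, **poll):
    """Revoke the assignment. The role stays in the account until the last assignment of this
    permission set to this account is gone; credentials already issued live until they expire."""
    resp = sso.delete_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn, PrincipalType=principal_type, PrincipalId=principal_id)
    return _wait_for(resp["AccountAssignmentDeletionStatus"],
                     sso.describe_account_assignment_deletion_status, instance_arn,
                     "AccountAssignmentDeletionRequestId", "AccountAssignmentDeletionStatus", **poll)


class FakeSsoAdmin:
    """Constructed stand-in for boto3's sso-admin client. Each request reports IN_PROGRESS for
    `polls_until_done` polls and then SUCCEEDED, or FAILED with `fail_reason` if one is set."""

    def __init__(self, polls_until_done: int = 2, fail_reason: Optional[str] = None):
        self.polls_until_done, self.fail_reason = polls_until_done, fail_reason
        self.assignments = set()       # (account, permission set ARN, principal type, principal ID)
        self._polls, self._count = {}, 0

    def _start(self, kind, kw, add):
        self._count += 1
        rid = f"{kind}-{self._count}"
        key = (kw["TargetId"], kw["PermissionSetArn"], kw["PrincipalType"], kw["PrincipalId"])
        (self.assignments.add if add else self.assignments.discard)(key)
        self._polls[rid] = 0
        return {"Status": "IN_PROGRESS", "RequestId": rid, **kw}

    def _describe(self, rid):
        self._polls[rid] += 1
        if self._polls[rid] < self.polls_until_done:
            return {"Status": "IN_PROGRESS", "RequestId": rid}
        if self.fail_reason:
            return {"Status": "FAILED", "RequestId": rid, "FailureReason": self.fail_reason}
        return {"Status": "SUCCEEDED", "RequestId": rid}

    def create_account_assignment(self, **kw):
        return {"AccountAssignmentCreationStatus": self._start("create", kw, True)}

    def delete_account_assignment(self, **kw):
        return {"AccountAssignmentDeletionStatus": self._start("delete", kw, False)}

    def describe_account_assignment_creation_status(self, InstanceArn, AccountAssignmentCreationRequestId):
        return {"AccountAssignmentCreationStatus": self._describe(AccountAssignmentCreationRequestId)}

    def describe_account_assignment_deletion_status(self, InstanceArn, AccountAssignmentDeletionRequestId):
        return {"AccountAssignmentDeletionStatus": self._describe(AccountAssignmentDeletionRequestId)}


NO_WAIT = dict(sleep=lambda s: None, clock=lambda: 0.0)   # skip real sleeping in the demo


def demo_lifecycle(sso: Optional[FakeSsoAdmin] = None) -> dict:
    """Assign the FinanceViewers group (constructed IDs) to one account, then revoke it."""
    sso = sso or FakeSsoAdmin()
    inst = "arn:aws:sso:::instance/ssoins-example"
    ps = "arn:aws:sso:::permissionSet/ssoins-example/ps-financeviewers"
    args = (sso, inst, "111122223333", ps, "GROUP", "a1b2c3d4-finance-viewers-group-id")
    created = create_assignment(*args, **NO_WAIT)
    n_after_create = len(sso.assignments)
    deleted = delete_assignment(*args, **NO_WAIT)
    return {"create": created["Status"], "assignments_after_create": n_after_create,
            "delete": deleted["Status"], "assignments_after_delete": len(sso.assignments)}


if __name__ == "__main__":
    print(demo_lifecycle())
```

The polling loop is the part people skip in automation: a 200 OK from create-account-assignment only means the request was accepted, and a FAILED status (for example when a customer managed policy named in the permission set is missing from the target account) is only visible through the describe call.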

 5. Policy Evaluation Flow

  1. User signs in to the AWS access portal. With an external IdP this is SAML 2.0 federation; the CLI and SDKs obtain their tokens from Identity Center's own OIDC API after that sign-in.
  2. IAM Identity Center looks up the user's group memberships and the assignments that apply to them.
  3. The user selects a target AWS account + permission set (role); only assigned combinations are offered.
  4. IAM Identity Center issues a SAML assertion for that account and role, which is presented to AWS STS AssumeRoleWithSAML (with session tags when ABAC is enabled).
  5. STS validates the assertion against the trust policy of the IAM Role:
    • The assertion must be signed by the SAML provider that Identity Center created in that account, and its SAML:aud must be the AWS sign-in endpoint.
    • The requested role must be listed in the assertion, which Identity Center only does for roles the user is assigned.
  6. STS issues temporary credentials scoped to that role's policies (the permission set's policies, capped by any permissions boundary and by the SCPs that apply to the account).
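Because the trust policy is the gate in step 5, a role whose trust policy has been widened is a backdoor that bypasses every assignment in Identity Center. The check below is an added example (not from the original post) that audits AWSReservedSSO_* roles for exactly the shape Identity Center writes. It assumes the role-name prefix AWSReservedSSO_, the SAML provider name pattern AWSSSO_<id>_DO_NOT_DELETE, the SAML:aud value https://signin.aws.amazon.com/saml and the allowed action set listed in the code; compare those against a role in your own account before relying on them. The sample roles, account IDs and provider ID are constructed.

```python
# Added example (not from the page): audit the trust policies of the roles Identity Center
# provisioned in an account and flag anything an attacker may have added as a backdoor.
# Assumptions: role name prefix AWSReservedSSO_, SAML provider name pattern
# AWSSSO_<id>_DO_NOT_DELETE, and the allowed action set below; verify against a role in
# your own account and adjust. The sample roles are constructed.
import json
import re
from typing import Dict, List

SSO_ROLE_PREFIX = "AWSReservedSSO_"
SAML_AUD = "https://signin.aws.amazon.com/saml"
# AssumeRoleWithSAML is how STS issues the role's credentials from the Identity Center
# assertion; TagSession carries ABAC session tags; SetContext is used by trusted identity
# propagation. Anything else in an Allow statement is suspicious.
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession", "sts:SetContext"}
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/AWSSSO_[0-9a-f]+_DO_NOT_DELETE$")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_trust_policy(role_name: str, doc, account_id: str) -> List[str]:
    """Return findings for one role; an empty list means the trust policy is the shape
    Identity Center writes: Federated SAML provider of this account, SAML actions only,
    SAML:aud pinned to the AWS sign-in endpoint."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        pairs = principal.items() if isinstance(principal, dict) else [("*", principal)]
        for ptype, values in pairs:
            for p in _as_list(values):
                m = PROVIDER_RE.match(p) if ptype == "Federated" else None
                if m is None or m.group(1) != account_id:
                    findings.append(f"{role_name}: unexpected principal {ptype}={p}")
        for action in _as_list(st.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{role_name}: unexpected action {action}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUD:
            findings.append(f"{role_name}: SAML:aud condition missing or wrong ({aud!r})")
    return findings


def audit_sso_roles(roles: List[dict], account_id: str) -> Dict[str, List[str]]:
    """Run over `iam list-roles`-style records; only Identity Center roles are checked."""
    return {r["RoleName"]: audit_trust_policy(r["RoleName"], r["AssumeRolePolicyDocument"], account_id)
            for r in roles if r["RoleName"].startswith(SSO_ROLE_PREFIX)}


# Constructed sample: a clean role, a backdoored one (extra statement trusting a foreign
# IAM user with sts:AssumeRole), and an ordinary role that is not Identity Center's.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_PROVIDER = f"arn:aws:iam::{SAMPLE_ACCOUNT}:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"
CLEAN_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Federated": SAMPLE_PROVIDER},
    "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}},
}
SAMPLE_ROLES = [
    {"RoleName": "AWSReservedSSO_FinanceViewers_0a1b2c3d4e5f6a7b",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [CLEAN_STATEMENT]}},
    {"RoleName": "AWSReservedSSO_AdministratorAccess_9f8e7d6c5b4a3210",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         CLEAN_STATEMENT,
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:user/contractor"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "lambda-exec-role",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
]


def demo_audit() -> Dict[str, List[str]]:
    return audit_sso_roles(SAMPLE_ROLES, SAMPLE_ACCOUNT)


if __name__ == "__main__":
    for role, findings in demo_audit().items():
        print(role, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In production feed it the decoded AssumeRolePolicyDocument from iam list-roles or get-role, and run it from the target account (or with the account ID of that account), since the check deliberately rejects a provider ARN from any other account. Pair it with a CloudTrail alert on UpdateAssumeRolePolicy against roles under the aws-reserved path, because Identity Center itself never needs a human to edit those trust policies.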

 6. Advanced Features

Feature                            | Description
Account Assignment APIs            | Automate assignment provisioning with the sso-admin API, e.g. aws sso-admin create-account-assignment (and delete-account-assignment to revoke).
Permission Set Provisioning Status | Assignment and provisioning requests are asynchronous; poll their status (describe-account-assignment-creation-status, describe-permission-set-provisioning-status) to track propagation across accounts and to catch FAILED requests.
Delegated Administration           | Register a member account as the delegated administrator so Identity Center can be managed outside the organization's management account. The delegated administrator cannot manage permission sets that are provisioned to the management account itself.
Audit & Visibility                 | Identity Center and sso-admin API calls (assignment changes, permission set edits, sign-ins) are recorded in CloudTrail; pair them with the AssumeRoleWithSAML events for AWSReservedSSO_* roles in each account to see who actually used which access.
Session Duration                   | Configure the session length per permission set (1 to 12 hours); the provisioned role's maximum session duration is set to match.

 

 7. Diagram: Fine-Grained Permissions & Assignments (Architecture Flow)

Flow:

  1. External IdP authenticates the user (SAML 2.0 federation into IAM Identity Center).
  2. IAM Identity Center receives attributes and evaluates assignments.
  3. IAM IC maps user/group to AWS Account and Permission Set.
  4. Corresponding IAM Role is assumed via STS (Security Token Service).
  5. Temporary credentials grant fine-grained access defined by inline/custom policies.

