Sunday, October 12, 2025

AWS IAM Identity Center Fine-Grained Permissions & Assignments | Overview.

Scope:

  • Intro,
  • Permission Sets,
  • Attribute-Based Access Control (ABAC),
  • Account Assignments,
  • Deep dive,
  • Core Building Blocks,
  • Fine-Grained Permission Model,
  • Sample inline policy for fine-grained S3 access,
  • Assignment Lifecycle and Propagation,
  • Policy Evaluation Flow,
  • Advanced Features & Description,
  • Diagram of Fine-Grained Permissions & Assignments (Architecture Flow).

Intro:

    • AWS IAM Identity Center provides two primary mechanisms for fine-grained permissions: Permission Sets and Attribute-Based Access Control (ABAC).
    • These allow twtech to define precise access for users and groups across multiple AWS accounts from a central management console.

Permission Sets
Permission sets are templates that define a collection of IAM policies assigned to users or groups.
    • They can include AWS managed policies, customer managed policies (CMPs), and inline policies.
    • When a permission set is assigned to an account, Identity Center automatically creates a corresponding IAM role in that account with the specified policies.
    • Changes made to a permission set are automatically propagated to all accounts where it is assigned.
    • Administrators can set session durations for each permission set to limit how long a user stays signed in (from 1 to 12 hours).
Attribute-Based Access Control (ABAC)
ABAC allows you to grant access based on user attributes (like department, team, or project) instead of creating unique permission sets for every role.
    • Attributes can be sourced directly from the Identity Store or passed from an external Identity Provider (IdP) like Okta or Microsoft Entra ID via SAML.
    • Permissions are defined once; access is then dynamically granted or revoked by updating user attributes in twtech's corporate directory.
    • This approach simplifies management as the twtech organization scales, reducing the total number of permission sets needed.
Account Assignments
Assignments link identities (users or groups) to specific AWS accounts using a permission set.
    • Access can be assigned at the account level or organizational unit (OU) level if using AWS Organizations.
    • Best practice is to assign permissions to groups rather than individuals to streamline onboarding and offboarding.
    • For large-scale environments, assignments can be managed as code using AWS CloudFormation or Terraform to ensure consistency and auditability.

NB:

    • All these map together to deliver granular access control across AWS accounts and applications.

1. Deep dive

    • AWS IAM Identity Center (successor to AWS SSO) centralizes authentication and authorization for multiple AWS accounts and applications.
    • Fine-grained permissions and assignments in Identity Center are about decoupling identity, access policies, and resource boundaries so twtech can precisely control who can access what, where, and how.

2. Core Building Blocks

Concept and description:

    • User / Group: Imported from an Identity Source (e.g., AWS Directory Service, Active Directory, Okta, Azure AD, etc.).
    • Permission Set: A template of IAM policies that define what permissions are granted once a user assumes an IAM role in an AWS account.
    • Assignment: A mapping of User or Group -> AWS Account -> Permission Set. This creates a dedicated IAM Role in the target account.
    • IAM Role (SSO Role): Automatically provisioned in each target AWS account. The trust policy allows the IAM Identity Center service to assume the role on behalf of authenticated users.

3. Fine-Grained Permission Model

a. Permission Set Composition (A Permission Set can include):

    • AWS Managed Policies (e.g., ReadOnlyAccess, AdministratorAccess)
    • Customer Managed Policies
    • Inline Policy JSON (custom fine-grained controls)

Sample inline policy for fine-grained S3 access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::twtechfinance-data",
        "arn:aws:s3:::twtechfinance-data/dev-ou/*"
      ]
    }
  ]
}

NB:

  • This policy could be embedded inside a Permission Set assigned only to a specific group (e.g., FinanceViewers).
  • s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against object ARNs, which is why both resource forms appear. As written, ListBucket still lets the group list every key in the bucket; a Condition on s3:prefix would be needed to restrict listing to dev-ou/ as well.

b. Scoped Assignments Across Accounts

Assignments can be fine-grained across accounts:

    • Group DevOps -> Account Prod -> ReadOnlyAccess
    • Group DevOps -> Account Staging -> PowerUserAccess
    • User twtech-jacy -> Account Sandbox -> AdminAccess

Thus:

  • Each combination of (User/Group + Account + Permission Set) generates a distinct IAM role per assignment, allowing least privilege enforcement per context.

c. Attribute-Based Access Control (ABAC) Extension

  • When twtech connects an external IdP, it can pass user attributes (e.g., department, project, environment) as session tags.
  • IAM policy conditions can then reference those tags for dynamic fine-grained control.

Sample policy (shown here as a complete policy document):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/project}/*"
    }
  ]
}

NB:

  • This grants access dynamically based on the user’s assigned project attribute.
  • There is no need to create separate permission sets per project.
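As an added example that is not part of the original post, the following Python evaluator applies the two sample policies from this page (the fine-grained S3 inline policy and the ABAC statement) the way IAM resolves them: it expands ${aws:PrincipalTag/...} from the session tags, matches IAM wildcards, and lets an explicit Deny override any Allow. It is a deliberately simplified model (no Condition blocks, resource policies or SCPs), and the session tags and object keys are constructed sample values.

```python
import re

# Policies copied from this page: the fine-grained S3 inline policy and the ABAC statement.
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::twtechfinance-data",
                 "arn:aws:s3:::twtechfinance-data/dev-ou/*"]}]}
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::project-${aws:PrincipalTag/project}/*"}]}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def _resolve(pattern, session_tags):
    # Substitute ${aws:PrincipalTag/key} from the session tags; return None when a
    # referenced tag is absent, since an unresolvable variable can never match.
    missing = False

    def sub(m):
        nonlocal missing
        if m.group(1) not in session_tags:
            missing = True
            return ""
        return session_tags[m.group(1)]
    out = _VAR.sub(sub, pattern)
    return None if missing else out

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one char.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def is_allowed(policy, action, resource_arn, session_tags=None):
    # Simplified identity-policy evaluation (session_tags is a constructed sample dict):
    # an explicit Deny wins, any matching Allow grants, otherwise implicit deny.
    tags = session_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a.lower(), action.lower()) for a in acts):
            continue
        if not any(r is not None and _matches(r, resource_arn)
                   for r in (_resolve(p, tags) for p in ress)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Note the missing-tag case: a principal whose session carries no project attribute gets no access at all rather than access to every project, because an unresolvable policy variable never matches.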

4. Assignment Lifecycle and Propagation

    1. Create a Permission Set in IAM Identity Center.
    2. Assign it to a User/Group and AWS Account.
    3. IAM Identity Center provisions:
      • An IAM Role in the target AWS Account.
      • An inline or attached managed policy based on the Permission Set.
    4. User authenticates via IdP -> IAM Identity Center -> AWS STS.
    5. STS issues temporary credentials for the specific SSO Role.

NB:

  • If an assignment is revoked, IAM Identity Center automatically removes the IAM Role and associated policies in that account.

5. Policy Evaluation Flow

    1. User signs in to the Identity Center portal via the IdP (SAML/OIDC).
    2. IAM Identity Center fetches the user’s group memberships and assignments.
    3. The user selects a target AWS account + permission set (role).
    4. IAM Identity Center calls AWS STS to assume the role.
    5. STS evaluates the trust policy of the IAM Role:
      • Confirms the request came from the sso.amazonaws.com service principal.
      • Checks if the user is authorized for that role.
    6. STS issues temporary credentials scoped to that role’s policies.

6. Advanced Features & Description

Feature and description:

    • Account Assignment APIs: Automate assignment provisioning using aws sso-admin create-account-assignment.
    • Permission Set Provisioning Status: Track propagation across multiple accounts.
    • Delegated Administration: Allow an organization’s delegated admin account to manage Identity Center for all AWS accounts in the org.
    • Audit & Visibility: Use CloudTrail + Identity Center logs to monitor access and assignment changes.
    • Session Duration: Configure short-lived sessions per permission set (1–12 hours).

7. Diagram of Fine-Grained Permissions & Assignments (Architecture Flow)

    1. External IdP authenticates the user (SAML/OIDC).
    2. IAM Identity Center receives attributes and evaluates assignments.
    3. IAM Identity Center maps the user/group to an AWS Account and Permission Set.
    4. The corresponding IAM Role is assumed via STS (Security Token Service).
    5. Temporary credentials grant fine-grained access defined by inline/custom policies.
