Today I learned about setting up AWS IAM Identity Center for an AWS Organization. Besides the identity provider, which I'm not going to get into, there are four major concepts you need to know about.
Those concepts are:
- users
- groups
- permission sets
- accounts
Users are pretty straightforward: a user is a person with access to the AWS organization. A user can be assigned to groups, or directly to a permission set, which grants them access to certain resources in one or more accounts.
A group is a collection of users that share permissions; for example, a group could hold view-only permissions for the logs account.
Permission sets are the equivalent of IAM policies: they define the actions that a user or group of users is allowed to take. Permission sets are defined at the Identity Center level and exist separately from AWS accounts.
When it comes to accounts, there is a three-way relationship between users or groups, permission sets, and accounts: an assignment grants a group (or user) a permission set over a collection of accounts.
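To make the three-way relationship concrete, here is an added Terraform example (my own illustration, not part of the original write-up) that wires together all four concepts: a user, a group the user belongs to, a view-only permission set, and an account assignment that grants the group that permission set on the logs account. The group name, user details, permission set name, and the `111111111111` account ID are placeholders I made up; the example assumes the Terraform AWS provider with an existing IAM Identity Center instance in the organization's management account.

```hcl
# Look up the organization's IAM Identity Center instance and its identity store.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  logs_account_id   = "111111111111" # placeholder account ID, not a real account
}

# Concept 3: a permission set. It lives at the Identity Center level, not in any
# one account, and here it is backed by the AWS-managed ReadOnlyAccess policy.
resource "aws_ssoadmin_permission_set" "view_only" {
  name             = "ViewOnly"
  description      = "Read-only access, intended for the logs account"
  instance_arn     = local.instance_arn
  session_duration = "PT8H" # keep sessions short; ISO 8601 duration
}

resource "aws_ssoadmin_managed_policy_attachment" "view_only" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Concept 2: a group. Permissions are granted to the group, never to individuals,
# so onboarding and offboarding is just a membership change.
resource "aws_identitystore_group" "logs_viewers" {
  identity_store_id = local.identity_store_id
  display_name      = "LogsViewers"
  description       = "People who may read, but not change, the logs account"
}

# Concept 1: a user (placeholder identity) who is made a member of the group.
resource "aws_identitystore_user" "alice" {
  identity_store_id = local.identity_store_id
  display_name      = "Alice Example"
  user_name         = "alice"

  name {
    given_name  = "Alice"
    family_name = "Example"
  }

  emails {
    value = "alice@example.com"
  }
}

resource "aws_identitystore_group_membership" "alice_logs_viewers" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.logs_viewers.group_id
  member_id         = aws_identitystore_user.alice.user_id
}

# Concept 4: the account assignment. This is the three-way relationship itself:
# (principal = group, permission set = ViewOnly, target = logs account).
# Granting another account is one more assignment with a different target_id.
resource "aws_ssoadmin_account_assignment" "logs_viewers_view_only" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  principal_id       = aws_identitystore_group.logs_viewers.group_id
  principal_type     = "GROUP"
  target_id          = local.logs_account_id
  target_type        = "AWS_ACCOUNT"
}
```

The useful thing to notice is that nothing in the permission set or the group references an account; only the `aws_ssoadmin_account_assignment` ties the two to a target account. Reviewing who can reach which account therefore means reviewing the assignments, not the permission sets on their own.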