
I have a highly multi-account environment and Users that are assigned multiple permission sets per account.

e.g. Bob has both Administrator and ReadOnly for Test and Prod accounts.
Say I want to only remove Bob’s Administrator access for the Prod account, but leave his ReadOnly permission and also leave both the Administrator and ReadOnly permission sets intact (because Alice is still an Administrator in Prod).

How do I do this in IAM Identity Center? The only options seem to be to delete the permission set or disable/delete the user. I don’t see how to remove a permission set from a user for a specific account.

2 Answers


  1. Chosen as BEST ANSWER

    I learned that there is no "bulk remove" like there is for adding account permissions. You have to remove the permissions one account at a time.

    • Navigate to the IAM Identity Center console and under "Multi-Account Permissions" on the left hand side, select "AWS Accounts"
    • Click on the desired account link, rather than the checkbox to the left.
    • Once in the individual account, under the "Users and Groups" tabs, you would see the users and groups for this account.
    • Select the radio button next to the username or group and click on the "Change Permission Sets" button towards the right side of the screen.
    • From this page you can then uncheck the desired permission set and click "Save Changes".

    A bit tedious for multiple accounts, but at least it's possible.


  2. Use the DeleteAccountAssignment API, which "Deletes a principal’s access from a specified AWS account using a specified permission set."

    The key concept here is the "Account Assignment". It is a 3-way relationship between a (1) Permission Set, (2) User or Group Principal and (3) Account.

    You create and delete account assignments using the same parameters, all of which are required:

    "InstanceArn": <Identity Center ARN>,
    "PermissionSetArn": <Permission Set ARN>,
    "PrincipalId": <Identity Center GUID for the User or Group>,
    "PrincipalType": "USER" | "GROUP",
    "TargetId": <AWS Account ARN>,
    "TargetType": "AWS_ACCOUNT"
    

    There is no "update" action – the relationship either exists or doesn’t.
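The same account-assignment removal, scripted, as an added example that is not part of either answer above. It assumes boto3 and credentials with sso-admin rights for a real run; the instance ARN, permission set ARN, account ID and principal ID are placeholders. The helpers take any client object, so the bundled fake client (constructed sample data: Bob and Alice both holding one permission set in one account) lets the logic run offline. Note that the DeleteAccountAssignment call's TargetId takes the 12-digit account ID. The script lists the assignments for the permission set in the account first, deletes only the one matching the principal, and reports who still holds the permission set, which is the check you want before touching anything shared.

```python
"""Remove one IAM Identity Center account assignment (principal + permission set + account)
while leaving the permission set and everyone else's assignments untouched.
Added example; not from the original post. ARNs/IDs below are placeholders."""
import time
from typing import Any, Dict, List, Optional

try:
    import boto3  # only needed for a real run against the 'sso-admin' service
except ImportError:  # pragma: no cover
    boto3 = None


def list_assignments(client, instance_arn: str, account_id: str, permission_set_arn: str) -> List[Dict[str, Any]]:
    """All assignments of one permission set in one account, following NextToken pagination."""
    assignments: List[Dict[str, Any]] = []
    kwargs = {"InstanceArn": instance_arn, "AccountId": account_id, "PermissionSetArn": permission_set_arn}
    while True:
        page = client.list_account_assignments(**kwargs)
        assignments.extend(page.get("AccountAssignments", []))
        token = page.get("NextToken")
        if not token:
            return assignments
        kwargs["NextToken"] = token


def find_assignment(assignments: List[Dict[str, Any]], principal_id: str, principal_type: str) -> Optional[Dict[str, Any]]:
    """The single assignment held by this principal, or None if it does not exist."""
    for a in assignments:
        if a["PrincipalId"] == principal_id and a["PrincipalType"] == principal_type:
            return a
    return None


def remove_assignment(client, instance_arn: str, account_id: str, permission_set_arn: str,
                      principal_id: str, principal_type: str = "USER") -> Dict[str, Any]:
    """Delete exactly one assignment. Returns whether a deletion was requested, the request id,
    and the principals that still hold the permission set in this account afterwards."""
    before = list_assignments(client, instance_arn, account_id, permission_set_arn)
    target = find_assignment(before, principal_id, principal_type)
    if target is None:  # nothing to remove; never issue a blind delete
        return {"deleted": False, "request_id": None, "remaining": [a["PrincipalId"] for a in before]}
    resp = client.delete_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,          # 12-digit AWS account ID
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType=principal_type,
        PrincipalId=principal_id,
    )
    status = resp["AccountAssignmentDeletionStatus"]
    remaining = [a["PrincipalId"] for a in before if a is not target]
    return {"deleted": True, "request_id": status["RequestId"], "status": status["Status"], "remaining": remaining}


def wait_for_deletion(client, instance_arn: str, request_id: str, attempts: int = 30, delay: float = 2.0) -> str:
    """Poll the asynchronous deletion until it leaves IN_PROGRESS; returns the final Status."""
    for _ in range(attempts):
        st = client.describe_account_assignment_deletion_status(
            InstanceArn=instance_arn, AccountAssignmentDeletionRequestId=request_id
        )["AccountAssignmentDeletionStatus"]
        if st["Status"] != "IN_PROGRESS":
            return st["Status"]
        time.sleep(delay)
    return "IN_PROGRESS"


class FakeSSOAdmin:
    """Constructed stand-in for the sso-admin client: Bob and Alice both hold one permission set
    in account 111111111111, split over two pages to exercise pagination."""
    PS = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER"

    def __init__(self):
        self.deleted: List[Dict[str, Any]] = []
        self.pages = [
            {"AccountAssignments": [{"AccountId": "111111111111", "PermissionSetArn": self.PS,
                                     "PrincipalType": "USER", "PrincipalId": "bob-guid"}], "NextToken": "page2"},
            {"AccountAssignments": [{"AccountId": "111111111111", "PermissionSetArn": self.PS,
                                     "PrincipalType": "USER", "PrincipalId": "alice-guid"}]},
        ]

    def list_account_assignments(self, **kw):
        return self.pages[1] if kw.get("NextToken") else self.pages[0]

    def delete_account_assignment(self, **kw):
        self.deleted.append(kw)
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS", "RequestId": "req-0001"}}

    def describe_account_assignment_deletion_status(self, **kw):
        return {"AccountAssignmentDeletionStatus": {"Status": "SUCCEEDED", "RequestId": kw["AccountAssignmentDeletionRequestId"]}}


if __name__ == "__main__":
    # Offline demonstration with the constructed client; swap in boto3.client("sso-admin") for a real run.
    client = boto3.client("sso-admin") if False and boto3 else FakeSSOAdmin()
    result = remove_assignment(client, "arn:aws:sso:::instance/ssoins-PLACEHOLDER",
                               "111111111111", FakeSSOAdmin.PS, "bob-guid")
    print(result)
    if result["deleted"]:
        print("final status:", wait_for_deletion(client, "arn:aws:sso:::instance/ssoins-PLACEHOLDER", result["request_id"]))
```

Because the API is asynchronous, the delete call only returns a request id; wait_for_deletion polls DescribeAccountAssignmentDeletionStatus so a script can confirm the removal before moving to the next account.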
