What’s the Difference Between AWS Organizations and IAM Identity Center?

Asked By CloudJumper42 On

Hey everyone! I'm diving into AWS and trying to understand the differences between AWS Organizations and IAM Identity Center. I started by setting up an AWS Organization and created a new member account for it. My goal was to limit the permissions of that account, so I made a 'Developer' group with the ReadOnlyAccess policy attached, but the account still seems to have full access — it can create, update, and manage resources that ReadOnlyAccess shouldn't allow. Is there a disconnect between user accounts created in AWS Organizations and those in IAM Identity Center? Am I missing something crucial? Any insight would be greatly appreciated! Thanks!

3 Answers

Answered By TechGuru88 On

It sounds like there's some confusion regarding the terms. When you mention 'group', are you referring to a user group in IAM Identity Center or an organizational unit (OU) in AWS Organizations? Remember, to manage permissions in Organizations, you use Service Control Policies (SCPs) instead of IAM policies. In IAM Identity Center, you assign permissions through a Permission Set, which maps to the appropriate group and account. To troubleshoot further, run the command 'aws sts get-caller-identity' in a command prompt. It shows exactly who AWS thinks you are and what role you’re using. This might clarify why you're still able to do more than just read-only actions.

User1234 -

Thanks for your detailed answer! Just to clarify, I was indeed referring to groups in IAM Identity Center. Your suggestion about using SCPs has really helped out!

Answered By CloudyDay123 On

Welcome! Just to clarify, AWS Organizations is used to manage AWS accounts, while IAM Identity Center manages user identities across those accounts. You need to use both together effectively for proper access control. Check out AWS documentation for specific use cases. If you still need help, AWS has good support resources available.

CloudJumper42 -

Thanks for the warm welcome and the resource links! I’ll definitely check them out.

Answered By CodeMaster99 On

When you mention restricting access, ensure that users are logging into the Identity Center Access Portal. If users were created as IAM Users before converting to Organizations, they might retain old permissions unless removed. Focus on managing permissions through Identity Center and get rid of any IAM Users to avoid security risks.
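As an added example (not code from any of the answers above), a small Python script that classifies the ARN returned by `aws sts get-caller-identity`, the check TechGuru88 suggests, so you can tell whether a session is going through an Identity Center permission set or through a leftover IAM user or root login of the kind CodeMaster99 warns about. The sample identities are constructed placeholders; the `AWSReservedSSO_` role-name prefix is the real Identity Center convention, while the exact form of its hex suffix is an assumption.

```python
import re

# Sample `aws sts get-caller-identity` results, constructed for this example
# (the account ID and names are placeholders, not real).
SAMPLE_IDENTITIES = {
    "identity_center": {"Account": "111122223333", "Arn": (
        "arn:aws:sts::111122223333:assumed-role/"
        "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/dev@example.com")},
    "iam_user": {"Account": "111122223333",
                 "Arn": "arn:aws:iam::111122223333:user/legacy-dev"},
    "root": {"Account": "111122223333", "Arn": "arn:aws:iam::111122223333:root"},
}

# Identity Center provisions one IAM role per permission set per account, named
# AWSReservedSSO_<PermissionSetName>_<hex suffix> (suffix length is assumed variable).
_SSO_ROLE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]+$")


def classify_caller(identity: dict) -> dict:
    """Tell whether a session runs under an Identity Center permission set,
    a plain assumed role, a legacy IAM user, or the account root."""
    arn = identity["Arn"]
    # ARN layout: arn:partition:service:region:account:resource
    _, _, service, _, account, resource = arn.split(":", 5)
    if service == "iam" and resource == "root":
        return {"kind": "root", "account": account,
                "note": "root is not bound by permission sets; only SCPs limit it in a member account"}
    if service == "iam" and resource.startswith("user/"):
        return {"kind": "iam_user", "account": account, "user": resource[5:],
                "note": "IAM user policies apply; Identity Center assignments do not"}
    if service == "sts" and resource.startswith("assumed-role/"):
        role_name, _, session = resource[len("assumed-role/"):].partition("/")
        m = _SSO_ROLE.match(role_name)
        if m:
            return {"kind": "identity_center", "account": account,
                    "permission_set": m.group("permission_set"), "session": session}
        return {"kind": "assumed_role", "account": account,
                "role": role_name, "session": session}
    return {"kind": "unknown", "account": account, "arn": arn}


if __name__ == "__main__":
    for label, ident in SAMPLE_IDENTITIES.items():
        print(f"{label}: {classify_caller(ident)}")
```

Run it against the JSON you get back from the CLI (`aws sts get-caller-identity --output json`) and an `iam_user` or `root` result explains why a ReadOnlyAccess permission set assigned in Identity Center is not taking effect for that session.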
