What’s the Difference Between AWS Organizations and IAM Identity Center?

Asked By CloudySkies42 On

Hey everyone! I'm diving into AWS Cloud and trying to get my hands dirty with some practical experience. I'm confused about the main differences between AWS Organizations and IAM Identity Center.

I set up an AWS Organization and added a new member account, looking to limit its permissions. I created a group called Developer, attached the ReadOnlyAccess policy, and added this account to the group. But despite that, the account seems to have full access—it can create, update, and manage resources far beyond what ReadOnlyAccess should allow.

So, I'm wondering if there's a disconnect between accounts set up under AWS Organizations and those managed through IAM Identity Center? Am I missing something important or any specific steps here? Any help would be greatly appreciated! Thanks!

4 Answers

Answered By CloudySkywalker On

Just to add, AWS Organizations manages AWS accounts, while IAM Identity Center handles the users across those accounts. You use both in tandem for effective management!

Answered By HelpfulHannah On

Check out the documentation about the relationship between AWS Organizations and IAM Identity Center. It explains the intricacies well—definitely worth a read! Here’s a link: http://go.aws/44JG6BA. And if you need more help, they have support options available: http://go.aws/get-help.

CloudySkies42 -

Thanks for the resources! They’re very helpful as I get familiar with these concepts.

Answered By DataDude24 On

You're mixing up some terms, so let me clarify. In AWS, Accounts are containers for resources and are identified by a unique number, while Users are logins for individuals associated with those Accounts. You assign Users and Groups permissions via IAM Identity Center, and those can differ per Account. If the Users were created before switching to Organizations, they might still be IAM Users, which can cause confusion. Make sure you're transitioning to the Identity Center for user management to avoid security risks.

Answered By TechieTommy On

It sounds like there's some confusion regarding what you mean by "group." Are you referring to an Organizational Unit (OU) under AWS Organizations or a group for users in IAM Identity Center?

To restrict permissions for accounts in Organizations, you need to use Service Control Policies (SCPs) instead of IAM policies. In Identity Center, you assign policies to a Permission Set, which you then link to the Group and the Account/OU you're working with.

A handy debug tip: use the command `aws sts get-caller-identity` in your command prompt. This command helps you see exactly who AWS thinks you are and what role you're using, which can clarify what's going wrong here. It seems like you might still be operating on an admin permission level instead of properly pulling the ReadOnly permissions from Identity Center.

CuriousCoder99 -

Thanks for the detailed response! Just to clarify, when I mentioned 'Group,' I was indeed talking about groups in IAM Identity Center. I ended up using SCPs as you recommended, and that worked! Now I’m curious: between setting up an AWS Organization with SCPs versus using IAM Identity Center to assign policies to Permission Sets, which one do you prefer and in what situations?

GratefulGamer22 -

Thanks for sharing that tip! I’ll definitely try using that command. It’s good to know about SCPs for this kind of permission management.
