DEV Community

xiao jin
xiao jin

Posted on

AWS IAM Identity Center Permissionsets and OU Mappings

#aws #cloudnative

Background

We're using IAM Identity Center, previously called AWS SSO, to manage the permissions and user mapping centrally. The permissionset is a function provided by AWS IAM Identity Center. This function will provision the role inside the organization so that the user can easily assume the role via other SSO services.

However, we found there is no way to control the permissionsets and organization unit mapping. This means the admin can accidentally assign the wrong permissionsets to users. We treat it as a security risk for us.

Below is a diagram of organization unit and permissionsets mapping:

Permissionsets and OU Architecture
Security risks summary:

  • Administrators will accidentally assign the wrong permission for the wrong users.
  • Nothing to validate and check if the permissionsets are suitable for the account. In a big company, it will be difficult to maintain so many permissionsets.

Why SCP Does Not Work.

The very first thing that came into my mind for organization restriction is SCP(Service Control Policies). But why this will not work?
The reason is as follows:

  • The permissionset assignment happened in the Management account, not in the child OU itself.
  • The SCP restricts only the account action in the OU level, but all the actions happened in one account. Actions cannot be split to different levels.

Restrict via Permission Boundary

This is a permission boundary to restrict user not act outside his own OU. Actually, each permissionset means a role inside different accounts. Then it makes sense to create permission boundary for the permissionset.

An inline policy appended to the permissionset:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "aws:PrincipalOrgPaths": ["<organization-id>/<ou-id>/"]
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Quick Explanation:

  • Deny all actions when met the condition.
  • If "aws:PricipalOrgPaths" does not equal the one we defined, then action rejected.
  • This actually has the same meaning of "allow only" when the organization is what we defined.
profile
Hostinger
 Promoted

Hostinger image

Get n8n VPS hosting 3x cheaper than a cloud solution

Get fast, easy, secure n8n VPS hosting from $4.99/mo at Hostinger. Automate any workflow using a pre-installed n8n application and no-code customization.

Start now

Top comments (0)

profile
Qodo
 Promoted

Qodo Takeover

Introducing Qodo Gen 1.0: Transform Your Workflow with Agentic AI

Rather than just generating snippets, our agents understand your entire project context, can make decisions, use tools, and carry out tasks autonomously.

Read full post

Read next

arpadt profile image

Using YubiKeys for passwordless authentication in Cognito user pools

Arpad Toth -

chinmay13 profile image

Deploying a Serverless Architecture with REST API using API Gateway, Lambda, DynamoDB, and Terraform

Chinmay Tonape -

hoangguruu profile image

Top 110+ DevOps Interview Questions and Answers for 2025

Hoang Guruu -

ssun3 profile image

Terraforming IAM: Organizing Permissions for Clarity and Flexibility

ssun3 -