In this step your Security and Cloud Administrators will define and provision policies to control the extent of access workload administrators have in your test and production workload AWS accounts.
Depending on the extent of your workload administrator policy needs, this step can take 30 minutes to several hours to complete.
You’ll first need to define a set of IAM policies that can form the basis of an AWS SSO permission set that can be used to grant your workload administrators sufficient access to get their work done in their test and production environments.
Since the permissions provided by these policies are largely dependent on the type of workload and the supporting AWS resources, this guide does not provide you with an example set of policies.
See Access management for AWS resources for an introduction to managing access via IAM.
AWS provides predefined, AWS managed policies for common sets of permissions associated with many of the AWS services. You can browse the AWS managed policies by accessing the IAM service in the AWS management console and selecting
Depending on the AWS services your initial workloads use, you might be able to reuse some of the AWS managed policies combined with custom policies that you create to suit your particular needs.
Once you’ve identified a set of policies that are suitable for your workload administrators, you’ll need to create a permission set in AWS SSO so that you can assign the permissions to the test and production accounts and grant the appropriate team members access to those accounts using those permissions.
AWS accountsin AWS SSO.
Create permission set.
Create a custom permission set.
Name. For example,
examplewith your organization identifier.
Description. For example,
Day-to-day permissions used workload administrators in their test and prod AWS accounts.
Session durationto the desired value.
Attach managed policiesand select the AWS managed policies of interest.
Create a custom permissions policyand paste the content of your custom policy.
Later, when you onboard the people who are playing the role of workload administrators to the new workload AWS accounts, you’ll reference this permission set.
In the next section, after you’ve created the initial test and production AWS accounts, you should test the workload administrator permission set and supporting policies. You should adjust the policies based on the results of your testing and be prepared to evolve the policies over time.