Posted On: Jul 19, 2022
AWS Single Sign-On (AWS SSO) now supports AWS Identity and Access Management (IAM) customer managed policies (CMPs) and permission boundary policies within AWS SSO permission sets. The new capability helps AWS SSO customers to improve their security posture by creating larger and finer-grained policies for least privilege access and by tailoring policies to reference the resources of the account to which they are applied. Using CMPs, AWS SSO customers can maintain the consistency of policies, as CMP changes apply automatically to all permission sets and roles that use the CMP. This enables customers to govern their CMPs and permissions boundaries centrally, and allows auditors to find, monitor, and review them. Customers, who have existing CMPs for roles they manage in AWS IAM, can reuse their CMPs without the need to create, review, and approve new in-line policies for permission sets.
AWS SSO permission sets are role definitions that manage access to multiple AWS accounts. Until now, to define the level of access in a permission set, administrators had to specify in-line policies which were limited to 10,240 characters. With this release, they can specify in the permission set the names of up to 10 CMPs and one permission boundary policy, each up to 6,144 characters long.