Permission Sets

Permission sets define what actions users and groups can perform within AWS accounts. A permission set is a collection of AWS IAM policies -- both AWS managed policies and custom inline policies -- that gets assigned to users or groups on specific AWS accounts through assignments.

Permission Sets List

The Permission Sets page displays a paginated table of all permission sets in your organization.

Available Actions

Action | Description | Link
Create Permission Set | Define a new permission set | Create Permission Set
Edit Permission Set | Modify an existing permission set | Edit Permission Set
Delete Permission Set | Remove a permission set | Delete Permission Set

Understanding Permission Set Components

A permission set can contain two types of policies:

AWS Managed Policies

Pre-built policies provided by AWS, such as ReadOnlyAccess, PowerUserAccess, or AdministratorAccess. These are maintained by AWS and automatically updated when AWS adds new services.

Inline IAM Policies

Custom JSON policy documents that you write to grant specific, fine-grained permissions. These give you full control over exactly which AWS actions, resources, and conditions are allowed.

tip

For most use cases, start with an AWS managed policy and add inline policies only for fine-grained access control that the managed policies do not cover.

How Permission Sets Work

  1. You create a permission set with one or more policies.
  2. You create an assignment that links the permission set to a user or group on an AWS account.
  3. When the user logs into the AWS account, they receive the permissions defined in the permission set.

warning

Permission sets do not take effect until they are assigned to a user or group on an AWS account.


Create Permission Set

Create a new permission set that defines what AWS actions users and groups can perform. Permission sets are composed of AWS managed policies and/or custom inline IAM policies.

Prerequisites

  • You should have an understanding of which AWS permissions your users need.

Step-by-Step Guide

  1. Navigate to Admin Portal > Permission Sets from the sidebar.
  2. Click the Create Permission Set button at the top of the table.
  3. Fill in the permission set details:
    • Name -- Enter a unique, descriptive name.
    • Description -- Optionally, describe the purpose of this permission set.
    • Session Duration -- Set how long a user's AWS session lasts before requiring re-authentication.
  4. Attach policies:
    • AWS Managed Policies -- Search for and select pre-built AWS policies from the list. See AWS Managed Policies for details.
    • Inline Policies -- Write custom JSON IAM policy documents in the policy editor. See Inline IAM Policies for details.
  5. Review the configuration.
  6. Click Create to save the permission set.

Field Reference

Field | Type | Required | Description
Name | Text | Yes | A unique name for the permission set. Used to identify it in assignments and AWS.
Description | Text | No | An optional description of the permission set's purpose and intended use.
Session Duration | Duration | No | The maximum length of an AWS console or CLI session. Defines how long a user stays authenticated before needing to re-authenticate.
AWS Managed Policies | Multi-select | No | One or more AWS managed policies to attach. Use the search field to filter by policy name.
Inline Policies | JSON | No | Custom IAM policy documents in JSON format. Validated on input.

warning

A permission set must have at least one policy attached -- either an AWS managed policy or an inline policy. A permission set with no policies grants no access.

tip

Use the search functionality when selecting AWS managed policies. AWS has hundreds of managed policies, and searching by keyword (e.g., "S3", "EC2", "ReadOnly") is the fastest way to find what you need.

What Happens Next

After creating a permission set:

  1. The permission set is saved in Prism's database.
  2. You can now create assignments that use this permission set.

info

A permission set has no effect until it is assigned to a user or group on a specific AWS account. Creating the permission set is the first step -- assigning it is the second.


Edit Permission Set

Modify an existing permission set to update its policies, session duration, or other settings. Changes to a permission set affect all assignments that use it.

Prerequisites

  • The permission set you want to edit must already exist.

Step-by-Step Guide

  1. Navigate to Admin Portal > Permission Sets from the sidebar.
  2. Locate the permission set you want to edit in the table.
  3. Click the permission set name to view its details.
  4. Click the Edit action button on the permission set's row.
  5. Modify the desired fields:
    • Description -- Update the description.
    • Session Duration -- Change the session timeout.
    • AWS Managed Policies -- Add or remove managed policies from the selection.
    • Inline Policies -- Edit the custom JSON policy documents.
  6. Review the changes.
  7. Click Save to apply the updates.

Field Reference

Field | Type | Required | Editable | Description
Name | Text | Yes | No | The permission set's name.
Description | Text | No | Yes | Description of the permission set's purpose.
Session Duration | Duration | No | Yes | Maximum AWS session length.
AWS Managed Policies | Multi-select | No | Yes | AWS managed policies attached to the set.
Inline Policies | JSON | No | Yes | Custom inline IAM policy documents.

warning

Editing a permission set affects all users and groups that are assigned this permission set across all AWS accounts. Review existing assignments before making changes to avoid unintended access modifications.

What Happens Next

After editing a permission set:

  1. The updated configuration is saved in Prism's database.
  2. The changes sync to each AWS account the permission set is assigned to. Propagation is eventually consistent: each account picks up the change as its sync completes, so the accounts may briefly differ.

tip

If you need different permissions for different accounts, create separate permission sets rather than editing a shared one. This avoids unintentionally changing access for users on other accounts.


Delete Permission Set

Remove a permission set from your Prism organization. Deleting a permission set revokes all assignments that use it.

Prerequisites

  • The permission set you want to delete must already exist.

Step-by-Step Guide

  1. Navigate to Admin Portal > Permission Sets from the sidebar.
  2. Locate the permission set you want to delete in the table.
  3. Click the Delete action button on the permission set's row.
  4. A confirmation dialog will appear, asking you to confirm the deletion.
  5. Review the permission set name displayed in the dialog to ensure you are deleting the correct one.
  6. Click Confirm to proceed with the deletion, or Cancel to abort.

warning

Deleting a permission set is irreversible. All assignments that reference this permission set will be revoked. Users and groups that depended on this permission set will lose the associated AWS access.

What Happens Next

After deleting a permission set:

  1. The permission set is removed from Prism's database.
  2. All assignments that used this permission set are revoked.
  3. The permission set disappears from the Permission Sets list.

tip

Before deleting a permission set, check which assignments use it. If users still need similar access, create a replacement permission set and update the assignments before deleting the old one.


AWS Managed Policies

AWS managed policies are pre-built IAM policies created and maintained by AWS. They provide ready-made sets of permissions for common use cases and are automatically updated by AWS when new services or features are released.

Overview

When creating or editing a permission set, you can attach one or more AWS managed policies. Prism provides a searchable list of all available AWS managed policies, making it easy to find and select the right policies for your use case.

How to Attach AWS Managed Policies

  1. During permission set creation or editing, locate the AWS Managed Policies section.
  2. Use the search field to filter policies by name or keyword.
  3. Browse the filtered list and select the policies you want to attach.
  4. Selected policies appear in the attached policies list.
  5. You can remove a selected policy by deselecting it.

tip

Type keywords like "ReadOnly", "S3", "EC2", or "Admin" in the search field to quickly narrow down the policy list.

Common AWS Managed Policies

Here are some frequently used AWS managed policies:

Policy Name | Description | Use Case
AdministratorAccess | Provides full access to all AWS services and resources. | Full admin access for account administrators.
ReadOnlyAccess | Provides read-only access to all AWS services. | Auditors, viewers, and read-only users.
PowerUserAccess | Provides full access to AWS services except IAM and Organizations. | Developers who need broad access but should not manage IAM.
ViewOnlyAccess | Provides view-only access (more restrictive than ReadOnlyAccess). | Users who only need to view resource configurations.
SecurityAudit | Provides read access to security configuration and logs. | Security team members performing audits.
SystemAdministrator | Provides access for system administrators to manage AWS resources. | IT operations and system administrators.
DatabaseAdministrator | Provides access for database administration tasks. | DBAs managing RDS, DynamoDB, and other database services.
NetworkAdministrator | Provides access for network administration tasks. | Network engineers managing VPCs, Route 53, and CloudFront.
Billing | Provides access to billing and cost management. | Finance teams managing AWS costs.

Best Practices

  • Start with least privilege -- Choose the most restrictive managed policy that meets your needs. You can always add more permissions later.
  • Combine with inline policies -- Use a managed policy for broad access and an inline policy to restrict or extend specific permissions.
  • Avoid AdministratorAccess unless necessary -- Full admin access should be reserved for a small number of trusted users.

warning

AWS managed policies can be quite broad. For example, PowerUserAccess grants access to nearly all AWS services. Always review the policy's permissions to ensure they align with the principle of least privilege.

info

AWS managed policies are maintained by AWS and may change over time as new services are added. This means users with a managed policy like ReadOnlyAccess will automatically gain read access to new AWS services as they are released.


Inline IAM Policies

Inline IAM policies are custom JSON policy documents that you write to define fine-grained AWS permissions. They give you complete control over exactly which actions, resources, and conditions are allowed or denied.

Overview

Unlike AWS managed policies, inline policies are written by you and are fully customizable. Prism provides a JSON editor with validation to help you write syntactically correct IAM policies.

How to Write an Inline Policy

  1. During permission set creation or editing, locate the Inline Policies section.
  2. The JSON editor will be displayed.
  3. Write or paste your IAM policy document in JSON format.
  4. The editor validates the JSON syntax as you type.
  5. Fix any validation errors before saving.

IAM Policy Structure

An IAM policy document has the following structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Policy Elements

Element | Required | Description
Version | Yes | The policy language version. Always use "2012-10-17".
Statement | Yes | An array of one or more permission statements.
Effect | Yes | Either "Allow" or "Deny".
Action | Yes | The AWS service actions to allow or deny (e.g., "s3:GetObject").
Resource | Yes | The AWS resource ARNs the statement applies to. Use "*" for all resources.
Condition | No | Optional conditions that must be met for the statement to apply.

Common Examples

Read-Only Access to a Specific S3 Bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-data",
        "arn:aws:s3:::my-app-data/*"
      ]
    }
  ]
}

EC2 Instance Management in a Specific Region

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}

Deny Access to Specific Services

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    }
  ]
}
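The Deny example above is the pattern the "Combine with inline policies" best practice in the AWS Managed Policies section refers to: a broad managed policy for access, plus an inline Deny that carves out what must never be allowed. The Python model below is an added illustration, not code from Prism or AWS, of how the policies in one permission set combine at evaluation time: an explicit Deny in any statement wins, otherwise any matching Allow grants the request, otherwise it is implicitly denied. It assumes a constructed allow-everything stand-in for AdministratorAccess, the two inline policies from this page, and constructed ARNs and account id; only the StringEquals condition operator is modelled, and NotAction/NotResource statements are rejected rather than evaluated.

```python
import fnmatch

# Constructed stand-in for the AdministratorAccess managed policy (allow every
# action on every resource); it is not a copy of the AWS document.
ADMIN_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The "Deny Access to Specific Services" inline policy from this page.
DENY_IDENTITY_SERVICES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:*", "organizations:*", "account:*"],
        "Resource": "*",
    }],
}

# The "EC2 Instance Management in a Specific Region" inline policy from this page.
EC2_US_EAST_1 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "ec2:DescribeInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM matches action names case-insensitively, with * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # ARNs use the same wildcards; matched case-sensitively in this model.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the StringEquals operator used on this page is modelled."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Simplified identity-policy evaluation: an explicit Deny in any statement
    wins, otherwise any matching Allow grants, otherwise implicit deny.
    """
    context = context or {}
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled")
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit deny always wins
            decision = "allow"
    return decision


def permission_set_decision(managed, inline, action, resource, context=None):
    """A permission set's effective policy is the union of its managed and inline policies."""
    return evaluate(list(managed) + list(inline), action, resource, context)


if __name__ == "__main__":
    # Constructed account id and ARNs for the demonstration.
    user_arn = "arn:aws:iam::123456789012:user/alice"
    instance_arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    print(permission_set_decision([ADMIN_ACCESS], [DENY_IDENTITY_SERVICES],
                                  "iam:CreateUser", user_arn))  # explicit_deny
    print(permission_set_decision([ADMIN_ACCESS], [DENY_IDENTITY_SERVICES],
                                  "s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"))  # allow
    print(permission_set_decision([], [EC2_US_EAST_1], "ec2:StopInstances", instance_arn,
                                  {"aws:RequestedRegion": "eu-west-1"}))  # implicit_deny
```

The order of the policies does not matter: the Deny on `iam:*` overrides the managed Allow whether it is listed first or last, which is why an inline Deny is a safe way to tighten a broad managed policy, while an inline Allow can only ever widen it.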

Validation

The JSON editor in Prism validates your policy document for:

  • JSON syntax -- Ensures the document is valid JSON.
  • Required fields -- Checks that Version, Statement, Effect, Action, and Resource are present.

Best Practices

  • Follow least privilege -- Grant only the minimum permissions needed.
  • Use specific resource ARNs -- Avoid "Resource": "*" when possible. Target specific resources.
  • Use conditions -- Add conditions to restrict by region, IP address, time, or other factors.
  • Test policies -- Use the AWS IAM Policy Simulator to test your policies before deploying.
  • Document your policies -- Use the permission set description to explain what the inline policy is for.
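The Validation section describes the two checks the Prism editor performs (JSON syntax and required fields), and the best practices above add least-privilege advice that a reviewer would want to check mechanically. The following Python validator is an added example, not Prism's own validation code: it implements the page's two checks plus the allowed values for Version and Effect as errors, and reports "Resource": "*" or "Action": "*" in an unconditioned Allow statement as warnings, so the page's region-scoped EC2 example and its Deny example pass clean. The sample policies other than the page's own S3 and EC2 examples are constructed for the demonstration.

```python
import json

REQUIRED_TOP_LEVEL = ("Version", "Statement")
REQUIRED_STATEMENT = ("Effect", "Action", "Resource")

# The "Read-Only Access to a Specific S3 Bucket" example from this page.
S3_READ_ONLY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-app-data", "arn:aws:s3:::my-app-data/*"]
  }]
}"""

# The "EC2 Instance Management in a Specific Region" example from this page.
EC2_REGION_SCOPED = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "ec2:DescribeInstances"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
  }]
}"""

# Constructed: syntactically valid but violates the least-privilege advice.
OVER_BROAD = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

# Constructed: a required statement field is missing.
MISSING_EFFECT = """{
  "Version": "2012-10-17",
  "Statement": [{"Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-app-data/*"}]
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_policy(document):
    """Return a list of (severity, message) findings for an inline policy string.

    'error' findings cover JSON syntax, the required fields, and the allowed
    values of Version and Effect. 'warning' findings are least-privilege lints:
    Action "*" or Resource "*" in an Allow statement with no Condition.
    Deny statements are not linted, since a broad Deny only narrows access.
    """
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(policy, dict):
        return [("error", "policy document must be a JSON object")]

    for field in REQUIRED_TOP_LEVEL:
        if field not in policy:
            findings.append(("error", f"missing required field {field!r}"))
    if "Version" in policy and policy["Version"] != "2012-10-17":
        findings.append(("error", 'Version must be "2012-10-17"'))

    statements = policy.get("Statement")
    if statements is None:
        return findings
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        findings.append(("error", "Statement must be a non-empty array"))
        return findings

    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(("error", f"statement {i}: must be a JSON object"))
            continue
        for field in REQUIRED_STATEMENT:
            if field not in stmt:
                findings.append(("error", f"statement {i}: missing required field {field!r}"))
        effect = stmt.get("Effect")
        if "Effect" in stmt and effect not in ("Allow", "Deny"):
            findings.append(("error", f'statement {i}: Effect must be "Allow" or "Deny"'))
        if effect != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])):
            findings.append(("warning", f'statement {i}: Action "*" allows every API call'))
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append(("warning", f'statement {i}: Resource "*" without a Condition; '
                                        'scope it to specific ARNs or add a condition'))
    return findings


def is_valid(document):
    """True when the document has no 'error' findings; warnings are advisory."""
    return not any(severity == "error" for severity, _ in validate_policy(document))


if __name__ == "__main__":
    for name, doc in [("S3_READ_ONLY", S3_READ_ONLY), ("EC2_REGION_SCOPED", EC2_REGION_SCOPED),
                      ("OVER_BROAD", OVER_BROAD), ("MISSING_EFFECT", MISSING_EFFECT),
                      ("BAD_JSON", '{"Version": ')]:
        print(name, is_valid(doc), validate_policy(doc))
```

Warnings are deliberately kept separate from errors: the editor's job is to reject documents IAM would not accept, while the least-privilege lints are a review aid, and a warning-free result is not a substitute for testing the policy in the AWS IAM Policy Simulator as the best practices recommend.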