Managing least privileges with AWS SSO

How are people managing least privileges with AWS SSO?
Let’s say I want to grant some end users access to a specific S3 bucket via SSO, and no other access?
Do I create a single use permission set that’s only valid for that one account/bucket?

(xpost from twitter)

That is the way I would do it

Yeah that’s how I do it also. It’s a tad annoying but better than any other alternative I’ve been able to think of.

We do exactly this. I’ve never tried it but I think there is a way to use attributes to use a single policy to give different users the same access but on different buckets based on these attributes. (docs on attribute based access control).

Thanks all, glad to know I’m not missing something super obvious

The attribute based stuff is definitely interesting, but also a little scary

Is anyone using attribute based policies? Would like to see an example.
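An added example of the attribute-based pattern the thread refers to, written for this page rather than taken from any of the posts or from AWS: an inline policy for a permission set that scopes S3 access to one bucket chosen by the user's attribute. It assumes a `team` attribute is mapped in the SSO attributes-for-access-control settings and that buckets are named `<team>-data`; both are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheTeamBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${aws:PrincipalTag/team}-data"
    },
    {
      "Sid": "ReadWriteObjectsOnlyInTheTeamBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::${aws:PrincipalTag/team}-data/*"
    }
  ]
}
```

Replacing `${aws:PrincipalTag/team}` with a literal bucket name gives the single-use permission set described in the question; the variable form lets one permission set serve many users. If the attribute is not mapped or is empty for a user, the variable does not resolve and the statement grants nothing, so test with a user that has the attribute set before rolling it out.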