Using identity-based policies (IAM policies) for Amazon Account Management - Amazon Account Management
Amazon Account Management actions policies
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using identity-based policies (IAM policies) for Amazon Account Management

For a full discussion of Amazon Web Services accounts and IAM users, see What Is IAM? in the IAM User Guide.

For instructions on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

Amazon Account Management actions policies

This table summarizes the permissions that grant access to your account settings. For examples of policies that use these permissions, see Amazon Account Management policy examples.

Note

To grant IAM users write access to a specific account setting in the Account page of the Amazon Web Services Management Console, you must allow the GetAccountInformation permission, in addition to the permission (or permissions) that you want to use to modify that setting.

Permission name Access level Description

account:ListRegions

List

Grants permission to list the available Regions.

account:GetAccountInformation

Read

Grants permission to retrieve the account information for an account.

account:GetAlternateContact

Read

Grants permission to retrieve the alternate contacts for an account.

account:GetChallengeQuestions

Read

Grants permission to retrieve the challenge questions for an account.

account:GetContactInformation

Read

Grants permission to retrieve the primary contact information for an account.

account:GetRegionOptStatus

Read

Grants permission to get the opt-in status of a Region.

account:AcceptPrimaryEmailUpdate

Write

Grants permission to accept the primary email address update of the member account in an Amazon organization.

account:CloseAccount

Write

Grants permission to close an account.

Note

This is a permission for the console only. No API access is available for this permission.

account:DeleteAlternateContact

Write

Grants permission to delete the alternate contacts for an account.

account:DisableRegion

Write

Grants permission to disable use of a Region.

account:EnableRegion

Write

Grants permission to enable use of a Region.

account:PutAlternateContact

Write

Grants permission to modify the alternate contacts for an account.

account:PutChallengeQuestions

Write

Grants permission to modify the challenge questions for an account.

Note

This is a permission for the console only. No API access is available for this permission.

account:PutContactInformation

Write

Grants permission to update the primary contact information for an account.

account:StartPrimaryEmailUpdate

Write

Grants permission to initiate the primary email address update of the member account in an Amazon organization.