Amazon managed policies for the Amazon Web Services Management Console - Amazon Web Services Management Console
AWSManagementConsoleBasicUserAccessAWSManagementConsoleAdministratorAccessPolicy updates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for the Amazon Web Services Management Console

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AWSManagementConsoleBasicUserAccess

You can attach AWSManagementConsoleBasicUserAccess to your users, groups, and roles.

This policy grants the permissions necessary for non-administrative users of the Amazon Web Services Management Console. This includes features such as resource discovery, notifications, browser-based shell access, and customized navigation.

Permissions details

This AWSManagementConsoleBasicUserAccess is grouped into the following sets of permissions:

  • cloudshell – Allows principals full access to Amazon CloudShell capabilities, including environment creation, session management, and command execution.

  • ec2 – Allows principals to describe Regions enabled for the account in Unified Navigation.

  • notifications – Allows principals to obain events from Amazon User Notifications.

  • q – Allows principals to chat with Amazon Q Developer.

  • resource-explorer-2 – Allows principals to search and discover Amazon resources using Unified Search.

  • uxc – Allows principals to read Amazon User Experience Customization settings.

To view the permissions for this policy, see AWSManagementConsoleBasicUserAccess in the Amazon Managed Policy Reference.

Amazon managed policy: AWSManagementConsoleAdministratorAccess

You can attach AWSManagementConsoleAdministratorAccess to your users, groups, and roles.

This policy grants full access to configure and customize the Amazon Web Services Management Console. It allows administrators to set account colors, enable user notifications, and configure resource discovery. It also includes permissions from the AWSManagementConsoleBasicUserAccess managed policy, which are essential for non-administrative users of the Amazon Web Services Management Console.

Permissions details

This AWSManagementConsoleAdministratorAccess is grouped into the following sets of permissions:

  • cloudshell – Allows principals full access to Amazon CloudShell capabilities, including environment creation, session management, and command execution.

  • ec2 – Allows principals to describe Regions enabled for the account in Unified Navigation.

  • notifications – Allows principals to access and update notification configurations, events, and feature opt-in status.

  • q – Allows principals to chat with Amazon Q Developer for AI-assisted support.

  • resource-explorer-2 – Allows principals to search and discover Amazon resources using Unified Search.

  • uxc – Allows principals full access to Amazon User Experience Customization settings.

To view the permissions for this policy, see AWSManagementConsoleAdministratorAccess in the Amazon Managed Policy Reference.

Amazon Web Services Management Console updates to Amazon managed policies

View details about updates to Amazon managed policies for the Amazon Web Services Management Console since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Web Services Management Console Document history page.

Change Description Date

AWSManagementConsoleBasicUserAccess – New policy

Added a new Amazon managed policy that grants permissions necessary for basic Amazon Web Services Management Console navigation, account color viewing, and resource discovery.

 August 14, 2025

AWSManagementConsoleAdministratorAccess – New policy

Added a new Amazon managed policy that provides full access to configure and customize the Amazon Web Services Management Console.

 August 14, 2025

Amazon Web Services Management Console started tracking changes

Amazon Web Services Management Console started tracking changes for its Amazon managed policies.

 August 14, 2025