Control account instance creation with Services Control Policies - Amazon IAM Identity Center


Users can create an instance of IAM Identity Center that is bound to a single Amazon Web Services account, called an account instance of IAM Identity Center. You can control account instance creation with service control policies (SCPs), which deny the sso:CreateInstance action for the accounts they are attached to.

  1. Open the IAM Identity Center console.

  2. On the Dashboard, in the Central management section, choose the Prevent account instances button.

  3. In the Attach SCP to prevent creation of new account instances dialog box, an SCP is provided for you. Copy the SCP and choose the Go to SCP dashboard button. You'll be directed to the Amazon Organizations console to create the SCP or attach it as a statement to an existing SCP.

    Service control policies are a feature of Amazon Organizations. For instructions on attaching an SCP, see Attaching and detaching service control policies in the Amazon Organizations User Guide.

Rather than preventing account instance creation entirely, you can limit it to a specific Amazon Web Services account within your organization by adding a condition on aws:PrincipalAccount, so the Deny applies to every account except the one listed:

Example: SCP to control instance creation

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyMemberAccountInstances",
          "Effect": "Deny",
          "Action": "sso:CreateInstance",
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]
            }
          }
        }
      ]
    }
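The following is an added example, not code from the IAM Identity Center or Amazon Organizations documentation. It builds the SCP shown above for a list of allowed account IDs (an empty list yields the unconditional Deny used to block account instances everywhere, which is an assumption about the console-provided SCP), and includes a small local evaluator for the one action and condition key this page uses, so you can reason about which principals the Deny hits before attaching the policy. The account IDs are constructed sample values.

```python
import json
import re
from typing import Iterable

# Added example (not AWS-provided code): generate and sanity-check an SCP that
# restricts sso:CreateInstance, the action behind IAM Identity Center account
# instance creation.

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_create_instance_scp(allowed_accounts: Iterable[str] = ()) -> dict:
    """Return an SCP document that denies sso:CreateInstance.

    With no allowed accounts the Deny is unconditional, so every account the
    SCP is attached to is blocked from creating an account instance (assumed
    to match the SCP the console dialog provides). With one or more account
    IDs, the Deny applies only when aws:PrincipalAccount is NOT in the list,
    so those accounts keep the ability to create an account instance.
    """
    allowed = [str(a) for a in allowed_accounts]
    for acct in allowed:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit account ID: {acct!r}")
    statement = {
        "Sid": "DenyMemberAccountInstances",
        "Effect": "Deny",
        "Action": "sso:CreateInstance",
        "Resource": "*",
    }
    if allowed:
        statement["Condition"] = {
            "StringNotEquals": {"aws:PrincipalAccount": allowed}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def scp_denies_create_instance(policy: dict, principal_account: str) -> bool:
    """Local approximation of how this SCP's Deny statements evaluate for
    sso:CreateInstance issued by a principal in `principal_account`.

    Only the policy grammar used on this page is handled: Effect Deny, Action
    as a string or list, and an optional StringNotEquals condition on
    aws:PrincipalAccount. Anything else is treated as not matching. This is a
    reasoning aid for the policy text, not an IAM policy simulator.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sso:CreateInstance", "sso:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition")
        if not cond:
            return True  # unconditional Deny: blocked regardless of account
        not_equals = cond.get("StringNotEquals", {}).get("aws:PrincipalAccount")
        if not_equals is None:
            continue  # condition key we do not model; treat as no match
        if isinstance(not_equals, str):
            not_equals = [not_equals]
        if principal_account not in not_equals:
            return True  # StringNotEquals matched: Deny applies
    return False


if __name__ == "__main__":
    # Constructed sample account IDs.
    scp = build_create_instance_scp(["111111111111"])
    print(json.dumps(scp, indent=2))
    for acct in ("111111111111", "222222222222"):
        verdict = "denied" if scp_denies_create_instance(scp, acct) else "allowed"
        print(f"sso:CreateInstance from {acct}: {verdict}")
```

Two caveats worth checking before relying on the evaluator's verdict in a real organization: SCPs never restrict the management account, so an allow-list SCP cannot stop account instance creation there, and the SCP only takes effect in the accounts and OUs it is actually attached to, so confirm the attachment covers every member account you intend to restrict.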