Control account instance creation with Services Control Policies
If you enabled IAM Identity Center before November 2023, you can choose whether member accounts can create an account instance of IAM Identity Center, which is an instance of IAM Identity Center that's bound to a single Amazon Web Services account. Otherwise, by default, member accounts in your organization already have the option to create an account instance. Enabling member accounts to create account instances isn't reversible, but you can use a Service Control Policy (SCP) to prevent or limit account instance creation.
SCPs are a feature of Amazon Organizations. For instructions on attaching an SCP, see Attaching and detaching service control policies in the Amazon Organizations User Guide.
Prevent account instances
Use the following procedure to generate an SCP that prevents member accounts from creating account instances of IAM Identity Center.
-
Open the IAM Identity Center console
. -
On the Dashboard, in the Central management section, choose the Prevent account instances button.
-
In the Attach SCP to prevent creation of new account instances dialog box, an SCP is provided for you. Copy the SCP and choose the Go to SCP dashboard button. You'll be directed to the Amazon Organizations console
to create the SCP or attach it as a statement to an existing SCP.
Limit account instances
Rather than prevent account instance creation, you can limit account instance creation to a specific Amazon Web Services account within your organization:
Example : SCP to control instance creation
{ "Version": "2012-10-17", "Statement" : [ { "Sid": "DenyMemberAccountInstances", "Effect": "Deny", "Action": "sso:CreateInstance", "Resource": "*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"] } } } ] }
For more information on IAM and policy identifiers, see the following: