Use Service Control Policies to control account instance creation - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use Service Control Policies to control account instance creation

The ability for member accounts to create account instances depends on when you enabled IAM Identity Center:

In either case, you can use Service Control Policies (SCPs) to:

  • Prevent all member accounts from creating account instances.

  • Allow only specific member accounts to create account instances.

Prevent account instances

Use the following procedure to generate an SCP that prevents member accounts from creating account instances of IAM Identity Center.

  1. Open the IAM Identity Center console.

  2. On the Dashboard, in the Central management section, choose the Prevent account instances button.

  3. In the Attach SCP to prevent creation of new account instances dialog box, an SCP is provided for you. Copy the SCP and choose the Go to SCP dashboard button. You'll be directed to the Amazon Organizations console to create the SCP or attach it as a statement to an existing SCP. SCPs are a feature of Amazon Organizations. For instructions on attaching an SCP, see Attaching and detaching service control policies in the Amazon Organizations User Guide.

Limit account instances

Instead of preventing all account instance creation, this policy denies any attempt to create an account instance of IAM Identity Center for every Amazon Web Services account except those you list in place of the "<ALLOWED-ACCOUNT-ID>" placeholder.

Example: Deny policy to limit account instance creation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMemberAccountInstances",
      "Effect": "Deny",
      "Action": "sso:CreateInstance",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]
        }
      }
    }
  ]
}
  • Replace ["<ALLOWED-ACCOUNT-ID>"] with the actual Amazon Web Services account ID(s) that you want to allow to create an account instance of IAM Identity Center.

  • You can list multiple allowed account IDs in the array format: ["111122223333", "444455556666"].

  • Attach this policy to your organization SCP to enforce centralized control over IAM Identity Center account instance creation.

    For instructions on attaching an SCP, see Attaching and detaching service control policies in the Amazon Organizations User Guide.
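As an added example (not code from the Amazon documentation), the following Python builds the deny policy above from a list of allowed account IDs, refuses an unreplaced "<ALLOWED-ACCOUNT-ID>" placeholder before the policy is attached, and checks sample sso:CreateInstance requests against the StringNotEquals condition. The evaluator is a simplified, deny-only model of how this one SCP behaves, not the IAM policy engine.

```python
import fnmatch
import json
import re

# AWS account IDs are exactly 12 digits; anything else (including the
# literal "<ALLOWED-ACCOUNT-ID>" placeholder) must not reach an SCP.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def is_valid_account_id(account_id):
    return bool(ACCOUNT_ID_RE.match(account_id))


def build_limit_scp(allowed_accounts):
    """Return the page's deny policy with the placeholder filled in."""
    bad = [a for a in allowed_accounts if not is_valid_account_id(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyMemberAccountInstances",
            "Effect": "Deny",
            "Action": "sso:CreateInstance",
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:PrincipalAccount": list(allowed_accounts)}},
        }],
    }


def scp_denies(policy, action, principal_account):
    """True if a Deny statement in `policy` matches the request.

    Models only what this SCP uses: an Action (with IAM-style case-insensitive
    wildcards) and a StringNotEquals condition on aws:PrincipalAccount, which
    holds when the caller's account is not in the listed values.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        cond = stmt.get("Condition")
        if cond is None:
            return True  # unconditional Deny
        allowed = cond.get("StringNotEquals", {}).get("aws:PrincipalAccount", [])
        if principal_account not in allowed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample account IDs, not real accounts.
    print(json.dumps(build_limit_scp(["111122223333", "444455556666"]), indent=2))
```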