Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for IAM Identity Center

To create IAM customer managed policies that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

New actions that allow you to list and delete user sessions are available under the new namespace identitystore-auth. Any additional permissions for actions in this namespace will be updated on this page. When creating your custom IAM policies, avoid using * after identitystore-auth because this applies to all actions that exist in the namespace today or in the future.

Amazon managed policy: AWSSSOMasterAccountAdministrator

The AWSSSOMasterAccountAdministrator policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an Amazon IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the AWSSSOMasterAccountAdministrator policy to your IAM identities. When you attach the AWSSSOMasterAccountAdministrator policy to an identity, you grant administrative Amazon IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the Amazon Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create an IAM Identity Center instance, users, permission sets, and assignments. The principal can also instantiate those assignments throughout the Amazon organization member accounts and establish connections between Amazon Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator will be granted these permissions automatically.

Permissions groupings

This policy is grouped into statements based on the set of permissions provided.

To view the permissions for this policy, see AWSSSOMasterAccountAdministrator in Amazon Managed Policy Reference.

Additional information about this policy

When IAM Identity Center is enabled for the first time, the IAM Identity Center service creates a service linked role in the Amazon Organizations management account (formerly master account) so that IAM Identity Center can manage the resources in your account. The actions required are iam:CreateServiceLinkedRole and iam:PassRole, which are shown in the following snippets.

{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "AWSSSOCreateSLR",
      "Effect" : "Allow",
      "Action" : "iam:CreateServiceLinkedRole",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO",
      "Condition" : {
        "StringLike" : {
          "iam:AWSServiceName" : "sso.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AWSSSOMasterAccountAdministrator",
      "Effect" : "Allow",
      "Action" : "iam:PassRole",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO",
      "Condition" : {
        "StringLike" : {
          "iam:PassedToService" : "sso.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AWSSSOMemberAccountAdministrator",
      "Effect" : "Allow",
      "Action" : [
        "ds:DescribeTrusts",
        "ds:UnauthorizeApplication",
        "ds:DescribeDirectories",
        "ds:AuthorizeApplication",
        "iam:ListPolicies",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:DescribeOrganization",
        "organizations:ListChildren",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListDelegatedAdministrators",
        "sso:*",
        "sso-directory:*",
        "identitystore:*",
        "identitystore-auth:*",
        "ds:CreateAlias",
        "access-analyzer:ValidatePolicy",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole",
        "signin:ListTrustedIdentityPropagationApplicationsForConsole"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "AWSSSOManageDelegatedAdministrator",
      "Effect" : "Allow",
      "Action" : [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "organizations:ServicePrincipal" : "sso.amazonaws.com"
        }
      }
      },
      {
         "Sid": "AllowDeleteSyncProfile",
         "Effect": "Allow",
         "Action": [
                  "identity-sync:DeleteSyncProfile"
         ],
         "Resource": [
                  "arn:aws:identity-sync:*:*:profile/*"
         ]
    }
  ]
}
         

Amazon managed policy: AWSSSOMemberAccountAdministrator

The AWSSSOMemberAccountAdministrator policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the AWSSSOMemberAccountAdministrator policy to your IAM identities. When you attach the AWSSSOMemberAccountAdministrator policy to an identity, you grant administrative Amazon IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the Amazon Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create users, permission sets, and assignments. The principal can also instantiate those assignments throughout the Amazon organization member accounts and establish connections between Amazon Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator is granted these permissions automatically.

To view the permissions for this policy, see AWSSSOMemberAccountAdministrator in Amazon Managed Policy Reference.

Additional information about this policy

IAM Identity Center administrators manage users, groups, and passwords in their Identity Center directory store (sso-directory). The account admin role includes permissions for the following actions:

IAM Identity Center administrators need limited permissions to the following Amazon Directory Service actions to perform daily tasks.

These permissions allow IAM Identity Center administrators to identify existing directories and manage applications so that they can be configured for use with IAM Identity Center. For more information about each of these actions, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.

IAM Identity Center uses IAM policies to grant permissions to IAM Identity Center users. IAM Identity Center administrators create permission sets and attach polices to them. The IAM Identity Center administrator must have the permissions to list the existing policies so that they can choose which polices to use with the permission set they are creating or updating. To set secure and functional permissions, the IAM Identity Center administrator must have permissions to run the IAM Access Analyzer policy validation.

IAM Identity Center administrators need limited access to the following Amazon Organizations actions to perform daily tasks:

These permissions allow IAM Identity Center administrators the ability to work with organization resources (accounts) for basic IAM Identity Center administrative tasks such as the following:

For more information about using a delegated administrator with IAM Identity Center, see Delegated administration. For more information about how these permissions are used with Amazon Organizations, see Using Amazon Organizations with other Amazon services.

Amazon managed policy: AWSSSODirectoryAdministrator

You can attach the AWSSSODirectoryAdministrator policy to your IAM identities.

This policy grants administrative permissions over IAM Identity Center users and groups. Principals with this policy attached can make any updates to IAM Identity Center users and groups.

To view the permissions for this policy, see AWSSSODirectoryAdministrator in Amazon Managed Policy Reference.

Amazon managed policy: AWSSSOReadOnly

You can attach the AWSSSOReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in IAM Identity Center. Principals with this policy attached cannot view the IAM Identity Center users or groups directly. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center settings, but cannot change any of the setting values.

To view the permissions for this policy, see AWSSSOReadOnly in Amazon Managed Policy Reference.

Amazon managed policy: AWSSSODirectoryReadOnly

You can attach the AWSSSODirectoryReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow users to view users and groups in IAM Identity Center. Principals with this policy attached cannot view IAM Identity Center assignments, permission sets, applications, or settings. Principals with this policy attached can't make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center users, but they can't change any user attributes or assign MFA devices.

To view the permissions for this policy, see AWSSSODirectoryReadOnly in Amazon Managed Policy Reference.

Amazon managed policy: AWSIdentitySyncFullAccess

You can attach the AWSIdentitySyncFullAccess policy to your IAM identities.

Principals with this policy attached have full access permissions to create and delete sync profiles, associate or update a sync profile with a sync target, create, list and delete sync filters, and start or stop synchronization.

Permission details

To view the permissions for this policy, see AWSIdentitySyncFullAccess in Amazon Managed Policy Reference.

Amazon managed policy: AWSIdentitySyncReadOnlyAccess

You can attach the AWSIdentitySyncReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions that allow users to view information about the identity synchronization profile, filters, and target settings. Principals with this policy attached can't make any updates to synchronization settings. For example, principals with these permissions can view identity synchronization settings, but can't change any of the profile or filter values.

To view the permissions for this policy, see AWSIdentitySyncReadOnlyAccess in Amazon Managed Policy Reference.

Amazon managed policy: AWSSSOServiceRolePolicy

You can't attach the AWSSSOServiceRolePolicy policy to your IAM identities.

This policy is attached to a service-linked role that allows IAM Identity Center to delegate and enforce which users have single sign-on access to specific Amazon Web Services accounts in Amazon Organizations. When you enable IAM, a service-linked role is created in all of the Amazon Web Services accounts within your organization. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. Service-linked roles that are created in each Amazon Web Services account are named AWSServiceRoleForSSO. For more information, see Using service-linked roles for IAM Identity Center.

Amazon managed policy: AWSIAMIdentityCenterAllowListForIdentityContext

When assuming a role with the IAM Identity Center identity context, Amazon Security Token Service (Amazon STS) automatically attaches the AWSIAMIdentityCenterAllowListForIdentityContext policy to the role.

This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context. All other actions that are called with this context are blocked. The identity context is passed as ProvidedContext.

To view the permissions for this policy, see AWSIAMIdentityCenterAllowListForIdentityContext in Amazon Managed Policy Reference.

IAM Identity Center updates to Amazon managed policies

The following table describes the updates to Amazon managed policies for IAM Identity Center since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM Identity Center Document history page.