Using identity-based policies (IAM policies) for AWS Account Management

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

For instructions on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

AWS Account Management actions policies

This table summarizes the permissions that grant access to your account settings. For examples of policies that use these permissions, see AWS Account Management policy examples.

Note

To grant IAM users write access to a specific account setting in the Account page of the AWS Management Console, you must allow the GetAccountInformation permission, in addition to the permission (or permissions) that you want to use to modify that setting.

Permission name	Access level	Description
`account:ListRegions`	List	Grants permission to list the available Regions.
`account:GetAccountInformation`	Read	Grants permission to retrieve the account information for an account.
`account:GetAlternateContact`	Read	Grants permission to retrieve the alternate contacts for an account.
`account:GetChallengeQuestions`	Read	Grants permission to retrieve the challenge questions for an account.
`account:GetContactInformation`	Read	Grants permission to retrieve the primary contact information for an account.
`account:GetRegionOptStatus`	Read	Grants permission to get the opt-in status of a Region.
`account:AcceptPrimaryEmailUpdate`	Write	Grants permission to accept the primary email address update of the member account in an AWS organization.
`account:CloseAccount`	Write	Grants permission to close an account. Note This is a permission for the console only. No API access is available for this permission.
`account:DeleteAlternateContact`	Write	Grants permission to delete the alternate contacts for an account.
`account:DisableRegion`	Write	Grants permission to disable use of a Region.
`account:EnableRegion`	Write	Grants permission to enable use of a Region.
`account:PutAlternateContact`	Write	Grants permission to modify the alternate contacts for an account.
`account:PutChallengeQuestions`	Write	Grants permission to modify the challenge questions for an account. Note This is a permission for the console only. No API access is available for this permission.
`account:PutContactInformation`	Write	Grants permission to update the primary contact information for an account.
`account:StartPrimaryEmailUpdate`	Write	Grants permission to initiate the primary email address update of the member account in an AWS organization.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity-based policy examples

Troubleshooting