AWSSSOReadOnly
Description: Provides read only access to AWS SSO configurations.
AWSSSOReadOnly is an AWS managed policy.
Using this policy
You can attach AWSSSOReadOnly to your users, groups, and roles.
Policy details
-
Type: AWS managed policy
-
Creation time: June 27, 2018, 20:24 UTC
-
Edited time: September 16, 2025, 19:49 UTC
-
ARN:
arn:aws:iam::aws:policy/AWSSSOReadOnly
Policy version
Policy version: v10 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AWSSSOReadOnly", "Effect" : "Allow", "Action" : [ "ds:DescribeDirectories", "ds:DescribeTrusts", "iam:ListPolicies", "organizations:DescribeOrganization", "organizations:DescribeAccount", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListRoots", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListDelegatedAdministrators", "sso:Describe*", "sso:Get*", "sso:List*", "sso:Search*", "sso-directory:DescribeDirectory", "access-analyzer:ValidatePolicy", "signin:ListTrustedIdentityPropagationApplicationsForConsole" ], "Resource" : "*" }, { "Sid" : "AllowKMSKeyUseViaAWSIAMIdentityCenterService", "Effect" : "Allow", "Action" : [ "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sso.*.amazonaws.com", "kms:EncryptionContext:aws:sso:instance-arn" : "*" } } }, { "Sid" : "AllowKMSKeyDiscovery", "Effect" : "Allow", "Action" : [ "kms:ListAliases", "kms:DescribeKey" ], "Resource" : "*" } ] }
Learn more
