Getting started with AWS Supply Chain - AWS Supply Chain
Using the console

Getting started with AWS Supply Chain

In this section, you can learn to create an AWS Supply Chain instance, grant user permission roles, log into the AWS Supply Chain web application, and create custom user permission roles. An AWS account can have up to 10 AWS Supply Chain instances in active or initializing state.

Topics

Using the AWS Supply Chain console

Note

If your AWS account is a member account of an AWS organization and includes a Service Control Policy (SCP), make sure the organization's SCP grants the following permissions to the member account. If the following permissions are not included in the organization's SCP policy, AWS Supply Chain instance creation will fail.

To access the AWS Supply Chain console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS Supply Chain resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the AWS Supply Chain console, also attach the AWS Supply Chain ConsoleAccess or ReadOnly AWS managed policy to the entities. For more information, see Adding permissions to a user in the IAM User Guide.

The following permissions are needed by the Console Admin to create and update AWS Supply Chain instances successfully.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": "scn:*",
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:ListBucket",
				"s3:CreateBucket",
				"s3:PutBucketVersioning",
				"s3:PutBucketObjectLockConfiguration",
				"s3:PutEncryptionConfiguration",
				"s3:PutBucketPolicy",
				"s3:PutLifecycleConfiguration",
				"s3:PutBucketPublicAccessBlock",
				"s3:DeleteObject",
				"s3:ListAllMyBuckets",
				"s3:PutBucketOwnershipControls",
				"s3:PutBucketNotification",
				"s3:PutAccountPublicAccessBlock",
				"s3:PutBucketLogging",
				"s3:PutBucketTagging"
			],
			"Resource": "arn:aws:s3:::aws-supply-chain-*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"cloudtrail:CreateTrail",
				"cloudtrail:PutEventSelectors",
				"cloudtrail:GetEventSelectors",
				"cloudtrail:StartLogging"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"events:DescribeRule",
				"events:PutRule",
				"events:PutTargets"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"chime:CreateAppInstance",
				"chime:DeleteAppInstance",
				"chime:PutAppInstanceRetentionSettings",
				"chime:TagResource"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"cloudwatch:PutMetricData",
				"cloudwatch:Describe*",
				"cloudwatch:Get*",
				"cloudwatch:List*"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:EnableAWSServiceAccess"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"kms:CreateGrant",
				"kms:RetireGrant",
				"kms:DescribeKey"
			],
			"Resource": key_arn,
			"Effect": "Allow"
		},
		{
			"Action": [
				"kms:ListAliases"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"iam:CreateRole",
				"iam:CreatePolicy",
				"iam:GetRole",
				"iam:PutRolePolicy",
				"iam:AttachRolePolicy",
				"iam:CreateServiceLinkedRole"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": [
				"sso:StartPeregrine",
				"sso:DescribeRegisteredRegions",
				"sso:ListDirectoryAssociations",
				"sso:GetPeregrineStatus",
				"sso:GetSSOStatus",
				"sso:ListProfiles",
				"sso:GetProfile",
				"sso:AssociateProfile",
				"sso:AssociateDirectory",
				"sso:RegisterRegion",
				"sso:StartSSO",
				"sso:CreateManagedApplicationInstance",
				"sso:DeleteManagedApplicationInstance",
				"sso:GetManagedApplicationInstance",
				"sso-directory:SearchUsers"
			],
			"Resource": "*",
			"Effect": "Allow"
		}
	]
}

key_arn specifies the key you would like to use for the AWS Supply Chain instance. For best practices and to restrict access to only the keys you would like to use for AWS Supply Chain, see Specifying KMS keys in IAM policy statements. To represent all KMS keys, use a wildcard character alone ("*").