Getting started with AWS Supply Chain - AWS Supply Chain

Getting started with AWS Supply Chain

In this section, you can learn to create an AWS Supply Chain instance, grant user permission roles, log into the AWS Supply Chain web application, and create custom user permission roles. An AWS account can have up to 10 AWS Supply Chain instances in active or initializing state.

Prerequisites

Before you create an AWS Supply Chain instance, make sure that you complete the following steps:

  • You've created an AWS account. For more information, see Setting up an AWS account.

    Note

    If you haven't activated AWS IAM Identity Center, create an AWS organization and activate IAM Identity Center. For more information on creating an AWS organization, see Creating an organization.

  • Turn on IAM Identity Center in the same AWS Region where you want to create your AWS Supply Chain instance . AWS Supply Chain is only supported in US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Asia Pacific (Sydney) Region, and Europe (Ireland) Region Regions. For more information, see Enabling IAM Identity Center .

    Note

    AWS Supply Chain Demand Planning is not supported in Europe (Ireland) Region.

    Note

    If you haven't activated IAM Identity Center in a Region other than those listed here, you can't create an AWS Supply Chain instance.

  • You can create IAM users from the AWS Identity and Access Management (IAM) console. For more information, see Setting up an AWS account.

  • Add users who need access to AWS Supply Chain to IAM Identity Center. For more information, see Adding users in IAM Identity Center. You can also connect your active directory to IAM Identity Center. For more information, see Connect to a Microsoft AD directory in the AWS IAM Identity Center User Guide.

  • When using Microsoft active directory, make sure the active directory sync is enabled.

  • You need AWS Key Management Service (AWS KMS) to create an instance. AWS Supply Chain uses this AWS KMS key to encrypt all the data that comes into AWS Supply Chain.

Using the AWS Supply Chain console

Note

If your AWS account is a member account of an AWS organization and includes a Service Control Policy (SCP), make sure the organization's SCP grants the following permissions to the member account. If the following permissions are not included in the organization's SCP policy, AWS Supply Chain instance creation will fail.

To access the AWS Supply Chain console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS Supply Chain resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the AWS Supply Chain console, also attach the AWS Supply Chain ConsoleAccess or ReadOnly AWS managed policy to the entities. For more information, see Adding permissions to a user in the IAM User Guide.

The following permissions are needed by the Console Admin to create and update AWS Supply Chain instances successfully.

{ "Version": "2012-10-17", "Statement": [ { "Action": "scn:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket", "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration", "s3:PutEncryptionConfiguration", "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration", "s3:PutBucketPublicAccessBlock", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:PutBucketOwnershipControls", "s3:PutBucketNotification", "s3:PutAccountPublicAccessBlock", "s3:PutBucketLogging" ], "Resource": "arn:aws:s3:::aws-supply-chain-*", "Effect": "Allow" }, { "Action": [ "cloudtrail:CreateTrail", "cloudtrail:PutEventSelectors", "cloudtrail:GetEventSelectors", "cloudtrail:StartLogging" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "events:DescribeRule", "events:PutRule", "events:PutTargets" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "chime:CreateAppInstance", "chime:DeleteAppInstance", "chime:PutAppInstanceRetentionSettings", "chime:TagResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cloudwatch:PutMetricData", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "organizations:DescribeOrganization", "organizations:CreateOrganization", "organizations:EnableAWSServiceAccess" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:CreateGrant", "kms:RetireGrant", "kms:DescribeKey", "kms:ListAliases" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:GetRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreateServiceLinkedRole" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "sso:StartPeregrine", "sso:DescribeRegisteredRegions", "sso:ListDirectoryAssociations", "sso:GetPeregrineStatus", "sso:GetSSOStatus", "sso:ListProfiles", "sso:GetProfile", "sso:AssociateProfile", "sso:AssociateDirectory", "sso:RegisterRegion", "sso:StartSSO", "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:GetManagedApplicationInstance", "sso-directory:SearchUsers" ], "Resource": "*", "Effect": "Allow" } ] }