Using AWS Management Console Private Access with AWS Organizations service control policies Allow AWS Management Console use for expected accounts and organizations only (trusted identities)

Implementing service control policies and VPC endpoint policies

You can use service control policies (SCPs) and VPC endpoint policies for AWS Management Console Private Access to limit the set of accounts that are allowed to use the AWS Management Console from within your VPC and its connected on-premises networks.

Using AWS Management Console Private Access with AWS Organizations service control policies

If your AWS organization is using a service control policy (SCP) that allows specific services, you must add signin:* to the allowed actions. This permission is needed because signing in to the AWS Management Console over a Private Access VPC endpoint performs an IAM authorization that the SCP blocks without the permission. As an example, the following service control policy allows the Amazon EC2 and CloudWatch services to be used in the organization, including when they are accessed using an AWS Management Console Private Access endpoint.


{
  "Effect": "Allow",
  "Action": [
    "signin:*",
    "ec2:*",
    "cloudwatch:*",
    ... Other services allowed
  },
  "Resource": "*"
}

For more information about SCPs, see Service control policies (SCPs) in the AWS Organizations User Guide.

Allow AWS Management Console use for expected accounts and organizations only (trusted identities)

AWS Management Console and AWS Sign-In support a VPC endpoint policy that specifically controls the identity of the signed-in account.

Unlike other VPC endpoint policies, the policy is evaluated before authentication. As a result, it specifically controls sign-in and use of the authenticated session only, and not any AWS service-specific actions that the session takes. For example, as the session accesses an AWS service console, such as the Amazon EC2 console, these VPC endpoint policies will not be evaluated against the Amazon EC2 actions that are taken to display that page. Rather, you can use the IAM policies associated with the signed-in IAM Principal to control its permission to AWS service actions.

Note

VPC endpoint policies for AWS Management Console and SignIn VPC endpoints support only a limited subset of policy formulations. Every Principal and Resource should be set to * and the Action should be either * or signin:*. You control access to VPC endpoints using aws:PrincipalOrgId and aws:PrincipalAccount condition keys.

The following policies are recommended for both the Console and SignIn VPC endpoints.

This VPC endpoint policy allows sign-in to AWS accounts in the specified AWS organization and blocks sign-in to any other accounts.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgId": "o-xxxxxxxxxxx"
        }
      }
    }
  ]
}

This VPC endpoint policy limits sign-in to a list of specific AWS accounts and blocks sign-in to any other accounts.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": [ "111122223333", "222233334444" ]
        }
      }
    }
  ]
}

Polices that limit AWS accounts or an organization on the AWS Management Console and Sign-In VPC endpoints are evaluated at the time of sign-in and are periodically re-evaluated for existing sessions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Required VPC endpoints and DNS configuration

Implementing identity-based policies and other policy types