IAM Identity Center Groups for AWS Control Tower

AWS Control Tower offers preconfigured groups to organize users that perform specific tasks in your accounts. You can add users and assign them to these groups directly in IAM Identity Center. Doing so matches permission sets to users in groups within your accounts. The following groups are created when you set up your landing zone.

AWSAccountFactory
Account	Permission sets	Description
Management account	AWSServiceCatalogEndUserAccess	This group is only used in this account to provision new accounts using Account Factory.

AWSServiceCatalogAdmins
Account	Permission sets	Description
Management account	AWSServiceCatalogAdminFullAccess	This group is only used in this account to make administrative changes to Account Factory. Users in this group can't provision new accounts unless they're also in the AWSAccountFactory group.

AWSControlTowerAdmins
Account	Permission sets	Description
Management account	AWSAdministratorAccess	Users of this group in this account are the only ones that have access to the AWS Control Tower console.
Log archive account	AWSAdministratorAccess	Users have administrator access in this account.
Audit account	AWSAdministratorAccess	Users have administrator access in this account.
Member accounts	AWSOrganizationsFullAccess	Users have full access to Organizations in this account.

AWSSecurityAuditPowerUsers
Account	Permission sets	Description
Management account	AWSPowerUserAccess	Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Log archive account	AWSPowerUserAccess	Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Audit account	AWSPowerUserAccess	Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Member accounts	AWSPowerUserAccess	Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.

AWSSecurityAuditors
Account	Permission sets	Description
Management account	AWSReadOnlyAccess	Users have read-only access to all AWS services and resources in this account.
Log archive account	AWSReadOnlyAccess	Users have read-only access to all AWS services and resources in this account.
Audit account	AWSReadOnlyAccess	Users have read-only access to all AWS services and resources in this account.
Member accounts	AWSReadOnlyAccess	Users have read-only access to all AWS services and resources in this account.

AWSLogArchiveAdmins
Account	Permission sets	Description
Log archive account	AWSAdministratorAccess	Users have administrator access in this account.

AWSLogArchiveViewers
Account	Permission sets	Description
Log archive account	AWSReadOnlyAccess	Users have read-only access to all AWS services and resources in this account.

AWSAuditAccountAdmins
Account	Permission sets	Description
Audit account	AWSAdministratorAccess	Users have administrator access in this account.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

User groups, roles, and permission sets

Overview of managing resource access with IAM