AWS managed policies for AWS Service Catalog AppRegistry - AWS Service Catalog

AWS managed policies for AWS Service Catalog AppRegistry

AWS managed policy: AWSServiceCatalogAdminFullAccess

You can attach AWSServiceCatalogAdminFullAccess to your IAM entities. AppRegistry also attaches this policy to a service role that allows AppRegistry to perform actions on your behalf.

This policy grants administrative permissions that allow full access to the administrator console view and grants permission to create and manage products and portfolios.

Permissions details

This policy includes the following permissions.

  • servicecatalog – Allows principals full permissions to the administrator console view and the ability to create and manage portfolios and products, manage constraints, grant access to end users, and perform other administrative tasks within AWS Service Catalog.

  • cloudformation – Allows AWS Service Catalog full permissions to list, read, write, and tag AWS CloudFormation stacks.

  • config – Allows AWS Service Catalog limited permissions to portfolios, products, and provisioned products via AWS Config.

  • iam – Allows principals full permissions to view and create service users, groups, or roles that are required for creating and managing products and portfolios.

  • ssm – Allows AWS Service Catalog to use AWS Systems Manager to list and read Systems Manager documents in the current AWS account and AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack", "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:SetStackPolicy", "cloudformation:UpdateStack",
        "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet", "cloudformation:ListChangeSets",
        "cloudformation:DeleteChangeSet", "cloudformation:ListStackResources",
        "cloudformation:TagResource", "cloudformation:CreateStackSet",
        "cloudformation:CreateStackInstances", "cloudformation:UpdateStackSet",
        "cloudformation:UpdateStackInstances", "cloudformation:DeleteStackSet",
        "cloudformation:DeleteStackInstances", "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations",
        "cloudformation:ListStackSetOperationResults"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/SC-*",
        "arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
        "arn:aws:cloudformation:*:*:changeSet/SC-*",
        "arn:aws:cloudformation:*:*:stackset/SC-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateUploadBucket", "cloudformation:GetTemplateSummary",
        "cloudformation:ValidateTemplate",
        "iam:GetGroup", "iam:GetRole", "iam:GetUser",
        "iam:ListGroups", "iam:ListRoles", "iam:ListUsers",
        "servicecatalog:Get*", "servicecatalog:Scan*", "servicecatalog:Search*",
        "servicecatalog:List*", "servicecatalog:TagResource",
        "servicecatalog:UntagResource", "servicecatalog:SyncResource",
        "ssm:DescribeDocument", "ssm:GetAutomationExecution",
        "ssm:ListDocuments", "ssm:ListDocumentVersions",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:Accept*", "servicecatalog:Associate*", "servicecatalog:Batch*",
        "servicecatalog:Copy*", "servicecatalog:Create*", "servicecatalog:Delete*",
        "servicecatalog:Describe*", "servicecatalog:Disable*", "servicecatalog:Disassociate*",
        "servicecatalog:Enable*", "servicecatalog:Execute*", "servicecatalog:Import*",
        "servicecatalog:Provision*", "servicecatalog:Put*", "servicecatalog:Reject*",
        "servicecatalog:Terminate*", "servicecatalog:Update*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "servicecatalog.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/orgsdatasync.servicecatalog.amazonaws.com/AWSServiceRoleForServiceCatalogOrgsDataSync",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "orgsdatasync.servicecatalog.amazonaws.com"
        }
      }
    }
  ]
}
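The statements above mix tightly scoped grants (CloudFormation limited to SC-* stacks, iam:PassRole pinned to servicecatalog.amazonaws.com) with servicecatalog wildcard actions on Resource "*". The following Python is an added example, not AWS code, that evaluates a constructed, abridged copy of the policy offline: it answers "which statements cover this action on this ARN?", confirms every PassRole grant carries the iam:PassedToService key, and lists the unconditioned wildcard write grants that need narrowing when a copy of the policy is used as an ABAC template. The role ARN and the abridged policy are constructed for the example.

```python
import fnmatch

# Constructed, abridged copy of the AWSServiceCatalogAdminFullAccess
# statements shown above; only the shape the checks need is kept.
ADMIN_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
         "Resource": ["arn:aws:cloudformation:*:*:stack/SC-*"]},
        {"Effect": "Allow",
         "Action": ["servicecatalog:Create*", "servicecatalog:Delete*",
                    "servicecatalog:Update*", "servicecatalog:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "servicecatalog.amazonaws.com"}}},
    ],
}

# Verb prefixes treated as "write" when looking for broad grants.
WRITE_VERBS = ("Create", "Delete", "Update", "Put", "Terminate", "Execute")


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def matching_statements(policy, action, resource):
    """Allow statements whose Action and Resource patterns cover the request.
    IAM action names are case-insensitive; ARNs are compared as written."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, p)
                          for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            hits.append(stmt)
    return hits


def passrole_is_scoped(policy):
    """True only if every Allow of iam:PassRole is pinned to a service with
    iam:PassedToService. Without that key, PassRole on "*" lets the principal
    hand any role in the account to any service that accepts one."""
    any_role = "arn:aws:iam::123456789012:role/any"   # constructed ARN
    for stmt in matching_statements(policy, "iam:PassRole", any_role):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "iam:PassedToService" not in cond:
            return False
    return True


def unconditioned_wildcard_writes(policy):
    """Action patterns granting write verbs on Resource "*" with no Condition.
    These are the statements to narrow (for example with ABAC tag conditions)
    when a copy of this policy is used as a template."""
    found = []
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow" or "Condition" in stmt
                or "*" not in _as_list(stmt["Resource"])):
            continue
        for pattern in _as_list(stmt["Action"]):
            if pattern.split(":", 1)[1].startswith(WRITE_VERBS):
                found.append(pattern)
    return found
```

Run the same checks against the full policy document by loading it with json.load in place of the abridged dictionary.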

AWS managed policy: AWSServiceCatalogAdminReadOnlyAccess

You can attach AWSServiceCatalogAdminReadOnlyAccess to your IAM entities. AppRegistry also attaches this policy to a service role that allows AppRegistry to perform actions on your behalf.

This policy grants read-only permissions that allow full access to the administrator console view. This policy does not grant access to create or manage products and portfolios.

Permissions details

This policy includes the following permissions.

  • servicecatalog – Allows principals read-only permissions to the administrator console view.

  • cloudformation – Allows AWS Service Catalog limited permissions to list and read AWS CloudFormation stacks.

  • config – Allows AWS Service Catalog limited permissions to portfolios, products, and provisioned products via AWS Config.

  • iam – Allows principals limited permissions to view service users, groups, or roles that are required for creating and managing products and portfolios.

  • ssm – Allows AWS Service Catalog to use AWS Systems Manager to list and read Systems Manager documents in the current AWS account and AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:DescribeChangeSet", "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources", "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations",
        "cloudformation:ListStackSetOperationResults"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/SC-*",
        "arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
        "arn:aws:cloudformation:*:*:changeSet/SC-*",
        "arn:aws:cloudformation:*:*:stackset/SC-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "iam:GetGroup", "iam:GetRole", "iam:GetUser",
        "iam:ListGroups", "iam:ListRoles", "iam:ListUsers",
        "servicecatalog:Get*", "servicecatalog:List*", "servicecatalog:Describe*",
        "servicecatalog:ScanProvisionedProducts", "servicecatalog:Search*",
        "ssm:DescribeDocument", "ssm:GetAutomationExecution",
        "ssm:ListDocuments", "ssm:ListDocumentVersions",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSServiceCatalogEndUserFullAccess

You can attach AWSServiceCatalogEndUserFullAccess to your IAM entities. AppRegistry also attaches this policy to a service role that allows AppRegistry to perform actions on your behalf.

This policy grants contributor permissions that allow full access to the end user console view and grants permission to launch products and manage provisioned products.

Permissions details

This policy includes the following permissions.

  • servicecatalog – Allows principals full permissions to the end user console view and the ability to launch products and manage provisioned products.

  • cloudformation – Allows AWS Service Catalog full permissions to list, read, write, and tag AWS CloudFormation stacks.

  • config – Allows AWS Service Catalog limited permissions to list and read details about portfolios, products, and provisioned products via AWS Config.

  • ssm – Allows AWS Service Catalog to use AWS Systems Manager to read Systems Manager documents in the current AWS account and AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack", "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate",
        "cloudformation:UpdateStack", "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets", "cloudformation:DeleteChangeSet",
        "cloudformation:TagResource", "cloudformation:CreateStackSet",
        "cloudformation:CreateStackInstances", "cloudformation:UpdateStackSet",
        "cloudformation:UpdateStackInstances", "cloudformation:DeleteStackSet",
        "cloudformation:DeleteStackInstances", "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackInstances", "cloudformation:ListStackResources",
        "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/SC-*",
        "arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
        "arn:aws:cloudformation:*:*:changeSet/SC-*",
        "arn:aws:cloudformation:*:*:stackset/SC-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths",
        "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts",
        "ssm:DescribeDocument", "ssm:GetAutomationExecution",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord",
        "servicecatalog:ListRecordHistory",
        "servicecatalog:ListStackInstancesForProvisionedProduct",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct",
        "servicecatalog:SearchProvisionedProducts",
        "servicecatalog:CreateProvisionedProductPlan",
        "servicecatalog:DescribeProvisionedProductPlan",
        "servicecatalog:ExecuteProvisionedProductPlan",
        "servicecatalog:DeleteProvisionedProductPlan",
        "servicecatalog:ListProvisionedProductPlans",
        "servicecatalog:ListServiceActionsForProvisioningArtifact",
        "servicecatalog:ExecuteProvisionedProductServiceAction",
        "servicecatalog:DescribeServiceActionExecutionParameters"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    }
  ]
}

AWS managed policy: AWSServiceCatalogEndUserReadOnlyAccess

You can attach AWSServiceCatalogEndUserReadOnlyAccess to your IAM entities. AppRegistry also attaches this policy to a service role that allows AppRegistry to perform actions on your behalf.

This policy grants read-only access to the end user console view. It does not grant permission to launch products or manage provisioned products.

Permissions details

This policy includes the following permissions.

  • servicecatalog – Allows principals read-only permissions to the end user console view.

  • cloudformation – Allows AWS Service Catalog limited permissions to list and read AWS CloudFormation stacks.

  • config – Allows AWS Service Catalog limited permissions to list and read details about portfolios, products, and provisioned products via AWS Config.

  • ssm – Allows AWS Service Catalog to use AWS Systems Manager to read Systems Manager documents in the current AWS account and AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:DescribeChangeSet", "cloudformation:ListChangeSets",
        "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances",
        "cloudformation:ListStackResources", "cloudformation:ListStackSetOperations",
        "cloudformation:ListStackSetOperationResults"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/SC-*",
        "arn:aws:cloudformation:*:*:stack/StackSet-SC-*",
        "arn:aws:cloudformation:*:*:changeSet/SC-*",
        "arn:aws:cloudformation:*:*:stackset/SC-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths",
        "servicecatalog:SearchProducts",
        "ssm:DescribeDocument", "ssm:GetAutomationExecution",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord",
        "servicecatalog:ListRecordHistory",
        "servicecatalog:ListStackInstancesForProvisionedProduct",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProvisionedProducts",
        "servicecatalog:DescribeProvisionedProductPlan",
        "servicecatalog:ListProvisionedProductPlans",
        "servicecatalog:ListServiceActionsForProvisioningArtifact",
        "servicecatalog:DescribeServiceActionExecutionParameters"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    }
  ]
}

AWS managed policy: AWSServiceCatalogSyncServiceRolePolicy

AWS Service Catalog attaches this policy to the AWSServiceRoleForServiceCatalogSync service-linked role (SLR), allowing AWS Service Catalog to sync templates in an external repository to AWS Service Catalog products.

This policy grants permissions that allow limited access to AWS Service Catalog actions (for example, API calls) and to the other AWS service actions that AWS Service Catalog depends on.

This policy includes the following permissions.

  • servicecatalog – Allows the AWS Service Catalog artifact sync role limited access to AWS Service Catalog public APIs.

  • codestar-connections – Allows the AWS Service Catalog artifact sync role limited access to CodeConnections public APIs.

  • cloudformation – Allows the AWS Service Catalog artifact sync role limited access to AWS CloudFormation public APIs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArtifactSynctoServiceCatalog",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:ListProvisioningArtifacts",
        "servicecatalog:DescribeProductAsAdmin",
        "servicecatalog:DeleteProvisioningArtifact",
        "servicecatalog:ListServiceActionsForProvisioningArtifact",
        "servicecatalog:CreateProvisioningArtifact",
        "servicecatalog:UpdateProvisioningArtifact"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessArtifactRepositories",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "ValidateTemplate",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    }
  ]
}

AWS Service Catalog uses the permission details above for the AWSServiceRoleForServiceCatalogSync service-linked role that is created when a user creates or updates an AWS Service Catalog product that uses CodeConnections. You can modify this policy using the AWS CLI, AWS API, or through the AWS Service Catalog console. For more information on how to create, edit, and delete service-linked roles, refer to Using service-linked roles (SLRs) for AWS Service Catalog.

The permissions included in the AWSServiceRoleForServiceCatalogSync service-linked role allow AWS Service Catalog to perform the following actions on behalf of the customer.

  • servicecatalog:ListProvisioningArtifacts — Allows the AWS Service Catalog artifact sync role to list the provisioning artifacts for a given AWS Service Catalog product that is synced to a template file in a repository.

  • servicecatalog:DescribeProductAsAdmin — Allows the AWS Service Catalog artifact sync role to use the DescribeProductAsAdmin API to get details for an AWS Service Catalog product and its associated provisioning artifacts that are synced to a template file in a repository. The artifact sync role uses the output from this call to verify the product's service quota limit for provisioning artifacts.

  • servicecatalog:DeleteProvisioningArtifact — Allows the AWS Service Catalog artifact sync role to delete a provisioning artifact.

  • servicecatalog:ListServiceActionsForProvisioningArtifact — Allows the AWS Service Catalog artifact sync role to determine if Service Actions are associated with a provisioning artifact and ensure that the provisioning artifact is not deleted if a Service Action is associated.

  • servicecatalog:DescribeProvisioningArtifact — Allows the AWS Service Catalog artifact sync role to retrieve details from the DescribeProvisioningArtifact API, including the commit ID, which is provided in the SourceRevisionInfo output.

  • servicecatalog:CreateProvisioningArtifact — Allows the AWS Service Catalog artifact sync role to create a new provisioning artifact if a change is detected (for example, a commit is pushed) to the source template file in the external repository.

  • servicecatalog:UpdateProvisioningArtifact — Allows the AWS Service Catalog artifact sync role to update the provisioning artifact for a connected or synced product.

  • codestar-connections:UseConnection — Allows the AWS Service Catalog artifact sync role to use the existing connection to update and sync a product.

  • cloudformation:ValidateTemplate — Allows the AWS Service Catalog artifact sync role limited access to AWS CloudFormation to validate the format of the template in the external repository and verify that AWS CloudFormation can support it.

AWS managed policy: AWSServiceCatalogOrgsDataSyncServiceRolePolicy

AWS Service Catalog attaches this policy to the AWSServiceRoleForServiceCatalogOrgsDataSync service-linked role (SLR), allowing AWS Service Catalog to sync with AWS Organizations.

This policy grants permissions that allow limited access to AWS Service Catalog actions (for example, API calls) and to the other AWS service actions that AWS Service Catalog depends on.

This policy includes the following permissions.

  • organizations – Allows the AWS Service Catalog data sync role limited access to AWS Organizations public APIs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrganizationsDataSyncToServiceCatalog",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}

AWS Service Catalog uses the permission details above for the AWSServiceRoleForServiceCatalogOrgsDataSync service-linked role that is created when a user enables AWS Organizations shared portfolio access or creates a portfolio share. You can modify this policy using the AWS CLI, AWS API, or through the AWS Service Catalog console. For more information on how to create, edit, and delete service-linked roles, refer to Using service-linked roles (SLRs) for AWS Service Catalog.

The permissions included in the AWSServiceRoleForServiceCatalogOrgsDataSync service-linked role allow AWS Service Catalog to perform the following actions on behalf of the customer.

  • organizations:DescribeAccount — Allows the AWS Service Catalog Organizations Data Sync role to retrieve AWS Organizations-related information about the specified account.

  • organizations:DescribeOrganization — Allows the AWS Service Catalog Organizations Data Sync role to retrieve information about the organization that the user's account belongs to.

  • organizations:ListAccounts — Allows the AWS Service Catalog Organizations Data Sync role to list the accounts in the user's organization.

  • organizations:ListChildren — Allows the AWS Service Catalog Organizations Data Sync role to list all of the organizational units (OUs) or accounts that are contained in the specified parent OU or root.

  • organizations:ListParents — Allows the AWS Service Catalog Organizations Data Sync role to list the root or OUs that serve as the immediate parent of the specified child OU or account.

  • organizations:ListAWSServiceAccessForOrganization — Allows the AWS Service Catalog Organizations Data Sync role to retrieve a list of the AWS services that the user enabled to integrate with their organization.

Deprecated policies

The following managed policies are deprecated:

  • ServiceCatalogAdminFullAccess — Use AWSServiceCatalogAdminFullAccess instead.

  • ServiceCatalogAdminReadOnlyAccess — Use AWSServiceCatalogAdminReadOnlyAccess instead.

  • ServiceCatalogEndUserFullAccess — Use AWSServiceCatalogEndUserFullAccess instead.

  • ServiceCatalogEndUserAccess — Use AWSServiceCatalogEndUserReadOnlyAccess instead.

To ensure that your administrators and end users are granted permissions through the current policies, migrate them from the deprecated policies. For the steps, see Adding and removing IAM identity permissions in the AWS Identity and Access Management User Guide.

AppRegistry updates to AWS managed policies

View details about updates to AWS managed policies for AppRegistry since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AppRegistry Document history page.

Each entry below gives the change, its description, and the date it took effect.

AWSServiceCatalogAdminFullAccess – Update managed policy (April 14, 2023)

AWS Service Catalog updated the AWSServiceCatalogAdminFullAccess policy to include permissions required for the AWS Service Catalog administrator to create the AWSServiceRoleForServiceCatalogOrgsDataSync service-linked role (SLR) in their account.

AWSServiceCatalogOrgsDataSyncServiceRolePolicy – New managed policy (April 14, 2023)

AWS Service Catalog added the AWSServiceCatalogOrgsDataSyncServiceRolePolicy, which is attached to the AWSServiceRoleForServiceCatalogOrgsDataSync service-linked role (SLR), allowing AWS Service Catalog to sync with AWS Organizations. This policy allows limited access to AWS Service Catalog actions (for example, API calls), and to other AWS service actions that AWS Service Catalog depends on.

AWSServiceCatalogAdminFullAccess – Update managed policy (January 12, 2023)

AWS Service Catalog updated the AWSServiceCatalogAdminFullAccess policy to include all permissions for the AWS Service Catalog Administrator and create compatibility with AppRegistry.

AWSServiceCatalogSyncServiceRolePolicy – New managed policy (November 18, 2022)

AWS Service Catalog added the AWSServiceCatalogSyncServiceRolePolicy policy, which is attached to the AWSServiceRoleForServiceCatalogSync service-linked role (SLR). This policy allows AWS Service Catalog to sync templates in an external repository to AWS Service Catalog products.

AWSServiceRoleForServiceCatalogSync – New service-linked role (November 18, 2022)

AWS Service Catalog added the AWSServiceRoleForServiceCatalogSync service-linked role (SLR). This role is required for AWS Service Catalog to use CodeConnections and to create, update, and describe AWS Service Catalog Provisioning Artifacts for a product.

AWSServiceCatalogAdminFullAccess – Updated managed policy (September 30, 2022)

AWS Service Catalog updated the AWSServiceCatalogAdminFullAccess policy to include all of the required permissions for an AWS Service Catalog administrator. The policy identifies the specific actions an administrator can take on all AWS Service Catalog resources, such as create, describe, delete, and more. Additionally, the policy was changed to support a recently launched feature, Attribute Based Access Control (ABAC) for AWS Service Catalog. ABAC allows you to use the AWSServiceCatalogAdminFullAccess policy as a template to allow or deny actions on AWS Service Catalog resources based on tags. For more information about ABAC, see What is ABAC for AWS in AWS Identity and Access Management.

AppRegistry started tracking changes (September 15, 2022)

AppRegistry started tracking changes for its AWS managed policies.