Control account instance creation with Services Control Policies - AWS IAM Identity Center

Control account instance creation with Services Control Policies

If you enabled IAM Identity Center before November 2023, you can choose whether member accounts can create an account instance of IAM Identity Center, which is an instance of IAM Identity Center that's bound to a single AWS account. Otherwise, by default, member accounts in your organization already have the option to create an account instance. Enabling member accounts to create account instances isn't reversible, but you can use a Service Control Policy (SCP) to prevent or limit account instance creation.

SCPs are a feature of AWS Organizations. For instructions on attaching an SCP, see Attaching and detaching service control policies in the AWS Organizations User Guide.

Prevent account instances

Use the following procedure to generate an SCP that prevents member accounts from creating account instances of IAM Identity Center.

  1. Open the IAM Identity Center console.

  2. On the Dashboard, in the Central management section, choose the Prevent account instances button.

  3. In the Attach SCP to prevent creation of new account instances dialog box, an SCP is provided for you. Copy the SCP and choose the Go to SCP dashboard button. You'll be directed to the AWS Organizations console to create the SCP or attach it as a statement to an existing SCP.

Limit account instances

Rather than prevent account instance creation, you can limit account instance creation to a specific AWS account within your organization:

Example : SCP to control instance creation
{ "Version": "2012-10-17", "Statement" : [ { "Sid": "DenyMemberAccountInstances", "Effect": "Deny", "Action": "sso:CreateInstance", "Resource": "*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"] } } } ] }

For more information on IAM and policy identifiers, see the following: