Control account instance creation with Services Control Policies

Users can create an instance of IAM Identity Center that is bound to a single AWS account, called an account instance of IAM Identity Center. You can control account instance creation with Service Control Policies (SCP).

Open the IAM Identity Center console.
On the Dashboard, in the Central management section, choose the Prevent account instances button.
In the Attach SCP to prevent creation of new account instances dialog box, an SCP is provided for you. Copy the SCP and choose the Go to SCP dashboard button. You'll be directed to the AWS Organizations console to create the SCP or attach it as a statement to an existing SCP.

Service control policies are a feature of AWS Organizations. For instructions on attaching an SCP, see Attaching and detaching service control policies in the AWS Organizations User Guide.

Rather than prevent account instance creation, you can limit account instance creation to a specific AWS account within your organization:

Example : SCP to control instance creation


{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Sid": "DenyMemberAccountInstances",
            "Effect": "Deny",
            "Action": "sso:CreateInstance",
            "Resource": "*",
            "Condition": {
                 "StringNotEquals": {
                    "aws:PrincipalAccount": ["<ALLOWED-ACCOUNT-ID>"]
                }
            }
        }
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Enable account instances

Create an account instance