AWS managed policies for IAM Identity Center
To create IAM customer managed policies that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
New actions that allow you to list and delete user sessions are available under the new namespace identitystore-auth. Any additional permissions for actions in this namespace will be updated on this page. When creating your custom IAM policies, avoid using * after identitystore-auth (that is, identitystore-auth:*), because this applies to all actions that exist in the namespace today or in the future.
AWS managed policy: AWSSSOMasterAccountAdministrator
The AWSSSOMasterAccountAdministrator policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an AWS IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.
You can attach the AWSSSOMasterAccountAdministrator policy to your IAM identities. When you attach the AWSSSOMasterAccountAdministrator policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create an IAM Identity Center instance, users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator will be granted these permissions automatically.
Permissions groupings
This policy is grouped into statements based on the set of permissions provided.
- AWSSSOMasterAccountAdministrator – Allows IAM Identity Center to pass the service role named AWSServiceRoleForSSO to IAM Identity Center so that it can later assume the role and perform actions on their behalf. This is necessary when the person or application attempts to enable IAM Identity Center. For more information, see AWS account access.
- AWSSSOMemberAccountAdministrator – Allows IAM Identity Center to perform account administrator actions in a multi-account AWS environment. For more information, see AWS managed policy: AWSSSOMemberAccountAdministrator.
- AWSSSOManageDelegatedAdministrator – Allows IAM Identity Center to register and deregister a delegated administrator for your organization.
To view the permissions for this policy, see AWSSSOMasterAccountAdministrator in AWS Managed Policy Reference.
Additional information about this policy
When IAM Identity Center is enabled for the first time, the IAM Identity Center service creates a service-linked role in the AWS Organizations management account (formerly master account) so that IAM Identity Center can manage the resources in your account. The actions required are iam:CreateServiceLinkedRole and iam:PassRole, which are shown in the following snippets.
```json
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "AWSSSOCreateSLR",
      "Effect" : "Allow",
      "Action" : "iam:CreateServiceLinkedRole",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO",
      "Condition" : {
        "StringLike" : {
          "iam:AWSServiceName" : "sso.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AWSSSOMasterAccountAdministrator",
      "Effect" : "Allow",
      "Action" : "iam:PassRole",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO",
      "Condition" : {
        "StringLike" : {
          "iam:PassedToService" : "sso.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AWSSSOMemberAccountAdministrator",
      "Effect" : "Allow",
      "Action" : [
        "ds:DescribeTrusts",
        "ds:UnauthorizeApplication",
        "ds:DescribeDirectories",
        "ds:AuthorizeApplication",
        "iam:ListPolicies",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:DescribeOrganization",
        "organizations:ListChildren",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListDelegatedAdministrators",
        "sso:*",
        "sso-directory:*",
        "identitystore:*",
        "identitystore-auth:*",
        "ds:CreateAlias",
        "access-analyzer:ValidatePolicy",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole",
        "signin:ListTrustedIdentityPropagationApplicationsForConsole"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "AWSSSOManageDelegatedAdministrator",
      "Effect" : "Allow",
      "Action" : [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "organizations:ServicePrincipal" : "sso.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowDeleteSyncProfile",
      "Effect": "Allow",
      "Action": [
        "identity-sync:DeleteSyncProfile"
      ],
      "Resource": [
        "arn:aws:identity-sync:*:*:profile/*"
      ]
    }
  ]
}
```
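The note above warns against identitystore-auth:* in custom policies, and the managed policy shows iam:PassRole scoped by an iam:PassedToService condition. The following linter, added here as an example and not AWS code, checks a policy document for both: Allow statements that wildcard a watched namespace, and iam:PassRole grants with no iam:PassedToService condition. The sample policy it runs against is constructed for the example.

```python
"""Lint an IAM policy document for two hazards: wildcard actions under
identitystore-auth (or any namespace passed in), and iam:PassRole grants
that are not limited by an iam:PassedToService condition."""
import json
from fnmatch import fnmatch

# Constructed sample policy: one statement uses the discouraged wildcard,
# one grants PassRole with no PassedToService condition, one is scoped.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SessionAdmin", "Effect": "Allow",
         "Action": ["identitystore-auth:*", "identitystore:DescribeUser"],
         "Resource": "*"},
        {"Sid": "UnscopedPassRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "ScopedPassRole", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO",
         "Condition": {"StringLike": {"iam:PassedToService": "sso.amazonaws.com"}}},
    ],
})


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, namespaces=("identitystore-auth",)):
    """Return (Sid, finding) tuples for Allow statements in the policy."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement only narrows access
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in actions:
            service, _, name = action.partition(":")
            # "identitystore-auth:*" and "identitystore-auth:Delete*" both
            # cover actions added to the namespace in the future; a bare
            # "*" covers every namespace.
            if action == "*" or (service in namespaces and "*" in name):
                findings.append((sid, f"wildcard action {action}"))
        # fnmatch so that "iam:*" and "*" are treated as granting PassRole
        if any(fnmatch("iam:passrole", a) for a in actions):
            cond = stmt.get("Condition", {})
            keys = {k.lower() for block in cond.values() for k in block}
            if "iam:passedtoservice" not in keys:
                findings.append((sid, "iam:PassRole without iam:PassedToService condition"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```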
AWS managed policy: AWSSSOMemberAccountAdministrator
The AWSSSOMemberAccountAdministrator policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.
You can attach the AWSSSOMemberAccountAdministrator policy to your IAM identities. When you attach the AWSSSOMemberAccountAdministrator policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator is granted these permissions automatically.
To view the permissions for this policy, see AWSSSOMemberAccountAdministrator in AWS Managed Policy Reference.
Additional information about this policy
IAM Identity Center administrators manage users, groups, and passwords in their Identity Center directory store (sso-directory). The account admin role includes permissions for the following actions:
- "sso:*"
- "sso-directory:*"
IAM Identity Center administrators need limited permissions to the following AWS Directory Service actions to perform daily tasks.
- "ds:DescribeTrusts"
- "ds:UnauthorizeApplication"
- "ds:DescribeDirectories"
- "ds:AuthorizeApplication"
- "ds:CreateAlias"
These permissions allow IAM Identity Center administrators to identify existing directories and manage applications so that they can be configured for use with IAM Identity Center. For more information about each of these actions, see AWS Directory Service API permissions: Actions, resources, and conditions reference.
IAM Identity Center uses IAM policies to grant permissions to IAM Identity Center users. IAM Identity Center administrators create permission sets and attach policies to them. The IAM Identity Center administrator must have the permissions to list the existing policies so that they can choose which policies to use with the permission set they are creating or updating. To set secure and functional permissions, the IAM Identity Center administrator must have permissions to run the IAM Access Analyzer policy validation.
- "iam:ListPolicies"
- "access-analyzer:ValidatePolicy"
IAM Identity Center administrators need limited access to the following AWS Organizations actions to perform daily tasks:
- "organizations:EnableAWSServiceAccess"
- "organizations:ListRoots"
- "organizations:ListAccounts"
- "organizations:ListOrganizationalUnitsForParent"
- "organizations:ListAccountsForParent"
- "organizations:DescribeOrganization"
- "organizations:ListChildren"
- "organizations:DescribeAccount"
- "organizations:ListParents"
- "organizations:ListDelegatedAdministrators"
- "organizations:RegisterDelegatedAdministrator"
- "organizations:DeregisterDelegatedAdministrator"
These permissions allow IAM Identity Center administrators the ability to work with organization resources (accounts) for basic IAM Identity Center administrative tasks such as the following:
- Identifying the management account that belongs to the organization
- Identifying the member accounts that belong to the organization
- Enabling AWS service access for accounts
- Setting up and managing a delegated administrator
For more information about using a delegated administrator with IAM Identity Center, see Delegated administration. For more information about how these permissions are used with AWS Organizations, see Using AWS Organizations with other AWS services.
AWS managed policy: AWSSSODirectoryAdministrator
You can attach the AWSSSODirectoryAdministrator policy to your IAM identities.
This policy grants administrative permissions over IAM Identity Center users and groups. Principals with this policy attached can make any updates to IAM Identity Center users and groups.
To view the permissions for this policy, see AWSSSODirectoryAdministrator in AWS Managed Policy Reference.
AWS managed policy: AWSSSOReadOnly
You can attach the AWSSSOReadOnly policy to your IAM identities.
This policy grants read-only permissions that allow users to view information in IAM Identity Center. Principals with this policy attached cannot view the IAM Identity Center users or groups directly. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center settings, but cannot change any of the setting values.
To view the permissions for this policy, see AWSSSOReadOnly in AWS Managed Policy Reference.
AWS managed policy: AWSSSODirectoryReadOnly
You can attach the AWSSSODirectoryReadOnly policy to your IAM identities.
This policy grants read-only permissions that allow users to view users and groups in IAM Identity Center. Principals with this policy attached cannot view IAM Identity Center assignments, permission sets, applications, or settings. Principals with this policy attached can't make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center users, but they can't change any user attributes or assign MFA devices.
To view the permissions for this policy, see AWSSSODirectoryReadOnly in AWS Managed Policy Reference.
AWS managed policy: AWSIdentitySyncFullAccess
You can attach the AWSIdentitySyncFullAccess policy to your IAM identities.
Principals with this policy attached have full access permissions to create and delete sync profiles, associate or update a sync profile with a sync target, create, list and delete sync filters, and start or stop synchronization.
Permission details
To view the permissions for this policy, see AWSIdentitySyncFullAccess in AWS Managed Policy Reference.
AWS managed policy: AWSIdentitySyncReadOnlyAccess
You can attach the AWSIdentitySyncReadOnlyAccess policy to your IAM identities.
This policy grants read-only permissions that allow users to view information about the identity synchronization profile, filters, and target settings. Principals with this policy attached can't make any updates to synchronization settings. For example, principals with these permissions can view identity synchronization settings, but can't change any of the profile or filter values.
To view the permissions for this policy, see AWSIdentitySyncReadOnlyAccess in AWS Managed Policy Reference.
AWS managed policy: AWSSSOServiceRolePolicy
You can't attach the AWSSSOServiceRolePolicy policy to your IAM identities.
This policy is attached to a service-linked role that allows IAM Identity Center to delegate and enforce which users have single sign-on access to specific AWS accounts in AWS Organizations. When you enable IAM Identity Center, a service-linked role is created in all of the AWS accounts within your organization. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. Service-linked roles that are created in each AWS account are named AWSServiceRoleForSSO. For more information, see Using service-linked roles for IAM Identity Center.
AWS managed policy: AWSIAMIdentityCenterAllowListForIdentityContext
When assuming a role with the IAM Identity Center identity context, AWS Security Token Service (AWS STS) automatically attaches the AWSIAMIdentityCenterAllowListForIdentityContext policy to the role.
This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context. All other actions that are called with this context are blocked. The identity context is passed as ProvidedContext.
To view the permissions for this policy, see AWSIAMIdentityCenterAllowListForIdentityContext in AWS Managed Policy Reference.
IAM Identity Center updates to AWS managed policies
The following table describes the updates to AWS managed policies for IAM Identity Center since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM Identity Center Document history page.
Change | Description | Date |
---|---|---|
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | October 2, 2024 |
AWSSSOMasterAccountAdministrator | IAM Identity Center added a new action to grant DeleteSyncProfile permissions to allow you to use this policy to delete sync profiles. This action is associated with the DeleteInstance API. | September 26, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | September 4, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | July 12, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | June 27, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | May 17, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | April 30, 2024 |
AWSSSOMasterAccountAdministrator | This policy now includes the | April 26, 2024 |
AWSSSOMemberAccountAdministrator | This policy now includes the | April 26, 2024 |
AWSSSOReadOnly | This policy now includes the | April 26, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | April 26, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | April 24, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | April 19, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | April 11, 2024 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy now includes the | November 26, 2023 |
AWSIAMIdentityCenterAllowListForIdentityContext | This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context. | November 15, 2023 |
AWSSSODirectoryReadOnly | This policy now includes the new namespace | February 21, 2023 |
AWSSSOServiceRolePolicy | This policy now allows the | October 20, 2022 |
AWSSSOMasterAccountAdministrator | This policy now includes the new namespace | October 20, 2022 |
AWSSSOMemberAccountAdministrator | This policy now includes the new namespace | October 20, 2022 |
AWSSSODirectoryAdministrator | This policy now includes the new namespace | October 20, 2022 |
AWSSSOMasterAccountAdministrator | This policy now includes new permissions to call | August 16, 2022 |
AWSSSOMemberAccountAdministrator | This policy now includes new permissions to call | August 16, 2022 |
AWSSSOReadOnly | This policy now includes new permissions to call | August 11, 2022 |
AWSSSOServiceRolePolicy | This policy now includes new permissions to call | July 14, 2022 |
AWSSSOServiceRolePolicy | This policy now includes new permissions that allow calls to ListAWSServiceAccessForOrganization and in AWS Organizations. | May 11, 2022 |
AWSSSOMasterAccountAdministrator | Add IAM Access Analyzer permissions that allow a principal to use the policy checks for validation. | April 28, 2022 |
AWSSSOMasterAccountAdministrator | This policy now allows all IAM Identity Center Identity Store service actions. For information about the actions available in the IAM Identity Center Identity Store service, see the IAM Identity Center Identity Store API Reference. | March 29, 2022 |
AWSSSOMemberAccountAdministrator | This policy now allows all IAM Identity Center Identity Store service actions. | March 29, 2022 |
AWSSSODirectoryAdministrator | This policy now allows all IAM Identity Center Identity Store service actions. | March 29, 2022 |
AWSSSODirectoryReadOnly | This policy now grants access to the IAM Identity Center Identity Store service read actions. This access is required to retrieve user and group information from the IAM Identity Center Identity Store service. | March 29, 2022 |
AWSIdentitySyncFullAccess | This policy allows full access to identity-sync permissions. | March 3, 2022 |
AWSIdentitySyncReadOnlyAccess | This policy grants read-only permissions that allow a principal to view identity-sync settings. | March 3, 2022 |
AWSSSOReadOnly | This policy grants read-only permissions that allow a principal to view IAM Identity Center configuration settings. | August 4, 2021 |
IAM Identity Center started tracking changes | IAM Identity Center started tracking changes for AWS managed policies. | August 4, 2021 |