

# Identity and access management for IAM Identity Center
<a name="iam-auth-access"></a>

Access to IAM Identity Center requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an AWS managed application. 

Authentication to the AWS access portal is controlled by the directory that you have connected to IAM Identity Center. However, authorization to the AWS accounts that are available to users from within the AWS access portal is determined by two factors:

1. Who has been assigned access to those AWS accounts in the IAM Identity Center console. For more information, see [Single sign-on access to AWS accounts](useraccess.md).

1. What level of permissions have been granted to the users in the IAM Identity Center console to allow them the appropriate access to those AWS accounts. For more information, see [Create, manage, and delete permission sets](permissionsets.md).

The following sections explain how you as an administrator can control access to the IAM Identity Center console or can delegate administrative access for day-to-day tasks from the IAM Identity Center console. 
+ [Authentication](#authentication)
+ [Access control](#accesscontrol)

## Authentication
<a name="authentication"></a>

Learn how to access AWS using [IAM identities](https://docs.aws.amazon.com//IAM/latest/UserGuide/id.html).

## Access control
<a name="accesscontrol"></a>

You can have valid credentials to authenticate your requests, but unless you have permissions, you cannot create or access IAM Identity Center resources. For example, you must have permissions to create an IAM Identity Center connected directory.

**Note**  
If your IAM Identity Center instance is configured with a customer managed KMS key, your IAM Identity Center administrators and other actors who need access to the KMS key will need additional permissions. Refer to [Implementing customer managed KMS keys in AWS IAM Identity Center](identity-center-customer-managed-keys.md).

The following sections describe how to manage permissions for IAM Identity Center. We recommend that you read the overview first.

+ [Overview of managing access permissions to your IAM Identity Center resources](iam-auth-access-overview.md)
+ [Identity-based policy examples for IAM Identity Center](iam-auth-access-using-id-policies.md)
+ [Resource-based policy example for IAM Identity Center](iam-auth-access-using-resource-based-policies.md)
+ [Using service-linked roles for IAM Identity Center](using-service-linked-roles.md)

# Overview of managing access permissions to your IAM Identity Center resources
<a name="iam-auth-access-overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access the resources are governed by permissions policies. To provide access, an account administrator can add permissions to IAM identities (that is, users, groups, and roles). Some services (such as AWS Lambda) also support adding permissions to resources.

**Note**  
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

**Topics**
+ [IAM Identity Center resources and operations](#creatingiampolicies)
+ [Understanding resource ownership](#accesscontrolresourceowner)
+ [Managing access to resources](#accesscontrolmanagingaccess)
+ [Specifying policy elements: actions, effects, resources, and principals](#policyactions)
+ [Specifying conditions in a policy](#specifyiampolicyconditions)

## IAM Identity Center resources and operations
<a name="creatingiampolicies"></a>

In IAM Identity Center, the primary resources are application instances, profiles, and permission sets. 

## Understanding resource ownership
<a name="accesscontrolresourceowner"></a>

A *resource owner* is the AWS account that created a resource. That is, the resource owner is the AWS account of the *principal entity* (the account, a user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works: 
+ If the AWS account root user creates an IAM Identity Center resource, such as an application instance or permission set, your AWS account is the owner of that resource.
+ If you create a user in your AWS account and grant that user permissions to create IAM Identity Center resources, the user can then create IAM Identity Center resources. However, your AWS account, to which the user belongs, owns the resources.
+ If you create an IAM role in your AWS account with permissions to create IAM Identity Center resources, anyone who can assume the role can create IAM Identity Center resources. Your AWS account, to which the role belongs, owns the IAM Identity Center resources. 

## Managing access to resources
<a name="accesscontrolmanagingaccess"></a>

A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of IAM Identity Center. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies that are attached to an IAM identity are referred to as *identity-based* policies (IAM policies). Policies that are attached to a resource are referred to as *resource-based* policies. IAM Identity Center supports only identity-based policies (IAM policies).

**Topics**
+ [Identity-based policies (IAM policies)](#accesscontrolidentitybased)
+ [Resource-based policies](#accesscontrolresourcebased)

### Identity-based policies (IAM policies)
<a name="accesscontrolidentitybased"></a>

You can add permissions to IAM identities. For example, you can do the following: 
+ **Attach a permissions policy to a user or a group in your AWS account** – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to add an IAM Identity Center resource, such as a new application. 
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. 

   For more information about using IAM to delegate permissions, see [Access management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. 

The following permissions policy grants a user permission to run all of the actions that begin with `List`. These actions show information about an IAM Identity Center resource, such as an application instance or permission set. Note that the wildcard character (`*`) in the `Resource` element indicates that the actions are allowed for all IAM Identity Center resources that are owned by the account. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"sso:List*",
         "Resource":"*"
      }
   ]
}
```

For more information about using identity-based policies with IAM Identity Center, see [Identity-based policy examples for IAM Identity Center](iam-auth-access-using-id-policies.md). For more information about users, groups, roles, and permissions, see [Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies
<a name="accesscontrolresourcebased"></a>

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. IAM Identity Center doesn't support resource-based policies. 

## Specifying policy elements: actions, effects, resources, and principals
<a name="policyactions"></a>

For each IAM Identity Center resource (see [IAM Identity Center resources and operations](#creatingiampolicies)), the service defines a set of API operations. To grant permissions for these API operations, IAM Identity Center defines a set of actions that you can specify in a policy. Note that performing an API operation can require permissions for more than one action. 

The following are the basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies.
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, the `sso:DescribePermissionsPolicies` permission grants the user permission to perform the IAM Identity Center `DescribePermissionsPolicies` operation. 
+ **Effect** – You specify the effect, either allow or deny, that applies when the user requests the specific action. If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. In resource-based policies, you specify the user, account, service, or other entity that you want to receive the permissions. IAM Identity Center doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see [AWS IAM policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

## Specifying conditions in a policy
<a name="specifyiampolicyconditions"></a>

When you grant permissions, you can use the access policy language to specify the conditions that are required for a policy to take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

To express conditions, you use predefined condition keys. There are no condition keys specific to IAM Identity Center. However, there are AWS condition keys that you can use as appropriate. For a complete list of AWS keys, see [Available global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*. 

# Identity-based policy examples for IAM Identity Center
<a name="iam-auth-access-using-id-policies"></a>

This topic provides examples of IAM policies that you can create to grant users and roles permissions to administer IAM Identity Center. 

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your IAM Identity Center resources. For more information, see [Overview of managing access permissions to your IAM Identity Center resources](iam-auth-access-overview.md).

The sections in this topic cover the following:
+ [Custom policy examples](#policyexample)
+ [Permissions required to use the IAM Identity Center console](#requiredpermissionsconsole)

## Custom policy examples
<a name="policyexample"></a>

This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies, which do not specify the Principal element. This is because with an identity-based policy, you do not specify the principal who gets the permission. Instead, you attach the policy to the principal. When you attach an identity-based permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

**Note**  
Use these examples when you create policies for your environment and make sure to test for both positive (“access granted”) and negative (“access denied”) test cases before you deploy these policies in your production environment. For more information about testing IAM policies, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
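The following Python is an added example, not code from the AWS documentation: an offline checker that applies the evaluation rules described above (Action and Resource wildcards such as `sso:List*`, implicit deny when no statement matches, explicit deny overriding allow) and runs positive and negative test cases against a policy before deployment. The embedded policies are this page's `sso:List*` example and the `AccessToSSOProvisionedRoles` statement from Example 2 below; the Deny variant, the role ARN, and the omission of `Condition`, `NotAction` and `NotResource` are this example's own simplifications, so the IAM policy simulator remains the authoritative check.

```python
import re

# Identity-based policies taken from this page: the List* example and the
# AccessToSSOProvisionedRoles statement from Example 2.
LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sso:List*", "Resource": "*"}],
}

PROVISIONED_ROLES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:PutRolePolicy"],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*",
        }
    ],
}

# Constructed variant: the List* grant plus an explicit Deny on one action,
# to show that a Deny wins even though the Allow also matches.
LIST_EXCEPT_ASSIGNMENTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sso:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sso:ListAccountAssignments", "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource="*"):
    """Decide one request against one policy.

    Returns "Allow", "Deny" (an explicit Deny matched) or "ImplicitDeny"
    (no statement matched).  Action names match case-insensitively and ARNs
    case-sensitively, as in IAM.  Condition, NotAction and NotResource are
    not modelled (a simplification of this example, not of IAM).
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    decision = "ImplicitDeny"
    for stmt in statements:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_glob_match(p, action, False) for p in actions):
            continue
        if not any(_glob_match(p, resource, True) for p in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def failed_cases(policy, cases):
    """Run positive and negative test cases before deploying a policy.

    `cases` is a list of (action, resource, expected_decision).  Returns the
    cases whose actual decision differs from the expectation, so an empty
    list means the policy behaves as intended for every listed case.
    """
    failures = []
    for action, resource, expected in cases:
        actual = evaluate(policy, action, resource)
        if actual != expected:
            failures.append((action, resource, expected, actual))
    return failures


if __name__ == "__main__":
    # Constructed role ARN in the path that IAM Identity Center provisions.
    sso_role = ("arn:aws:iam::111122223333:role/aws-reserved/"
                "sso.amazonaws.com/AWSReservedSSO_Admin_0123456789abcdef")
    print(failed_cases(LIST_POLICY, [
        ("sso:ListPermissionSets", "*", "Allow"),          # positive case
        ("sso:CreatePermissionSet", "*", "ImplicitDeny"),  # negative case
    ]))
    print(failed_cases(PROVISIONED_ROLES_POLICY, [
        ("iam:CreateRole", sso_role, "Allow"),
        ("iam:CreateRole", "arn:aws:iam::111122223333:role/Admin", "ImplicitDeny"),
    ]))
```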

**Topics**
+ [Example 1: Allow a user to view IAM Identity Center](#policyexamplesetupenable)
+ [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory)
+ [Example 3: Allow a user to manage applications in IAM Identity Center](#policyexamplemanageapplication)
+ [Example 4: Allow a user to manage users and groups in your Identity Center directory](#policyexamplemanageusersgroups)

### Example 1: Allow a user to view IAM Identity Center
<a name="policyexamplesetupenable"></a>

The following permissions policy grants read-only permissions to a user so they can view all the settings and directory information configured in IAM Identity Center. 

**Note**  
This policy is provided for example purposes only. In a production environment, we recommend that you use the `ViewOnlyAccess` AWS managed policy for IAM Identity Center.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "iam:ListPolicies",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet",
                "sso:GetInlinePolicyForPermissionSet",
                "sso-directory:DescribeDirectory",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

### Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center
<a name="policyexamplemanageconnecteddirectory"></a>

The following permissions policy grants permissions to allow a user to create, manage, and deploy permission sets for your AWS accounts. 

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetSAMLProvider"
            ],
            "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
    ]
}
```

**Note**  
The additional permissions listed under the `"Sid": "IAMListPermissions"`, and `"Sid": "AccessToSSOProvisionedRoles"` sections are required only to enable the user to create assignments in the AWS Organizations management account. In certain cases, you may also need to add `iam:UpdateSAMLProvider` to these sections.

### Example 3: Allow a user to manage applications in IAM Identity Center
<a name="policyexamplemanageapplication"></a>

The following permissions policy grants permissions to allow a user to view and configure applications in IAM Identity Center, including pre-integrated SaaS applications from within the IAM Identity Center catalog. 

**Note**  
The `sso:AssociateProfile` operation used in the following policy example is required for management of user and group assignments to applications. It also allows a user to assign users and groups to AWS accounts by using existing permission sets. If a user must manage AWS account access within IAM Identity Center, and requires permissions necessary to manage permission sets, see [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory).

As of October 2020, many of these operations are available only through the AWS console. This example policy includes “read” actions such as list, get, and search, which are relevant to the error-free operation of the console for this case.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AssociateProfile",
                "sso:CreateApplicationInstance",
                "sso:ImportApplicationInstanceServiceProviderMetadata",
                "sso:DeleteApplicationInstance",
                "sso:DeleteProfile",
                "sso:DisassociateProfile",
                "sso:GetApplicationTemplate",
                "sso:UpdateApplicationInstanceServiceProviderConfiguration",
                "sso:UpdateApplicationInstanceDisplayData",
                "sso:DeleteManagedApplicationInstance",
                "sso:UpdateApplicationInstanceStatus",
                "sso:GetManagedApplicationInstance",
                "sso:UpdateManagedApplicationInstanceStatus",
                "sso:CreateManagedApplicationInstance",
                "sso:UpdateApplicationInstanceSecurityConfiguration",
                "sso:UpdateApplicationInstanceResponseConfiguration",
                "sso:GetApplicationInstance",
                "sso:CreateApplicationInstanceCertificate",
                "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
                "sso:UpdateApplicationInstanceActiveCertificate",
                "sso:DeleteApplicationInstanceCertificate",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListApplicationInstances",
                "sso:ListDirectoryAssociations",
                "sso:ListProfiles",
                "sso:ListProfileAssociations",
                "sso:ListInstances",
                "sso:GetProfile",
                "sso:GetSSOStatus",
                "sso:GetSsoConfiguration",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeUsers",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

### Example 4: Allow a user to manage users and groups in your Identity Center directory
<a name="policyexamplemanageusersgroups"></a>

The following permissions policy grants permissions to allow a user to create, view, modify, and delete users and groups in IAM Identity Center. 

In some cases, direct modifications to users and groups in IAM Identity Center are restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:ListGroupsForUser",
                "sso-directory:DisableUser",
                "sso-directory:EnableUser",
                "sso-directory:SearchGroups",
                "sso-directory:DeleteGroup",
                "sso-directory:AddMemberToGroup",
                "sso-directory:DescribeDirectory",
                "sso-directory:UpdateUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:CreateUser",
                "sso-directory:DescribeGroups",
                "sso-directory:SearchUsers",
                "sso:ListDirectoryAssociations",
                "sso-directory:RemoveMemberFromGroup",
                "sso-directory:DeleteUser",
                "sso-directory:DescribeUsers",
                "sso-directory:UpdateGroup",
                "sso-directory:CreateGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

## Permissions required to use the IAM Identity Center console
<a name="requiredpermissionsconsole"></a>

For a user to work with the IAM Identity Center console without errors, additional permissions are required. If an IAM policy has been created that is more restrictive than the minimum required permissions, the console will not function as intended for users with that policy. The following example lists the set of permissions that might be needed to ensure error-free operation within the IAM Identity Center console.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DescribePermissionSetProvisioningStatus",
                "sso:DescribeRegisteredRegions",
                "sso:GetApplicationInstance",
                "sso:GetApplicationTemplate",
                "sso:GetInlinePolicyForPermissionSet",
                "sso:GetManagedApplicationInstance",
                "sso:GetMfaDeviceManagementForDirectory",
                "sso:GetPermissionSet",
                "sso:GetProfile",
                "sso:GetSharedSsoConfiguration",
                "sso:GetSsoConfiguration",
                "sso:GetSSOStatus",
                "sso:GetTrust",
                "sso:ListAccountAssignmentCreationStatus",
                "sso:ListAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplications",
                "sso:ListApplicationTemplates",
                "sso:ListDirectoryAssociations",
                "sso:ListInstances",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetProvisioningStatus",
                "sso:ListPermissionSets",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListProfileAssociations",
                "sso:ListProfiles",
                "sso:ListTagsForResource",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeGroups",
                "sso-directory:DescribeUsers",
                "sso-directory:ListGroupsForUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

# Resource-based policy example for IAM Identity Center
<a name="iam-auth-access-using-resource-based-policies"></a>

Every application that works with IAM Identity Center and uses [OAuth 2.0](customermanagedapps-saml2-oauth2.md#oidc-concept) requires a resource-based policy. The application can be customer managed or AWS managed. The required resource-based policy, called the *application policy* (or [ActorPolicy](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_IamAuthenticationMethod.html#API_IamAuthenticationMethod_Contents) in the APIs), defines which [IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying) are authorized to call IAM authentication method API actions such as [https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html). The IAM authentication method allows an IAM principal, such as an IAM role or an AWS service, to authenticate to the IAM Identity Center OIDC service by presenting IAM credentials to request or manage access tokens at the **/token?aws_iam=t** endpoint. 

The application policy governs operations for issuing tokens (`CreateTokenWithIAM`). The policy also governs permission-only actions that are used only by AWS managed applications for validating tokens (`IntrospectTokenWithIAM`) and revoking tokens (`RevokeTokenWithIAM`). For a customer managed application, you configure this policy by specifying which IAM principals are authorized to call `CreateTokenWithIAM`. When an authorized principal calls this API action, the principal receives access and refresh tokens for the application. 

If you are using the IAM Identity Center console to set up a customer managed application for [trusted identity propagation](trustedidentitypropagation-overview.md), see Step 4 in [Set up customer managed OAuth 2.0 applications](customermanagedapps-trusted-identity-propagation-set-up-your-own-app-OAuth2.md) for information about how to configure the application policy. For an example policy, see [Example policy: Allow an IAM role to create access and refresh tokens](#oauth-application-policy-example) later in this topic.

## Policy requirements
<a name="oauth-application-policy-requirements"></a>

The policy must meet the following requirements:
+ The policy must include a `Version` element set to `"2012-10-17"`.
+ The policy must include at least one `Statement` element.
+ Each policy `Statement` must include the following elements: `Effect`, `Principal`, `Action`, and `Resource`.

## Policy elements
<a name="oauth-application-policy-elements"></a>

The policy must include the following elements:

**Version**  
Specifies the policy document version. Set the version to `2012-10-17` (the latest version).

**Statement**  
Contains the policy `Statements`. The policy must contain at least one `Statement`.  
Each policy `Statement` consists of the following elements.    
**Effect**  
(Required) Determines whether to allow or deny the permissions in the policy statement. Valid values are `Allow` or `Deny`.   
**Principal**  
(Required) The [principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying) is the identity that gets the permissions specified in the policy statement. You can specify IAM roles or AWS service principals.  
**Action**  
(Required) The IAM Identity Center OIDC service API operations to allow or deny. Valid actions include:  
+ `sso-oauth:CreateTokenWithIAM`: This action, which corresponds to the [https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.html) API operation, grants permission to create and return access and refresh tokens for authorized client applications that are authenticated using any IAM entity, such as an AWS service role or user. These tokens might contain defined scopes that specify permissions such as `read:profile` or `write:data`.
+ `sso-oauth:IntrospectTokenWithIAM` [permission only]: Grants permission to validate and retrieve information about active OAuth 2.0 access tokens and refresh tokens, including their associated scopes and permissions. This permission is used only by AWS managed applications and is not documented in the *IAM Identity Center OIDC API Reference*.
+ `sso-oauth:RevokeTokenWithIAM` [permission only]: Grants permission to revoke OAuth 2.0 access tokens and refresh tokens, invalidating them before their normal expiration. This permission is used only by AWS managed applications and is not documented in the *IAM Identity Center OIDC API Reference*.  
**Resource**  
(Required) In this policy, the value of the `Resource` element is `"*"`, which means "this application."

For more information about AWS policy syntax, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.
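The following Python is an added example, not code from the AWS documentation: a structural check for an application policy against the requirements and elements listed above (Version `2012-10-17`, at least one `Statement`, the four required elements in each statement, the three documented `sso-oauth` actions, `Resource` equal to `"*"`, and a `Principal` that names IAM roles or AWS service principals). The embedded policy is the example from this page; the `ROLE_ARN` pattern and the rejection of `"*"` or non-role principals are this example's own assumptions, and the service's own validation when the policy is submitted remains authoritative.

```python
import re

REQUIRED_VERSION = "2012-10-17"
REQUIRED_ELEMENTS = ("Effect", "Principal", "Action", "Resource")
VALID_EFFECTS = {"Allow", "Deny"}
# The sso-oauth actions this page lists; the last two are permission-only
# and used by AWS managed applications.
VALID_ACTIONS = {
    "sso-oauth:CreateTokenWithIAM",
    "sso-oauth:IntrospectTokenWithIAM",
    "sso-oauth:RevokeTokenWithIAM",
}
# Assumed shape of an IAM role ARN (partition, 12-digit account, role path).
ROLE_ARN = re.compile(r"^arn:[^:]+:iam::\d{12}:role/.+$")

# The example policy from this page (account ID and role name as given there).
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRoleToCreateTokens",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppClientRole"},
            "Action": "sso-oauth:CreateTokenWithIAM",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """Principal values, Action and Resource may be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _principal_problems(where, principal):
    """Check that the principal names IAM roles or AWS service principals only.

    A bare "*" or a non-role ARN is reported, because the policy is meant to
    name the specific workloads that may request tokens for this application.
    """
    if not isinstance(principal, dict):
        return [f"{where}: Principal must map AWS role ARNs or Service names, got {principal!r}"]
    problems = []
    for key, values in principal.items():
        for value in _as_list(values):
            if key == "AWS" and ROLE_ARN.match(value):
                continue
            if key == "Service" and value.endswith(".amazonaws.com"):
                continue
            problems.append(f"{where}: Principal entry {key}={value!r} is not an IAM role ARN "
                            "or AWS service principal")
    return problems


def validate_application_policy(policy):
    """Return a list of problems; an empty list means every requirement is met."""
    problems = []
    if policy.get("Version") != REQUIRED_VERSION:
        problems.append(f"Version must be {REQUIRED_VERSION!r}, got {policy.get('Version')!r}")
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        problems.append("policy must contain at least one Statement")
        return problems
    for index, stmt in enumerate(statements):
        where = f"Statement[{index}]"
        missing = [k for k in REQUIRED_ELEMENTS if k not in stmt]
        if missing:
            problems.append(f"{where} is missing required element(s): {', '.join(missing)}")
        if "Effect" in stmt and stmt["Effect"] not in VALID_EFFECTS:
            problems.append(f"{where}: Effect must be Allow or Deny, got {stmt['Effect']!r}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in VALID_ACTIONS:
                problems.append(f"{where}: {action!r} is not one of the documented sso-oauth actions")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != "*":
                problems.append(f"{where}: Resource must be \"*\" (this application), got {resource!r}")
        if "Principal" in stmt:
            problems.extend(_principal_problems(where, stmt["Principal"]))
    return problems


if __name__ == "__main__":
    print(validate_application_policy(EXAMPLE_POLICY))  # [] for the page's example
```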

## Example policy: Allow an IAM role to create access and refresh tokens
<a name="oauth-application-policy-example"></a>

The following permissions policy grants permissions to `ExampleAppClientRole`, an IAM role assumed by a workload, to create and return access and refresh tokens. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRoleToCreateTokens",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/ExampleAppClientRole"
            },
            "Action": "sso-oauth:CreateTokenWithIAM",
            "Resource": "*"
        }
    ]
}
```

# AWS managed policies for IAM Identity Center
<a name="security-iam-awsmanpol"></a>

Creating [IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

New actions that allow you to list and delete user sessions are available under the new namespace `identitystore-auth`. Any additional permissions for actions in this namespace will be updated on this page. When creating your custom IAM policies, avoid using `*` after `identitystore-auth` because this applies to all actions that exist in the namespace today or in the future.
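As an added example (not code from this guide), the following Python script applies that guidance as a lint check on a customer managed policy document: it flags every `Allow` statement whose action patterns reach the `identitystore-auth` namespace through a wildcard, including a bare `*` and an `Allow` that uses `NotAction`. The action names `ListSessions` and `DeleteSession` in the explicit sample are assumptions standing in for the session actions this page mentions; confirm them in the Service Authorization Reference before use.

```python
"""Lint a customer managed policy for wildcard grants in the identitystore-auth namespace.

Added example; not code from the IAM Identity Center documentation. It applies the
guidance above: never put a wildcard after "identitystore-auth", because a wildcard
also grants every action added to that namespace in the future.
"""
import fnmatch
import json

NAMESPACE = "identitystore-auth"


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _split_action(pattern):
    """Split 'service:Action' into lowercase (service, action); a bare '*' means ('*', '*')."""
    service, _, action = pattern.partition(":")
    return service.lower(), (action or "*").lower()


def _covers_namespace(pattern, namespace):
    """True when the service part of the pattern matches the namespace (IAM wildcards: * and ?)."""
    service, _ = _split_action(pattern)
    return fnmatch.fnmatchcase(namespace.lower(), service)


def _is_wildcard(action):
    return "*" in action or "?" in action


def lint_policy(policy, namespace=NAMESPACE):
    """Return (sid, pattern, reason) for every Allow grant that reaches the namespace via a wildcard."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants every action that is NOT listed, which includes any
            # future namespace action unless the whole namespace is excluded.
            excluded = any(
                _covers_namespace(p, namespace) and _split_action(p)[1] == "*"
                for p in _as_list(stmt["NotAction"])
            )
            if not excluded:
                findings.append((sid, "NotAction",
                                 "Allow with NotAction grants every unlisted action in the namespace"))
            continue
        for pattern in _as_list(stmt.get("Action")):
            _, action = _split_action(pattern)
            if _covers_namespace(pattern, namespace) and _is_wildcard(action):
                findings.append((sid, pattern, "wildcard grants future actions in the namespace"))
    return findings


# Constructed sample: a policy that uses the wildcards the guidance warns against.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SessionAdmin", "Effect": "Allow",
     "Action": "identitystore-auth:*", "Resource": "*"},
    {"Sid": "ReadEverything", "Effect": "Allow",
     "Action": ["sso:Describe*", "identitystore-auth:List*"], "Resource": "*"},
    {"Sid": "DenyDeletes", "Effect": "Deny",
     "Action": "identitystore-auth:*", "Resource": "*"}
  ]
}
""")

# Constructed sample: the same intent with explicit actions. ListSessions and DeleteSession
# are assumed names for the "list and delete user sessions" actions the page refers to.
EXPLICIT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SessionAdmin", "Effect": "Allow",
     "Action": ["identitystore-auth:ListSessions", "identitystore-auth:DeleteSession"],
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```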

## AWS managed policy: AWSSSOMasterAccountAdministrator
<a name="security-iam-awsmanpol-AWSSSOMasterAccountAdministrator"></a>

The `AWSSSOMasterAccountAdministrator` policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an AWS IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the `AWSSSOMasterAccountAdministrator` policy to your IAM identities. When you attach the `AWSSSOMasterAccountAdministrator` policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create an IAM Identity Center instance, users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator will be granted these permissions automatically.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

**Permissions groupings**

This policy is grouped into statements based on the set of permissions provided.
+ `AWSSSOMasterAccountAdministrator` – Allows IAM Identity Center to [pass the service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) named `AWSServiceRoleforSSO` to IAM Identity Center so that it can later assume the role and perform actions on their behalf. This is necessary when the person or application attempts to enable IAM Identity Center. For more information, see [Configure access to AWS accounts](manage-your-accounts.md).
+ `AWSSSOMemberAccountAdministrator` – Allows IAM Identity Center to perform account administrator actions in a multi-account AWS environment. For more information, see [AWS managed policy: AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator).
+ `AWSSSOManageDelegatedAdministrator` – Allows IAM Identity Center to register and deregister a delegated administrator for your organization. 
+ `AllowKMSKeyUseViaService` and `AllowKMSKeyDiscovery` – Allows AWS Key Management Service operations for customer managed keys used by IAM Identity Center instances.

To view the permissions for this policy, see [AWSSSOMasterAccountAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOMasterAccountAdministrator.html) in *AWS Managed Policy Reference*.

### Additional information about this policy
<a name="security-iam-awsmanpol-additional-info"></a>

When IAM Identity Center is enabled for the first time, the IAM Identity Center service creates a [service linked role](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html) in the AWS Organizations management account (formerly master account) so that IAM Identity Center can manage the resources in your account. The actions required are `iam:CreateServiceLinkedRole` and `iam:PassRole`.

## AWS managed policy: AWSSSOMemberAccountAdministrator
<a name="security-iam-awsmanpol-AWSSSOMemberAccountAdministrator"></a>

The `AWSSSOMemberAccountAdministrator` policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the `AWSSSOMemberAccountAdministrator` policy to your IAM identities. When you attach the `AWSSSOMemberAccountAdministrator` policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator is granted these permissions automatically.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSOMemberAccountAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOMemberAccountAdministrator.html) in *AWS Managed Policy Reference*.

### Additional information about this policy
<a name="security-iam-awsmanpol-additional-info-AWSSSOMemberAccountAdministrator"></a>

IAM Identity Center administrators manage users, groups, and passwords in their Identity Center directory store (sso-directory). The account admin role includes permissions for the following actions:
+ `"sso:*"`
+ `"sso-directory:*"`

IAM Identity Center administrators need limited permissions to the following Directory Service actions to perform daily tasks.
+ `"ds:DescribeTrusts"`
+ `"ds:UnauthorizeApplication"`
+ `"ds:DescribeDirectories"`
+ `"ds:AuthorizeApplication"`
+ `"ds:CreateAlias"`

These permissions allow IAM Identity Center administrators to identify existing directories and manage applications so that they can be configured for use with IAM Identity Center. For more information about each of these actions, see [Directory Service API permissions: Actions, resources, and conditions reference](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html).

IAM Identity Center uses IAM policies to grant permissions to IAM Identity Center users. IAM Identity Center administrators create permission sets and attach policies to them. The IAM Identity Center administrator must have the permissions to list the existing policies so that they can choose which policies to use with the permission set they are creating or updating. To set secure and functional permissions, the IAM Identity Center administrator must have permissions to run the IAM Access Analyzer policy validation.
+ `"iam:ListPolicies"`
+ `"access-analyzer:ValidatePolicy"`

IAM Identity Center administrators need limited access to the following AWS Organizations actions to perform daily tasks:
+ `"organizations:EnableAWSServiceAccess"`
+ `"organizations:ListRoots"`
+ `"organizations:ListAccounts"`
+ `"organizations:ListOrganizationalUnitsForParent"`
+ `"organizations:ListAccountsForParent"`
+ `"organizations:DescribeOrganization"`
+ `"organizations:ListChildren"`
+ `"organizations:DescribeAccount"`
+ `"organizations:ListParents"`
+ `"organizations:ListDelegatedAdministrators"`
+ `"organizations:RegisterDelegatedAdministrator"`
+ `"organizations:DeregisterDelegatedAdministrator"`

These permissions allow IAM Identity Center administrators the ability to work with organization resources (accounts) for basic IAM Identity Center administrative tasks such as the following:
+ Identifying the management account that belongs to the organization
+ Identifying the member accounts that belong to the organization
+ Enabling AWS service access for accounts
+ Setting up and managing a delegated administrator

For more information about using a delegated administrator with IAM Identity Center, see [Delegated administration](delegated-admin.md). For more information about how these permissions are used with AWS Organizations, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

## AWS managed policy: AWSSSODirectoryAdministrator
<a name="security-iam-awsmanpol-AWSSSODirectoryAdministrator"></a>

You can attach the `AWSSSODirectoryAdministrator` policy to your IAM identities.

This policy grants administrative permissions over IAM Identity Center users and groups. Principals with this policy attached can make any updates to IAM Identity Center users and groups. This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

This policy includes the following permissions:
+ **IAM Identity Center Directory** - Full administrative access to IAM Identity Center directory operations.
+ **Identity Store** - Full administrative access to identity store operations and authentication.
+ **IAM Identity Center** - Permission to list directory associations.
+ **AWS Key Management Service** - Permissions to decrypt, describe keys, and generate data keys for customer managed keys used by IAM Identity Center instances.

To view the permissions for this policy, see [AWSSSODirectoryAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSODirectoryAdministrator.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSOReadOnly
<a name="security-iam-awsmanpol-AWSSSOReadOnly"></a>

You can attach the `AWSSSOReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in IAM Identity Center. Principals with this policy attached cannot view the IAM Identity Center users or groups directly. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center settings, but cannot change any of the setting values.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSOReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOReadOnly.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSODirectoryReadOnly
<a name="security-iam-awsmanpol-AWSSSODirectoryReadOnly"></a>

You can attach the `AWSSSODirectoryReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow users to view users and groups in IAM Identity Center. Principals with this policy attached cannot view IAM Identity Center assignments, permission sets, applications, or settings. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center users, but they cannot change any user attributes or assign MFA devices. 

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSODirectoryReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSODirectoryReadOnly.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentitySyncFullAccess
<a name="security-iam-awsmanpol-AWSIdentitySyncFullAccess"></a>

You can attach the `AWSIdentitySyncFullAccess` policy to your IAM identities.

Principals with this policy attached have full access permissions to create and delete sync profiles, associate or update a sync profile with a sync target, create, list and delete sync filters, and start or stop synchronization.

**Permission details**

To view the permissions for this policy, see [AWSIdentitySyncFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentitySyncFullAccess.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentitySyncReadOnlyAccess
<a name="security-iam-awsmanpol-AWSIdentitySyncReadOnlyAccess"></a>

You can attach the `AWSIdentitySyncReadOnlyAccess` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information about the identity synchronization profile, filters, and target settings. Principals with this policy attached cannot make any updates to synchronization settings. For example, principals with these permissions can view identity synchronization settings, but cannot change any of the profile or filter values. 

To view the permissions for this policy, see [AWSIdentitySyncReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentitySyncReadOnlyAccess.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSOServiceRolePolicy
<a name="security-iam-awsmanpol-AWSSSOServiceRolePolicy"></a>

You cannot attach the `AWSSSOServiceRolePolicy` policy to your IAM identities.

This policy is attached to a service-linked role that allows IAM Identity Center to delegate and enforce which users have single sign-on access to specific AWS accounts in AWS Organizations. When you enable IAM Identity Center, a service-linked role is created in all of the AWS accounts within your organization. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. Service-linked roles that are created in each AWS account are named `AWSServiceRoleForSSO`. For more information, see [Using service-linked roles for IAM Identity Center](using-service-linked-roles.md).

## AWS managed policy: AWSIAMIdentityCenterAllowListForIdentityContext
<a name="security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext"></a>

When assuming a role with the IAM Identity Center identity context, AWS Security Token Service (AWS STS) automatically attaches the `AWSIAMIdentityCenterAllowListForIdentityContext` policy to the role.

This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context. All other actions that are called with this context are blocked. The identity context is passed as `ProvidedContext`.

To view the permissions for this policy, see [AWSIAMIdentityCenterAllowListForIdentityContext](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIAMIdentityCenterAllowListForIdentityContext.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentityCenterExternalManagementPolicy
<a name="security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy"></a>

You can attach the `AWSIdentityCenterExternalManagementPolicy` policy to your IAM identities.

This policy provides access to manage IAM Identity Center users from an external provider.

To view the permissions for this policy, see [AWSIdentityCenterExternalManagementPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentityCenterExternalManagementPolicy.html) in *AWS Managed Policy Reference*.

## IAM Identity Center updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table describes the updates to AWS managed policies for IAM Identity Center since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM Identity Center Document history page.


| Change | Description | Date | 
| --- | --- | --- | 
| [AWSIdentityCenterExternalManagementPolicy](#security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy) |  Updated managed policy to change the ARN for the provisioning tenant.  | December 5, 2025 | 
| [AWSIdentityCenterExternalManagementPolicy](#security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy) |  This policy provides access to manage IAM Identity Center users from an external provider.  | November 21, 2025 | 
|  [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator), [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator), [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly), [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator), [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  Updated managed policies to include AWS KMS permissions required for IAM Identity Center instances that use customer managed keys for encryption.  | September 17, 2025 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now includes permissions to call `identity-sync:DeleteSyncProfile`. | February 11, 2025 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:ListQAppSessionData` and `qapps:ExportQAppSessionData` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | October 2, 2024 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  IAM Identity Center added a new action to grant DeleteSyncProfile permissions to allow you to use this policy to delete sync profiles. This action is associated with the DeleteInstance API.  | September 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `s3:ListCallerAccessGrants` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | September 4, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `aoss:APIAccessAll`, `es:ESHttpHead`, `es:ESHttpPost`, `es:ESHttpGet`, `es:ESHttpPatch`, `es:ESHttpDelete`, and `es:ESHttpPut` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | July 12, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:PredictQApp`, `qapps:ImportDocument`, `qapps:AssociateLibraryItemReview`, `qapps:DisassociateLibraryItemReview`, `qapps:GetQAppSession`, `qapps:UpdateQAppSession`, `qapps:GetQAppSessionMetadata`, `qapps:UpdateQAppSessionMetadata`, and `qapps:TagResource` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | June 27, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:DescribeCluster`, `elasticmapreduce:CancelSteps`, `elasticmapreduce:DescribeStep`, and `elasticmapreduce:ListSteps` actions to support trusted identity propagation in Amazon EMR.  | May 17, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:CreateQApp`, `qapps:PredictProblemStatementFromConversation`, `qapps:PredictQAppFromProblemStatement`, `qapps:CopyQApp`, `qapps:GetQApp`, `qapps:ListQApps`, `qapps:UpdateQApp`, `qapps:DeleteQApp`, `qapps:AssociateQAppWithUser`, `qapps:DisassociateQAppFromUser`, `qapps:ImportDocumentToQApp`, `qapps:ImportDocumentToQAppSession`, `qapps:CreateLibraryItem`, `qapps:GetLibraryItem`, `qapps:UpdateLibraryItem`, `qapps:CreateLibraryItemReview`, `qapps:ListLibraryItems`, `qapps:CreateSubscriptionToken`, `qapps:StartQAppSession`, and `qapps:StopQAppSession` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 30, 2024 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes the `signin:CreateTrustedIdentityPropagationApplicationForConsole` and `signin:ListTrustedIdentityPropagationApplicationsForConsole` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes the `signin:CreateTrustedIdentityPropagationApplicationForConsole` and `signin:ListTrustedIdentityPropagationApplicationsForConsole` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy now includes the `signin:ListTrustedIdentityPropagationApplicationsForConsole` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qbusiness:PutFeedback` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `q:StartConversation`, `q:SendMessage`, `q:ListConversations`, `q:GetConversation`, `q:StartTroubleshootingAnalysis`, `q:GetTroubleshootingResults`, `q:StartTroubleshootingResolutionExplanation`, and `q:UpdateTroubleshootingCommandResult` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 24, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `sts:SetContext` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 19, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qbusiness:Chat`, `qbusiness:ChatSync`, `qbusiness:ListConversations`, `qbusiness:ListMessages`, and `qbusiness:DeleteConversation` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 11, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `s3:GetAccessGrantsInstanceForPrefix` and `s3:GetDataAccess` actions.  | November 26, 2023 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context.  | November 15, 2023 | 
| [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow users to list and get sessions.  | February 21, 2023 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now allows the `[UpdateSAMLProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html)` action to be taken on the management account.  | October 20, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes new permissions to call `[ListDelegatedAdministrators](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html)` in AWS Organizations. This policy also now includes a subset of permissions `AWSSSOManageDelegatedAdministrator` that includes permissions to call `[RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html)` and `[DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html)`.   |  August 16, 2022  | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes new permissions to call `[ListDelegatedAdministrators](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html)` in AWS Organizations. This policy also now includes a subset of permissions `AWSSSOManageDelegatedAdministrator` that includes permissions to call `[RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html)` and `[DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html)`.   |  August 16, 2022  | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy now includes new permissions to call `[ListDelegatedAdministrators](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html)` in AWS Organizations.  |  August 11, 2022  | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now includes new permissions to call `[DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePermissionsBoundary.html)` and `[PutRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html)`.  | July 14, 2022 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) | This policy now includes new permissions that allow calls to [ListAWSServiceAccessForOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAWSServiceAccessForOrganization.html) and [ListDelegatedAdministrators](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html) in AWS Organizations. | May 11, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator), [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator), [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) | Add IAM Access Analyzer permissions that allow a principal to use the policy checks for validation. | April 28, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions. For information about the actions available in the IAM Identity Center Identity Store service, see the [IAM Identity Center Identity Store API Reference](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html).  | March 29, 2022 | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions.  | March 29, 2022 | 
| [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions.  | March 29, 2022 | 
| [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  This policy now grants access to the IAM Identity Center Identity Store service read actions. This access is required to retrieve user and group information from the IAM Identity Center Identity Store service.  | March 29, 2022 | 
| [AWSIdentitySyncFullAccess](#security-iam-awsmanpol-AWSIdentitySyncFullAccess) |  This policy allows full access to identity-sync permissions.  | March 3, 2022 | 
| [AWSIdentitySyncReadOnlyAccess](#security-iam-awsmanpol-AWSIdentitySyncReadOnlyAccess) |  This policy grants read-only permissions that allow a principal to view identity-sync settings.  | March 3, 2022 | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy grants read-only permissions that allow a principal to view IAM Identity Center configuration settings.   | August 4, 2021 | 
| IAM Identity Center started tracking changes | IAM Identity Center started tracking changes for AWS managed policies. | August 4, 2021 | 

# Using service-linked roles for IAM Identity Center
<a name="using-service-linked-roles"></a>

AWS IAM Identity Center uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to IAM Identity Center. It is predefined by IAM Identity Center and includes all the permissions that the service requires to call other AWS services on your behalf. For more information, see [Understanding service-linked roles in IAM Identity Center](slrconcept.md).

A service-linked role makes setting up IAM Identity Center easier because you don’t have to manually add the necessary permissions. IAM Identity Center defines the permissions of its service-linked role, and unless defined otherwise, only IAM Identity Center can assume its role. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for IAM Identity Center
<a name="slr-permissions"></a>

IAM Identity Center uses the service-linked role named **AWSServiceRoleForSSO** to grant IAM Identity Center permissions to manage AWS resources, including IAM roles, policies, and SAML IdP on your behalf.

The AWSServiceRoleForSSO service-linked role trusts the following services to assume the role:
+ IAM Identity Center (service prefix: `sso`)

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on roles on the path `/aws-reserved/sso.amazonaws.com/` and with the name prefix `AWSReservedSSO*`:
+ `iam:AttachRolePolicy`
+ `iam:CreateRole`
+ `iam:DeleteRole`
+ `iam:DeleteRolePermissionsBoundary`
+ `iam:DeleteRolePolicy`
+ `iam:DetachRolePolicy`
+ `iam:GetRole`
+ `iam:ListRolePolicies`
+ `iam:PutRolePolicy`
+ `iam:PutRolePermissionsBoundary`
+ `iam:ListAttachedRolePolicies`

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on SAML providers with the name prefix `AWSSSO_*`:
+ `iam:CreateSAMLProvider`
+ `iam:GetSAMLProvider`
+ `iam:UpdateSAMLProvider`
+ `iam:DeleteSAMLProvider`

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on all organizations:
+ `organizations:DescribeAccount`
+ `organizations:DescribeOrganization`
+ `organizations:ListAccounts`
+ `organizations:ListAWSServiceAccessForOrganization`
+ `organizations:ListDelegatedAdministrators`

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on all IAM roles (`*`):
+ `iam:ListRoles`

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on `arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO`:
+ `iam:GetServiceLinkedRoleDeletionStatus`
+ `iam:DeleteServiceLinkedRole`

The AWSSSOServiceRolePolicy service-linked role permissions policy allows IAM Identity Center to complete the following on `arn:aws:identity-sync:*:*:profile/*`:
+ `identity-sync:DeleteSyncProfile`

For more information on updates to the AWSSSOServiceRolePolicy service-linked role permissions policy, see [IAM Identity Center updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

```json
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"IAMRoleProvisioningActions",
         "Effect":"Allow",
         "Action":[
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRolePermissionsBoundary",
            "iam:PutRolePermissionsBoundary",
            "iam:PutRolePolicy",
            "iam:UpdateRole",
            "iam:UpdateRoleDescription",
            "iam:UpdateAssumeRolePolicy"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
         ],
         "Condition":{
            "StringNotEquals":{
               "aws:PrincipalOrgMasterAccountId":"${aws:PrincipalAccount}"
            }
         }
      },
      {
         "Sid":"IAMRoleReadActions",
         "Effect":"Allow",
         "Action":[
            "iam:GetRole",
            "iam:ListRoles"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"IAMRoleCleanupActions",
         "Effect":"Allow",
         "Action":[
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:ListRolePolicies",
            "iam:ListAttachedRolePolicies"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
         ]
      },
      {
         "Sid":"IAMSLRCleanupActions",
         "Effect":"Allow",
         "Action":[
            "iam:DeleteServiceLinkedRole",
            "iam:GetServiceLinkedRoleDeletionStatus",
            "iam:DeleteRole",
            "iam:GetRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO"
         ]
      },
      {
         "Sid":"IAMSAMLProviderCreationAction",
         "Effect":"Allow",
         "Action":[
            "iam:CreateSAMLProvider"
         ],
         "Resource":[
            "arn:aws:iam::*:saml-provider/AWSSSO_*"
         ],
         "Condition":{
            "StringNotEquals":{
               "aws:PrincipalOrgMasterAccountId":"${aws:PrincipalAccount}"
            }
         }
      },
      {
         "Sid":"IAMSAMLProviderUpdateAction",
         "Effect":"Allow",
         "Action":[
            "iam:UpdateSAMLProvider"
         ],
         "Resource":[
            "arn:aws:iam::*:saml-provider/AWSSSO_*"
         ]
      },
      {
         "Sid":"IAMSAMLProviderCleanupActions",
         "Effect":"Allow",
         "Action":[
            "iam:DeleteSAMLProvider",
            "iam:GetSAMLProvider"
         ],
         "Resource":[
            "arn:aws:iam::*:saml-provider/AWSSSO_*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "organizations:DescribeAccount",
            "organizations:DescribeOrganization",
            "organizations:ListAccounts",
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:ListDelegatedAdministrators"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"AllowUnauthAppForDirectory",
         "Effect":"Allow",
         "Action":[
            "ds:UnauthorizeApplication"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"AllowDescribeForDirectory",
         "Effect":"Allow",
         "Action":[
            "ds:DescribeDirectories",
            "ds:DescribeTrusts"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"AllowDescribeAndListOperationsOnIdentitySource",
         "Effect":"Allow",
         "Action":[
            "identitystore:DescribeUser",
            "identitystore:DescribeGroup",
            "identitystore:ListGroups",
            "identitystore:ListUsers"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Sid":"AllowDeleteSyncProfile",
         "Effect":"Allow",
         "Action":[
            "identity-sync:DeleteSyncProfile"
         ],
         "Resource":[
            "arn:aws:identity-sync:*:*:profile/*"
         ]
      }
   ]
}
```

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
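The policy above is deliberately narrow: provisioning actions are scoped to the `/aws-reserved/sso.amazonaws.com/` path, SAML actions to the `AWSSSO_` prefix, and the `StringNotEquals` condition on `aws:PrincipalOrgMasterAccountId` is what stops the role from provisioning inside the Organizations management account. The following is an added illustration, not AWS code and not a complete IAM evaluator (Allow statements and `StringNotEquals` only, account IDs constructed), that walks a simplified evaluator over an excerpt of those statements:

```python
import fnmatch

# Excerpt of the AWSSSOServiceRolePolicy statements shown on this page (Sids kept verbatim);
# the complete policy is the JSON block above. Account IDs in the contexts are constructed.
POLICY = [
    {"Sid": "IAMRoleProvisioningActions",
     "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:PutRolePolicy"],
     "Resource": ["arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"],
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgMasterAccountId": "${aws:PrincipalAccount}"}}},
    {"Sid": "IAMRoleReadActions", "Action": ["iam:GetRole", "iam:ListRoles"], "Resource": ["*"]},
    {"Sid": "IAMSAMLProviderCleanupActions",
     "Action": ["iam:DeleteSAMLProvider", "iam:GetSAMLProvider"],
     "Resource": ["arn:aws:iam::*:saml-provider/AWSSSO_*"]},
]

# Request context for the service-linked role acting in a member account, and in the
# Organizations management account (where the principal's own account is the master account).
MEMBER_CTX = {"aws:PrincipalAccount": "222222222222", "aws:PrincipalOrgMasterAccountId": "111111111111"}
MGMT_CTX = {"aws:PrincipalAccount": "111111111111", "aws:PrincipalOrgMasterAccountId": "111111111111"}


def _resolve(value, ctx):
    """Expand an IAM policy variable such as ${aws:PrincipalAccount} from the request context."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    # Only the operator this policy uses is modelled: StringNotEquals, where every key must differ.
    for key, expected in condition.get("StringNotEquals", {}).items():
        if ctx.get(key) == _resolve(expected, ctx):
            return False
    return True


def first_allowing_sid(action, resource, ctx):
    """Return the Sid of the first statement allowing `action` on `resource` under `ctx`, else None.

    Allow-only evaluation is enough here because the real policy has no Deny statements.
    IAM matches action names case-insensitively, so both sides are lower-cased; resources are not.
    """
    for stmt in POLICY:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```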

## Creating a service-linked role for IAM Identity Center
<a name="create-slr"></a>

You do not need to manually create a service-linked role. Once enabled, IAM Identity Center creates a service-linked role in all accounts within the organization in AWS Organizations. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf.

**Notes**  
If you are signed in to the AWS Organizations management account, it uses your currently signed-in role and not the service-linked role. This prevents the escalation of privileges.
When IAM Identity Center performs any IAM operations in the AWS Organizations management account, all operations happen using the credentials of the IAM principal. This enables the logs in CloudTrail to provide visibility of who made all privilege changes in the management account.

**Important**  
If you were using the IAM Identity Center service before December 7, 2017, when it began supporting service-linked roles, then IAM Identity Center created the AWSServiceRoleForSSO role in your account. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role and then need to create it again, you can use the same process to recreate the role in your account.

## Editing a service-linked role for IAM Identity Center
<a name="edit-slr"></a>

IAM Identity Center does not allow you to edit the AWSServiceRoleForSSO service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for IAM Identity Center
<a name="delete-slr"></a>

You do not need to manually delete the AWSServiceRoleForSSO role. When an AWS account is removed from an AWS organization, IAM Identity Center automatically cleans up the resources and deletes the service-linked role from that AWS account.

You can also use the IAM console, the IAM CLI, or the IAM API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the IAM Identity Center service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete IAM Identity Center resources used by the AWSServiceRoleForSSO role**

1. [Remove user and group access to an AWS account](howtoremoveaccess.md) for all users and groups that have access to the AWS account.

1. [Remove permission sets in IAM Identity Center](howtoremovepermissionset.md) that you have associated with the AWS account.

**To manually delete the service-linked role using IAM**

Use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForSSO service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
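Deleting a service-linked role through the API is asynchronous, and the task fails if anything still uses the role, which is why the two cleanup steps come first. The following added example (not AWS code) shows that half of the procedure as boto3-style calls with a retry-friendly result; `FakeIamClient` is a constructed stand-in for the real client so the block runs offline, and the account ID and role name in `LEFTOVER` are constructed.

```python
import time


def delete_slr(iam, role_name="AWSServiceRoleForSSO", max_polls=12, sleep=time.sleep):
    """Request deletion of a service-linked role and poll the asynchronous task until it ends.

    `iam` is a boto3 IAM client (or any object with the same two methods). Returns
    (status, reason, resources_in_use): the ARNs IAM reports as still using the role are
    exactly what has to be cleaned up before retrying.
    """
    task_id = iam.delete_service_linked_role(RoleName=role_name)["DeletionTaskId"]
    for _ in range(max_polls):
        resp = iam.get_service_linked_role_deletion_status(DeletionTaskId=task_id)
        if resp["Status"] in ("SUCCEEDED", "FAILED"):
            reason = resp.get("Reason", {})
            in_use = [arn for u in reason.get("RoleUsageList", []) for arn in u.get("Resources", [])]
            return resp["Status"], reason.get("Reason", ""), in_use
        sleep(5)  # NOT_STARTED / IN_PROGRESS: wait before polling again
    return "TIMEOUT", "deletion task still running after %d polls" % max_polls, []


class FakeIamClient:
    """Constructed stand-in for the boto3 IAM client so the example runs offline: reports
    IN_PROGRESS on the first poll, FAILED while permission-set roles remain, then SUCCEEDED."""

    def __init__(self, leftover_roles):
        self.leftover_roles = list(leftover_roles)
        self.polls = 0

    def delete_service_linked_role(self, RoleName):
        return {"DeletionTaskId": "task/aws-service-role/sso.amazonaws.com/%s/constructed" % RoleName}

    def get_service_linked_role_deletion_status(self, DeletionTaskId):
        self.polls += 1
        if self.polls == 1:
            return {"Status": "IN_PROGRESS"}
        if self.leftover_roles:
            return {"Status": "FAILED", "Reason": {"Reason": "Role is still in use by resources",
                    "RoleUsageList": [{"Region": "us-east-1", "Resources": self.leftover_roles}]}}
        return {"Status": "SUCCEEDED"}


LEFTOVER = "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_0123456789abcdef"


def demo():
    """First attempt fails while a permission-set role still exists; after cleanup it succeeds."""
    client = FakeIamClient([LEFTOVER])
    first = delete_slr(client, sleep=lambda s: None)
    client.leftover_roles.clear()  # stands for removing the assignment and the permission set
    second = delete_slr(client, sleep=lambda s: None)
    return first, second
```

With a real client, `delete_slr(boto3.client("iam"))` behaves the same way, and the returned `resources_in_use` list tells you which `AWSReservedSSO_*` roles still need their assignments and permission sets removed.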