Help Center/ Organizations/ User Guide/ Managing SCPs/ Actions Supported by SCP-based Authorization/ Management & Governance/ IAM Identity Center
Updated on 2024-07-25 GMT+08:00
View PDF
Share

IAM Identity Center

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resources. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resources defined by IAM Identity Center, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource column has values for an action, the condition key takes effect only for the listed resources.
    • If the Resource column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by IAM Identity Center, see Conditions.

The following table lists the actions that you can define in SCP statements for IAM Identity Center.

Table 1 Actions supported by IAM Identity Center

Action

Description

Access Level

Resource (*: required)

Condition Key

IdentityCenter:permissionSet:create

Grants permission to create a permission set.

write

instance *

-

-
  • g:RequestTag/<tag-key>
  • g:TagKeys

IdentityCenter:permissionSet:attachManagedPolicy

Grants permission to attach system-defined identity policies to a permission set.

permission_management

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:detachManagedPolicy

Grants permission to detach system-defined identity policies from a specified permission set.

permission_management

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:update

Grants permission to update the permission set of a specified instance.

permission_management

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:delete

Grants permission to delete the permission set of a specified instance.

write

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:list

Grants permission to list the permission sets of a specified instance.

list

instance *

-

IdentityCenter:permissionSet:listAccountsForProvisioned

Grants permission to list all the accounts provisioned by a specified permission set.

list

permissionSet *

-

instance *

-

IdentityCenter:permissionSet:listProvisioningStatus

Grants permission to list the status of the permission set attachment request for a specified instance.

list

instance *

-

IdentityCenter:permissionSet:listManagedPolicies

Grants permission to list the system-defined identity policies attached to a specified permission set.

list

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:listProvisionedToAccount

Grants permission to list all permission sets associated with a specified account.

list

account *

-

instance *

-

IdentityCenter:permissionSet:describeProvisioningStatus

Grants permission to obtain the details of the permission set attachment status.

read

instance *

-

IdentityCenter:permissionSet:describe

Grants permission to obtain the permission set details of a specified instance.

read

instance *

-

permissionSet *

-

IdentityCenter:permissionSet:provision

Grants permission to attach a specified permission set to a specified principal.

write

account *

-

instance *

-

permissionSet *

-

IdentityCenter:instance:getIdentityCenterStatus

Grants permission to query the IAM Identity Center service status.

read

-

-

IdentityCenter:instance:registerRegion

Grants permission to register a region.

write

-

-

IdentityCenter:instance:describeRegisteredRegions

Grants permission to query regions enabled in IAM Identity Center.

read

-

-

IdentityCenter:instance:startIdentityCenter

Grants permission to enable IAM Identity Center.

write

-

-

IdentityCenter:instance:deleteIdentityCenter

Grants permission to disable IAM Identity Center.

write

-

-

IdentityCenter:instance:list

Grants permission to query the IAM Identity Center instance list.

list

-

-

IdentityCenter:accountAssignment:create

Grants permission to assign access to principals for a specified account using a specified permission set.

write

instance *

-

account *

-

permissionSet *

-

IdentityCenter:accountAssignment:delete

Grants permission to delete a principal's access from a specified account using a specified permission set.

write

instance *

-

account *

-

permissionSet *

-

IdentityCenter:accountAssignment:list

Grants permission to list the assignee of the specified account with the specified permission set.

list

instance *

-

account *

-

permissionSet *

-

IdentityCenter:accountAssignment:describeDeletionStatus

Grants permission to obtain the details about the status of the assignment deletion request.

read

instance *

-

IdentityCenter:accountAssignment:describeCreationStatus

Grants permission to obtain the details about the status of the assignment creation request.

read

instance *

-

IdentityCenter:accountAssignment:listCreationStatus

Grants permission to list the status of the account assignment creation request for a specified IAM Identity Center instance.

list

instance *

-

IdentityCenter:accountAssignment:listDeletionStatus

Grants permission to list the status of the account assignment deletion request for a specified IAM Identity Center instance.

list

instance *

-

IdentityCenter:accountAssignment:listProfileAssociation

Grants permission to query all users or groups associated with an account or permission set.

read

-

-

IdentityCenter:accountAssignment:disassociationProfile

Grants permission to disassociate all authorizations from a user or group.

write

-

-

IdentityCenter:instance:listIdentityStoreAssociations

Grants permission to query details about the identity source configured in IAM Identity Center.

read

-

-

IdentityCenter:ssoConfiguration:update

Grants permission to update the configuration for the current IAM Identity Center instance.

write

-

-

IdentityCenter:ssoConfiguration:describe

Grants permission to obtain the configuration for the current IAM Identity Center instance.

read

-

-

IdentityCenter:mfaDevices:describeManagementSettings

Grants permission to obtain MFA settings.

read

-

-

IdentityCenter:mfaDevices:updateManagementSettings

Grants permission to update MFA settings.

write

-

-

IdentityCenter:instance:createAlias

Grants permission to create an alias for a specified identity source.

write

-

-

IdentityCenter:user:create

Grants permission to create a user.

write

-

-

IdentityCenter:user:list

Grants permission to query the user list.

read

-

-

IdentityCenter:user:describe

Grants permission to query user details.

read

-

-

IdentityCenter:user:describeUsers

Grants permission to obtain user details in batch.

read

-

-

IdentityCenter:user:update

Grants permission to update a user.

write

-

-

IdentityCenter:user:delete

Grants permission to delete a user.

write

-

-

IdentityCenter:user:getUserId

Grants permission to obtain the user ID.

read

-

-

IdentityCenter:user:enableUser

Grants permission to enable a user.

write

-

-

IdentityCenter:user:disableUser

Grants permission to disable a user.

write

-

-

IdentityCenter:group:create

Grants permission to create a group.

write

-

-

IdentityCenter:group:list

Grants permission to query the group list.

read

-

-

IdentityCenter:group:describe

Grants permission to query group details.

read

-

-

IdentityCenter:group:describeGroups

Grants permission to obtain group details in batch.

read

-

-

IdentityCenter:group:update

Grants permission to update a group.

write

-

-

IdentityCenter:group:delete

Grants permission to delete a group.

write

-

-

IdentityCenter:group:getGroupId

Grants permission to obtain the group ID.

read

-

-

IdentityCenter:groupMembership:create

Grants permission to add a member to a group.

write

-

-

IdentityCenter:groupMemberships:list

Grants permission to query all members in a group.

read

-

-

IdentityCenter:groupMembership:listForMember

Grants permission to query all groups that a user is added to.

read

-

-

IdentityCenter:groupMembership:describe

Grants permission to query the group membership.

read

-

-

IdentityCenter:groupMembership:delete

Grants permission to disassociate users and groups.

write

-

-

IdentityCenter:groupMembership:getGroupMembershipId

Grants permission to query the membership ID.

read

-

-

IdentityCenter:groupMembership:isMembershipInGroup

Grants permission to query whether a user is in a group.

read

-

-

IdentityCenter:externalIdp:create

Grants permission to create an external identity provider.

write

-

-

IdentityCenter:externalIdp:list

Grants permission to obtain the identity source configuration of the external identity provider.

read

-

-

IdentityCenter:externalIdp:enable

Grants permission to enable an external identity provider.

write

-

-

IdentityCenter:externalIdp:disable

Grants permission to disable an external identity provider.

write

-

-

IdentityCenter:externalIdp:getSpConfiguration

Grants permission to obtain the configuration of the IAM Identity Center service provider.

read

-

-

IdentityCenter:externalIdp:update

Grants permission to update the configuration of the external identity provider.

write

-

-

IdentityCenter:externalIdp:delete

Grants permission to delete the configuration of the external identity provider.

write

-

-

IdentityCenter:externalIdp:importCertificate

Grants permission to import a certificate.

write

-

-

IdentityCenter:externalIdp:deleteCertificate

Grants permission to delete a certificate.

write

-

-

IdentityCenter:externalIdp:listCertificates

Grants permission to obtain the certificate list.

read

-

-

IdentityCenter:externalIdp:createProvisioningTenant

Grants permission to create a tenant.

write

-

-

IdentityCenter:externalIdp:listProvisioningTenant

Grants permission to query the tenant list.

read

-

-

IdentityCenter:externalIdp:deleteProvisioningTenant

Grants permission to delete a tenant.

write

-

-

IdentityCenter:externalIdp:createBearerToken

Grants permission to create a bearer token.

write

-

-

IdentityCenter:externalIdp:listBearerTokens

Grants permission to query the bearer token list.

read

-

-

IdentityCenter:externalIdp:deleteBearerToken

Grants permission to delete a bearer token.

write

-

-

IdentityCenter:user:updatePassword

Grants permission to update a password by sending a password reset link via email or generating a one-time password for a user.

write

-

-

IdentityCenter:user:deleteUserMfaDevice

Grants permission to delete an MFA device for a specified user.

write

-

-

IdentityCenter:user:updateMfaDevice

Grants permission to update MFA device information.

write

-

-

IdentityCenter:user:listMfaDevice

Grants permission to query the MFA device list.

read

-

-

IdentityCenter:user:registerVirtualMfaDevice

Grants permission to begin the creation process of a virtual MFA device.

write

-

-

IdentityCenter:user:verifyEmail

Grants permission to verify an email address of a user.

write

-

-

Each API of IAM Identity Center usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by IAM Identity Center APIs

API

Action

Dependencies

POST /v1/instances/{instance_id}/permission-sets

IdentityCenter:permissionSet:create

organizations:delegatedAdministrators:list

POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/attach-managed-policy

IdentityCenter:permissionSet:attachManagedPolicy
  • iam:policies:get
  • organizations:delegatedAdministrators:list

POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/detach-managed-policy

IdentityCenter:permissionSet:detachManagedPolicy

organizations:delegatedAdministrators:list

PUT /v1/instances/{instance_id}/permission-sets/{permission_set_id}

IdentityCenter:permissionSet:update

organizations:delegatedAdministrators:list

DELETE /v1/instances/{instance_id}/permission-sets/{permission_set_id}

IdentityCenter:permissionSet:delete

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets

IdentityCenter:permissionSet:list

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/accounts

IdentityCenter:permissionSet:listAccountsForProvisioned

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/provisioning-statuses

IdentityCenter:permissionSet:listProvisioningStatus

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}/managed-policies

IdentityCenter:permissionSet:listManagedPolicies

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/provisioned-to-accounts

IdentityCenter:permissionSet:listProvisionedToAccount

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/provisioning-status/{request_id}

IdentityCenter:permissionSet:describeProvisioningStatus

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/permission-sets/{permission_set_id}

IdentityCenter:permissionSet:describe

organizations:delegatedAdministrators:list

POST /v1/instances/{instance_id}/permission-sets/{permission_set_id}/provision

IdentityCenter:permissionSet:provision

organizations:delegatedAdministrators:list

GET /v1/instances

IdentityCenter:instance:list

organizations:delegatedAdministrators:list

POST /v1/instances/{instance_id}/account-assignments/create

IdentityCenter:accountAssignment:create

organizations:delegatedAdministrators:list

POST /v1/instances/{instance_id}/account-assignments/delete

IdentityCenter:accountAssignment:delete

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/account-assignments

IdentityCenter:accountAssignment:list

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/account-assignments/deletion-status/{request_id}

IdentityCenter:accountAssignment:describeDeletionStatus

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/account-assignments/creation-status/{request_id}

IdentityCenter:accountAssignment:describeCreationStatus

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/account-assignments/creation-statuses

IdentityCenter:accountAssignment:listCreationStatus

organizations:delegatedAdministrators:list

GET /v1/instances/{instance_id}/account-assignments/deletion-statuses

IdentityCenter:accountAssignment:listDeletionStatus

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/users

IdentityCenter:user:create

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/users

IdentityCenter:user:list

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/users/{user_id}

IdentityCenter:user:describe

organizations:delegatedAdministrators:list

PUT /v1/identity-stores/{identity_store_id}/users/{user_id}

IdentityCenter:user:update

organizations:delegatedAdministrators:list

DELETE /v1/identity-stores/{identity_store_id}/users/{user_id}

IdentityCenter:user:delete

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/users/retrieve-user-id

IdentityCenter:user:getUserId

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/groups

IdentityCenter:group:create

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/groups

IdentityCenter:group:list

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/groups/{group_id}

IdentityCenter:group:describe

organizations:delegatedAdministrators:list

PUT /v1/identity-stores/{identity_store_id}/groups/{group_id}

IdentityCenter:group:update

organizations:delegatedAdministrators:list

DELETE /v1/identity-stores/{identity_store_id}/groups/{group_id}

IdentityCenter:group:delete

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/groups/retrieve-group-id

IdentityCenter:group:getGroupId

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/group-memberships

IdentityCenter:groupMembership:create

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/group-memberships

IdentityCenter:groupMemberships:list

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/group-memberships-for-member

IdentityCenter:groupMembership:listForMember

organizations:delegatedAdministrators:list

GET /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id}

IdentityCenter:groupMembership:describe

organizations:delegatedAdministrators:list

DELETE /v1/identity-stores/{identity_store_id}/group-memberships/{membership_id}

IdentityCenter:groupMembership:delete

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/group-memberships/retrieve-group-membership-id

IdentityCenter:groupMembership:getGroupMembershipId

organizations:delegatedAdministrators:list

POST /v1/identity-stores/{identity_store_id}/is-member-in-groups

IdentityCenter:groupMembership:isMembershipInGroup

organizations:delegatedAdministrators:list

Resources

A resource is what a policy applies to. If you specify a resource for any action in Table 3, the resource URN must be specified in the policy statements using that action, and the policy applies only to these resources. If no resources are specified, the Resource element is marked with an asterisk (*) and the policy applies to all resources. You can also set condition keys in a policy to define resources.

The following table lists the resources that you can define in SCP statements for IAM Identity Center.

Table 3 Resources supported by IAM Identity Center

Resource

URN

instance

IdentityCenter::<management-account-id>:instance:<instance-id>

account

IdentityCenter::<management-account-id>:account:<account-id>

permissionSet

IdentityCenter::<management-account-id>:permissionSet:<instance-id>/<permission-set-id>

Conditions

IAM Identity Center does not support service-specific condition keys in SCPs.

It can only use global condition keys applicable to all services. For details, see Global Condition Keys.

Parent topic: Management & Governance