Using AWS Management Console Private Access with AWS Organizations service control policies - AWS Management Console

Using AWS Management Console Private Access with AWS Organizations service control policies

If your AWS organization is using a service control policy (SCP) that allows specific services, you must add signin:* to the allowed actions. This permission is needed because signing in to the AWS Management Console over a Private Access VPC endpoint performs an IAM authorization that the SCP blocks without the permission. As an example, the following service control policy allows the Amazon EC2 and CloudWatch services to be used in the organization, including when they are accessed using an AWS Management Console Private Access endpoint.

{
    "Effect": "Allow",
    "Action": [
        "signin:*",
        "ec2:*",
        "cloudwatch:*",
        ... Other services allowed
    ],
    "Resource": "*"
}
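To catch an allow-list SCP that is missing signin:* before it breaks Private Access sign-in, the following added checker (not from the AWS documentation or any AWS tool) parses an SCP document and reports whether some Allow statement covers the whole signin namespace with no Deny overriding it. The sample policies and the probe action name are constructed for the example; the check evaluates Effect, Action and NotAction only and ignores Condition blocks.

```python
import fnmatch
import json

# Constructed sample SCPs (not from the page). The first is an allow-list SCP
# that forgot signin:*; the second adds it, as required for Console Private Access.
SCP_MISSING_SIGNIN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": "*"}
    ],
})
SCP_WITH_SIGNIN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["signin:*", "ec2:*", "cloudwatch:*"], "Resource": "*"}
    ],
})

# Constructed placeholder, not a real IAM action: only a pattern that covers the
# whole signin namespace ("*" or "signin:*") can match it.
PROBE_ACTION = "signin:zz-placeholder-action"

def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/NotAction."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """IAM action patterns use * and ? wildcards and are case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _statement_covers(stmt, action):
    """NotAction covers everything that does NOT match its patterns."""
    if "NotAction" in stmt:
        return not _matches(_as_list(stmt["NotAction"]), action)
    return _matches(_as_list(stmt.get("Action", [])), action)

def scp_allows_signin(policy_json):
    """True if an Allow covers all signin actions and no Deny blocks them."""
    allowed = denied = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if _statement_covers(stmt, PROBE_ACTION):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied

if __name__ == "__main__":
    for name, doc in (("missing", SCP_MISSING_SIGNIN), ("fixed", SCP_WITH_SIGNIN)):
        print(f"{name}: signin allowed = {scp_allows_signin(doc)}")
```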

For more information about SCPs, see Service control policies (SCPs) in the AWS Organizations User Guide.