Permissions Required to Use the AWS Control Tower Console

AWS Control Tower creates three roles automatically when you set up a landing zone. All three roles are required to allow console access. As a best practice, AWS Control Tower splits permissions across three roles so that each role is restricted to a minimal set of actions and resources.

We recommend that you restrict access to the role trust policies for these roles. For more information, see Optional conditions for your role trust relationships.
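
One way to check a role's trust policy for this, as an added example that is not AWS-provided code: it flags statements that let a service principal assume the role with no scoping condition. It assumes the scoping uses the global condition keys `aws:SourceArn` or `aws:SourceAccount` (this page does not list the conditions); the function name, sample policies, account ID and ARN are constructed.

```python
import json

# Global condition keys that tie a service principal's request to one account or resource.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_service_trusts(policy):
    """Return (statement label, service principal) pairs for Allow statements
    that let a service assume the role without a scoping condition."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is a different finding, out of scope here
        # IAM condition key names are case-insensitive, so compare in lower case.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if keys & SCOPING_KEYS:
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        findings += [(label, svc) for svc in as_list(principal.get("Service", []))]
    return findings

# Constructed sample trust policies; the account ID and ARN are placeholders.
OPEN_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "controltower.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")
SCOPED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ControlTowerOnly", "Effect": "Allow",
                 "Principal": {"Service": "controltower.amazonaws.com"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"ArnEquals": {
                   "aws:SourceArn": "arn:aws:controltower:us-east-1:111122223333:*"}}}]
}""")

if __name__ == "__main__":
    for name, doc in (("open", OPEN_TRUST), ("scoped", SCOPED_TRUST)):
        print(name, unscoped_service_trusts(doc))
```

To audit a real role, pass in the trust policy document exported from IAM; an empty result means every service-principal statement carries one of the two scoping keys.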