Permissions Required to Use the AWS Control Tower Console
AWS Control Tower creates three IAM roles automatically when you set up a landing zone. All three roles are required for console access. AWS Control Tower splits the permissions across three roles, rather than granting them to one role, so that each role is limited to the minimal set of actions and resources it needs (least privilege).
Three required roles
We recommend that you restrict the trust policies of these roles, so that only the intended service, acting on behalf of your account, can assume them. For more information, see Optional conditions for your role trust relationships.
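The following is an added example, not code from the AWS documentation or from AWS Control Tower. It shows what restricting a role trust policy means in practice: a trust statement that lets the controltower.amazonaws.com service principal assume a role with no condition, beside the same statement scoped with an aws:SourceAccount condition, and an audit function that flags any Allow statement granting sts:AssumeRole to a service principal without an aws:Source* condition key. The two policy documents are constructed samples, and the account ID 123456789012 is a placeholder; the check is generic and is not an AWS API.

```python
"""Audit IAM role trust policies for service principals that may assume the
role without a source-scoping condition (aws:SourceAccount, aws:SourceArn,
aws:SourceOrgID or aws:SourceOrgPaths).

Added example, not AWS documentation or Control Tower code. The policy
documents below are constructed samples; the account ID is a placeholder.
"""
import json

# Constructed sample: the service may assume the role on behalf of any
# account, which leaves the role open to confused-deputy misuse.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "controltower.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
})

# Constructed sample: the same trust, restricted to requests the service
# makes on behalf of one specific account (placeholder account ID).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "controltower.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": "123456789012"}
            },
        }
    ],
})

# Global condition keys that tie a service-principal assumption to a source.
SCOPING_KEYS = {
    "aws:sourceaccount",
    "aws:sourcearn",
    "aws:sourceorgid",
    "aws:sourceorgpaths",
}

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Flatten {"StringEquals": {"aws:SourceAccount": ...}} to lowercase keys."""
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def find_unscoped_service_trusts(policy_json):
    """Return [(statement index, principal)] for every Allow statement that
    grants sts:AssumeRole to a service principal (or to "*") without any
    aws:Source* condition key. An empty list means the policy is scoped."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (ASSUME_ACTIONS & actions):
            continue
        if _condition_keys(stmt.get("Condition")) & SCOPING_KEYS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append((idx, "*"))
            continue
        if not isinstance(principal, dict):
            continue
        for svc in _as_list(principal.get("Service", [])):
            findings.append((idx, svc))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)):
        print(name, find_unscoped_service_trusts(doc))
```

To audit a real role, pass the document returned by the IAM GetRole call's AssumeRolePolicyDocument field (URL-decoded) to find_unscoped_service_trusts; any finding is a statement that should gain an aws:SourceAccount or aws:SourceArn condition. The check treats a missing or non-Allow statement as out of scope and does not evaluate the condition values themselves, only whether a scoping key is present.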