Permissions required for accounts
The permissions required for each method of provisioning and updating accounts are discussed in the corresponding section. With the appropriate user group permissions, provisioners can specify standardized baselines and network configurations for any accounts in their organization.
Note

When provisioning an account, the account requester must always have the CreateAccount and DescribeCreateAccountStatus permissions. This permission set is part of the Admin role, and it is given automatically when a requester assumes the Admin role. If you delegate permission to provision accounts, you may need to add these permissions directly for the account requesters.
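As an added example (not part of this AWS documentation), a small static check that reports which of the two required Organizations actions an identity-based policy fails to grant, honouring IAM's case-insensitive wildcard matching and explicit Deny. The sample policy documents are constructed, and the action strings are the `organizations:` forms of the permissions named in the note above.

```python
import fnmatch

# The two Organizations actions the note above says every account requester needs.
REQUIRED_ACTIONS = ("organizations:CreateAccount", "organizations:DescribeCreateAccountStatus")


def _as_list(value):
    # IAM lets Statement, Action and NotAction be a single item or a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) matches the action; IAM action
    matching is case-insensitive and supports * and ? wildcards."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def missing_requester_actions(policy_document):
    """Return the required actions this identity-based policy does not grant.
    An action counts as granted when an Allow statement covers it and no Deny statement
    does (explicit Deny wins). Resource and Condition are ignored: this is a static
    sanity check, not a substitute for the IAM policy simulator."""
    statements = _as_list(policy_document.get("Statement"))
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample: a delegated requester's policy that grants only CreateAccount.
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "organizations:CreateAccount", "Resource": "*"}]}

# Constructed sample: the same policy with the status-polling permission added.
COMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["organizations:CreateAccount", "organizations:DescribeCreateAccountStatus"]}]}

if __name__ == "__main__":
    print(missing_requester_actions(INCOMPLETE_POLICY))  # ['organizations:DescribeCreateAccountStatus']
    print(missing_requester_actions(COMPLETE_POLICY))    # []
```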
When you create accounts from the AWS Control Tower console with Account Factory, you must be signed in to an account with an IAM user that has the AWSServiceCatalogEndUserFullAccess policy enabled, along with permissions to use the AWS Control Tower console, and you cannot be signed in as the Root user.
For general information about permissions required in AWS Control Tower, see Using identity-based policies (IAM policies) for AWS Control Tower. For information about roles and accounts in AWS Control Tower, see Roles and accounts.