Permissions required for accounts


The permissions required for each method of provisioning and updating accounts are discussed in the section for that method. With the appropriate user group permissions, provisioners can specify standardized baselines and network configurations for any accounts in their organization.

Note

When provisioning an account, the account requester must always have the CreateAccount and the DescribeCreateAccountStatus permissions. This permission set is part of the Admin role, and it is given automatically when a requester assumes the Admin role. If you delegate permission to provision accounts, you may need to add these permissions directly for the account requesters.

When you create accounts from the AWS Control Tower console with Account Factory, you must be signed in to an account as an IAM user that has the AWSServiceCatalogEndUserFullAccess policy enabled, along with permissions to use the AWS Control Tower console. You cannot be signed in as the root user.
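A pre-flight check for a delegated provisioner, as an added example that is not AWS code: it reports which of the requirements above an identity's policies fail to meet, treating an explicit Deny as overriding any Allow. It assumes the two permissions are the AWS Organizations actions `organizations:CreateAccount` and `organizations:DescribeCreateAccountStatus`; the function names and sample policy documents are constructed for illustration, and the check does not cover the separate permissions to use the AWS Control Tower console.

```python
import fnmatch

# Actions the page says every account requester needs (AWS Organizations prefix).
REQUIRED_ACTIONS = ("organizations:CreateAccount",
                    "organizations:DescribeCreateAccountStatus")
# Managed policy the page requires for Account Factory console provisioning.
REQUIRED_MANAGED_POLICY = "AWSServiceCatalogEndUserFullAccess"


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(statement, action):
    """True if any Action pattern in the statement matches (case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action")))


def missing_requirements(policy_documents, attached_managed_policies):
    """Return the page's requirements this identity does not meet.

    Simplified: ignores Resource, Condition, NotAction, SCPs and boundaries.
    """
    stmts = [s for d in policy_documents for s in _as_list(d.get("Statement"))]
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in stmts)
        if denied or not allowed:  # an explicit Deny always wins
            missing.append(action)
    if REQUIRED_MANAGED_POLICY not in attached_managed_policies:
        missing.append(REQUIRED_MANAGED_POLICY)
    return missing


# Constructed sample: delegated provisioner given only read access to Organizations.
DELEGATED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "organizations:Describe*", "Resource": "*"}]}
# Constructed fix: grant exactly the two actions named in the note.
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    print(missing_requirements([DELEGATED], []))
    print(missing_requirements([DELEGATED, FIXED], [REQUIRED_MANAGED_POLICY]))
```

Because this evaluates policy documents offline, it cannot see service control policies or permissions boundaries; an empty result means only that the identity-based policies supplied satisfy the stated requirements.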

For general information about permissions required in AWS Control Tower, see Using identity-based policies (IAM policies) for AWS Control Tower. For information about roles and accounts in AWS Control Tower, see Roles and accounts.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.