Required roles and permissions
AWS Control Tower uses IAM roles to help manage access to resources.
For general information about roles, see User groups, roles, and permission sets.
About permissions
For information about IAM groups and their permissions in AWS Control Tower, see IAM Identity Center groups for AWS Control Tower.
For information about permissions required to provision accounts, see Permissions required for accounts.
For information about console permissions required for AWS Control Tower, see Permissions required to use the AWS Control Tower console.
About roles
For information about how to create a role, including permissions designed for programmatic access, see Create roles and assign permissions, and Programmatic roles and trust relationships for the AWS Control Tower audit account.
For information about other roles that AWS Control Tower uses to manage your accounts, see Using identity-based policies (IAM policies) for AWS Control Tower, and the Managed policies for AWS Control Tower.
For information about AWS Control Tower and AWS Config roles, see AWS Control Tower ConfigRecorderRole.
For information about roles that AWS Control Tower uses to aggregate AWS Config information for your accounts, see How AWS Control Tower aggregates AWS Config rules in unmanaged OUs and accounts.
For information about how to protect your resources as you are assigning roles and permissions, see Optional conditions for your role trust relationships, Optionally configure AWS KMS keys, and Prevent cross-service impersonation.
For specific information about automated account provisioning in AWS Control Tower with IAM roles, see Automated Account Provisioning with IAM Roles.
To view the policy that protects the AWS Config SNS topic, see The AWS Config SNS topic policy.