Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

IAM Identity Center Groups for AWS Control Tower

PDF
RSS
Focus mode
IAM Identity Center Groups for AWS Control Tower - AWS Control Tower

AWS Control Tower offers preconfigured groups to organize users that perform specific tasks in your accounts. You can add users and assign them to these groups directly in IAM Identity Center. Doing so matches permission sets to users in groups within your accounts. For the latest guidance and best practices on configuring your groups, see Best practices in the IAM Identity Center User Guide.

The following groups are created when you set up your landing zone.

AWSAccountFactory
Account Permission sets Description
Management account AWSServiceCatalogEndUserAccess This group is only used in this account to provision new accounts using Account Factory.
AWSServiceCatalogAdmins
Account Permission sets Description
Management account AWSServiceCatalogAdminFullAccess This group is only used in this account to make administrative changes to Account Factory. Users in this group can't provision new accounts unless they're also in the AWSAccountFactory group.
AWSControlTowerAdmins
Account Permission sets Description
Management account AWSAdministratorAccess Users of this group in this account are the only ones that have access to the AWS Control Tower console.
Log archive account AWSAdministratorAccess Users have administrator access in this account.
Audit account AWSAdministratorAccess Users have administrator access in this account.
Member accounts AWSOrganizationsFullAccess Users have full access to Organizations in this account.
AWSSecurityAuditPowerUsers
Account Permission sets Description
Management account AWSPowerUserAccess Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Log archive account AWSPowerUserAccess Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Audit account AWSPowerUserAccess Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
Member accounts AWSPowerUserAccess Users can perform application development tasks and can create and configure resources and services that support AWS aware application development.
AWSSecurityAuditors
Account Permission sets Description
Management account AWSReadOnlyAccess Users have read-only access to all AWS services and resources in this account.
Log archive account AWSReadOnlyAccess Users have read-only access to all AWS services and resources in this account.
Audit account AWSReadOnlyAccess Users have read-only access to all AWS services and resources in this account.
Member accounts AWSReadOnlyAccess Users have read-only access to all AWS services and resources in this account.
AWSLogArchiveAdmins
Account Permission sets Description
Log archive account AWSAdministratorAccess Users have administrator access in this account.
AWSLogArchiveViewers
Account Permission sets Description
Log archive account AWSReadOnlyAccess Users have read-only access to all AWS services and resources in this account.
AWSAuditAccountAdmins
Account Permission sets Description
Audit account AWSAdministratorAccess Users have administrator access in this account.
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.