# AWS managed policies for IAM Identity Center
<a name="security-iam-awsmanpol"></a>

To [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

New actions that allow you to list and delete user sessions are available under the new namespace `identitystore-auth`. Any additional permissions for actions in this namespace will be updated on this page. When creating your custom IAM policies, avoid using `*` after `identitystore-auth`, because a wildcard grants every action in the namespace, including actions that are added to it in the future.
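A small policy linter for the point above, added here as an example (it is not an AWS tool): it flags Allow statements whose `Action` would grant open-ended access to the `identitystore-auth` namespace, including partial wildcards and `Allow` + `NotAction` catch-alls. The sample policies are constructed, and the explicit action names in the second sample are illustrative of the shape (list and delete sessions), not taken from this page.

```python
"""Lint IAM policy documents for wildcard grants in the identitystore-auth
namespace. Added example for this page; it is not AWS's own tooling."""
import fnmatch
import json

NAMESPACE = "identitystore-auth"


def _as_list(value):
    """IAM accepts a lone string/object or a list for Statement, Action, NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def grants_future_actions(pattern):
    """True when an Action pattern would match identitystore-auth actions that do
    not exist yet: "*", "identitystore-auth:*", a wildcard service prefix such as
    "identity*:*", or a partial name such as "identitystore-auth:List*".
    IAM matches action names case-insensitively, so the comparison is lowercased."""
    pattern = pattern.lower()
    if ":" not in pattern:
        return pattern == "*"
    service, _, name = pattern.partition(":")
    if not fnmatch.fnmatchcase(NAMESPACE, service):
        return False
    return "*" in name or "?" in name


def _excludes_whole_namespace(patterns):
    """For Allow + NotAction: only "*" or "identitystore-auth:*" in NotAction keeps
    the statement from granting the entire namespace."""
    return any(p.lower() in ("*", f"{NAMESPACE}:*") for p in patterns)


def find_namespace_wildcards(policy):
    """Return one finding per Allow statement that grants the whole (or an
    open-ended part of the) identitystore-auth namespace.
    Each finding is (statement index, Sid or None, offending pattern)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":  # Deny statements never widen access
            continue
        sid = stmt.get("Sid")
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            if not _excludes_whole_namespace(excluded):
                findings.append((idx, sid, "NotAction:" + ",".join(excluded)))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if grants_future_actions(pattern):
                findings.append((idx, sid, pattern))
    return findings


def lint_policy_json(text):
    """Parse a policy document given as JSON text and lint it."""
    return find_namespace_wildcards(json.loads(text))


# Constructed sample: the pattern the page warns against, plus two other ways
# an open-ended grant sneaks in (NotAction catch-all, mixed-case partial wildcard).
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Sessions", "Effect": "Allow",
         "Action": ["identitystore:DescribeUser", "identitystore-auth:*"],
         "Resource": "*"},
        {"Sid": "Catchall", "Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
        {"Sid": "CaseInsensitive", "Effect": "Allow",
         "Action": "IdentityStore-Auth:List*", "Resource": "*"},
        {"Sid": "DenyIsFine", "Effect": "Deny",
         "Action": "identitystore-auth:*", "Resource": "*"},
    ],
})

# Constructed sample with explicit actions. The action names are illustrative
# (assumed); confirm current names in the Service Authorization Reference.
EXPLICIT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Sessions", "Effect": "Allow",
         "Action": ["identitystore-auth:ListSessions",
                    "identitystore-auth:BatchDeleteSession"],
         "Resource": "*"},
        {"Sid": "Catchall", "Effect": "Allow",
         "NotAction": ["identitystore-auth:*", "iam:*"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("wildcard", WILDCARD_POLICY), ("explicit", EXPLICIT_POLICY)):
        for idx, sid, pattern in lint_policy_json(doc):
            print(f"{name}: statement {idx} ({sid}) is open-ended via {pattern}")
```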

## AWS managed policy: AWSSSOMasterAccountAdministrator
<a name="security-iam-awsmanpol-AWSSSOMasterAccountAdministrator"></a>

The `AWSSSOMasterAccountAdministrator` policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an AWS IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the `AWSSSOMasterAccountAdministrator` policy to your IAM identities. When you attach the `AWSSSOMasterAccountAdministrator` policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create an IAM Identity Center instance, users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator will be granted these permissions automatically.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

**Permissions groupings**

This policy is grouped into statements based on the set of permissions provided.
+ `AWSSSOMasterAccountAdministrator` – Allows the principal to [pass the service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) named `AWSServiceRoleforSSO` to IAM Identity Center so that the service can later assume the role and perform actions on the principal's behalf. This is necessary when the person or application attempts to enable IAM Identity Center. For more information, see [Configure access to AWS accounts](manage-your-accounts.md).
+ `AWSSSOMemberAccountAdministrator` – Allows IAM Identity Center to perform account administrator actions in a multi-account AWS environment. For more information, see [AWS managed policy: AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator).
+ `AWSSSOManageDelegatedAdministrator` – Allows IAM Identity Center to register and deregister a delegated administrator for your organization. 
+ `AllowKMSKeyUseViaService` and `AllowKMSKeyDiscovery` – Allows AWS Key Management Service operations for customer managed keys used by IAM Identity Center instances.

To view the permissions for this policy, see [AWSSSOMasterAccountAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOMasterAccountAdministrator.html) in *AWS Managed Policy Reference*.

### Additional information about this policy
<a name="security-iam-awsmanpol-additional-info"></a>

When IAM Identity Center is enabled for the first time, the IAM Identity Center service creates a [service-linked role](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html) in the AWS Organizations management account (formerly master account) so that IAM Identity Center can manage the resources in your account. The actions required are `iam:CreateServiceLinkedRole` and `iam:PassRole`.

## AWS managed policy: AWSSSOMemberAccountAdministrator
<a name="security-iam-awsmanpol-AWSSSOMemberAccountAdministrator"></a>

The `AWSSSOMemberAccountAdministrator` policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an IAM Identity Center administrator. Over time the list of actions provided will be updated to match the existing functionality of IAM Identity Center and the actions that are required as an administrator.

You can attach the `AWSSSOMemberAccountAdministrator` policy to your IAM identities. When you attach the `AWSSSOMemberAccountAdministrator` policy to an identity, you grant administrative AWS IAM Identity Center permissions. Principals with this policy can access IAM Identity Center within the AWS Organizations management account and all member accounts. This principal can fully manage all IAM Identity Center operations, including the ability to create users, permission sets, and assignments. The principal can also instantiate those assignments throughout the AWS organization member accounts and establish connections between AWS Directory Service managed directories and IAM Identity Center. As new administrative features are released, the account administrator is granted these permissions automatically.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSOMemberAccountAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOMemberAccountAdministrator.html) in *AWS Managed Policy Reference*.

### Additional information about this policy
<a name="security-iam-awsmanpol-additional-info-AWSSSOMemberAccountAdministrator"></a>

IAM Identity Center administrators manage users, groups, and passwords in their Identity Center directory store (sso-directory). The account admin role includes permissions for the following actions:
+ `"sso:*"`
+ `"sso-directory:*"`

IAM Identity Center administrators need limited permissions to the following Directory Service actions to perform daily tasks.
+ `"ds:DescribeTrusts"`
+ `"ds:UnauthorizeApplication"`
+ `"ds:DescribeDirectories"`
+ `"ds:AuthorizeApplication"`
+ `"ds:CreateAlias"`

These permissions allow IAM Identity Center administrators to identify existing directories and manage applications so that they can be configured for use with IAM Identity Center. For more information about each of these actions, see [Directory Service API permissions: Actions, resources, and conditions reference](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html).

IAM Identity Center uses IAM policies to grant permissions to IAM Identity Center users. IAM Identity Center administrators create permission sets and attach policies to them. The IAM Identity Center administrator must have the permissions to list the existing policies so that they can choose which policies to use with the permission set they are creating or updating. To set secure and functional permissions, the IAM Identity Center administrator must have permissions to run the IAM Access Analyzer policy validation.
+ `"iam:ListPolicies"`
+ `"access-analyzer:ValidatePolicy"`

IAM Identity Center administrators need limited access to the following AWS Organizations actions to perform daily tasks:
+ `"organizations:EnableAWSServiceAccess"`
+ `"organizations:ListRoots"`
+ `"organizations:ListAccounts"`
+ `"organizations:ListOrganizationalUnitsForParent"`
+ `"organizations:ListAccountsForParent"`
+ `"organizations:DescribeOrganization"`
+ `"organizations:ListChildren"`
+ `"organizations:DescribeAccount"`
+ `"organizations:ListParents"`
+ `"organizations:ListDelegatedAdministrators"`
+ `"organizations:RegisterDelegatedAdministrator"`
+ `"organizations:DeregisterDelegatedAdministrator"`

These permissions allow IAM Identity Center administrators to work with organization resources (accounts) for basic IAM Identity Center administrative tasks such as the following:
+ Identifying the management account that belongs to the organization
+ Identifying the member accounts that belong to the organization
+ Enabling AWS service access for accounts
+ Setting up and managing a delegated administrator

For more information about using a delegated administrator with IAM Identity Center, see [Delegated administration](delegated-admin.md). For more information about how these permissions are used with AWS Organizations, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

## AWS managed policy: AWSSSODirectoryAdministrator
<a name="security-iam-awsmanpol-AWSSSODirectoryAdministrator"></a>

You can attach the `AWSSSODirectoryAdministrator` policy to your IAM identities.

This policy grants administrative permissions over IAM Identity Center users and groups. Principals with this policy attached can make any updates to IAM Identity Center users and groups. This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

This policy includes the following permissions:
+ **IAM Identity Center Directory** - Full administrative access to IAM Identity Center directory operations.
+ **Identity Store** - Full administrative access to identity store operations and authentication.
+ **IAM Identity Center** - Permission to list directory associations.
+ **AWS Key Management Service** - Permissions to decrypt, describe keys, and generate data keys for customer managed keys used by IAM Identity Center instances.

To view the permissions for this policy, see [AWSSSODirectoryAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSODirectoryAdministrator.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSOReadOnly
<a name="security-iam-awsmanpol-AWSSSOReadOnly"></a>

You can attach the `AWSSSOReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in IAM Identity Center. Principals with this policy attached cannot view the IAM Identity Center users or groups directly. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center settings, but cannot change any of the setting values.

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSOReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSOReadOnly.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSODirectoryReadOnly
<a name="security-iam-awsmanpol-AWSSSODirectoryReadOnly"></a>

You can attach the `AWSSSODirectoryReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow users to view users and groups in IAM Identity Center. Principals with this policy attached cannot view IAM Identity Center assignments, permission sets, applications, or settings. Principals with this policy attached cannot make any updates in IAM Identity Center. For example, principals with these permissions can view IAM Identity Center users, but they cannot change any user attributes or assign MFA devices. 

This policy also includes AWS Key Management Service permissions required for IAM Identity Center instances that use customer managed keys for encryption.

To view the permissions for this policy, see [AWSSSODirectoryReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSODirectoryReadOnly.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentitySyncFullAccess
<a name="security-iam-awsmanpol-AWSIdentitySyncFullAccess"></a>

You can attach the `AWSIdentitySyncFullAccess` policy to your IAM identities.

Principals with this policy attached have full access permissions to create and delete sync profiles, associate or update a sync profile with a sync target, create, list and delete sync filters, and start or stop synchronization.

**Permission details**

To view the permissions for this policy, see [AWSIdentitySyncFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentitySyncFullAccess.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentitySyncReadOnlyAccess
<a name="security-iam-awsmanpol-AWSIdentitySyncReadOnlyAccess"></a>

You can attach the `AWSIdentitySyncReadOnlyAccess` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information about the identity synchronization profile, filters, and target settings. Principals with this policy attached cannot make any updates to synchronization settings. For example, principals with these permissions can view identity synchronization settings, but cannot change any of the profile or filter values. 

To view the permissions for this policy, see [AWSIdentitySyncReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentitySyncReadOnlyAccess.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSSSOServiceRolePolicy
<a name="security-iam-awsmanpol-AWSSSOServiceRolePolicy"></a>

You cannot attach the `AWSSSOServiceRolePolicy` policy to your IAM identities.

This policy is attached to a service-linked role that allows IAM Identity Center to delegate and enforce which users have single sign-on access to specific AWS accounts in AWS Organizations. When you enable IAM Identity Center, a service-linked role is created in all of the AWS accounts within your organization. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. Service-linked roles that are created in each AWS account are named `AWSServiceRoleForSSO`. For more information, see [Using service-linked roles for IAM Identity Center](using-service-linked-roles.md).

## AWS managed policy: AWSIAMIdentityCenterAllowListForIdentityContext
<a name="security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext"></a>

When assuming a role with the IAM Identity Center identity context, AWS Security Token Service (AWS STS) automatically attaches the `AWSIAMIdentityCenterAllowListForIdentityContext` policy to the role.

This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context. All other actions that are called with this context are blocked. The identity context is passed as `ProvidedContext`.

To view the permissions for this policy, see [AWSIAMIdentityCenterAllowListForIdentityContext](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIAMIdentityCenterAllowListForIdentityContext.html) in *AWS Managed Policy Reference*.

## AWS managed policy: AWSIdentityCenterExternalManagementPolicy
<a name="security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy"></a>

You can attach the `AWSIdentityCenterExternalManagementPolicy` policy to your IAM identities.

This policy provides access to manage IAM Identity Center users from an external provider.

To view the permissions for this policy, see [AWSIdentityCenterExternalManagementPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSIdentityCenterExternalManagementPolicy.html) in *AWS Managed Policy Reference*.

## IAM Identity Center updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table describes the updates to AWS managed policies for IAM Identity Center since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM Identity Center Document history page.

| Change | Description | Date | 
| --- | --- | --- | 
| [AWSIdentityCenterExternalManagementPolicy](#security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy) |  Updated managed policy to change the ARN for the provisioning tenant.  | December 5, 2025 | 
| [AWSIdentityCenterExternalManagementPolicy](#security-iam-awsmanpol-AWSIdentityCenterExternalManagementPolicy) |  This policy provides access to manage IAM Identity Center users from an external provider.  | November 21, 2025 | 
|  [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator), [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator), [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly), [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator), [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  Updated managed policies to include AWS KMS permissions required for IAM Identity Center instances that use customer managed keys for encryption.  | September 17, 2025 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now includes permissions to call `identity-sync:DeleteSyncProfile`. | February 11, 2025 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:ListQAppSessionData` and `qapps:ExportQAppSessionData` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | October 2, 2024 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  IAM Identity Center added a new action to grant DeleteSyncProfile permissions to allow you to use this policy to delete sync profiles. This action is associated with the DeleteInstance API.  | September 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `s3:ListCallerAccessGrants` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | September 4, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `aoss:APIAccessAll`, `es:ESHttpHead`, `es:ESHttpPost`, `es:ESHttpGet`, `es:ESHttpPatch`, `es:ESHttpDelete`, and `es:ESHttpPut` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | July 12, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:PredictQApp`, `qapps:ImportDocument`, `qapps:AssociateLibraryItemReview`, `qapps:DisassociateLibraryItemReview`, `qapps:GetQAppSession`, `qapps:UpdateQAppSession`, `qapps:GetQAppSessionMetadata`, `qapps:UpdateQAppSessionMetadata`, and `qapps:TagResource` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | June 27, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `elasticmapreduce:AddJobFlowSteps`, `elasticmapreduce:DescribeCluster`, `elasticmapreduce:CancelSteps`, `elasticmapreduce:DescribeStep`, and `elasticmapreduce:ListSteps` actions to support trusted identity propagation in Amazon EMR.  | May 17, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qapps:CreateQApp`, `qapps:PredictProblemStatementFromConversation`, `qapps:PredictQAppFromProblemStatement`, `qapps:CopyQApp`, `qapps:GetQApp`, `qapps:ListQApps`, `qapps:UpdateQApp`, `qapps:DeleteQApp`, `qapps:AssociateQAppWithUser`, `qapps:DisassociateQAppFromUser`, `qapps:ImportDocumentToQApp`, `qapps:ImportDocumentToQAppSession`, `qapps:CreateLibraryItem`, `qapps:GetLibraryItem`, `qapps:UpdateLibraryItem`, `qapps:CreateLibraryItemReview`, `qapps:ListLibraryItems`, `qapps:CreateSubscriptionToken`, `qapps:StartQAppSession`, and `qapps:StopQAppSession` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 30, 2024 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes the `signin:CreateTrustedIdentityPropagationApplicationForConsole` and `signin:ListTrustedIdentityPropagationApplicationsForConsole` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes the `signin:CreateTrustedIdentityPropagationApplicationForConsole` and `signin:ListTrustedIdentityPropagationApplicationsForConsole` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy now includes the `signin:ListTrustedIdentityPropagationApplicationsForConsole` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qbusiness:PutFeedback` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 26, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `q:StartConversation`, `q:SendMessage`, `q:ListConversations`, `q:GetConversation`, `q:StartTroubleshootingAnalysis`, `q:GetTroubleshootingResults`, `q:StartTroubleshootingResolutionExplanation`, and `q:UpdateTroubleshootingCommandResult` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 24, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `sts:SetContext` action to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 19, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `qbusiness:Chat`, `qbusiness:ChatSync`, `qbusiness:ListConversations`, `qbusiness:ListMessages`, and `qbusiness:DeleteConversation` actions to support identity-enhanced console sessions for AWS managed applications that support these sessions.  | April 11, 2024 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy now includes the `s3:GetAccessGrantsInstanceForPrefix` and `s3:GetDataAccess` actions.  | November 26, 2023 | 
| [AWSIAMIdentityCenterAllowListForIdentityContext](#security-iam-awsmanpol-AWSIAMIdentityCenterAllowListForIdentityContext) |  This policy provides the list of actions that are allowed when you use trusted identity propagation with roles that are assumed with the IAM Identity Center identity context.  | November 15, 2023 | 
| [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow users to list and get sessions.  | February 21, 2023 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now allows the [`UpdateSAMLProvider`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html) action to be taken on the management account.  | October 20, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator) |  This policy now includes the new namespace `identitystore-auth` with new permissions to allow the admin to list and delete sessions for a user.  |  October 20, 2022  | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now includes new permissions to call [`ListDelegatedAdministrators`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html) in AWS Organizations. This policy also now includes a subset of permissions, `AWSSSOManageDelegatedAdministrator`, that includes permissions to call [`RegisterDelegatedAdministrator`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) and [`DeregisterDelegatedAdministrator`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html).   |  August 16, 2022  | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now includes new permissions to call [`ListDelegatedAdministrators`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html) in AWS Organizations. This policy also now includes a subset of permissions, `AWSSSOManageDelegatedAdministrator`, that includes permissions to call [`RegisterDelegatedAdministrator`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) and [`DeregisterDelegatedAdministrator`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html).   |  August 16, 2022  | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy now includes new permissions to call [`ListDelegatedAdministrators`](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html) in AWS Organizations.  |  August 11, 2022  | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) |  This policy now includes new permissions to call [`DeleteRolePermissionsBoundary`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePermissionsBoundary.html) and [`PutRolePermissionsBoundary`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html).  | July 14, 2022 | 
| [AWSSSOServiceRolePolicy](#security-iam-awsmanpol-AWSSSOServiceRolePolicy) | This policy now includes new permissions that allow calls to [ListAWSServiceAccessForOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAWSServiceAccessForOrganization.html) and [ListDelegatedAdministrators](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html) in AWS Organizations. | May 11, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator), [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator), [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) | Added IAM Access Analyzer permissions that allow a principal to use the policy checks for validation. | April 28, 2022 | 
| [AWSSSOMasterAccountAdministrator](#security-iam-awsmanpol-AWSSSOMasterAccountAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions. For information about the actions available in the IAM Identity Center Identity Store service, see the [IAM Identity Center Identity Store API Reference](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html).  | March 29, 2022 | 
| [AWSSSOMemberAccountAdministrator](#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions.  | March 29, 2022 | 
| [AWSSSODirectoryAdministrator](#security-iam-awsmanpol-AWSSSODirectoryAdministrator) |  This policy now allows all IAM Identity Center Identity Store service actions.  | March 29, 2022 | 
| [AWSSSODirectoryReadOnly](#security-iam-awsmanpol-AWSSSODirectoryReadOnly) |  This policy now grants access to the IAM Identity Center Identity Store service read actions. This access is required to retrieve user and group information from the IAM Identity Center Identity Store service.  | March 29, 2022 | 
| [AWSIdentitySyncFullAccess](#security-iam-awsmanpol-AWSIdentitySyncFullAccess) |  This policy allows full access to identity-sync permissions.  | March 3, 2022 | 
| [AWSIdentitySyncReadOnlyAccess](#security-iam-awsmanpol-AWSIdentitySyncReadOnlyAccess) |  This policy grants read-only permissions that allow a principal to view identity-sync settings.  | March 3, 2022 | 
| [AWSSSOReadOnly](#security-iam-awsmanpol-AWSSSOReadOnly) |  This policy grants read-only permissions that allow a principal to view IAM Identity Center configuration settings.   | August 4, 2021 | 
| IAM Identity Center started tracking changes | IAM Identity Center started tracking changes for AWS managed policies. | August 4, 2021 | 