
Policy: AWSControlTowerServiceRolePolicy

ARN: arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy

Allowed Actions

Actions Services
account:EnableRegion account
account:GetRegionOptStatus account
account:ListRegions account
cloudformation:ActivateType cloudformation
cloudformation:CreateStack cloudformation
cloudformation:CreateStack cloudformation
cloudformation:CreateStackInstances cloudformation
cloudformation:CreateStackInstances cloudformation
cloudformation:CreateStackSet cloudformation
cloudformation:CreateStackSet cloudformation
cloudformation:DeactivateType cloudformation
cloudformation:DeleteStack cloudformation
cloudformation:DeleteStack cloudformation
cloudformation:DeleteStackInstances cloudformation
cloudformation:DeleteStackInstances cloudformation
cloudformation:DeleteStackSet cloudformation
cloudformation:DeleteStackSet cloudformation
cloudformation:DescribeStackInstance cloudformation
cloudformation:DescribeStackInstance cloudformation
cloudformation:DescribeStackSet cloudformation
cloudformation:DescribeStackSet cloudformation
cloudformation:DescribeStackSetOperation cloudformation
cloudformation:DescribeStackSetOperation cloudformation
cloudformation:DescribeStacks cloudformation
cloudformation:DescribeStacks cloudformation
cloudformation:GetTemplate cloudformation
cloudformation:ListStackInstances cloudformation
cloudformation:ListStackInstances cloudformation
cloudformation:SetTypeConfiguration cloudformation
cloudformation:UpdateStack cloudformation
cloudformation:UpdateStack cloudformation
cloudformation:UpdateStackInstances cloudformation
cloudformation:UpdateStackInstances cloudformation
cloudformation:UpdateStackSet cloudformation
cloudformation:UpdateStackSet cloudformation
cloudtrail:CreateTrail cloudtrail
cloudtrail:DeleteTrail cloudtrail
cloudtrail:DescribeTrails cloudtrail
cloudtrail:GetTrailStatus cloudtrail
cloudtrail:PutEventSelectors cloudtrail
cloudtrail:StartLogging cloudtrail
cloudtrail:StopLogging cloudtrail
cloudtrail:UpdateTrail cloudtrail
config:DeleteConfigurationAggregator config
config:PutConfigurationAggregator config
config:TagResource config
ec2:DescribeAvailabilityZones ec2
iam:CreateServiceLinkedRole iam
iam:GetRole iam
iam:GetRolePolicy iam
iam:GetUser iam
iam:ListAttachedRolePolicies iam
iam:ListRoles iam
iam:PassRole iam
logs:CreateLogGroup logs
logs:CreateLogStream logs
logs:DescribeLogGroups logs
logs:PutLogEvents logs
logs:PutRetentionPolicy logs
organizations:CreateAccount organizations
organizations:DescribeAccount organizations
organizations:DescribeCreateAccountStatus organizations
organizations:DescribeOrganization organizations
organizations:DescribeOrganizationalUnit organizations
organizations:DescribePolicy organizations
organizations:DisableAWSServiceAccess organizations
organizations:EnableAWSServiceAccess organizations
organizations:ListAWSServiceAccessForOrganization organizations
organizations:ListAccounts organizations
organizations:ListAccountsForParent organizations
organizations:ListChildren organizations
organizations:ListOrganizationalUnitsForParent organizations
organizations:ListParents organizations
organizations:ListPoliciesForTarget organizations
organizations:ListRoots organizations
organizations:ListTargetsForPolicy organizations
organizations:MoveAccount organizations
s3:GetObject s3
servicecatalog:AssociatePrincipalWithPortfolio servicecatalog
sts:AssumeRole sts