AWS Security ChangesHomeSearch

AWS singlesignon high security documentation change

Service: singlesignon · 2025-04-03 · Security-related high

File: singlesignon/latest/userguide/awsapps.md

Summary

Added example SCP policy to restrict IAM Identity Center access to designated accounts

Security assessment

The added SCP example explicitly shows how to restrict sensitive identity store operations (identitystore, sso, sso-directory, sso-oidc) to specific accounts, which directly addresses potential overprivileged access security risks

Diff

diff --git a/singlesignon/latest/userguide/awsapps.md b/singlesignon/latest/userguide/awsapps.md
index 46c5350b2..c8df743e9 100644
--- a//singlesignon/latest/userguide/awsapps.md
+++ b//singlesignon/latest/userguide/awsapps.md
@@ -78 +78,24 @@ Whichever identity source you choose, IAM Identity Center can share the user and
-When you enable IAM Identity Center for the first time, AWS allows the use of AWS managed applications automatically in all accounts in AWS Organizations. To constrain applications, you must implement service control policies (SCPs). SCPs are a feature of AWS Organizations that you can use to centrally control the maximum permissions that identities (users and roles) in your organization can have. You can use SCPs to block access to the IAM Identity Center user and group information and to prevent the application from being started, except in designated accounts. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide._
+When you first enable IAM Identity Center, it becomes available as an identity source for AWS managed applications across all accounts in your AWS Organizations. To constrain applications, you must implement service control policies (SCPs). SCPs are a feature of AWS Organizations that you can use to centrally control the maximum permissions that identities (users and roles) in your organization can have. You can use SCPs to block access to the IAM Identity Center user and group information and to prevent the application from being started, except in designated accounts. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide._
+
+The following SCP example blocks access to the IAM Identity Center user and group information and prevents the application from being started, except in designated accounts (111111111111 and 222222222222):
+    
+    
+    {
+      "Sid": "DenyIdCExceptInDesignatedAWSAccounts",
+      "Effect": "Deny",
+      "Action": [
+        "identitystore:*"
+        "sso:*",
+        "sso-directory:*",
+        "sso-oidc:*"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringNotEquals": {
+          "aws:PrincipalAccount": [
+            "111111111111",
+            "222222222222"
+          ]
+        }
+      }
+    }