AWS singlesignon documentation change
Summary
Changed header from 'Create an account instance' to 'Delete your IAM Identity Center instance'
Security assessment
This appears to be a section header correction without security implications. No evidence of security context in this specific change.
Diff
diff --git a/singlesignon/latest/userguide/control-account-instance.md b/singlesignon/latest/userguide/control-account-instance.md index 6ce919bda..0b4219417 100644 --- a//singlesignon/latest/userguide/control-account-instance.md +++ b//singlesignon/latest/userguide/control-account-instance.md @@ -9 +9 @@ Prevent account instancesLimit account instances -If you enabled IAM Identity Center after November 15, 2023, member account administrators can create an instance of IAM Identity Center that's bound to a single AWS account, called an [account instance of IAM Identity Center](./account-instances-identity-center.html), by default. The management account organization instance of IAM Identity Center can use Service Control Policies (SCPs) to prevent all member accounts from creating account instances or to identify specific member accounts that are permitted to create account instances. +The ability for member accounts to create account instances depends on when you enabled IAM Identity Center: @@ -11 +11,3 @@ If you enabled IAM Identity Center after November 15, 2023, member account admin - 1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon). + * Before November 2023 – You must [permit account instance creation in member accounts](./enable-account-instance-console.html), which is an action that can't be reversed. + + * After November 15, 2023 – Member accounts can create account instances by default. @@ -13 +14,0 @@ If you enabled IAM Identity Center after November 15, 2023, member account admin - 2. On the **Dashboard** , in the **Central management** section, choose the **Prevent account instances** button. @@ -15 +15,0 @@ If you enabled IAM Identity Center after November 15, 2023, member account admin - 3. In the **Attach SCP to prevent creation of new account instances** dialog box, an SCP is provided for you. Copy the SCP and choose the **Go to SCP dashboard** button. You'll be directed to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) to create the SCP or attach it as a statement to an existing SCP. @@ -17 +16,0 @@ If you enabled IAM Identity Center after November 15, 2023, member account admin -Service control policies are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the _AWS Organizations User Guide._ @@ -18,0 +18 @@ Service control policies are a feature of AWS Organizations. For instructions on +In either case, you can use Service Control Policies (SCPs) to: @@ -19,0 +20 @@ Service control policies are a feature of AWS Organizations. For instructions on + * Prevent all member accounts from creating account instances. @@ -20,0 +22 @@ Service control policies are a feature of AWS Organizations. For instructions on + * Allow only specific member accounts to create account instances. @@ -22 +23,0 @@ Service control policies are a feature of AWS Organizations. For instructions on -Rather than prevent account instance creation, you can limit account instance creation to a specific AWS account within your organization: @@ -24 +24,0 @@ Rather than prevent account instance creation, you can limit account instance cr -If you enabled IAM Identity Center before November 2023, you can choose whether [member accounts can create an account instance of IAM Identity Center](./enable-account-instance-console.html), which is an instance of IAM Identity Center that's bound to a single AWS account. Otherwise, by default, member accounts in your organization already have the option to [create an account instance](./create-account-instance.html). Enabling member accounts to create account instances isn't reversible, but you can use a Service Control Policy (SCP) to prevent or limit account instance creation. @@ -26 +25,0 @@ If you enabled IAM Identity Center before November 2023, you can choose whether -SCPs are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the _AWS Organizations User Guide._ @@ -36 +35 @@ Use the following procedure to generate an SCP that prevents member accounts fro - 3. In the **Attach SCP to prevent creation of new account instances** dialog box, an SCP is provided for you. Copy the SCP and choose the **Go to SCP dashboard** button. You'll be directed to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) to create the SCP or attach it as a statement to an existing SCP. + 3. In the **Attach SCP to prevent creation of new account instances** dialog box, an SCP is provided for you. Copy the SCP and choose the **Go to SCP dashboard** button. You'll be directed to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) to create the SCP or attach it as a statement to an existing SCP. SCPs are a feature of AWS Organizations. For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the _AWS Organizations User Guide._ @@ -43 +42 @@ Use the following procedure to generate an SCP that prevents member accounts fro -Rather than prevent account instance creation, you can limit account instance creation to a specific AWS account within your organization: +Instead of preventing all account instance creation, this policy denies any attempt to create an account instance of IAM Identity Center for all AWS accounts except those explicitly listed in the `"<ALLOWED-ACCOUNT-ID>"` placeholder. @@ -45 +44 @@ Rather than prevent account instance creation, you can limit account instance cr -###### Example : SCP to control instance creation +###### Example : Deny policy to limit account instance creation @@ -65,0 +65,11 @@ Rather than prevent account instance creation, you can limit account instance cr + * Replace [`"<ALLOWED-ACCOUNT-ID>"`] with the actual AWS account ID(s) that you want to allow to create an account instance of IAM Identity Center. + + * You can list multiple allowed account IDs in the array format: [`"111122223333", "444455556666"`]. + + * Attach this policy to your organization SCP to enforce centralized control over IAM Identity Center account instance creation. + +For instructions on attaching an SCP, see [Attaching and detaching service control policies](/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the _AWS Organizations User Guide._ + + + + @@ -74 +84 @@ Permit account instance creation in member accounts -Create an account instance +Delete your IAM Identity Center instance