Account template creation - Permissions

Using Permissions, you can ~~restrict~~configure ~~which~~what ~~AWS~~the ~~services~~end users can and cannot do in their accounts.

Sandbox Studio uses IAM Identity Center Permissions Sets for permissions. You can see more details explaining each of the sections of this page at https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html

Default permissions

By default, "Administrator Access" is provided to end users.

Service Control Policies (SCP) are still applied on the accounts and even with Administrator access, some resources and actions ~~are~~may ~~allowed~~be ~~for~~blocked ~~users~~by ~~once~~your ~~they~~Administrators.

~~access~~

If ~~their~~the ~~AWS~~default ~~account~~configuration ~~through~~suits ~~Sandbox~~your ~~Studio.~~needs, proceed ~~Each~~to the next step Account ~~Template~~template ~~can~~creation ~~have~~- ~~different~~Roles & Access

Customise permissions

For more granular permissions ~~associated with it~~

~~On accessing the Permissions Page~~configuration, you can ~~either select~~customise the ~~Yes, use default~~ permissions ~~(The default is~~ ~~Administrator Access~~ ~~which means full access.) or~~ you ~~can~~provide ~~select~~to the end users by selecting No, I want to customise ~~permissions.~~permissions:

InThe ~~the~~following ~~event that~~ ~~No, I want to customise permissions (1)~~ ~~is selected, you~~sections can ~~either~~be ~~select~~configured:

~~from~~

~~the~~

~~standard~~

AWS Managed Policies

~~(2)~~

~~or ...~~

~~...~~default, the Administrator Access policy is applied but you can ~~Include~~select one or more policies from the list of AWS Managed policies. More details here about AWS Managed policies: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html

Customer Managed Policies

~~(2)~~

~~and~~

If /you orhave ~~Include~~pre-defined ~~Inline~~policies ~~Policy~~you ~~(2)~~manage, you can use them here. More details about Customer managed policies

~~Lastly~~

Inline policy

Finally, you can use inline policy (define the access directly in the section). More details about inline policies.

Example:

Permission Boundary:

Finally, and following the same principles as previous options, you have the option to include Permission ~~Boundarys.~~boundaries. OnMore ~~selecting~~details to ~~Include~~about Permission ~~Boundary~~boundaries.

~~(1)~~,

~~you~~

Note: ~~then~~Permission boundaries can ~~choose~~only ~~between~~be ~~(2) an~~ "AWS managed ~~policy~~policy" orOR "Customer managed policy" (Not both). In addition, you can only select ONE policy. to apply.

Having completed all the fields on the Permissions page as needed, click on Next to move to ~~section~~Account 5template creation - ~~Managers~~
Roles
& Access