Prerequisites and permissions for management policies for Amazon Organizations - Amazon Organizations
Prerequisites for management policiesPermissions for management policies
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites and permissions for management policies for Amazon Organizations

This page describes the prerequisites and required permissions for management policies for Amazon Organizations.

Prerequisites for management policies

Using management policies for an organization requires the following:

  • Your organization must have all features enabled.

  • You must be signed in to your organization's management account or be a delegated administrator.

  • Your Amazon Identity and Access Management (IAM) user or role must have the permissions that are listed in the following section.

Permissions for management policies

The following example IAM policy provides permissions to use all aspects of management policies in an organization.

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrganizationPolicies",
            "Effect": "Allow",
            "Action": [
                "organizations:AttachPolicy",
                "organizations:CreatePolicy",
                "organizations:DeletePolicy",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:DetachPolicy",
                "organizations:DisableAWSServiceAccess",
                "organizations:DisablePolicyType",
                "organizations:EnableAWSServiceAccess",
                "organizations:EnablePolicyType",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListCreateAccountStatus",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListTargetsForPolicy",
                "organizations:UpdatePolicy"
            ],
            "Resource": "*"
        }
    ]
}

For more information about IAM policies and permissions, see the IAM User Guide.