Using identity-based policies (IAM policies) for Amazon Organizations
As an administrator of the management account of an organization, you can control access to Amazon resources by attaching permissions policies to Amazon Identity and Access Management (IAM) identities (users, groups, and roles) within the organization. When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources. If the permissions are granted to a role, that role can be assumed by users in other accounts in the organization.
By default, a user has no permissions of any kind. All permissions must be explicitly granted by a policy. If a permission isn't explicitly granted, it's implicitly denied. If a permission is explicitly denied, that overrules any other policy that might have allowed it. In other words, a user has only those permissions that are explicitly granted and that aren't explicitly denied.
In addition to the basic techniques described in this topic, you can control access to your organization by using the tags applied to the resources in your organization: the organization root, organizational units (OU), accounts, and policies. For more information, see Attribute-based access control with tags and Amazon Organizations.
Granting full admin permissions to a user
You can create an IAM policy that grants full Amazon Organizations administrator permissions to an IAM user in your organization. You can do this using the JSON policy editor in the IAM console.
To use the JSON policy editor to create a policy
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane on the left, choose Policies.
If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
-
At the top of the page, choose Create policy.
-
In the Policy editor section, choose the JSON option.
-
Enter the following JSON policy document:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "organizations:*", "Resource": "*" } }
-
Choose Next.
Note
You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.
-
On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.
-
Choose Create policy to save your new policy.
To learn more about creating an IAM policy, see Creating IAM policies in the IAM User Guide.
Granting limited access by actions
If you want to grant limited permissions instead of full permissions, you can create a
policy that lists individual permissions that you want to allow in the
Action
element of the IAM permissions policy. As shown in the
following example, you can use wildcard (*) characters to grant only the
Describe*
and List*
permissions, essentially providing
read-only access to the organization.
Note
In a service control policy (SCP), the wildcard (*) character in an
Action
element can be used only by itself or at the end of the
string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*"
is valid, but
"servicename:*action"
and "servicename:some*action"
are both invalid in SCPs.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "organizations:Describe*", "organizations:List*" ], "Resource": "*" } }
For a list of all the permissions that are available to assign in an IAM policy, see Actions defined by Amazon Organizations in the Service Authorization Reference.
Granting access to specific resources
In addition to restricting access to specific actions, you can restrict access to
specific entities in your organization. The Resource
elements in the
examples in the preceding sections both specify the wildcard character ("*"), which
means "any resource that the action can access." Instead, you can replace the "*" with
the Amazon Resource Name (ARN) of specific entities to which you want to allow access.
Example: Granting permissions to a single OU
The first statement of the following policy allows an IAM user read access to the entire organization, but the second statement allows the user to perform Amazon Organizations administrative actions only within a single, specified organizational unit (OU). This does not extend to any child OUs. No billing access is granted. Note that this doesn't give you administrative access to the Amazon Web Services accounts in the OU. It grants only permissions to perform Amazon Organizations operations on the accounts within the specified OU:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "organizations:Describe*", "organizations:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "organizations:*", "Resource": "arn:aws:organizations::
<masterAccountId>
:ou/o-<organizationId>
/ou-<organizationalUnitId>
" } ] }
You get the IDs for the OU and the organization from the Amazon Organizations console or by
calling the List*
APIs. The user or group that you apply this policy to can
perform any action ("organizations:*"
) on any entity that is directly
contained in the specified OU. The OU is identified by the Amazon Resource Name (ARN).
For more information about the ARNs for various resources, see Resources types defined by Amazon Organizations in the Service Authorization Reference.
Granting the ability to enable trusted access to limited service principals
You can use the Condition
element of a policy statement to further limit
the circumstances where the policy statement matches.
Example: Granting permissions to enable trusted access to one specified service
The following statement shows how you can restrict the ability to enable trusted access to only those services that you specify. If the user tries to call the API with a different service principal than the one for Amazon IAM Identity Center, this policy doesn't match and the request is denied:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "organizations:EnableAWSServiceAccess", "Resource": "*", "Condition": { "StringEquals" : { "organizations:ServicePrincipal" : "sso.amazonaws.com" } } } ] }
For more information about the ARNs for various resources, see Resources types defined by Amazon Organizations in the Service Authorization Reference.