Managing access permissions for your Amazon organization - Amazon Organizations
Amazon Organizations resources and operationsUnderstanding resource ownershipManaging access to resourcesSpecifying policy elements: Actions, conditions, effects, and resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing access permissions for your Amazon organization

All Amazon resources, including the roots, OUs, accounts, and policies in an organization, are owned by an Amazon Web Services account, and permissions to create or access a resource are governed by permissions policies. For an organization, its management account owns all resources. An account administrator can control access to Amazon resources by attaching permissions policies to IAM identities (users, groups, and roles).

Note

An account administrator (or administrator user) is a user with administrator permissions. For more information, see Security best practices in IAM in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources that they get permissions for, and the specific actions that you want to allow on those resources.

By default, IAM users, groups, and roles have no permissions. As an administrator in the management account of an organization, you can perform administrative tasks or delegate administrator permissions to other IAM users or roles in the management account. To do this, you attach an IAM permissions policy to an IAM user, group, or role. By default, a user has no permissions at all; this is sometimes called an implicit deny. The policy overrides the implicit deny with an explicit allow that specifies which actions the user can perform, and which resources they can perform the actions on. If the permissions are granted to a role, users in other accounts in the organization can assume that role.

Amazon Organizations resources and operations

This section discusses how Amazon Organizations concepts map to their IAM-equivalent concepts.

Resources

In Amazon Organizations, you can control access to the following resources:

  • The root and the OUs that make up the hierarchical structure of an organization

  • The accounts that are members of the organization

  • The policies that you attach to the entities in the organization

  • The handshakes that you use to change the state of the organization

Each of these resources has a unique Amazon Resource Name (ARN) associated with it. You control access to a resource by specifying its ARN in the Resource element of an IAM permission policy. For a complete list of the ARN formats for resources that are used in Amazon Organizations, see Resources types defined by Amazon Organizations in the Service Authorization Reference.

Operations

Amazon provides a set of operations to work with the resources in an organization. They enable you to do things like create, list, modify, access the contents of, and delete resources. Most operations can be referenced in the Action element of an IAM policy to control who can use that operation. For a list of Amazon Organizations operations that can be used as permissions in an IAM policy, see Actions defined by Amazon Organizations in the Service Authorization Reference.

When you combine an Action and a Resource in a single permission policy Statement, you control exactly which resources that particular set of actions can be used on.

Condition keys

Amazon provides condition keys that you can query to provide more granular control over certain actions. You can reference these condition keys in the Condition element of an IAM policy to specify the additional circumstances that must be met for the statement to be considered a match.

The following condition keys are especially useful with Amazon Organizations:

  • aws:PrincipalOrgID – Simplifies specifying the Principal element in a resource-based policy. This global key provides an alternative to listing all the account IDs for all Amazon Web Services accounts in an organization. Instead of listing all of the accounts that are members of an organization, you can specify the organization ID in the Condition element.

    Note

    This global condition also applies to the management account of an organization.

    For more information, see the description of PrincipalOrgID in Amazon global condition context keys in the IAM User Guide.

  • aws:PrincipalOrgPaths – Use this condition key to match members of a specific organization root, an OU, or its children. The aws:PrincipalOrgPaths condition key returns true when the principal (root user, IAM user, or role) making the request is in the specified organization path. A path is a text representation of the structure of an Amazon Organizations entity. For more information about paths, see Understand the Amazon Organizations entity path in the IAM User Guide. For more information about using this condition key, see aws:PrincipalOrgPaths in the IAM User Guide.

    For example, the following condition element matches for members of either of two OUs in the same organization.

                "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalOrgPaths": [
                        "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
                        "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-jkl0-awsddddd/"
                    ]
                }
            }

  • organizations:PolicyType – You can use this condition key to restrict the Organizations policy-related API operations to work on only Organizations policies of the specified type. You can apply this condition key to any policy statement that includes an action that interacts with Organizations policies.

    You can use the following values with this condition key:

    • AISERVICES_OPT_OUT_POLICY

    • BACKUP_POLICY

    • SERVICE_CONTROL_POLICY

    • TAG_POLICY

    For example, the following example policy allows the user to perform any Organizations operation. However, if the user performs an operation that takes a policy argument, the operation is allowed only if the specified policy is a tagging policy. The operation fails if the user specifies any other type of policy.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IfTaggingAPIThenAllowOnOnlyTaggingPolicies",
            "Effect": "Allow",
            "Action": "organizations:*",
            "Resource": "*",
            "Condition": { 
                "StringLikeIfExists": {
                    "organizations:PolicyType": [ "TAG_POLICY" ]
                }
            }
        }
    ]
}

  • organizations:ServicePrincipal – Available as a condition if you use the EnableAWSServiceAccess or DisableAWSServiceAccess operations to enable or disable trusted access with other Amazon services. You can use organizations:ServicePrincipal to restrict requests that those operations make to a list of approved service principal names.

    For example, the following policy allows the user to specify only Amazon Firewall Manager when enabling and disabling trusted access with Amazon Organizations.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyAWSFirewallIntegration",
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess",
                "organizations:DisableAWSServiceAccess"
            ],
            "Resource": "*",
            "Condition": { 
                "StringLikeIfExists": {
                    "organizations:ServicePrincipal": [ "fms.amazonaws.com" ]
                }
            }
        }
    ]
}

For a list of all of the Amazon Organizations–specific condition keys that can be used as permissions in an IAM policy, see Condition keys for Amazon Organizations in the Service Authorization Reference.

Understanding resource ownership

The Amazon Web Services account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the Amazon Web Services account of the principal entity (that is, the root user, an IAM user, or an IAM role) that authenticates the resource creation request. For an Amazon organization, that is always the management account. You can't call most operations that create or access organization resources from the member accounts. The following examples illustrate how this works:

  • If you use the root account credentials of your management account to create an OU, your management account is the owner of the resource. (In Amazon Organizations, the resource is the OU.)

  • If you create an IAM user in your management account and grant permissions to create an OU to that user, the user can create an OU. However, the management account, to which the user belongs, owns the OU resource.

  • If you create an IAM role in your management account with permissions to create an OU, anyone who can assume the role can create an OU. The management account, to which the role (not the assuming user) belongs, owns the OU resource.

Managing access to resources

A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.

Note

This section discusses using IAM in the context of Amazon Organizations. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the IAM User Guide. For information about IAM policy syntax and descriptions, see the IAM JSON policy reference in the IAM User Guide.

Policies that are attached to an IAM identity are referred to as identity-based policies (IAM policies). Policies that are attached to a resource are referred to as resource-based policies. Amazon Organizations supports only identity-based policies (IAM policies).

Identity-based permission policies (IAM policies)

You can attach policies to IAM identities to allow those identities to perform operations on Amazon resources. For example, you can do the following:

  • Attach a permissions policy to a user or a group in your account – To grant a user permissions to create an Amazon Organizations resource, such as a service control policy (SCP) or an OU, you can attach a permissions policy to a user or a group that the user belongs to. The user or group must be in the organization's management account.

  • Attach a permissions policy to a role (grant cross-account permissions) – You can attach an identity-based permissions policy to an IAM role to grant cross-account access to an organization. For example, the administrator in the management account can create a role to grant cross-account permissions to a user in a member account as follows:

    1. The management account administrator creates an IAM role and attaches a permissions policy to the role that grants permissions to the organization's resources.

    2. The management account administrator attaches a trust policy to the role that identifies the member account ID as the Principal who can assume the role.

    3. The member account administrator can then delegate permissions to assume the role to any users in the member account. Doing this allows users in the member account to create or access resources in the management account and the organization. The principal in the trust policy can also be an Amazon service principal if you want to grant permissions to an Amazon service to assume the role.

    For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide.

The following are examples of policies that allows a user to perform the CreateAccount action in your organization.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"Stmt1OrgPermissions",
         "Effect":"Allow",
         "Action":[
            "organizations:CreateAccount"
         ],
         "Resource":"*"
      }
   ]
}

You can also provide a partial ARN in the Resource element of the policy to indicate the type of resource.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowCreatingAccountsOnResource",
         "Effect":"Allow",
         "Action":"organizations:CreateAccount",
         "Resource":"arn:aws:organizations::*:account/*"
      }
   ]
}

You can also deny the creation of accounts that do not include specific tags to the account being created.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyCreatingAccountsOnResourceBasedOnTag",
         "Effect":"Deny",
         "Action":"organizations:CreateAccount",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/key":"value"
            }
         }
      }
   ]
}

For more information about users, groups, roles, and permissions, see IAM identities (users, user groups, and roles) in the IAM User Guide.

Resource-based policies

Some services, such as Amazon S3, support resource-based permissions policies. For example, you can attach a policy to an Amazon S3 bucket to manage access permissions to that bucket. Amazon Organizations currently doesn't support resource-based policies.

Specifying policy elements: Actions, conditions, effects, and resources

For each Amazon Organizations resource, the service defines a set of API operations, or actions, that can interact with or manipulate that resource in some way. To grant permissions for these operations, Amazon Organizations defines a set of actions that you can specify in a policy. For example, for the OU resource, Amazon Organizations defines actions like the following:

  • AttachPolicy and DetachPolicy

  • CreateOrganizationalUnit and DeleteOrganizationalUnit

  • ListOrganizationalUnits and DescribeOrganizationalUnit

In some cases, performing an API operation might require permissions to more than one action and might require permissions to more than one resource.

The following are the most basic elements that you can use in an IAM permission policy:

  • Action – Use this keyword to identify the operations (actions) that you want to allow or deny. For example, depending on the specified Effect, organizations:CreateAccount allows or denies the user permissions to perform the Amazon Organizations CreateAccount operation. For more information, see IAM JSON policy elements: Action in the IAM User Guide.

  • Resource – Use this keyword to specify the ARN of the resource that the policy statement applies to. For more information, see IAM JSON policy elements: Resource in the IAM User Guide.

  • Condition – Use this keyword to specify a condition that must be met for the policy statement to apply. Condition usually specifies additional circumstances that must be true for the policy to match. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

  • Effect – Use this keyword to specify whether the policy statement allows or denies the action on the resource. If you don't explicitly grant access to (or allow) a resource, access is implicitly denied. You also can explicitly deny access to a resource, which you might do to ensure that a user can't perform the specified action on the specified resource, even if a different policy grants access. For more information, see IAM JSON policy elements: Effect in the IAM User Guide.

  • Principal – In identity-based policies (IAM policies), the user that the policy is attached to is automatically and implicitly the principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Amazon Organizations currently supports only identity-based policies, not resource-based policies.

To learn more about IAM policy syntax and descriptions, see the IAM JSON policy reference in the IAM User Guide.