Amazon Identity and Access Management and Amazon Organizations
Access to Amazon Organizations requires credentials. Those credentials must have permissions to access Amazon resources, such as an Amazon Simple Storage Service (Amazon S3) bucket, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or an Amazon Organizations organizational unit (OU). The following sections provide details on how you can use Amazon Identity and Access Management (IAM) to help secure access to your organization and control who can administer it.
To determine who can administer which parts of your organization, Amazon Organizations uses the same IAM-based permissions model as other Amazon services. As an administrator in the management account of an organization, you can grant IAM-based permissions to perform Amazon Organizations tasks by attaching policies to users, groups, and roles in the management account. Those policies specify the actions that those principals can perform. You attach an IAM permissions policy to a group that the user is a member of or directly to a user or role. As a best practice, we recommend that you attach policies to groups instead of users. You also have the option to grant full administrator permissions to others.
For most administrator operations for Amazon Organizations, you need to attach permissions to users or groups in the management account. If a user in a member account needs to perform administrator operations for your organization, you need to grant the Amazon Organizations permissions to an IAM role in the management account and enable the user in the member account to assume the role. For general information about IAM permissions policies, see Overview of IAM Policies in the IAM User Guide.
Topics
Authentication
You can access Amazon as any of the following types of identities:
-
Amazon Web Services account root user – When you sign up for Amazon, you provide an email address and password that is associated with your Amazon Web Services account. These are your root credentials, and they provide complete access to all of your Amazon resources.
Important
When you sign up for an Amazon Web Services account, an Amazon Web Services account root user is created. The root user has access to all Amazon Web Services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.
-
IAM user – An IAM user is simply an identity within your Amazon Web Services account that has specific custom permissions (for example, permissions to create a file system in Amazon Elastic File System). You can use an IAM user name and password to sign in to secure Amazon webpages like the Amazon Web Services Management Console
, Amazon Discussion Forums , or the Amazon Support Center . In addition to a user name and password, you can generate access keys for each user. You can use these keys when you access Amazon services programmatically, either through one of the several SDKs
or by using the Amazon Command Line Interface (Amazon CLI) . The SDK and Amazon CLI tools use the access keys to cryptographically sign your request. If you don't use the Amazon tools, you must sign the request yourself. Amazon Organizations supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signing Amazon API requests in the IAM User Guide. -
IAM role – An IAM role is another IAM identity you can create in your account that has specific permissions. It is similar to an IAM user, but it isn't associated with a specific person. An IAM role allows you to obtain temporary access keys that can access Amazon services and resources. IAM roles with temporary credentials are useful in the following situations:
-
Federated user access – Instead of creating an IAM user, you can use preexisting user identities from Amazon Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. Amazon assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated users and roles in the IAM User Guide.
-
Cross-account access – You can use an IAM role in your account to grant another Amazon Web Services account permissions to access your account's resources. For an example, see Tutorial: Delegate access across Amazon Web Services accounts using IAM roles in the IAM User Guide.
-
Amazon service access – You can use an IAM role in your account to grant an Amazon service permissions to access your account's resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data stored in the bucket into an Amazon Redshift cluster. For more information, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide.
-
Applications running on Amazon EC2 – Instead of storing access keys in the EC2 instance for use by applications running on the instance and making Amazon API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.
-
Access control
You can have valid credentials to authenticate your requests, but unless you have permissions, you can't administer or access Amazon Organizations resources. For example, you must have permissions to create an OU or to attach a service control policy (SCP) to an account.
The following sections describe how to manage permissions for Amazon Organizations.