AWS Organizations
User Guide

Using Identity-Based Policies (IAM Policies) for AWS Organizations

As an administrator of the master account of an organization, you can control access to AWS resources by attaching permissions policies to IAM identities (users, groups, and roles) within the organization. When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources. If the permissions are granted to a role, that role can be assumed by users in other accounts in the organization.

By default, a user has no permissions of any kind. All permissions must be explicitly granted by a policy. If a permission is not explicitly granted, then it is implicitly denied. If a permission is explicitly denied, then that overrules any other policy that might have allowed it. In other words, a user has only those permissions that are explicitly granted and that are not explicitly denied.

Granting Full Admin Permissions to a User

Complete the following steps to grant full AWS Organizations administrator permissions to an IAM user in your organization.

To grant full admin permissions to an IAM user in your organization

  1. Sign in to the Identity and Access Management (IAM) console as a user in the master account who has permissions to create IAM policies and attach them to other IAM users.

    In the IAM console, navigate to Policies, Create Policy, Create Your Own Policy.

  2. Specify a policy name and description in Policy Name, Description, and then copy and paste the following code into the Policy Document field:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "organizations:*",
        "Resource": "*"
      }
    }

    This policy enables the user to perform any operation associated with the AWS Organizations service.

  3. Navigate to Groups, and then choose Create New Group.

  4. On the Set Group Name page, type a name for the group, such as OrganizationAdmins, and then choose Next Step.

  5. On the Attach Policy page, select the policy that you just created. You can filter the list by setting Policy Type to Customer Managed Policies, or by typing the first few letters of the policy name in the filter box. Choose Next Step, and then Create Group.

  6. Choose the new group from the list, and then on the Users tab, choose Add Users to Group.

  7. Choose the users that you want to grant administrator permissions to, and then choose Add Users.

Granting Limited Access by Actions

If you want to grant limited permissions instead of full permissions, you can create a policy that lists individual permissions that you want to allow in the "Action" element of the IAM permissions policy. As shown in the following example, you can use wildcard (*) characters to grant only the Describe* and List* permissions, essentially providing read-only access to the organization:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "organizations:Describe*",
      "organizations:List*"
    ],
    "Resource": "*"
  }
}

For a list of all the permissions that are available to assign in an IAM policy, see Permissions You Can Use in an IAM Policy for AWS Organizations.

Granting Limited Access to Resources

In addition to restricting access to specific actions, you also can restrict access to specific entities in your organization. The Resource elements in the examples in the preceding sections both specify the wildcard character ("*"), which means "any resource that the action can access". Instead, you can replace the "*" with the Amazon Resource Name (ARN) of specific entities to which you want to allow access.

Example: Granting permissions to a single OU

The first statement of the following policy allows an IAM user read access to the entire organization, but the second statement allows the user to perform Organizations administrative actions only within a single, specified organizational unit (OU). No billing access is granted. Note that this does not give you administrative access to the accounts in the OU; it grants only permissions to perform Organizations operations on the accounts and child OUs within the specified OU:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:*",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}

You get the IDs for the OU and the organization from the AWS Organizations console or by calling the List* APIs. The user or group that you apply this policy to can perform any action ("organizations:*") on any entity that is contained by the OU. The OU is identified by the Amazon Resource Name (ARN).
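The evaluation rule stated at the top of this page (an explicit deny overrules everything, a matching allow grants the request, anything else is implicitly denied) applied to the three policies shown above, as an added example that is not part of the AWS guide and not AWS's own evaluator. It approximates IAM wildcard matching with Python's fnmatch, substitutes constructed organization, root and OU IDs for the guide's <masterAccountId>, o-<organizationId> and ou-<organizationalUnitId> placeholders, and adds one Deny statement of its own (DENY_OU_DELETE) purely to show precedence over the full-admin policy. It ignores Condition elements, SCPs, permissions boundaries and the per-action resource rules of individual Organizations APIs, so use the IAM policy simulator for real decisions.

```python
"""Offline model of the IAM evaluation rule stated in this guide.

Added example, not AWS's evaluator: explicit Deny wins, then any matching
Allow grants the request, otherwise the request is implicitly denied.
Conditions, SCPs, permissions boundaries and the per-action resource rules
of AWS Organizations are deliberately out of scope.
"""
import fnmatch
import json

# Constructed IDs standing in for the guide's <masterAccountId>,
# o-<organizationId> and ou-<organizationalUnitId> placeholders.
MASTER_ACCOUNT_ID = "111122223333"
ORG_ID = "o-exampleorgid"
ROOT_ARN = f"arn:aws:organizations::{MASTER_ACCOUNT_ID}:root/{ORG_ID}/r-examplerootid111"
OU_ARN = f"arn:aws:organizations::{MASTER_ACCOUNT_ID}:ou/{ORG_ID}/ou-examplerootid111-exampleouid111"

# The three policies from this page, parsed from the same JSON text.
FULL_ADMIN = json.loads("""
{ "Version": "2012-10-17",
  "Statement": { "Effect": "Allow", "Action": "organizations:*", "Resource": "*" } }
""")
READ_ONLY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": { "Effect": "Allow",
                 "Action": [ "organizations:Describe*", "organizations:List*" ],
                 "Resource": "*" } }
""")
SINGLE_OU = json.loads(f"""
{{ "Version": "2012-10-17",
  "Statement": [
    {{ "Effect": "Allow",
      "Action": [ "organizations:Describe*", "organizations:List*" ],
      "Resource": "*" }},
    {{ "Effect": "Allow", "Action": "organizations:*", "Resource": "{OU_ARN}" }} ] }}
""")
# Not from the page: an extra Deny used only to show that it overrides FULL_ADMIN.
DENY_OU_DELETE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny",
                  "Action": "organizations:DeleteOrganizationalUnit",
                  "Resource": "*"},
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' spans any characters, including '/' and ':'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # a matching Deny ends evaluation
            decision = "Allow"          # keep looking in case a Deny follows
    return decision


if __name__ == "__main__":
    checks = [
        ([READ_ONLY], "organizations:ListAccounts", ROOT_ARN),
        ([READ_ONLY], "organizations:CreateAccount", ROOT_ARN),
        ([SINGLE_OU], "organizations:CreateOrganizationalUnit", OU_ARN),
        ([SINGLE_OU], "organizations:CreateOrganizationalUnit", ROOT_ARN),
        ([FULL_ADMIN], "organizations:DeleteOrganizationalUnit", OU_ARN),
        ([FULL_ADMIN, DENY_OU_DELETE], "organizations:DeleteOrganizationalUnit", OU_ARN),
        ([FULL_ADMIN], "ec2:DescribeInstances", "*"),
    ]
    for policies, action, resource in checks:
        print(f"{action:45} {evaluate(policies, action, resource)}")
```

The last check is worth noting: a policy that allows organizations:* says nothing about any other service, so a request for ec2:DescribeInstances falls through to the implicit deny, which is exactly the "no permissions unless explicitly granted" behaviour described at the top of this page. The SINGLE_OU checks show why the Resource ARN matters: the same CreateOrganizationalUnit call is allowed when its resource is the named OU and implicitly denied when it is the root.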

For more information about the ARNs for various resources, see ARN Formats Supported by AWS Organizations.