AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Organizations

AWS Organizations (service prefix: organizations) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by AWS Organizations

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
| --- | --- | --- | --- | --- | --- |
| AcceptHandshake | Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request. | Write | handshake* | | |
| AttachPolicy | Grants permission to attach a policy to a root, an organizational unit, or an individual account. | Write | policy*, account, organizationalunit, root | | |
| CancelHandshake | Grants permission to cancel a handshake. | Write | handshake* | | |
| CreateAccount | Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request. | Write | | | |
| CreateOrganization | Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the master account of the new organization. | Write | | | |
| CreateOrganizationalUnit | Grants permission to create an organizational unit (OU) within a root or parent OU. | Write | organizationalunit, root | | |
| CreatePolicy | Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account. | Write | | | |
| DeclineHandshake | Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request. | Write | handshake* | | |
| DeleteOrganization | Grants permission to delete the organization. | Write | | | |
| DeleteOrganizationalUnit | Grants permission to delete an organizational unit from a root or another OU. | Write | organizationalunit* | | |
| DeletePolicy | Grants permission to delete a policy from your organization. | Write | policy* | | |
| DescribeAccount | Grants permission to retrieve Organizations-related details about the specified account. | Read | account* | | |
| DescribeCreateAccountStatus | Grants permission to retrieve the current status of an asynchronous request to create an account. | Read | | | |
| DescribeHandshake | Grants permission to retrieve details about a previously requested handshake. | Read | handshake* | | |
| DescribeOrganization | Grants permission to retrieve details about the organization that the calling credentials belong to. | Read | | | |
| DescribeOrganizationalUnit | Grants permission to retrieve details about an organizational unit (OU). | Read | organizationalunit* | | |
| DescribePolicy | Grants permission to retrieve details about a policy. | Read | policy* | | |
| DetachPolicy | Grants permission to detach a policy from a target root, organizational unit, or account. | Write | policy*, account, organizationalunit, root | | |
| DisableAWSServiceAccess | Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations. | Write | | organizations:ServicePrincipal | |
| DisablePolicyType | Grants permission to disable an organization policy type in a root. | Write | root* | | |
| EnableAWSServiceAccess | Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations. | Write | | organizations:ServicePrincipal | |
| EnableAllFeatures | Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features. | Write | | | |
| EnablePolicyType | Grants permission to enable a policy type in a root. | Write | root* | | |
| InviteAccountToOrganization | Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account. | Write | account | | |
| LeaveOrganization | Grants permission to remove a member account from its parent organization. | Write | | | |
| ListAWSServiceAccessForOrganization | Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization. | List | | | |
| ListAccounts | Grants permission to list all of the accounts in the organization. | List | | | |
| ListAccountsForParent | Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU). | List | organizationalunit, root | | |
| ListChildren | Grants permission to list all of the OUs or accounts that are contained in a parent OU or root. | List | organizationalunit, root | | |
| ListCreateAccountStatus | Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization. | List | | | |
| ListHandshakesForAccount | Grants permission to list all of the handshakes that are associated with an account. | List | | | |
| ListHandshakesForOrganization | Grants permission to list the handshakes that are associated with the organization. | List | | | |
| ListOrganizationalUnitsForParent | Grants permission to list all of the organizational units (OUs) in a parent organizational unit or root. | List | organizationalunit, root | | |
| ListParents | Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account. | List | account, organizationalunit | | |
| ListPolicies | Grants permission to list all of the policies in an organization. | List | | | |
| ListPoliciesForTarget | Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account. | List | account, organizationalunit, root | | |
| ListRoots | Grants permission to list all of the roots that are defined in the organization. | List | | | |
| ListTargetsForPolicy | Grants permission to list all the roots, OUs, and accounts to which a policy is attached. | List | policy* | | |
| MoveAccount | Grants permission to move an account from its current root or OU to another parent root or OU. | Write | account*, organizationalunit, root | | |
| RemoveAccountFromOrganization | Grants permission to remove the specified account from the organization. | Write | account* | | |
| UpdateOrganizationalUnit | Grants permission to rename an organizational unit (OU). | Write | organizationalunit* | | |
| UpdatePolicy | Grants permission to update an existing policy with a new name, description, or content. | Write | policy* | | |

Resources Defined by Organizations

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
| --- | --- | --- |
| account | arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId} | |
| handshake | arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId} | |
| organization | arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId} | |
| organizationalunit | arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId} | |
| policy | arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId} | |
| awspolicy | arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId} | |
| root | arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId} | |

Condition Keys for AWS Organizations

AWS Organizations defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
| --- | --- | --- |
| organizations:ServicePrincipal | Enables you to filter the request to only the specified service principal names. | String |
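As an added example that is not part of the original page, the following identity-based policy ties the three tables together: read-only List/Describe actions on `*`, AttachPolicy/DetachPolicy scoped by the `policy` and `organizationalunit` ARN formats above, and EnableAWSServiceAccess/DisableAWSServiceAccess limited by `organizations:ServicePrincipal`. The master account ID, organization ID, OU ID and policy ID are constructed placeholders, and cloudtrail.amazonaws.com is an illustrative service principal.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyOrganizationInventory",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:ListPoliciesForTarget"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachOrDetachOneSCPOnOneOU",
      "Effect": "Allow",
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::111122223333:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
        "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examplerootid111-exampleouid111"
      ]
    },
    {
      "Sid": "TrustedAccessOnlyForOneServicePrincipal",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "cloudtrail.amazonaws.com"
        }
      }
    }
  ]
}
```

Because AttachPolicy and DetachPolicy take both a required `policy*` and a target resource, an AttachPolicy request is evaluated against the policy ARN and the target ARN, so both must be allowed; naming a single OU rather than `*` in the second statement keeps the grant from reaching the root or other OUs.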