Actions, resources, and condition keys for AWS Organizations - Service Authorization Reference

Actions, resources, and condition keys for AWS Organizations

AWS Organizations (service prefix: organizations) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Organizations

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptHandshake Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request Write

handshake*

iam:CreateServiceLinkedRole

AttachPolicy Grants permission to attach a policy to a root, an organizational unit, or an individual account Write

policy*

account

organizationalunit

root

organizations:PolicyType

CancelHandshake Grants permission to cancel a handshake Write

handshake*

CloseAccount Grants permission to close an AWS account that is now a part of an Organizations, either created within the organization, or invited to join the organization Write

account*

CreateAccount Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateGovCloudAccount Grants permission to create an AWS GovCloud (US) account Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateOrganization Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization Write

iam:CreateServiceLinkedRole

CreateOrganizationalUnit Grants permission to create an organizational unit (OU) within a root or parent OU Write

organizationalunit

root

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePolicy Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account Write

organizations:PolicyType

aws:RequestTag/${TagKey}

aws:TagKeys

DeclineHandshake Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request Write

handshake*

DeleteOrganization Grants permission to delete the organization Write
DeleteOrganizationalUnit Grants permission to delete an organizational unit from a root or another OU Write

organizationalunit*

DeletePolicy Grants permission to delete a policy from your organization Write

policy*

organizations:PolicyType

DeleteResourcePolicy Grants permission to delete a resource policy from your organization Write
DeregisterDelegatedAdministrator Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal Write

account*

organizations:ServicePrincipal

DescribeAccount Grants permission to retrieve Organizations-related details about the specified account Read

account*

DescribeCreateAccountStatus Grants permission to retrieve the current status of an asynchronous request to create an account Read
DescribeEffectivePolicy Grants permission to retrieve the effective policy for an account Read

account*

organizations:PolicyType

DescribeHandshake Grants permission to retrieve details about a previously requested handshake Read

handshake*

DescribeOrganization Grants permission to retrieves details about the organization that the calling credentials belong to Read
DescribeOrganizationalUnit Grants permission to retrieve details about an organizational unit (OU) Read

organizationalunit*

DescribePolicy Grants permission to retrieves details about a policy Read

policy*

organizations:PolicyType

DescribeResourcePolicy Grants permission to retrieve information about a resource policy Read
DetachPolicy Grants permission to detach a policy from a target root, organizational unit, or account Write

policy*

account

organizationalunit

root

organizations:PolicyType

DisableAWSServiceAccess Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations Write

organizations:ServicePrincipal

DisablePolicyType Grants permission to disable an organization policy type in a root Write

root*

organizations:PolicyType

EnableAWSServiceAccess Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations Write

organizations:ServicePrincipal

EnableAllFeatures Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features Write
EnablePolicyType Grants permission to enable a policy type in a root Write

root*

organizations:PolicyType

InviteAccountToOrganization Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account Write

account

aws:RequestTag/${TagKey}

aws:TagKeys

LeaveOrganization Grants permission to remove a member account from its parent organization Write
ListAWSServiceAccessForOrganization Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization List
ListAccounts Grants permission to list all of the the accounts in the organization List
ListAccountsForParent Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU) List

organizationalunit

root

ListChildren Grants permission to list all of the OUs or accounts that are contained in a parent OU or root List

organizationalunit

root

ListCreateAccountStatus Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization List
ListDelegatedAdministrators Grants permission to list the AWS accounts that are designated as delegated administrators in this organization List

organizations:ServicePrincipal

ListDelegatedServicesForAccount Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization List

account*

ListHandshakesForAccount Grants permission to list all of the handshakes that are associated with an account List
ListHandshakesForOrganization Grants permission to list the handshakes that are associated with the organization List
ListOrganizationalUnitsForParent Grants permission to lists all of the organizational units (OUs) in a parent organizational unit or root List

organizationalunit

root

ListParents Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account List

account

organizationalunit

ListPolicies Grants permission to list all of the policies in an organization List

organizations:PolicyType

ListPoliciesForTarget Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account List

account

organizationalunit

root

organizations:PolicyType

ListRoots Grants permission to list all of the roots that are defined in the organization List
ListTagsForResource Grants permission to list all tags for the specified resource List

account

organizationalunit

policy

resourcepolicy

root

ListTargetsForPolicy Grants permission to list all the roots, OUs, and accounts to which a policy is attached List

policy*

organizations:PolicyType

MoveAccount Grants permission to move an account from its current root or OU to another parent root or OU Write

account*

organizationalunit*

root*

PutResourcePolicy Grants permission to create or update a resource policy Write

resourcepolicy*

aws:RequestTag/${TagKey}

aws:TagKeys

RegisterDelegatedAdministrator Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal Write

account*

organizations:ServicePrincipal

RemoveAccountFromOrganization Grants permission to removes the specified account from the organization Write

account*

TagResource Grants permission to add one or more tags to the specified resource Tagging

account

organizationalunit

policy

resourcepolicy

root

aws:TagKeys

aws:RequestTag/${TagKey}

UntagResource Grants permission to remove one or more tags from the specified resource Tagging

account

organizationalunit

policy

resourcepolicy

root

aws:TagKeys

UpdateOrganizationalUnit Grants permission to rename an organizational unit (OU) Write

organizationalunit*

UpdatePolicy Grants permission to update an existing policy with a new name, description, or content Write

policy*

organizations:PolicyType

Resource types defined by AWS Organizations

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
account arn:${Partition}:organizations::${Account}:account/o-${OrganizationId}/${AccountId}

aws:ResourceTag/${TagKey}

handshake arn:${Partition}:organizations::${Account}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId}
organization arn:${Partition}:organizations::${Account}:organization/o-${OrganizationId}
organizationalunit arn:${Partition}:organizations::${Account}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

aws:ResourceTag/${TagKey}

policy arn:${Partition}:organizations::${Account}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}

aws:ResourceTag/${TagKey}

resourcepolicy arn:${Partition}:organizations::${Account}:resourcepolicy/o-${OrganizationId}/rp-${ResourcePolicyId}

aws:ResourceTag/${TagKey}

awspolicy arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}
root arn:${Partition}:organizations::${Account}:root/o-${OrganizationId}/r-${RootId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Organizations

AWS Organizations defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString
organizations:PolicyType Filters access by the specified policy type names String
organizations:ServicePrincipal Filters access by the specified service principal names String