Create or update a resource-based delegation policy with AWS Organizations
From the management account, create or update the resource-based delegation policy for your organization and add a statement that names the member accounts allowed to perform actions on policies. A policy can hold several statements, each granting a different set of permissions to a different member account, so keep each grant as narrow as the delegated task allows.
Minimum permissions
To create or update the resource-based delegation policy, you need permissions to run the following actions:
- organizations:PutResourcePolicy
- organizations:DescribeResourcePolicy
The delegation policy alone does not grant access. You must also attach identity-based IAM policies to the roles and users in the delegated administrator account that allow the same actions. If a calling principal lacks that IAM permission, the request is denied even when the delegation policy would allow it: both the resource-based policy in the management account and the identity-based policy in the member account must allow the action.
Supported delegation policy actions
The following actions are supported for delegation policy:
- AttachPolicy
- CreatePolicy
- DeletePolicy
- DescribeAccount
- DescribeCreateAccountStatus
- DescribeEffectivePolicy
- DescribeHandshake
- DescribeOrganization
- DescribeOrganizationalUnit
- DescribePolicy
- DescribeResourcePolicy
- DetachPolicy
- DisablePolicyType
- EnablePolicyType
- ListAccounts
- ListAccountsForParent
- ListAWSServiceAccessForOrganization
- ListChildren
- ListCreateAccountStatus
- ListDelegatedAdministrators
- ListDelegatedServicesForAccount
- ListHandshakesForAccount
- ListHandshakesForOrganization
- ListOrganizationalUnitsForParent
- ListParents
- ListPolicies
- ListPoliciesForTarget
- ListRoots
- ListTagsForResource
- ListTargetsForPolicy
- TagResource
- UntagResource
- UpdatePolicy
Supported condition keys
Only condition keys defined by AWS Organizations (for example, organizations:PolicyType) can be used in a delegation policy; global condition keys from other services are not evaluated. For the full list, see Condition keys for AWS Organizations in the Service Authorization Reference.
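The following is an added example, not code from the AWS documentation, that ties the procedure above together: it builds a delegation policy for one member account, splits read-only actions (granted on "*", since several take no resource) from mutating actions (pinned to the ARNs of one policy type and its targets, with the organizations:PolicyType condition key), lints the document against the supported-action list before PutResourcePolicy is called, and emits the matching identity-based policy the member account's role needs. The account IDs, organization ID, Sid values, file name and function names are placeholders chosen for illustration; the ARN layouts and condition key are taken from the Organizations entries in the Service Authorization Reference.

```python
"""Build, lint and stage an AWS Organizations resource-based delegation
policy. Added example; account IDs, org ID, Sids and file name are
placeholders."""
import json

# Delegable actions, transcribed from the "Supported delegation policy
# actions" list above and prefixed the way IAM action names require.
SUPPORTED_ACTIONS = frozenset("organizations:" + a for a in (
    "AttachPolicy", "CreatePolicy", "DeletePolicy", "DescribeAccount",
    "DescribeCreateAccountStatus", "DescribeEffectivePolicy",
    "DescribeHandshake", "DescribeOrganization", "DescribeOrganizationalUnit",
    "DescribePolicy", "DescribeResourcePolicy", "DetachPolicy",
    "DisablePolicyType", "EnablePolicyType", "ListAccounts",
    "ListAccountsForParent", "ListAWSServiceAccessForOrganization",
    "ListChildren", "ListCreateAccountStatus", "ListDelegatedAdministrators",
    "ListDelegatedServicesForAccount", "ListHandshakesForAccount",
    "ListHandshakesForOrganization", "ListOrganizationalUnitsForParent",
    "ListParents", "ListPolicies", "ListPoliciesForTarget", "ListRoots",
    "ListTagsForResource", "ListTargetsForPolicy", "TagResource",
    "UntagResource", "UpdatePolicy"))

# Describe*/List* actions are read-only and several take no resource, so they
# get Resource "*"; everything else is pinned to specific ARN patterns.
READ_ONLY = frozenset(a for a in SUPPORTED_ACTIONS
                      if a.split(":")[1].startswith(("Describe", "List")))


def build_delegation_policy(management_account_id, org_id, member_account_id,
                            actions, policy_type="SERVICE_CONTROL_POLICY"):
    """Return a delegation policy granting `actions` to one member account,
    with mutating actions limited to policies of `policy_type`."""
    principal = {"AWS": f"arn:aws:iam::{member_account_id}:root"}
    requested = set(actions)
    arn = f"arn:aws:organizations::{management_account_id}"
    statements = []
    read = sorted(requested & READ_ONLY)
    if read:
        statements.append({"Sid": "DelegatedReadOnly", "Effect": "Allow",
                           "Principal": principal, "Action": read,
                           "Resource": "*"})
    write = sorted(requested - READ_ONLY)
    if write:
        statements.append({
            "Sid": "DelegatedPolicyManagement", "Effect": "Allow",
            "Principal": principal, "Action": write,
            # Policies of one type plus the targets they can be attached to.
            "Resource": [f"{arn}:policy/{org_id}/{policy_type.lower()}/*",
                         f"{arn}:root/{org_id}/*", f"{arn}:ou/{org_id}/*",
                         f"{arn}:account/{org_id}/*"],
            # IfExists: actions that do not carry the key still match.
            "Condition": {"StringLikeIfExists": {
                "organizations:PolicyType": policy_type}}})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_delegation_policy(policy):
    """Return problems a reviewer should refuse before PutResourcePolicy:
    wildcard principals and actions outside the supported list (which also
    catches organizations:* and names missing the organizations: prefix)."""
    problems = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            problems.append(f"{sid}: principal must be a member account, not *")
        for action in stmt["Action"]:
            if action not in SUPPORTED_ACTIONS:
                problems.append(f"{sid}: {action} is not a supported delegation action")
    return problems


def identity_policy_for_member(actions):
    """Identity-based policy for a role in the delegated account; without
    it the delegation policy alone grants nothing."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}]}


if __name__ == "__main__":
    wanted = ["organizations:CreatePolicy", "organizations:UpdatePolicy",
              "organizations:DeletePolicy", "organizations:AttachPolicy",
              "organizations:DetachPolicy", "organizations:DescribePolicy",
              "organizations:ListPolicies", "organizations:ListRoots",
              "organizations:ListPoliciesForTarget"]
    policy = build_delegation_policy("123456789012", "o-exampleorgid",
                                     "111122223333", wanted)
    assert not lint_delegation_policy(policy), lint_delegation_policy(policy)
    with open("delegation-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print(json.dumps(identity_policy_for_member(wanted), indent=2))
    print("From the management account:\n"
          "  aws organizations put-resource-policy --content file://delegation-policy.json\n"
          "  aws organizations describe-resource-policy")
```

Running the script writes delegation-policy.json and prints the two CLI calls to apply and verify it (both commands exist in the AWS CLI), plus the identity-based policy to attach in account 111122223333. The lint is deliberately strict: an action that is not on the supported list, including organizations:*, is rejected locally rather than left for PutResourcePolicy to refuse.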