Delegated administrator for AWS Organizations
We recommend that you use the AWS Organizations management account and its users and roles only for
tasks that must be performed by that account. We also recommend that you store your AWS resources in other
member accounts in the organization and keep them out of the management account. This is because security features
like Organizations service control policies (SCPs) do not restrict users or roles in the management account.
From the organization's management account, you can delegate policy management for Organizations to specified member accounts
to perform policy actions that are by default available only to the management account.
Create or update a resource-based delegation policy
From the management account, create or update a resource-based delegation policy for
your organization and add a statement that specifies which member accounts can perform
actions on policies. You can add multiple statements in the policy to denote a different
set of permissions to member accounts.
To create or update the resource-based delegation policy, you need permissions to
run the following actions:
Additionally, you must grant roles and users in the delegated administrator
account the corresponding IAM permissions to the required actions. Without IAM
permissions, it is assumed that the calling principal doesn’t have the required
permissions to manage AWS Organizations policies.
- AWS Management Console
  Add statements to the resource-based delegation policy in the AWS Management Console using one of the following methods:
  - JSON policy – Paste and customize an example resource-based delegation policy to use in your account, or type your own JSON policy document in the JSON editor.
  - Visual editor – Construct a new delegation policy in the visual editor, which guides you in creating a delegation policy without having to write JSON syntax.
Use the JSON policy editor to create or update a delegation policy
1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
2. Choose Settings.
3. In the Delegated administrator for AWS Organizations section, choose Delegate to create the Organizations delegation policy. To update an existing delegation policy, choose Edit.
4. Type or paste a JSON policy document. For details about the IAM policy language, see IAM JSON policy reference.
5. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Create policy to save your work.
Use the visual editor to create or update a delegation policy
1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
2. Choose Settings.
3. In the Delegated administrator for AWS Organizations section, choose Delegate to create the Organizations delegation policy. To update an existing delegation policy, choose Edit.
4. On the Create Delegation policy page, choose Add new statement.
5. Set Effect to Allow.
6. Add Principal to define the member accounts to which you want to delegate. For details about syntax, see the Example resource-based delegation policies.
7. From the list of Actions, choose the actions you want to delegate. You can use Filter actions to narrow down the choices.
8. To specify whether the delegated member account can attach policies to the organization root or organizational units (OUs), set Resources. You must also select policy as a resource type. For additional details, see the Example resource-based delegation policies. You can specify resources in the following ways:
   - Choose Add a resource and construct the Amazon Resource Name (ARN) by following the prompts in the dialog box.
   - List resource ARNs manually in the editor. For more information about ARN syntax, see Amazon Resource Name (ARN) in the AWS General Reference Guide. For information about using ARNs in the resource element of a policy, see IAM JSON policy elements: Resource.
9. Choose Add a condition to specify other conditions, including the policy type you want to delegate. Choose the condition's Condition key, Tag key, Qualifier, and Operator, and then type a Value. For additional details, see Example resource-based delegation policies. When you're finished, choose Add condition. For more information about the Condition element, see IAM JSON policy elements: Condition in the IAM JSON policy reference.
10. To add more permission blocks, choose Add new statement. For each block, repeat steps 5 through 9.
11. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Create policy to save your work.
- AWS CLI & AWS SDKs
  Create or update a delegation policy
  You can use the following command to create or update a delegation policy:
  - AWS CLI: put-resource-policy
  The following example creates or updates the delegation policy. The policy document is passed inline as the value of --content; it allows member account 135791357913 to fully manage backup policies in organization o-abcdef and to attach them to the root, to any OU, or to any account (the account, organization, and root IDs are placeholder values).
$ aws organizations put-resource-policy --content '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Fully_manage_backup_policies",
            "Effect": "Allow",
            "Principal": {
                "AWS": "135791357913"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:CreatePolicy",
                "organizations:DescribePolicy",
                "organizations:UpdatePolicy",
                "organizations:DeletePolicy",
                "organizations:AttachPolicy",
                "organizations:DetachPolicy"
            ],
            "Resource": [
                "arn:aws:organizations::246802468024:root/o-abcdef/r-pqrstu",
                "arn:aws:organizations::246802468024:ou/o-abcdef/*",
                "arn:aws:organizations::246802468024:account/o-abcdef/*",
                "arn:aws:organizations::246802468024:organization/policy/backup_policy/*"
            ],
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:PolicyType": [
                        "BACKUP_POLICY"
                    ]
                }
            }
        }
    ]
}'
Supported delegation policy actions
The following actions are supported for delegation policy:
AttachPolicy
CreatePolicy
DeletePolicy
DescribeAccount
DescribeCreateAccountStatus
DescribeEffectivePolicy
DescribeHandshake
DescribeOrganization
DescribeOrganizationalUnit
DescribePolicy
DescribeResourcePolicy
DetachPolicy
DisablePolicyType
EnablePolicyType
ListAccounts
ListAccountsForParent
ListAWSServiceAccessForOrganization
ListChildren
ListCreateAccountStatus
ListDelegatedAdministrators
ListDelegatedServicesForAccount
ListHandshakesForAccount
ListHandshakesForOrganization
ListOrganizationalUnitsForParent
ListParents
ListPolicies
ListPoliciesForTarget
ListRoots
ListTagsForResource
ListTargetsForPolicy
TagResource
UntagResource
UpdatePolicy
View a resource-based delegation policy
From the management account, view your organization’s resource-based delegation policy to understand which delegated administrators have access to manage which policy types.
To view the resource-based delegation policy, you need permissions to run the following action: organizations:DescribeResourcePolicy.
- AWS Management Console
  To view a delegation policy
  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
  2. Choose Settings.
  3. In the Delegated administrator for AWS Organizations section, scroll to view the full delegation policy.
- AWS CLI & AWS SDKs
  View a delegation policy
  You can use the following command to view a delegation policy:
  - AWS CLI: describe-resource-policy
  The following example retrieves the policy.
$ aws organizations describe-resource-policy
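Reviewing the policy document that describe-resource-policy returns by eye gets harder as statements accumulate. The following audit helper is an added example (not AWS code) that parses a delegation policy in the format shown in the put-resource-policy example above, reports which principal may manage which organizations:PolicyType values, and flags Allow statements that grant mutating policy actions without a PolicyType condition, with a wildcard Principal, or with a wildcard Resource. The sample policy is constructed, with made-up account IDs; the function and constant names are this example's own.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of the Content field returned by describe-resource-policy (IDs are made up).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Fully_manage_backup_policies", "Effect": "Allow",
         "Principal": {"AWS": "135791357913"},
         "Action": ["organizations:CreatePolicy", "organizations:AttachPolicy"],
         "Resource": ["arn:aws:organizations::246802468024:root/o-abcdef/r-pqrstu",
                      "arn:aws:organizations::246802468024:organization/policy/backup_policy/*"],
         "Condition": {"StringLikeIfExists": {"organizations:PolicyType": ["BACKUP_POLICY"]}}},
        {"Sid": "Too_broad", "Effect": "Allow", "Principal": "*",
         "Action": "organizations:*", "Resource": "*"},
    ],
})
# Actions that change policies or their attachments; read-only Describe*/List* actions are not listed.
MUTATING = ("organizations:CreatePolicy", "organizations:UpdatePolicy", "organizations:DeletePolicy",
            "organizations:AttachPolicy", "organizations:DetachPolicy",
            "organizations:EnablePolicyType", "organizations:DisablePolicyType")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_delegation_policy(content):
    """Return (summary, findings): principal -> set of PolicyType values ("*" = unconstrained), and warnings."""
    summary, findings = {}, []
    for stmt in json.loads(content).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        types = set()
        for operator in stmt.get("Condition", {}).values():  # e.g. StringLikeIfExists
            types.update(_as_list(operator.get("organizations:PolicyType", [])))
        types = types or {"*"}
        # Action entries may be wildcards such as organizations:*, so match each known mutating action against them.
        mutates = any(fnmatchcase(m, a) for a in actions for m in MUTATING)
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' delegates to every AWS account")
        if mutates and "*" in types:
            findings.append(f"{sid}: mutating actions without an organizations:PolicyType condition")
        if mutates and "*" in resources:
            findings.append(f"{sid}: Resource '*' lets the delegate target every root, OU and account")
        for p in principals:
            summary.setdefault(p, set()).update(types)
    return summary, findings
```

To run it against a live organization, pass the Content string from the describe-resource-policy output in place of SAMPLE_POLICY.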
Delete a resource-based delegation policy
When you no longer need to delegate the management of policies in your organization, you can delete the resource-based delegation policy from the organization's management account.
If you delete your resource-based delegation policy, you can't recover it.
To delete the resource-based delegation policy, you need permissions to run the following action: organizations:DeleteResourcePolicy.
- AWS Management Console
  To delete a delegation policy
  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
  2. Choose Settings.
  3. In the Delegated administrator for AWS Organizations section, choose Delete.
  4. In the Delete policy confirmation dialog box, type delete. Then, choose Delete policy.
- AWS CLI & AWS SDKs
  Delete a delegation policy
  You can use the following command to delete a delegation policy:
  - AWS CLI: delete-resource-policy
  The following example deletes the policy.
$ aws organizations delete-resource-policy