AWS managed IAM policies AWS managed service control policies

AWS managed policies available for use with AWS Organizations

This section identifies the AWS-managed policies provided for your use to manage your organization. You can't modify or delete an AWS managed policy, but you can attach or detach them to entities in your organization as needed.

AWS Organizations managed policies for use with AWS Identity and Access Management (IAM)

An IAM managed policy is provided and maintained by AWS. A managed policy provides permissions for common tasks that you can assign to your users by attaching the managed policy to the appropriate IAM user or role object. You don't have to write the policy yourself, and when AWS updates the policy as appropriate to support new services, you automatically and immediately get the benefit of the update. You can see the list of AWS managed policies in Policies page on the IAM console. Use the Filter policies drop-down to select AWS managed.

You can use the following managed policies to grant permissions to users in your organization.

Policy name Description ARN

Policy name	Description	ARN
AWSOrganizationsFullAccess	Provides all of the permissions required to create and fully administer an organization. The content of this policy statement is shown in the following snippet: { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSOrganizationsFullAccess", "Effect": "Allow", "Action": "organizations:", "Resource": "" }, { "Sid": "AWSOrganizationsFullAccessAccount", "Effect": "Allow", "Action": [ "account:PutAlternateContact", "account:DeleteAlternateContact", "account:GetAlternateContact", "account:GetContactInformation", "account:PutContactInformation", "account:ListRegions", "account:EnableRegion", "account:DisableRegion" ], "Resource": "" }, { "Sid": "AWSOrganizationsFullAccessCreateSLR", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "", "Condition": { "StringEquals": { "iam:AWSServiceName": "organizations.amazonaws.com" } } } ] }	arn:aws:iam::aws:policy/AWSOrganizationsFullAccess
AWSOrganizationsReadOnlyAccess	Provides read only access to information about the organization. It doesn't permit the user to make any changes. The content of this policy statement is shown in the following snippet: `{ "Version":"2012-10-17", "Statement":[ { "Sid": "AWSOrganizationsReadOnly", "Effect":"Allow", "Action":[ "organizations:Describe", "organizations:List" ], "Resource": "" }, { "Sid": "AWSOrganizationsReadOnlyAccount", "Effect":"Allow", "Action":[ "account:GetAlternateContact", "account:GetContactInformation", "account:ListRegions" ], "Resource": "" } ] }`	arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess

AWSOrganizationsFullAccess

Provides all of the permissions required to create and fully administer an organization. The content of this policy statement is shown in the following snippet:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSOrganizationsFullAccess",
            "Effect": "Allow",
            "Action": "organizations:*",
            "Resource": "*"
        },
        {
            "Sid": "AWSOrganizationsFullAccessAccount",
            "Effect": "Allow",
            "Action": [
                "account:PutAlternateContact",
                "account:DeleteAlternateContact",
                "account:GetAlternateContact",
                "account:GetContactInformation",
                "account:PutContactInformation",
                "account:ListRegions",
                "account:EnableRegion",
                "account:DisableRegion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSOrganizationsFullAccessCreateSLR",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "organizations.amazonaws.com"
                }
            }
        }
    ]
}

arn:aws:iam::aws:policy/AWSOrganizationsFullAccess

AWSOrganizationsReadOnlyAccess

Provides read only access to information about the organization. It doesn't permit the user to make any changes. The content of this policy statement is shown in the following snippet:


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid": "AWSOrganizationsReadOnly",
         "Effect":"Allow",
         "Action":[
            "organizations:Describe*",
            "organizations:List*"
         ],
         "Resource": "*"
      },
      {
         "Sid": "AWSOrganizationsReadOnlyAccount",
         "Effect":"Allow",
         "Action":[
            "account:GetAlternateContact",
            "account:GetContactInformation",
            "account:ListRegions"
         ],
         "Resource": "*"
      }
   ]
}

arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess

Updates to Organizations AWS managed policies

The following table details updates to AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Organizations Document History page.

Change	Description	Date
AWSOrganizationsFullAccess – updated to include `Sid` elements that describe the policy statement.	Organizations added `Sid` elements for the `AWSOrganizationsFullAccess` managed policy.	February 6, 2024
AWSOrganizationsReadOnlyAccess – updated to include `Sid` elements that describe the policy statement.	Organizations added `Sid` elements for the `AWSOrganizationsReadOnlyAccess` managed policy.	February 6, 2024
AWSOrganizationsFullAccess – updated to allow account API permissions required to enable or disable AWS Regions via the Organizations console.	Organizations added the `account:ListRegions`, `account:EnableRegion` and `account:DisableRegion` action to the policy to enable write access to enable or disable Regions for an account.	December 22, 2022
AWSOrganizationsReadOnlyAccess – updated to allow account API permissions required to list AWS Regions via the Organizations console.	Organizations added the `account:ListRegions` action to the policy to enable access to view Regions for an account.	December 22, 2022
AWSOrganizationsFullAccess – updated to allow account API permissions required to add or edit account contacts via the Organizations console.	Organizations added the `account:GetContactInformation` and `account:PutContactInformation` action to the policy to enable write access to modify contacts for an account.	October 21, 2022
AWSOrganizationsReadOnlyAccess – updated to allow account API permissions required to view account contacts via the Organizations console.	Organizations added the `account:GetContactInformation` action to the policy to enable access to view contacts for an account.	October 21, 2022
AWSOrganizationsFullAccess – updated to allow creating an organization.	Organizations added the `CreateServiceLinkedRole` permission to the policy to enable creating the service linked role required to create an organization. The permission is restricted to creating a role that can be used only by the `organizations.amazonaws.com` service.	August 24, 2022
AWSOrganizationsFullAccess – updated to allow account API permissions required to add, edit, or delete account alternate contacts via the Organizations console.	Organizations added the `account:GetAlternateContact`, `account:DeleteAlternateContact`, `account:PutAlternateContact` actions to the policy to enable write access to modify alternate contacts for an account.	February 7, 2022
AWSOrganizationsReadOnlyAccess – updated to allow account API permissions required to view account alternate contacts via the Organizations console.	Organizations added the `account:GetAlternateContact` action to the policy to enable access to view alternate contacts for an account.	February 7, 2022

AWS Organizations managed service control policies

Service control policies (SCPs) are similar to IAM permission policies, but are a feature of AWS Organizations rather than IAM. You use SCPs to specify maximum permissions for affected entities. You can attach SCPs to roots, organizational units (OUs), or accounts in your organization. You can create your own, or you can use the policies that IAM defines. You can see the list of policies in your organization on the Policies page on the Organizations console.

Important

Every root, OU, and account must have at least one SCP attached at all times.

Policy name	Description	ARN
FullAWSAccess	Provides AWS Organizations management account access to member accounts.	arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Quotas for AWS Organizations

Troubleshooting AWS Organizations