Create a resource-based delegation policy with AWS Organizations
From the management account, create a resource-based delegation policy for
your organization and add a statement that specifies which member accounts can perform
actions on policies. You can add multiple statements in the policy to denote a different
set of permissions to member accounts.
To create the resource-based delegation policy, you need permissions to
run the following actions:
Additionally, you must grant roles and users in the delegated administrator
account the corresponding IAM permissions to the required actions. Without IAM
permissions, it is assumed that the calling principal doesn’t have the required
permissions to manage AWS Organizations policies.
AWS Management Console

Add statements to the resource-based delegation policy in the AWS Management Console using one of the following methods:

- JSON policy – Paste and customize an example resource-based delegation policy to use in your account, or type your own JSON policy document in the JSON editor.
- Visual editor – Construct a new delegation policy in the visual editor, which guides you in creating a delegation policy without having to write JSON syntax.
Use the JSON policy editor to create a delegation policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. Choose Settings.
3. In the Delegated administrator for AWS Organizations section, choose Delegate to create the Organizations delegation policy.
4. Enter a JSON policy document. For details about the IAM policy language, see IAM JSON policy reference.
5. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Create policy to save your work.
Use the visual editor to create a delegation policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. Choose Settings.
3. In the Delegated administrator for AWS Organizations section, choose Delegate to create the Organizations delegation policy.
4. On the Create Delegation policy page, choose Add new statement.
5. Set Effect to Allow.
6. Add Principal to define the member accounts to which you want to delegate.
7. From the list of Actions, choose the actions you want to delegate. You can use Filter actions to narrow down the choices.
8. To specify if the delegated member account can attach policies to the organization root or organizational units (OUs), set Resources. You must also select policy as a resource type. You can specify resources in the following ways:
   - Choose Add a resource and construct the Amazon Resource Name (ARN) by following the prompts in the dialog box.
   - List resource ARNs manually in the editor. For more information about ARN syntax, see Amazon Resource Name (ARN) in the AWS General Reference Guide. For information about using ARNs in the resource element of a policy, see IAM JSON policy elements: Resource.
9. Choose Add a condition to specify other conditions, including the policy type you want to delegate. Choose the condition's Condition key, Tag key, Qualifier, and Operator, and then type a Value. When you're finished, choose Add condition. For more information about the Condition element, see IAM JSON policy elements: Condition in the IAM JSON policy reference.
10. To add more permission blocks, choose Add new statement. For each block, repeat steps 5 through 9.
11. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Create policy to save your work.
AWS CLI & AWS SDKs

Create a delegation policy

You can use the following command to create a delegation policy:

- AWS CLI: put-resource-policy

The following example creates a delegation policy. It lets member account 135791357913 fully manage backup policies in the organization owned by management account 246802468024; the organizations:PolicyType condition confines the grant to that one policy type.
    $ aws organizations put-resource-policy --content '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Fully_manage_backup_policies",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "135791357913"
                },
                "Action": [
                    "organizations:DescribeOrganization",
                    "organizations:ListAccounts",
                    "organizations:CreatePolicy",
                    "organizations:DescribePolicy",
                    "organizations:UpdatePolicy",
                    "organizations:DeletePolicy",
                    "organizations:AttachPolicy",
                    "organizations:DetachPolicy"
                ],
                "Resource": [
                    "arn:aws:organizations::246802468024:root/o-abcdef/r-pqrstu",
                    "arn:aws:organizations::246802468024:ou/o-abcdef/*",
                    "arn:aws:organizations::246802468024:account/o-abcdef/*",
                    "arn:aws:organizations::246802468024:organization/policy/backup_policy/*"
                ],
                "Condition": {
                    "StringLikeIfExists": {
                        "organizations:PolicyType": [
                            "BACKUP_POLICY"
                        ]
                    }
                }
            }
        ]
    }'
Supported delegation policy actions

The following actions are supported for delegation policy:

- AttachPolicy
- CreatePolicy
- DeletePolicy
- DescribeAccount
- DescribeCreateAccountStatus
- DescribeEffectivePolicy
- DescribeHandshake
- DescribeOrganization
- DescribeOrganizationalUnit
- DescribePolicy
- DescribeResourcePolicy
- DetachPolicy
- DisablePolicyType
- EnablePolicyType
- ListAccounts
- ListAccountsForParent
- ListAWSServiceAccessForOrganization
- ListChildren
- ListCreateAccountStatus
- ListDelegatedAdministrators
- ListDelegatedServicesForAccount
- ListHandshakesForAccount
- ListHandshakesForOrganization
- ListOrganizationalUnitsForParent
- ListParents
- ListPolicies
- ListPoliciesForTarget
- ListRoots
- ListTagsForResource
- ListTargetsForPolicy
- TagResource
- UntagResource
- UpdatePolicy
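Before calling put-resource-policy, it is worth linting the document against the rules this page gives: principals should be member accounts, actions should come from the supported list above, resources should be Organizations ARNs, and statements that grant policy-changing actions should carry an organizations:PolicyType condition as the CLI example does. The following linter is an added example, not AWS code; it checks a policy document offline against a constructed sample, and the validation itself is done by Organizations when the policy is created.

```python
import json
import re

# Actions the page lists as supported in a delegation policy (prefix "organizations:" dropped).
SUPPORTED_ACTIONS = set("""
AttachPolicy CreatePolicy DeletePolicy DescribeAccount DescribeCreateAccountStatus
DescribeEffectivePolicy DescribeHandshake DescribeOrganization DescribeOrganizationalUnit
DescribePolicy DescribeResourcePolicy DetachPolicy DisablePolicyType EnablePolicyType
ListAccounts ListAccountsForParent ListAWSServiceAccessForOrganization ListChildren
ListCreateAccountStatus ListDelegatedAdministrators ListDelegatedServicesForAccount
ListHandshakesForAccount ListHandshakesForOrganization ListOrganizationalUnitsForParent
ListParents ListPolicies ListPoliciesForTarget ListRoots ListTagsForResource
ListTargetsForPolicy TagResource UntagResource UpdatePolicy""".split())
# Actions that create, change, or attach policies; these deserve a PolicyType condition.
WRITE_ACTIONS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy", "AttachPolicy", "DetachPolicy"}
ACCOUNT_ID = re.compile(r"^\d{12}$")
ORG_ARN = re.compile(r"^arn:aws:organizations::\d{12}:(root|ou|account|organization|policy)/")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_delegation_policy(doc: str) -> list:
    """Return sorted (Sid, finding) tuples for a delegation policy document; [] means clean."""
    policy = json.loads(doc)  # rejects trailing commas and other malformed JSON up front
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for p in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if not (ACCOUNT_ID.match(p) or p.startswith("arn:aws:iam::")):
                findings.append((sid, f"principal {p!r} is not a member account or IAM principal"))
        actions = {a.split(":", 1)[-1] for a in _as_list(stmt.get("Action", []))}
        findings += [(sid, f"action {a!r} is not a supported delegation action") for a in actions - SUPPORTED_ACTIONS - {"*"}]
        if "*" in actions:
            findings.append((sid, "wildcard action grants every delegation action"))
        for r in _as_list(stmt.get("Resource", [])):
            if r != "*" and not ORG_ARN.match(r):
                findings.append((sid, f"resource {r!r} is not an Organizations ARN"))
        scoped = "organizations:PolicyType" in json.dumps(stmt.get("Condition", {}))
        if ("*" in actions or actions & WRITE_ACTIONS) and not scoped:
            findings.append((sid, "policy write actions granted without an organizations:PolicyType condition"))
    return sorted(findings)

# Constructed sample (not from the page): one tightly scoped statement and one over-broad one.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupOnly", "Effect": "Allow", "Principal": {"AWS": "111111111111"},
     "Action": ["organizations:AttachPolicy", "organizations:DescribePolicy"],
     "Resource": ["arn:aws:organizations::222222222222:ou/o-abcdef/*"],
     "Condition": {"StringLikeIfExists": {"organizations:PolicyType": ["BACKUP_POLICY"]}}},
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "organizations:*", "Resource": "*"}]})
```

Running lint_delegation_policy(SAMPLE) reports nothing for BackupOnly and three findings for TooBroad (wildcard principal, wildcard action, and no PolicyType condition), which is the shape of statement the visual editor's Principal, Actions and Condition steps are meant to avoid.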
Supported condition keys
Only condition keys supported by AWS Organizations can be used for delegation policy. For
more information, see Condition keys for AWS Organizations in the Service Authorization
Reference.