Using AWS Organizations with other AWS services
You can use trusted access to enable a supported AWS service that you specify, called the trusted service, to perform tasks in your organization and its accounts on your behalf. This involves granting permissions to the trusted service but does not otherwise affect the permissions for users or roles. When you enable access, the trusted service can create an IAM role called a service-linked role in every account in your organization whenever that role is needed. That role has a permissions policy that allows the trusted service to do the tasks that are described in that service's documentation. This enables you to specify settings and configuration details that you would like the trusted service to maintain in your organization's accounts on your behalf. The trusted service only creates service-linked roles when it needs to perform management actions on accounts, and not necessarily in all accounts of the organization.
Important
We strongly recommend that, when the option is available, you enable and disable trusted access by using only the trusted service's console, or its AWS CLI or API operation equivalents. This lets the trusted service perform any required initialization when enabling trusted access, such as creating any required resources and any required clean up of resources when disabling trusted access.
For information about how to enable or disable trusted service access to your organization using the trusted service, see the Learn more link under the Supports Trusted Access column at AWS services that you can use with AWS Organizations.
If you disable access by using the Organizations console, CLI commands, or API operations, it causes the following actions to occur:
-
The service can no longer create a service-linked role in the accounts in your organization. This means that the service can't perform operations on your behalf on any new accounts in your organization. The service can still perform operations in older accounts until the service completes its clean-up from AWS Organizations.
-
The service can no longer perform tasks in the member accounts in the organization, unless those operations are explicitly permitted by the IAM policies that are attached to your roles. This includes any data aggregation from the member accounts to the management account, or to a delegated administrator account, where relevant.
-
Some services detect this and clean up any remaining data or resources related to the integration, while other services stop accessing the organization but leave any historical data and configuration in place to support a possible re-enabling of the integration.
Instead, using the other service's console or commands to disable the integration ensures that the other service can clean up any resources that are required only for the integration. How the service cleans up its resources in the organization's accounts depends on that service. For more information, see the documentation for the other AWS service.
Permissions required to enable trusted access
Trusted access requires permissions for two services: AWS Organizations and the trusted service. To enable trusted access, choose one of the following scenarios:
-
If you have credentials with permissions in both AWS Organizations and the trusted service, enable access by using the tools (console or AWS CLI) provided by the trusted service. This allows the service to enable trusted access in AWS Organizations on your behalf and to create any resources required for the service to operate in your organization.
The minimum permissions for these credentials are the following:
-
organizations:EnableAWSServiceAccess
. You can also use theorganizations:ServicePrincipal
condition key with this operation to limit requests that those operations make to a list of approved service principal names. For more information, see Condition keys. -
organizations:ListAWSServiceAccessForOrganization
– Required if you use the AWS Organizations console. -
The minimum permissions that are required by the trusted service depend on the service. For more information, see the trusted service's documentation.
-
-
If one person has credentials with permissions in AWS Organizations but someone else has credentials with permissions in the trusted service, perform these steps in the following order:
-
The person who has credentials with permissions in AWS Organizations should use the AWS Organizations console, the AWS CLI, or an AWS SDK to enable trusted access for the trusted service. This grants permission to the other service to perform its required configuration in the organization when the following step (step 2) is performed.
The minimum AWS Organizations permissions are the following:
-
organizations:EnableAWSServiceAccess
-
organizations:ListAWSServiceAccessForOrganization
– Required only if you use the AWS Organizations console
For the steps to enable trusted access in AWS Organizations, see How to enable or disable trusted access.
-
-
The person who has credentials with permissions in the trusted service enables that service to work with AWS Organizations. This instructs the service to perform any required initialization, such as creating any resources that are required for the trusted service to operate in the organization. For more information, see the service-specific instructions at AWS services that you can use with AWS Organizations.
-
Permissions required to disable trusted access
When you no longer want to allow the trusted service to operate on your organization or its accounts, choose one of the following scenarios.
Important
Disabling trusted service access does not prevent users and roles with appropriate permissions from using that service. To completely block users and roles from accessing an AWS service, you can remove the IAM permissions that grant that access, or you can use service control policies (SCPs) in AWS Organizations.
You can apply SCPs to only member accounts. SCPs don't apply to the management account. We recommend that you don’t run services in the management account. Instead, run them in member accounts where you can control the security by using SCPs.
-
If you have credentials with permissions in both AWS Organizations and the trusted service, disable access by using the tools (console or AWS CLI) that are available for the trusted service. The service then cleans up by removing resources that are no longer required and by disabling trusted access for the service in AWS Organizations on your behalf.
The minimum permissions for these credentials are the following:
-
organizations:DisableAWSServiceAccess
. You can also use theorganizations:ServicePrincipal
condition key with this operation to limit requests that those operations make to a list of approved service principal names. For more information, see Condition keys. -
organizations:ListAWSServiceAccessForOrganization
– Required if you use the AWS Organizations console. -
The minimum permissions required by the trusted service depend on the service. For more information, see the trusted service's documentation.
-
-
If the credentials with permissions in AWS Organizations aren't the credentials with permissions in the trusted service, perform these steps in the following order:
-
The person with permissions in the trusted service first disables access using that service. This instructs the trusted service to clean up by removing the resources required for trusted access. For more information, see the service-specific instructions at AWS services that you can use with AWS Organizations.
-
The person with permissions in AWS Organizations can then use the AWS Organizations console, AWS CLI, or an AWS SDK to disable access for the trusted service. This removes the permissions for the trusted service from the organization and its accounts.
The minimum AWS Organizations permissions are the following:
-
organizations:DisableAWSServiceAccess
-
organizations:ListAWSServiceAccessForOrganization
– Required only if you use the AWS Organizations console
For the steps to disable trusted access in AWS Organizations, see How to enable or disable trusted access.
-
-
How to enable or disable trusted access
If you have permissions only for AWS Organizations and you want to enable or disable trusted access to your organization on behalf of the administrator of the other AWS service, use the following procedure.
Important
We strongly recommend that, when the option is available, you enable and disable trusted access by using only the trusted service's console, or its AWS CLI or API operation equivalents. This lets the trusted service perform any required initialization when enabling trusted access, such as creating any required resources and any required clean up of resources when disabling trusted access.
For information about how to enable or disable trusted service access to your organization using the trusted service, see the Learn more link under the Supports Trusted Access column at AWS services that you can use with AWS Organizations.
If you disable access by using the Organizations console, CLI commands, or API operations, it causes the following actions to occur:
-
The service can no longer create a service-linked role in the accounts in your organization. This means that the service can't perform operations on your behalf on any new accounts in your organization. The service can still perform operations in older accounts until the service completes its clean-up from AWS Organizations.
-
The service can no longer perform tasks in the member accounts in the organization, unless those operations are explicitly permitted by the IAM policies that are attached to your roles. This includes any data aggregation from the member accounts to the management account, or to a delegated administrator account, where relevant.
-
Some services detect this and clean up any remaining data or resources related to the integration, while other services stop accessing the organization but leave any historical data and configuration in place to support a possible re-enabling of the integration.
Instead, using the other service's console or commands to disable the integration ensures that the other service can clean up any resources that are required only for the integration. How the service cleans up its resources in the organization's accounts depends on that service. For more information, see the documentation for the other AWS service.
AWS Organizations and service-linked roles
AWS Organizations uses IAM service-linked roles
To make all of this possible, when you create an account in an organization or you
accept an invitation to join your existing account to an organization, AWS Organizations
provisions the member account with a service-linked role named
AWSServiceRoleForOrganizations
. Only the AWS Organizations service itself can
assume this role. The role has permissions that allow AWS Organizations to create service-linked
roles for other AWS services. This service-linked role is present in all
organizations.
Although we don't recommend it, if your organization has only consolidated billing features enabled, the
service-linked role named AWSServiceRoleForOrganizations
is never used, and
you can delete it. If you later want to enable all
features in your organization, the role is required, and you must restore it.
The following checks occur when you begin the process to enable all features:
-
For each member account that was invited to join the organization – The account administrator receives a request to agree to enable all features. To successfully agree to the request, the administrator must have both
organizations:AcceptHandshake
andiam:CreateServiceLinkedRole
permissions if the service-linked role (AWSServiceRoleForOrganizations
) doesn't already exist. If theAWSServiceRoleForOrganizations
role already exists, the administrator needs only theorganizations:AcceptHandshake
permission to agree to the request. When the administrator agrees to the request, AWS Organizations creates the service-linked role if it doesn't already exist. -
For each member account that was created in the organization – The account administrator receives a request to recreate the service-linked role. (The administrator of the member account doesn't receive a request to enable all features because the administrator of the management account (formerly known as the "master account") is considered the owner of the created member accounts.) AWS Organizations creates the service-linked role when the member account administrator agrees to the request. The administrator must have both
organizations:AcceptHandshake
andiam:CreateServiceLinkedRole
permissions to successfully accept the handshake.
After you enable all features in your organization, you no longer can delete the
AWSServiceRoleForOrganizations
service-linked role from any
account.
Important
AWS Organizations SCPs never affect service-linked roles. These roles are exempt from any SCP restrictions.
Using the AWSServiceRoleForDeclarativePoliciesEC2Report service-linked role
TheAWSServiceRoleForDeclarativePoliciesEC2Report
service-linked role is used by Organizations to describe account attribute states for member accounts to create Declarative Policies reports. The role's permissions are defined in the
AWS managed policy: DeclarativePoliciesEC2Report.