# Security in AWS Organizations
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Organizations, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Organizations. The following topics show you how to configure Organizations to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Organizations resources. 

**Topics**
+ [AWS PrivateLink for AWS Organizations](orgs_security_privatelink.md)
+ [Identity and Access Management for AWS Organizations](orgs_security_iam.md)
+ [Logging and monitoring in AWS Organizations](orgs_security_incident-response.md)
+ [Compliance validation for AWS Organizations](orgs_security_compliance-validation.md)
+ [Resilience in AWS Organizations](orgs_security_disaster-recovery-resiliency.md)
+ [Infrastructure security in AWS Organizations](orgs_security_infrastructure.md)

# AWS PrivateLink for AWS Organizations
<a name="orgs_security_privatelink"></a>

With AWS PrivateLink for AWS Organizations, you can access the AWS Organizations service from within the Virtual Private Cloud (VPC) without having to cross the public internet.

Amazon VPC lets you launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see the [*Amazon VPC User Guide*](https://docs.aws.amazon.com/vpc/latest/userguide/).

To connect your Amazon VPC to AWS Organizations, you must first define an interface VPC endpoint (interface endpoint). Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests from your VPC to AWS Organizations over interface endpoints stay on the Amazon network.

For general information about interface endpoints, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#vpce-interface-limitations) in the *Amazon VPC User Guide*.

**Topics**
+ [Limitations and restrictions of AWS PrivateLink for AWS Organizations](#limits-restrictions-privatelink)
+ [Creating a VPC endpoint](create-vpc-endpoint.md)
+ [Creating a VPC endpoint policy](create-vpc-endpoint-policy.md)

## Limitations and restrictions of AWS PrivateLink for AWS Organizations
<a name="limits-restrictions-privatelink"></a>

VPC limitations apply to AWS PrivateLink for AWS Organizations. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#vpce-interface-limitations) and [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html) in the *Amazon VPC User Guide*. In addition, the following restrictions apply:
+ Only available in the `us-east-1` region
+ Doesn’t support Transport Layer Security (TLS) 1.1

# Creating a VPC endpoint for AWS Organizations
<a name="create-vpc-endpoint"></a>

You can create an AWS Organizations endpoint in your VPC using the Amazon VPC Console, the AWS Command Line Interface (AWS CLI) or CloudFormation.

For information about creating and configuring an endpoint using the Amazon VPC console or the AWS CLI, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *Amazon VPC User Guide*. For information about creating and configuring an endpoint using CloudFormation, see the [AWS::EC2::VPCEndpoint](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html) resource in the *AWS CloudFormation User Guide*.

When you create an AWS Organizations endpoint, use the following as the service name:

```
com.amazonaws.us-east-1.organizations
```

If you require FIPS 140-2 validated cryptographic modules when accessing AWS, use the following AWS Organizations FIPS service name:

```
com.amazonaws.us-east-1.organizations-fips
```

# Creating a VPC endpoint policy for AWS Organizations
<a name="create-vpc-endpoint-policy"></a>

You can attach an endpoint policy to your VPC endpoint that controls access to Organizations. The policy specifies the following information:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon VPC User Guide*.

## Example: VPC endpoint policy for AWS Organizations actions
<a name="Log-entries-close-account"></a>

```
{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "Organizations:DescribeAccount"
         ],
         "Resource":"*"
      }
   ]
}
```
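The two steps above, choosing the service name and attaching an endpoint policy, as one worked example. This is added code, not part of the AWS documentation, and it does not call AWS: it builds the keyword arguments that boto3's `ec2.create_vpc_endpoint()` takes (the parameter names `VpcId`, `ServiceName`, `VpcEndpointType`, `SubnetIds`, `SecurityGroupIds`, `PrivateDnsEnabled` and `PolicyDocument` come from the EC2 API and are assumed here) and refuses Regions other than `us-east-1` and endpoint policies that grant wildcard or non-Organizations actions. The VPC, subnet and security group IDs in the demo are constructed placeholders.

```python
"""Build an AWS Organizations interface endpoint request with a least-privilege
endpoint policy. Added example; it does not create any AWS resource."""
import json

# AWS PrivateLink for Organizations is offered only in this Region (per the page).
ORGANIZATIONS_ENDPOINT_REGION = "us-east-1"


def organizations_service_name(region: str, fips: bool = False) -> str:
    """Return the PrivateLink service name for Organizations.

    Fails loudly for Regions where the endpoint does not exist, so a wrong
    Region is caught when the request is built rather than when it is sent.
    """
    if region != ORGANIZATIONS_ENDPOINT_REGION:
        raise ValueError(
            f"AWS PrivateLink for Organizations is only available in "
            f"{ORGANIZATIONS_ENDPOINT_REGION}, not {region}"
        )
    name = f"com.amazonaws.{region}.organizations"
    return f"{name}-fips" if fips else name


def endpoint_policy(actions, principal="*", resource="*") -> dict:
    """Endpoint policy allowing only the listed Organizations actions.

    Every action must be a fully spelled-out organizations:* action; a stray
    wildcard or an action from another service is rejected.
    """
    for action in actions:
        service, _, name = action.partition(":")
        if service.lower() != "organizations" or not name or "*" in name:
            raise ValueError(f"refusing non-specific or foreign action {action!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": principal,
                "Action": sorted(actions),
                "Resource": resource,
            }
        ],
    }


def allowed_actions(policy: dict) -> set:
    """Actions granted by a policy's Allow statements (to audit an existing policy)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def create_vpc_endpoint_request(vpc_id, subnet_ids, security_group_ids,
                                actions, fips=False) -> dict:
    """Keyword arguments for boto3 ec2.create_vpc_endpoint() (assumed EC2 API
    parameter names; nothing is sent from here)."""
    return {
        "VpcId": vpc_id,
        "ServiceName": organizations_service_name(ORGANIZATIONS_ENDPOINT_REGION, fips),
        "VpcEndpointType": "Interface",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,
        # The EC2 API takes the endpoint policy as a JSON string.
        "PolicyDocument": json.dumps(endpoint_policy(actions)),
    }


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your own VPC, subnets and security group.
    request = create_vpc_endpoint_request(
        "vpc-0123456789abcdef0", ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"],
        ["organizations:DescribeAccount", "organizations:ListAccounts"], fips=True,
    )
    print(json.dumps(request, indent=2))
```

Passing `fips=True` selects the `-fips` service name from the section above; the policy builder keeps the endpoint policy to an explicit action list so the endpoint cannot quietly become a path to every Organizations operation.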

# Identity and Access Management for AWS Organizations
<a name="orgs_security_iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Organizations resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How AWS Organizations works with IAM](security_iam_service-with-iam.md)
+ [Managing access permissions for an organization](orgs_permissions_overview.md)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Resource-based policy examples](security_iam_resource-based-policy-examples.md)
+ [AWS managed policies](orgs_reference_available-policies.md)
+ [Attribute-based access control with tags](orgs_tagging_abac.md)
+ [Troubleshooting](security_iam_troubleshoot.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Organizations identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How AWS Organizations works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for AWS Organizations](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How AWS Organizations works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to Organizations, learn what IAM features are available to use with Organizations.

| IAM feature | Organizations support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   Yes  | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   Yes  | 
|  [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [ACLs](#security_iam_service-with-iam-acls)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   No   | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   Yes  | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

To get a high-level view of how Organizations and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Organizations
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for Organizations
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of Organizations identity-based policies, see [Identity-based policy examples for AWS Organizations](security_iam_id-based-policy-examples.md).

## Resource-based policies within Organizations
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** Yes

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

The Organizations service supports only one type of resource-based policy called a *resource-based delegation policy*, which specifies which member accounts can perform actions on policies. You can add multiple statements in the policy to denote a different set of permissions to member accounts.

For more information, see [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

### Resource-based policy examples within Organizations
<a name="security_iam_service-with-iam-resource-based-policies-examples"></a>

To view examples of Organizations resource-based policies, see [Resource-based policy examples for AWS Organizations](security_iam_resource-based-policy-examples.md).

## Policy actions for Organizations
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of Organizations actions, see [Actions defined by AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#your_service-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Organizations use the following prefix before the action:

```
organizations
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
      "organizations:action1",
      "organizations:action2"
         ]
```

To view examples of Organizations identity-based policies, see [Identity-based policy examples for AWS Organizations](security_iam_id-based-policy-examples.md).

## Policy resources for Organizations
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (`*`) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

To see a list of Organizations resource types and their ARNs, see [Resources defined by AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#your_service-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#your_service-actions-as-permissions).

To view examples of Organizations identity-based policies, see [Identity-based policy examples for AWS Organizations](security_iam_id-based-policy-examples.md).

## Policy condition keys for Organizations
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of Organizations condition keys, see [Condition keys for AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#your_service-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#your_service-actions-as-permissions).

To view examples of Organizations identity-based policies, see [Identity-based policy examples for AWS Organizations](security_iam_id-based-policy-examples.md).

## ACLs in Organizations
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## ABAC with Organizations
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

## Using temporary credentials with Organizations
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** No 

Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Forward access sessions for Organizations
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

 Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). 

## Service roles for Organizations
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** Yes

 A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 

**Warning**  
Changing the permissions for a service role might break Organizations functionality. Edit service roles only when Organizations provides guidance to do so.

## Service-linked roles for Organizations
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

 A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. 

For details about creating or managing service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Managing access permissions for an organization with AWS Organizations
<a name="orgs_permissions_overview"></a>

All AWS resources, including the roots, OUs, accounts, and policies in an organization, are owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. For an organization, its management account owns all resources. An account administrator can control access to AWS resources by attaching permissions policies to IAM identities (users, groups, and roles).

**Note**  
An *account administrator* (or administrator user) is a user with administrator permissions. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/accounts/latest/reference/getting-started-step4.html) in the *AWS Account Management Reference Guide*.

When granting permissions, you decide who is getting the permissions, the resources that they get permissions for, and the specific actions that you want to allow on those resources.

By default, IAM users, groups, and roles have no permissions. As an administrator in the management account of an organization, you can perform administrative tasks or delegate administrator permissions to other IAM users or roles in the management account. To do this, you attach an IAM permissions policy to an IAM user, group, or role. By default, a user has no permissions at all; this is sometimes called an *implicit deny*. The policy overrides the implicit deny with an *explicit allow* that specifies which actions the user can perform, and which resources they can perform the actions on. If the permissions are granted to a role, users in other accounts in the organization can assume that role.
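The implicit deny and explicit allow described in this paragraph, and the interaction of identity-based policies with SCPs, permissions boundaries and session policies from the "Multiple policy types" section above, as one worked model. This is an added example, not AWS code: it follows the order the IAM evaluation logic documents for those policy types (an explicit `Deny` in any applicable policy wins; otherwise every layer that is present must contain a matching `Allow`; anything else is an implicit deny). `NotAction`/`NotResource`, `Condition` blocks and resource-based policies are deliberately left out, so it is a teaching model rather than a replacement for the IAM policy simulator. The organization, root and account IDs in the demo are constructed.

```python
"""Simplified model of IAM policy evaluation across several policy types.
Added example; models only Action/Resource matching for identity-based
policies, SCPs, permissions boundaries and session policies."""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive and accept * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARNs are compared case-sensitively.
    return fnmatchcase(resource, pattern)


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement names both the action and the resource."""
    return (
        any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
        and any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource")))
    )


def layer_decision(policies, action, resource):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, else None
    (no matching statement, which IAM treats as an implicit deny for that layer)."""
    outcome = None
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if statement_applies(stmt, action, resource):
                if stmt.get("Effect") == "Deny":
                    return "Deny"
                if stmt.get("Effect") == "Allow":
                    outcome = "Allow"
    return outcome


def evaluate(action, resource, identity_policies, scps=None, boundary=None,
             session_policies=None):
    """Return (decision, reason). Pass None for a layer that is not present:
    no SCP (account outside an organization), no boundary, no session policy."""
    layers = [
        ("SCP", scps),
        ("permissions boundary", None if boundary is None else [boundary]),
        ("session policy", session_policies),
        ("identity-based policy", identity_policies),
    ]
    decisions = [(name, layer_decision(pols, action, resource))
                 for name, pols in layers if pols is not None]
    # 1. An explicit Deny anywhere ends evaluation.
    for name, decision in decisions:
        if decision == "Deny":
            return "Deny", f"explicit deny in {name}"
    # 2. Every present layer must supply an Allow; a missing one is an implicit deny.
    for name, decision in decisions:
        if decision != "Allow":
            return "Deny", f"implicit deny: no Allow in {name}"
    return "Allow", "allowed by every applicable layer"


# Constructed identifiers for the demo below.
MGMT = "111122223333"
ORG = "o-exampleorgid"
ACCOUNT_ARN = f"arn:aws:organizations::{MGMT}:account/{ORG}/444455556666"

IDENTITY = [{"Statement": [
    {"Effect": "Allow", "Action": ["organizations:Describe*", "organizations:List*"],
     "Resource": "*"},
]}]
SCP = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}]

if __name__ == "__main__":
    for act in ("organizations:DescribeAccount", "organizations:LeaveOrganization",
                "organizations:CreateAccount"):
        print(act, "->", evaluate(act, ACCOUNT_ARN, IDENTITY, scps=SCP))
```

In the demo the read-only identity policy is the only `Allow` for `DescribeAccount`, so the request succeeds; `LeaveOrganization` is stopped by the SCP's explicit `Deny` even though nothing in the account would have allowed it anyway; and `CreateAccount` fails as an implicit deny because no layer grants it, which is the default state the paragraph above describes.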

## AWS Organizations resources and operations
<a name="orgs-access-control-resources-and-operations"></a>

This section discusses how AWS Organizations concepts map to their IAM-equivalent concepts.

### Resources
<a name="orgs_permissions_resources"></a>

In AWS Organizations, you can control access to the following resources:
+ The root and the OUs that make up the hierarchical structure of an organization
+ The accounts that are members of the organization
+ The policies that you attach to the entities in the organization
+ The handshakes that you use to change the state of the organization

Each of these resources has a unique Amazon Resource Name (ARN) associated with it. You control access to a resource by specifying its ARN in the `Resource` element of an IAM permission policy. For a complete list of the ARN formats for resources that are used in AWS Organizations, see [Resource types defined by AWS Organizations](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the *Service Authorization Reference*.

### Operations
<a name="orgs_permissions_operations"></a>

AWS provides a set of operations to work with the resources in an organization. They enable you to do things like create, list, modify, access the contents of, and delete resources. Most operations can be referenced in the `Action` element of an IAM policy to control who can use that operation. For a list of AWS Organizations operations that can be used as permissions in an IAM policy, see [Actions defined by organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-actions-as-permissions) in the *Service Authorization Reference*.

When you combine an `Action` and a `Resource` in a single permission policy `Statement`, you control exactly which resources that particular set of actions can be used on.

### Condition keys
<a name="orgs_permissions_conditionkeys"></a>

AWS provides condition keys that you can query to provide more granular control over certain actions. You can reference these condition keys in the `Condition` element of an IAM policy to specify the additional circumstances that must be met for the statement to be considered a match. 

The following condition keys are especially useful with AWS Organizations:
+ `aws:PrincipalOrgID` – Simplifies specifying the `Principal` element in a resource-based policy. This global key provides an alternative to listing all the account IDs for all AWS accounts in an organization. Instead of listing all of the accounts that are members of an organization, you can specify the [organization ID](orgs_manage_org.md) in the `Condition` element. 
  **Note**  
  This global condition also applies to the management account of an organization.

  For more information, see the description of `PrincipalOrgID` in [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
+ `aws:PrincipalOrgPaths` – Use this condition key to match members of a specific organization root, an OU, or its children. The `aws:PrincipalOrgPaths` condition key returns true when the principal (root user, IAM user, or role) making the request is in the specified organization path. A path is a text representation of the structure of an AWS Organizations entity. For more information about paths, see [Understand the AWS Organizations entity path](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data-orgs.html#access_policies_access-advisor-viewing-orgs-entity-path) in the *IAM User Guide*. For more information about using this condition key, see [aws:PrincipalOrgPaths](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principal-org-paths) in the *IAM User Guide*.

  For example, the following condition element matches for members of either of two OUs in the same organization.

  ```
              "Condition": {
                  "ForAnyValue:StringLike": {
                      "aws:PrincipalOrgPaths": [
                          "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
                          "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-jkl0-awsddddd/"
                      ]
                  }
              }
  ```
+ `organizations:PolicyType` – You can use this condition key to restrict the Organizations policy-related API operations to work on only Organizations policies of the specified type. You can apply this condition key to any policy statement that includes an action that interacts with Organizations policies.

  You can use the following values with this condition key:
  + `SERVICE_CONTROL_POLICY`
  + `RESOURCE_CONTROL_POLICY`
  + `DECLARATIVE_POLICY_EC2`
  + `BACKUP_POLICY`
  + `TAG_POLICY`
  + `CHATBOT_POLICY`
  + `AISERVICES_OPT_OUT_POLICY`

  For example, the following policy allows the user to perform any Organizations operation. However, if the user performs an operation that takes a policy argument, the operation is allowed only if the specified policy is a tagging policy. The operation fails if the user specifies any other type of policy.

------
#### [ JSON ]

****  

  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Sid": "IfTaggingAPIThenAllowOnOnlyTaggingPolicies",
              "Effect": "Allow",
              "Action": "organizations:*",
              "Resource": "*",
              "Condition": { 
                  "StringLikeIfExists": {
                      "organizations:PolicyType": [ "TAG_POLICY" ]
                  }
              }
          }
      ]
  }
  ```

------
+ `organizations:ServicePrincipal` – Available as a condition if you use the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) or [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html) operations to enable or disable [trusted access](orgs_integrate_services.md) with other AWS services. You can use `organizations:ServicePrincipal` to restrict requests that those operations make to a list of approved service principal names.

  For example, the following policy allows the user to specify only AWS Firewall Manager when enabling and disabling trusted access with AWS Organizations.

------
#### [ JSON ]

****  

  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Sid": "AllowOnlyAWSFirewallIntegration",
              "Effect": "Allow",
              "Action": [
                  "organizations:EnableAWSServiceAccess",
                  "organizations:DisableAWSServiceAccess"
              ],
              "Resource": "*",
              "Condition": { 
                  "StringLikeIfExists": {
                      "organizations:ServicePrincipal": [ "fms.amazonaws.com" ]
                  }
              }
          }
      ]
  }
  ```

------

For a list of all of the AWS Organizations–specific condition keys that can be used as permissions in an IAM policy, see [Condition keys for AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-policy-keys) in the *Service Authorization Reference*.
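The following Python script is an added example, not AWS's own code: it simulates how IAM matches the three condition blocks shown above (`ForAnyValue:StringLike` on `aws:PrincipalOrgPaths`, and `StringLikeIfExists` on `organizations:PolicyType` and `organizations:ServicePrincipal`) against a request context, so you can see why the trailing slash in an org path matters, how a trailing `*` extends a match to child OUs, and why `...IfExists` lets calls that carry no policy through. It models only the String operators used on this page; the org, root and OU IDs are the constructed samples from the examples above, and the child OU ID `ou-ghi0-awsccccc` is an assumed placeholder.

```python
"""Simulation of IAM String-condition matching for the keys used on this page.

Added example, not AWS's own code. It models only the operator forms that
appear above: StringEquals, StringLike, the ...IfExists variants and the
ForAnyValue set operator. The org, root and OU IDs are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Request context: condition key -> list of values. Multivalued keys such as
# aws:PrincipalOrgPaths carry one or more values; an absent key is not in context.
Context = Dict[str, List[str]]


def _wildcard_to_regex(pattern: str) -> "re.Pattern":
    """StringLike: '*' matches any run of characters (including none), '?' matches
    exactly one; everything else is a case-sensitive literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


def _value_matches(op: str, policy_value: str, request_value: str) -> bool:
    if op == "StringEquals":
        return policy_value == request_value
    if op == "StringLike":
        return _wildcard_to_regex(policy_value).fullmatch(request_value) is not None
    raise ValueError(f"operator not modelled here: {op}")


def evaluate_condition(condition: dict, context: Context) -> bool:
    """True when every operator block in a Condition element matches `context`."""
    for operator_spec, key_map in condition.items():
        set_op, _, op = operator_spec.rpartition(":")   # "ForAnyValue:StringLike"
        set_op = set_op or None
        if set_op not in (None, "ForAnyValue"):
            raise ValueError(f"set operator not modelled here: {set_op}")
        if_exists = op.endswith("IfExists")
        if if_exists:
            op = op[: -len("IfExists")]
        for key, policy_values in key_map.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            request_values = context.get(key)
            if not request_values:
                if if_exists:
                    continue      # ...IfExists: a missing key counts as a match
                return False      # otherwise a missing key can never match
            hits = [any(_value_matches(op, pv, rv) for pv in policy_values)
                    for rv in request_values]
            if set_op == "ForAnyValue":
                ok = any(hits)
            else:
                # single-valued operator: the key must carry exactly one value
                ok = len(request_values) == 1 and hits[0]
            if not ok:
                return False
    return True


# Condition element from the aws:PrincipalOrgPaths example above.
ORG_PATHS_CONDITION = {
    "ForAnyValue:StringLike": {
        "aws:PrincipalOrgPaths": [
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/",
            "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-jkl0-awsddddd/",
        ]
    }
}

# Variant with a trailing '*': the first OU plus every OU nested below it.
# The '/' before '*' stops an OU whose ID merely starts with the same
# characters from matching.
ORG_PATHS_WITH_CHILDREN = {
    "ForAnyValue:StringLike": {
        "aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/*"]
    }
}

# Condition from the organizations:PolicyType example above.
POLICY_TYPE_CONDITION = {"StringLikeIfExists": {"organizations:PolicyType": ["TAG_POLICY"]}}

# Condition from the organizations:ServicePrincipal example above.
SERVICE_PRINCIPAL_CONDITION = {
    "StringLikeIfExists": {"organizations:ServicePrincipal": ["fms.amazonaws.com"]}
}


def principal_in_scope(path: Optional[str], condition: dict = ORG_PATHS_CONDITION) -> bool:
    """Does a principal whose account sits at org path `path` satisfy `condition`?
    `None` models a principal from an account that belongs to no organization."""
    ctx: Context = {} if path is None else {"aws:PrincipalOrgPaths": [path]}
    return evaluate_condition(condition, ctx)


def policy_type_allowed(policy_type: Optional[str]) -> bool:
    """organizations:PolicyType is present only on calls that take a policy, so
    `None` models a call such as ListAccounts."""
    ctx: Context = {} if policy_type is None else {"organizations:PolicyType": [policy_type]}
    return evaluate_condition(POLICY_TYPE_CONDITION, ctx)


def service_principal_allowed(service_principal: str) -> bool:
    return evaluate_condition(
        SERVICE_PRINCIPAL_CONDITION, {"organizations:ServicePrincipal": [service_principal]}
    )


if __name__ == "__main__":
    root = "o-a1b2c3d4e5/r-f6g7h8i9j0example/"
    direct = root + "ou-def0-awsbbbbb/"
    nested = direct + "ou-ghi0-awsccccc/"   # constructed child OU
    for label, path in [("root", root), ("direct", direct), ("nested", nested), ("no org", None)]:
        print(f"{label:7} exact-OU={principal_in_scope(path)!s:5} "
              f"with-children={principal_in_scope(path, ORG_PATHS_WITH_CHILDREN)}")
    for pt in (None, "TAG_POLICY", "SERVICE_CONTROL_POLICY"):
        print(f"PolicyType={pt}: {policy_type_allowed(pt)}")
```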

## Understanding resource ownership
<a name="orgs-access-control-resource-ownership"></a>

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the root user, an IAM user, or an IAM role) that authenticates the resource creation request. For an organization, that is ***always*** the management account. You can't call most operations that create or access organization resources from the member accounts. The following examples illustrate how this works:
+ If you use the root account credentials of your management account to create an OU, your management account is the owner of the resource. (In AWS Organizations, the resource is the OU).
+ If you create an IAM user in your management account and grant permissions to create an OU to that user, the user can create an OU. However, the management account, to which the user belongs, owns the OU resource.
+ If you create an IAM role in your management account with permissions to create an OU, anyone who can assume the role can create an OU. The management account, to which the role (not the assuming user) belongs, owns the OU resource.

## Managing access to resources
<a name="orgs-access-control-manage-access-to-resources"></a>

A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of AWS Organizations. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html). For information about IAM policy syntax and descriptions, see the [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies that are attached to an IAM identity are referred to as *identity-based* policies (IAM policies). Policies that are attached to a resource are referred to as *resource-based* policies.

**Topics**
+ [Identity-based permission policies (IAM policies)](#orgs-access-control-iam-policies)

### Identity-based permission policies (IAM policies)
<a name="orgs-access-control-iam-policies"></a>

You can attach policies to IAM identities to allow those identities to perform operations on AWS resources. For example, you can do the following:
+ **Attach a permissions policy to a user or a group in your account** – To grant a user permissions to create an AWS Organizations resource, such as a [service control policy (SCP)](orgs_manage_policies_scps.md) or an OU, you can attach a permissions policy to a user or a group that the user belongs to. The user or group must be in the organization's management account.
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can attach an identity-based permissions policy to an IAM role to grant cross-account access to an organization. For example, the administrator in the management account can create a role to grant cross-account permissions to a user in a member account as follows:

  1. The management account administrator creates an IAM role and attaches a permissions policy to the role that grants permissions to the organization's resources.

  1. The management account administrator attaches a trust policy to the role that identifies the member account ID as the `Principal` who can assume the role.

  1. The member account administrator can then delegate permissions to assume the role to any users in the member account. Doing this allows users in the member account to create or access resources in the management account and the organization. The principal in the trust policy can also be an AWS service principal if you want to grant permissions to an AWS service to assume the role.

  For more information about using IAM to delegate permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.

The following are examples of policies that allow a user to perform the `CreateAccount` action in your organization.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"Stmt1OrgPermissions",
         "Effect":"Allow",
         "Action":[
            "organizations:CreateAccount"
         ],
         "Resource":"*"
      }
   ]
}
```

------

You can also provide a partial ARN in the `Resource` element of the policy to indicate the type of resource.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowCreatingAccountsOnResource",
         "Effect":"Allow",
         "Action":"organizations:CreateAccount",
         "Resource":"arn:aws:organizations::*:account/*"
      }
   ]
}
```

------

You can also deny the creation of accounts that do not include specific tags on the account being created.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyCreatingAccountsOnResourceBasedOnTag",
         "Effect":"Deny",
         "Action":"organizations:CreateAccount",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/key":"value"
            }
         }
      }
   ]
}
```

------

For more information about users, groups, roles, and permissions, see [IAM identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*.

## Specifying policy elements: Actions, conditions, effects, and resources
<a name="orgs-access-control-policy-elements"></a>

For each AWS Organizations resource, the service defines a set of API operations, or actions, that can interact with or manipulate that resource in some way. To grant permissions for these operations, AWS Organizations defines a set of actions that you can specify in a policy. For example, for the OU resource, AWS Organizations defines actions like the following:
+ `AttachPolicy` and `DetachPolicy`
+ `CreateOrganizationalUnit` and `DeleteOrganizationalUnit`
+ `ListOrganizationalUnits` and `DescribeOrganizationalUnit`

In some cases, performing an API operation might require permissions to more than one action and might require permissions to more than one resource.

The following are the most basic elements that you can use in an IAM permission policy:
+ **Action** – Use this keyword to identify the operations (actions) that you want to allow or deny. For example, depending on the specified `Effect`, `organizations:CreateAccount` allows or denies the user permissions to perform the AWS Organizations `CreateAccount` operation. For more information, see [IAM JSON policy elements: Action](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html) in the *IAM User Guide*.
+ **Resource** – Use this keyword to specify the ARN of the resource that the policy statement applies to. For more information, see [IAM JSON policy elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.
+ **Condition** – Use this keyword to specify a condition that must be met for the policy statement to apply. `Condition` usually specifies additional circumstances that must be true for the policy to match. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Effect** – Use this keyword to specify whether the policy statement allows or denies the action on the resource. If you don't explicitly grant access to (or allow) a resource, access is implicitly denied. You also can explicitly deny access to a resource, which you might do to ensure that a user can't perform the specified action on the specified resource, even if a different policy grants access. For more information, see [IAM JSON policy elements: Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html) in the *IAM User Guide*.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is automatically and implicitly the principal. In resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions; the `Principal` element is used only in resource-based policies.

To learn more about IAM policy syntax and descriptions, see the [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

# Identity-based policy examples for AWS Organizations
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify Organizations resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by Organizations, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the console](#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Granting full admin permissions to a user](#orgs_permissions_grant-admin-actions)
+ [Granting limited access by actions](#orgs_permissions_grant-limited-actions)
+ [Granting access to specific resources](#orgs_permissions_grant-limited-resources)
+ [Granting the ability to enable trusted access to limited service principals](#orgs_permissions_grant-trusted-access-condition)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Organizations resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Organizations console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the AWS Organizations console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Organizations resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the Organizations console, also attach the Organizations [AWSOrganizationsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html) or [AWSOrganizationsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsReadOnlyAccess.html) AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Granting full admin permissions to a user
<a name="orgs_permissions_grant-admin-actions"></a>

You can create an IAM policy that grants full AWS Organizations administrator permissions to an IAM user in your organization. You can do this using the JSON policy editor in the IAM console. 

**To use the JSON policy editor to create a policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. 

   If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.

1. At the top of the page, choose **Create policy**.

1. In the **Policy editor** section, choose the **JSON** option.

1. Enter the following JSON policy document:

   ```
   {
       "Version": "2012-10-17",
       "Statement": {
           "Effect": "Allow",
           "Action": "organizations:*",
           "Resource": "*"
       }
   }
   ```

1. Choose **Next**.

   **Note**  
   You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.

1. On the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.

1. Choose **Create policy** to save your new policy.

To learn more about creating an IAM policy, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

## Granting limited access by actions
<a name="orgs_permissions_grant-limited-actions"></a>

If you want to grant limited permissions instead of full permissions, you can create a policy that lists individual permissions that you want to allow in the `Action` element of the IAM permissions policy. As shown in the following example, you can use wildcard (`*`) characters to grant only the `Describe*` and `List*` permissions, essentially providing read-only access to the organization.

**Note**  
In a service control policy (SCP), the wildcard (`*`) character in an `Action` element can be used only by itself or at the end of the string. It can't appear at the beginning or middle of the string. Therefore, `"servicename:action*"` is valid, but `"servicename:*action"` and `"servicename:some*action"` are both invalid in SCPs.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "organizations:Describe*", 
            "organizations:List*" 
        ],
        "Resource": "*"
    }
}
```

------

For a list of all the permissions that are available to assign in an IAM policy, see [Actions defined by AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-actions-as-permissions) in the *Service Authorization Reference*.

## Granting access to specific resources
<a name="orgs_permissions_grant-limited-resources"></a>

In addition to restricting access to specific actions, you can restrict access to specific entities in your organization. The `Resource` elements in the examples in the preceding sections both specify the wildcard character (`"*"`), which means "any resource that the action can access." Instead, you can replace the `"*"` with the Amazon Resource Name (ARN) of specific entities to which you want to allow access.

**Example: Granting permissions to a single OU**  
The first statement of the following policy allows an IAM user read access to the entire organization, but the second statement allows the user to perform AWS Organizations administrative actions only within a single, specified organizational unit (OU). This does not extend to any child OUs. No billing access is granted. Note that this doesn't give you administrative access to the AWS accounts in the OU. It grants only permissions to perform AWS Organizations operations on the accounts within the specified OU:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "organizations:*",
            "Resource": "arn:aws:organizations::123456789012:ou/o-<organizationId>/ou-<organizationalUnitId>"
        }
    ]
}
```

------

You get the IDs for the OU and the organization from the AWS Organizations console or by calling the `List*` APIs. The user or group that you apply this policy to can perform any action (`"organizations:*"`) on any entity that is directly contained in the specified OU. The OU is identified by the Amazon Resource Name (ARN). 

For more information about the ARNs for various resources, see [Resource types defined by AWS Organizations](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the *Service Authorization Reference*.

## Granting the ability to enable trusted access to limited service principals
<a name="orgs_permissions_grant-trusted-access-condition"></a>

You can use the `Condition` element of a policy statement to further limit the circumstances where the policy statement matches.

**Example: Granting permissions to enable trusted access to one specified service**  
The following statement shows how you can restrict the ability to enable trusted access to only those services that you specify. If the user tries to call the API with a different service principal than the one for AWS IAM Identity Center, this policy doesn't match and the request is denied:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "organizations:EnableAWSServiceAccess",
            "Resource": "*",
            "Condition": { 
                "StringEquals" : {
                    "organizations:ServicePrincipal" : "sso.amazonaws.com"
                }
            }
        }
    ]
}
```

------

For more information about the ARNs for various resources, see [Resource types defined by AWS Organizations](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the *Service Authorization Reference*.

# Resource-based policy examples for AWS Organizations
<a name="security_iam_resource-based-policy-examples"></a>

The following code examples show how you can use resource-based delegation policies. For more information, see [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

**Topics**
+ [View organization, OUs, accounts, and policies](#orgs_delegate_policies_example_view_accts_orgs)
+ [Create, read, update, and delete policies](#orgs_delegate_policies_example_crud_policies)
+ [Tag and untag policies](#orgs_delegate_policies_example_tag_untag_policies)
+ [Attach policies to a single OU or account](#orgs_delegate_policies_example_attach_policies)
+ [Consolidated permissions to manage an organization's backup policies](#orgs_delegate_policies_example_consolidate_permissions)

## Example: View organization, OUs, accounts, and policies
<a name="orgs_delegate_policies_example_view_accts_orgs"></a>

Before delegating the management of policies, you must delegate the permissions to navigate the structure of an organization and see the organizational units (OUs), accounts, and the policies attached to them.

This example shows how you might include these permissions in your resource-based delegation policy for the member account, *AccountId*.

**Important**  
It is advisable that you include permissions to only the minimum required actions as shown in the example, although it's possible to delegate any Organizations read-only action using this policy.

This example delegation policy grants the permissions necessary to complete actions programmatically from the AWS API or AWS CLI. To use this delegation policy, replace the AWS [placeholder text](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) for *AccountId* with your own information. Then, follow the directions in [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingNecessaryDescribeListActions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Example: Create, read, update, and delete policies
<a name="orgs_delegate_policies_example_crud_policies"></a>

You can create a resource-based delegation policy that allows the management account to delegate `create`, `read`, `update`, and `delete` actions for any policy type. This example shows how you might delegate these actions for service control policies to the member account, *MemberAccountId*. The two resources shown in the example grant access to customer managed and AWS managed service control policies, respectively.

**Important**  
This policy allows delegated administrators to perform specified actions on policies created by any account in the organization, including the management account.  
It doesn't allow delegated administrators to attach or detach policies because it doesn't include the permissions required to perform `organizations:AttachPolicy` and `organizations:DetachPolicy` actions. 

This example delegation policy grants the permissions necessary to complete actions programmatically from the AWS API or AWS CLI. Replace the AWS placeholder text for *MemberAccountId*, *ManagementAccountId*, and *OrganizationId* with your own information. Then, follow the directions in [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingDescribeListActionsWithoutCondition",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DelegatingPolicyActionsWithCondition",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
                }
            }
        },
        {
            "Sid": "DelegatingMinimalActionsForSCPs",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:CreatePolicy",
                "organizations:DescribePolicy",
                "organizations:UpdatePolicy",
                "organizations:DeletePolicy"
            ],
            "Resource": [
                "arn:aws:organizations::111122223333:policy/o-OrganizationId/service_control_policy/*",
                "arn:aws:organizations::aws:policy/service_control_policy/*"
            ]
        }
    ]
}
```

------

## Example: Tag and untag policies
<a name="orgs_delegate_policies_example_tag_untag_policies"></a>

This example shows how you might create a resource-based delegation policy that allows delegated administrators to tag or untag backup policies. It grants the permissions necessary to complete actions programmatically from the AWS API or AWS CLI. 

To use this delegation policy, replace the AWS placeholder text for *MemberAccountId*, *ManagementAccountId*, and *OrganizationId* with your own information. Then, follow the directions in [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingNecessaryDescribeListActionsWithoutCondition",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DelegatingNecessaryDescribeListActionsWithCondition",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:PolicyType": "BACKUP_POLICY"
                }
            }
        },
        {
            "Sid": "DelegatingTaggingBackupPolicies",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:TagResource",
                "organizations:UntagResource"
            ],
            "Resource": "arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
        }
    ]
}
```

------

## Example: Attach policies to a single OU or account
<a name="orgs_delegate_policies_example_attach_policies"></a>

This example shows how you might create a resource-based delegation policy that allows delegated administrators to `attach` or `detach` Organizations policies from a specified organizational unit (OU) or a specified account. Before delegating these actions, you must delegate the permissions to navigate the structure of an organization and see the accounts under it. For details, see [Example: View organization, OUs, accounts, and policies](#orgs_delegate_policies_example_view_accts_orgs).

**Important**  
While this policy allows attaching or detaching policies from the specified OU or account, it excludes child OUs and accounts under child OUs.
This policy allows delegated administrators to perform the specified actions on policies created by any account in the organization, including the management account.

This example delegation policy grants the permissions necessary to complete actions programmatically from the AWS API or AWS CLI. To use this delegation policy, replace the AWS placeholder text for *MemberAccountId*, *ManagementAccountId*, *OrganizationId*, and *TargetAccountId* with your own information. Then, follow the directions in [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingNecessaryDescribeListActions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AttachDetachPoliciesSpecifiedAccountOU",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:AttachPolicy",
                "organizations:DetachPolicy"
            ],
            "Resource": [
                "arn:aws:organizations::111122223333:ou/o-OrganizationId/ou-OUId",
                "arn:aws:organizations::111122223333:account/o-OrganizationId/TargetAccountId",
                "arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
            ]
        }
    ]
}
```

------

To delegate attaching and detaching policies to any OU or account in the organization, replace the `Resource` element in the previous example with the following resources:

```
"Resource": [
    "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*",
    "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*",
    "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
]
```

## Example: Consolidated permissions to manage an organization's backup policies
<a name="orgs_delegate_policies_example_consolidate_permissions"></a>

This example shows how you might create a resource-based delegation policy that allows the management account to delegate full permissions necessary to manage backup policies within the organization, including `create`, `read`, `update`, and `delete` actions, as well as `attach` and `detach` policy actions. 

**Important**  
This policy allows delegated administrators to perform the specified actions on policies created by any account in the organization, including the management account.

This example delegation policy grants the permissions necessary to complete actions programmatically from the AWS API or AWS CLI. To use this delegation policy, replace the AWS [placeholder text](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) for *MemberAccountId*, *ManagementAccountId*, *OrganizationId*, and *RootId* with your own information. Then, follow the directions in [Delegated administrator for AWS Organizations](orgs_delegate_policies.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingNecessaryDescribeListActions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DelegatingNecessaryDescribeListActionsForSpecificPolicyType",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:DescribePolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:PolicyType": "BACKUP_POLICY"
                }
            }
        },
        {
            "Sid": "DelegatingAllActionsForBackupPolicies",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:CreatePolicy",
                "organizations:UpdatePolicy",
                "organizations:DeletePolicy",
                "organizations:AttachPolicy",
                "organizations:DetachPolicy",
                "organizations:EnablePolicyType",
                "organizations:DisablePolicyType"
            ],
            "Resource": [
                "arn:aws:organizations::111122223333:root/o-OrganizationId/r-RootId",
                "arn:aws:organizations::111122223333:ou/o-OrganizationId/*",
                "arn:aws:organizations::111122223333:account/o-OrganizationId/*",
                "arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
            ],
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:PolicyType": "BACKUP_POLICY"
                }
            }
        }
    ]
}
```

------

# AWS managed policies for AWS Organizations
<a name="orgs_reference_available-policies"></a>

This section identifies the AWS managed policies provided for your use to manage your organization. You can't modify or delete an AWS managed policy, but you can attach it to, or detach it from, entities in your organization as needed.

## AWS Organizations managed policies for use with AWS Identity and Access Management (IAM)
<a name="ref-iam-managed-policies"></a>

An IAM managed policy is provided and maintained by AWS. A managed policy provides permissions for common tasks that you can assign to your users by attaching the managed policy to the appropriate IAM user or role object. You don't have to write the policy yourself, and when AWS updates the policy as appropriate to support new services, you automatically and immediately get the benefit of the update.

You can see the list of AWS managed policies on the [Policies](https://console.aws.amazon.com/iam/home?#/policies) page of the IAM console. Use the **Filter policies** drop-down to select **AWS managed**.

You can use the following managed policies to grant permissions to users in your organization.

### AWS managed policy: AWSOrganizationsFullAccess
<a name="security-iam-awsmanpol-AWSOrganizationsFullAccess"></a>

Provides all of the permissions required to create and fully administer an organization.

View the policy: [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html).

### AWS managed policy: AWSOrganizationsReadOnlyAccess
<a name="security-iam-awsmanpol-AWSOrganizationsReadOnlyAccess"></a>

Provides read-only access to information about the organization. It doesn't permit the user to make any changes.

View the policy: [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsReadOnlyAccess.html).

### AWS managed policy: DeclarativePoliciesEC2Report
<a name="security-iam-awsmanpol-DeclarativePoliciesEC2Report"></a>

This policy is used by the [AWSServiceRoleForDeclarativePoliciesEC2Report](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#ec2-report-policy) service-linked role to enable it to describe account attribute states for member accounts.

View the policy: [DeclarativePoliciesEC2Report](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/DeclarativePoliciesEC2Report.html).

## Updates to Organizations AWS managed policies
<a name="ref-iam-managed-policies-updates"></a>

The following table details updates to AWS managed policies since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document History](document-history.md) page.



| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to allow account API permissions required to view or modify an account name via the Organizations console.  |  Added the `account:GetAccountInformation` action to enable access to view the account name of any account in an organization and the `account:PutAccountName` action to enable access to modify any account name in an organization.  |  April 22, 2025  | 
|  [DeclarativePoliciesEC2Report](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/DeclarativePoliciesEC2Report$jsonEditor) – New managed policy  |  Added the `DeclarativePoliciesEC2Report` policy to enable the functionality of the `AWSServiceRoleForDeclarativePoliciesEC2Report` service-linked role.  |  November 22, 2024  | 
|  [AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view a root user email address.  |  Added the `account:GetPrimaryEmail` action to enable access to view the root user email address for any member account in an organization and the `account:GetRegionOptStatus` action to enable access to view the enabled Regions for any member account in an organization.  |  June 6, 2024  | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to include `Sid` elements that describe the policy statement.  |  Added `Sid` elements for the `AWSOrganizationsFullAccess` managed policy.  |  February 6, 2024  | 
|  [AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to include `Sid` elements that describe the policy statement.  |  Added `Sid` elements for the `AWSOrganizationsReadOnlyAccess` managed policy.  |  February 6, 2024  | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to allow account API permissions required to enable or disable AWS Regions via the Organizations console.  |  Added the `account:ListRegions`, `account:EnableRegion`, and `account:DisableRegion` actions to the policy to enable write access to enable or disable Regions for an account.  |  December 22, 2022  | 
|  [AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to list AWS Regions via the Organizations console.  |  Added the `account:ListRegions` action to the policy to enable access to view Regions for an account.  |  December 22, 2022  | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to allow account API permissions required to add or edit account contacts via the Organizations console.  |  Added the `account:GetContactInformation` and `account:PutContactInformation` actions to the policy to enable write access to modify contacts for an account.  |  October 21, 2022  | 
|  [AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account contacts via the Organizations console.  |  Added the `account:GetContactInformation` action to the policy to enable access to view contacts for an account.  |  October 21, 2022  | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to allow creating an organization.  |  Added the `CreateServiceLinkedRole` permission to the policy to enable creating the service linked role required to create an organization. The permission is restricted to creating a role that can be used only by the `organizations.amazonaws.com` service.  |  August 24, 2022  | 
|  [AWSOrganizationsFullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsFullAccess$jsonEditor) – updated to allow account API permissions required to add, edit, or delete account alternate contacts via the Organizations console.  |  Added the `account:GetAlternateContact`, `account:DeleteAlternateContact`, `account:PutAlternateContact` actions to the policy to enable write access to modify alternate contacts for an account.  |  February 7, 2022  | 
|  [AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account alternate contacts via the Organizations console.  |  Added the `account:GetAlternateContact` action to the policy to enable access to view alternate contacts for an account.  |  February 7, 2022  | 

## AWS managed authorization policies
<a name="ref-managed-scp-policies"></a>

[Authorization policies](orgs_manage_policies_authorization_policies.md) are similar to IAM permission policies, but are a feature of AWS Organizations rather than IAM. You use authorization policies to centrally configure and manage access for principals and resources in your member accounts.

You can see the list of policies in your organization on the [Policies](https://console.aws.amazon.com/organizations/?#/policies) page on the Organizations console.



| Policy name | Description | ARN | 
| --- | --- | --- | 
| [FullAWSAccess](https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy/p-FullAWSAccess) | Allows access to every operation. | arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess | 
| [RCPFullAWSAccess](https://console.aws.amazon.com/organizations/v2/home/policies/resource-control-policy/p-RCPFullAWSAccess) | Allows access to every resource. | arn:aws:organizations::aws:policy/resource_control_policy/p-RCPFullAWSAccess | 

# Attribute-based access control with tags for AWS Organizations
<a name="orgs_tagging_abac"></a>

*[Attribute-based access control](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html)* lets you use administrator-managed attributes such as [tags](https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html) attached to both AWS resources and AWS identities to control access to those resources. For example, you can specify that a user can access a resource only when both the user and the resource have the same value for a certain tag.

AWS Organizations taggable resources include AWS accounts, the organization's root, organizational units (OUs), or policies. When you attach tags to Organizations resources, you can then use those tags to control who can access those resources. You do this by adding `Condition` elements to your AWS Identity and Access Management (IAM) permissions policy statements that check whether certain tag keys and values are present before allowing the action. This enables you to create an IAM policy that effectively says "Allow the user to manage only those OUs that have a tag with a key `X` and a value `Y`" or "Allow the user to manage only those OUs that are tagged with a key `Z` that has the same value as the user's attached tag key `Z`." 

You can base your `Condition` tests on different types of tag references in an IAM policy.
+ [Checking the tags that are attached to resources specified in the request](#abac-resource)
+ [Checking the tags that are attached to the IAM user or role who is making the request](#abac-prin)
+ [Check the tags that are included as parameters in the request](#abac-request)

For more information about using tags for access control in policies, see [Controlling access to and for IAM users and roles using resource tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html). For the complete syntax of IAM permission policies, see the [IAM JSON Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html).

## Checking the tags that are attached to resources specified in the request
<a name="abac-resource"></a>

When you make a request by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or one of the AWS SDKs, you specify what resources you want to access with that request. Whether you are trying to list available resources of a given type, read a resource, or write to, modify, or update a resource, you specify the resource to access as a parameter in the request. Such requests are controlled by IAM permissions policies that you attach to your users and roles. In these policies, you can compare the tags attached to the requested resource and choose to allow or deny access based on the keys and values of those tags.

To check a tag that is attached to the resource, you reference the tag in a `Condition` element by prefacing the tag key name with the following string: `aws:ResourceTag/`

For example, the following sample policy allows the user or role to perform any AWS Organizations operation ***unless*** the resource has a tag with the key `department` and the value `security`. If that key and value are present, the policy explicitly denies the `UntagResource` operation.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect" : "Allow",
            "Action" : "organizations:*",
            "Resource" : "*"
        },
        {
            "Effect" : "Deny",
            "Action" : "organizations:UntagResource",
            "Resource" : "*",
            "Condition" : {
                "StringEquals" : {
                    "aws:ResourceTag/department" : "security"
                }
            }
        }
    ]
}
```

------

For more information about how to use this element, see [Controlling access to resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-resources) and [aws:ResourceTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) in the *IAM User Guide*.

## Checking the tags that are attached to the IAM user or role who is making the request
<a name="abac-prin"></a>

You can control what the person making the request (the principal) is allowed to do based on the tags that are attached to that person's IAM user or role. To do this, use the `aws:PrincipalTag/key-name` condition key to specify which tag and value must be attached to the calling user or role.

The following example shows how to allow an action only when the specified tag (`cost-center`) has the same value on both the principal calling the operation and the resource being accessed by the operation. In this example, the calling user can start and stop an Amazon EC2 instance only if the instance is tagged with the same `cost-center` value as the user.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "ec2:startInstances",
            "ec2:stopInstances"
        ],
        "Resource": "*",
        "Condition": {"StringEquals": 
            {"ec2:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"}}
    }
}
```

------

For more information about how to use this element, see [Controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals) and [aws:PrincipalTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) in the *IAM User Guide*.

## Check the tags that are included as parameters in the request
<a name="abac-request"></a>

Several operations enable you to specify tags as part of the request. For example, when you create a resource you can specify the tags that are attached to the new resource. You can specify a `Condition` element that uses `aws:TagKeys` to allow or deny the operation based on whether a specific tag key, or a set of keys, is included in the request. This comparison operator doesn't care what value the tag contains. It only checks whether a tag with the specified key is present. 

To check the tag key, or a list of keys, specify a `Condition` element with the following syntax:

```
"aws:TagKeys": [ "tag-key-1", "tag-key-2", ... , "tag-key-n" ]
```

You can use [ForAllValues](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions) to preface the comparison operator to ensure that all of the keys in the request must match one of the keys specified in the policy. For example, the following sample policy allows any Organizations operation only if all tags present in the request are a ***subset of the three*** tags in this policy.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "organizations:*",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "department",
                    "costcenter",
                    "manager"
                ]
            }
        }
    }
}
```

------

Alternatively, you can use [ForAnyValue](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions) to preface a comparison operator to ensure that at least one of the keys in the request must match one of the keys specified in the policy. For example, the following policy allows an Organizations operation only if ***at least one*** of the specified tag keys is present in the request.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "organizations:*",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:StringEquals": {
                "aws:TagKeys": [
                    "stage",
                    "us-east-1",
                    "domain"
                ]
            }
        }
    }
}
```

------

You can also compare a tag key-value pair in the policy with a key-value pair that is included in the request. To do this, reference the tag in a `Condition` element as `aws:RequestTag/key-name`, and then specify the tag value that must be present.

For example, the following sample policy denies any request by the user or role to create an AWS account where the request is either missing the `costcenter` tag (first statement) or supplies that tag with a value other than `1`, `2`, or `3` (second statement). Both statements are needed: the `Null` check is what catches an untagged request, because the `ForAnyValue:StringNotEquals` comparison matches nothing when the tag is absent.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "organizations:CreateAccount",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/costcenter": "true"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "organizations:CreateAccount",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "aws:RequestTag/costcenter": [
                        "1",
                        "2",
                        "3"
                    ]
                }
            }
        }
    ]
}
```

------

For more information about how to use these elements, see [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) and [aws:RequestTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) in the *IAM User Guide*.
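The following is an added example, not code from the AWS documentation: a small Python evaluator that models the condition operators these three policies use (`Null`, `ForAllValues:StringEquals`, `ForAnyValue:StringEquals`, `ForAnyValue:StringNotEquals`) with the set semantics described in the IAM User Guide, plus the explicit-deny-wins evaluation order, so you can check which `CreateAccount` requests each policy admits before you deploy it. It ignores `Resource` (all three policies use `*`), and `BROAD_ALLOW_POLICY` is an assumed companion grant added so that the deny-only policy has something to override.

```python
from typing import Any, Dict, List

Policy = Dict[str, Any]

# The three policies from this section, as Python dicts.
SUBSET_POLICY: Policy = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "organizations:*", "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {
        "aws:TagKeys": ["department", "costcenter", "manager"]}}}}

ANY_KEY_POLICY: Policy = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "organizations:*", "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {
        "aws:TagKeys": ["stage", "us-east-1", "domain"]}}}}

COSTCENTER_DENY_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:CreateAccount", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/costcenter": "true"}}},
    {"Effect": "Deny", "Action": "organizations:CreateAccount", "Resource": "*",
     "Condition": {"ForAnyValue:StringNotEquals": {
         "aws:RequestTag/costcenter": ["1", "2", "3"]}}}]}

# Assumed companion grant: a Deny-only policy never allows anything by itself.
BROAD_ALLOW_POLICY: Policy = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "organizations:*", "Resource": "*"}}


def request_context(action: str, tags: Dict[str, str]) -> Dict[str, Any]:
    """The slice of the IAM request context that tag conditions read."""
    ctx: Dict[str, Any] = {"action": action, "aws:TagKeys": list(tags)}
    for key, value in tags.items():
        ctx[f"aws:RequestTag/{key}"] = value
    return ctx


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def condition_matches(operator: str, key: str, wanted: Any, ctx: Dict[str, Any]) -> bool:
    wanted = _as_list(wanted)
    present = _as_list(ctx.get(key))
    if operator == "Null":
        # Null "true" matches only when the key is absent from the request context.
        return (key not in ctx) == (wanted[0] == "true")
    qualifier, _, base = operator.partition(":")
    if base == "StringEquals":
        ok = lambda v: v in wanted
    elif base == "StringNotEquals":
        ok = lambda v: v not in wanted
    else:
        raise NotImplementedError(operator)  # only the operators used above are modeled
    if qualifier == "ForAllValues":
        # Every request value must pass. An empty set passes vacuously, so an
        # untagged request satisfies ForAllValues; combined with Allow that over-permits.
        return all(ok(v) for v in present)
    if qualifier == "ForAnyValue":
        # At least one request value must pass; with no values present, nothing does.
        return any(ok(v) for v in present)
    raise NotImplementedError(operator)


def statement_matches(stmt: Policy, ctx: Dict[str, Any]) -> bool:
    action = ctx["action"]
    patterns = _as_list(stmt["Action"])
    if not any(p == action or (p.endswith("*") and action.startswith(p[:-1])) for p in patterns):
        return False
    return all(condition_matches(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policies: List[Policy], action: str, tags: Dict[str, str]) -> str:
    """Apply IAM's order: an explicit Deny wins, then any matching Allow, else implicit deny."""
    ctx = request_context(action, tags)
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    if any(s["Effect"] == "Deny" and statement_matches(s, ctx) for s in stmts):
        return "Deny"
    if any(s["Effect"] == "Allow" and statement_matches(s, ctx) for s in stmts):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    for tags in ({"department": "eng", "costcenter": "1"}, {"department": "eng", "owner": "x"}, {}):
        print("subset", tags, evaluate([SUBSET_POLICY], "organizations:CreateAccount", tags))
    for tags in ({"costcenter": "2"}, {"costcenter": "9"}, {}):
        print("costcenter", tags, evaluate([BROAD_ALLOW_POLICY, COSTCENTER_DENY_POLICY],
                                           "organizations:CreateAccount", tags))
```

Two results are worth noting: the `ForAllValues` policy allows an untagged request, because an empty request set passes vacuously, and the `costcenter` policy needs both of its statements, because `ForAnyValue:StringNotEquals` matches nothing when the tag is absent. For a check against the real engine, feed the same policies to `aws iam simulate-custom-policy` with `--context-entries` supplying the tag keys and values.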

# Troubleshooting AWS Organizations identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Organizations and IAM.

**Topics**
+ [I am not authorized to perform an action in Organizations](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Organizations resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Organizations
<a name="security_iam_troubleshoot-no-permissions"></a>

If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but doesn't have the fictional `organizations:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: organizations:GetWidget on resource: my-example-widget
```

In this case, the policy for the `mateojackson` user must be updated to allow access to the `my-example-widget` resource by using the `organizations:GetWidget` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Organizations.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Organizations. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Organizations resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Organizations supports these features, see [How AWS Organizations works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Logging and monitoring in AWS Organizations
<a name="orgs_security_incident-response"></a>

As a best practice, you should monitor your organization to ensure that changes are logged. This helps you to ensure that any unexpected change can be investigated and unwanted changes can be rolled back. AWS Organizations currently supports two AWS services that enable you to monitor your organization and the activity that happens within it.

**Topics**
+ [AWS CloudTrail](orgs_cloudtrail-integration.md)
+ [Amazon EventBridge](orgs_cloudwatch-integration.md)

# Logging API calls with AWS CloudTrail for AWS Organizations
<a name="orgs_cloudtrail-integration"></a>

AWS Organizations is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Organizations. CloudTrail captures all API calls for AWS Organizations as events, including calls from the AWS Organizations console and from code calls to the AWS Organizations APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Organizations. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to AWS Organizations, the IP address it was made from, who made it, when it was made, and additional details. 

To learn more about CloudTrail, see the *AWS CloudTrail User Guide*.

**Important**  
You can view all CloudTrail information for AWS Organizations only in the US East (N. Virginia) Region. If you don't see your AWS Organizations activity in the CloudTrail console, set your console to **US East (N. Virginia)** using the menu in the upper-right corner. If you query CloudTrail with the AWS CLI or SDK tools, direct your query to the US East (N. Virginia) endpoint.

## AWS Organizations information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Organizations, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your AWS account, including events for AWS Organizations, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. When CloudTrail logging is enabled in your AWS account, API calls made to AWS Organizations actions are tracked in CloudTrail log files, where they are written with other AWS service records. You can configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)

All AWS Organizations actions are logged by CloudTrail and are documented in the [AWS Organizations API Reference](https://docs.aws.amazon.com/organizations/latest/APIReference/). For example, calls to `CreateAccount` (including the `CreateAccountResult` event), `ListHandshakesForAccount`, `CreatePolicy`, and `InviteAccountToOrganization` generate entries in the CloudTrail log files. 

Every log entry contains information about who generated the request. The user identity information in the log entry helps you determine the following: 
+ Whether the request was made with root user or IAM user credentials
+ Whether the request was made with temporary security credentials for an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) or a [federated user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html)
+ Whether the request was made by another AWS service

For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

**Note**  
CloudTrail logs an event in the account whose principal performed the action, not necessarily in the management account. For example, a member account leaving an organization is logged in that member account's trail, and a management account removing a member account is logged in the management account's trail. To collect both in one place, use an organization trail that covers all member accounts.

## Understanding AWS Organizations log file entries
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

### Example log entries: CloseAccount
<a name="Log-entries-close-account"></a>

The following example shows a CloudTrail log entry for a sample `CloseAccount` call that is generated when the API is called and the workflow to close the account starts processing in the background.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2022-03-18T18:17:06Z"
            }
        }
    },
    "eventTime": "2022-03-18T18:17:06Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CloseAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "requestParameters": {
        "accountId": "555555555555"
    },
    "responseElements": null,
    "requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
    "eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows a CloudTrail log entry for a `CloseAccountResult` call after the background workflow to close the account successfully completes.

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "organizations.amazonaws.com"
  },
  "eventTime": "2022-03-18T18:17:06Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CloseAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "organizations.amazonaws.com",
  "userAgent": "organizations.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "closeAccountStatus": {
      "accountId": "555555555555",
      "state": "SUCCEEDED",
      "requestedTimestamp": "Mar 18, 2022 6:16:58 PM",
      "completedTimestamp": "Mar 18, 2022 6:16:58 PM"
    }
   },
   "eventCategory": "Management"
}
```

### Example log entries: CreateAccount
<a name="Log-entries-create-account"></a>

The following example shows a CloudTrail log entry for a sample `CreateAccount` call that is generated when the API is called and the workflow to create the account starts processing in the background.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-09-16T21:16:45Z"
            }
        }
    },
    "eventTime": "2018-06-21T22:06:27Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CreateAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "requestParameters": {
        "tags": [],
        "email": "****",
        "accountName": "****"
    },
    "responseElements": {
        "createAccountStatus": {
            "accountName": "****",
            "state": "IN_PROGRESS",
            "id": "car-examplecreateaccountrequestid111",
            "requestedTimestamp": "Sep 16, 2020 9:20:50 PM"
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

The following example shows a CloudTrail log entry for a `CreateAccount` call after the background workflow to create the account successfully completes.

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "..."
  },
  "eventTime": "2020-09-16T21:20:53Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CreateAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "....",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "createAccountStatus": {
      "id": "car-examplecreateaccountrequestid111",
      "state": "SUCCEEDED",
      "accountName": "****",
      "accountId": "444455556666",
      "requestedTimestamp": "Sep 16, 2020 9:20:50 PM",
      "completedTimestamp": "Sep 16, 2020 9:20:53 PM"
    }
  }
}
```

 The following example shows a CloudTrail log entry that is generated after a `CreateAccount` background workflow fails to create the account.

```
{
  "eventVersion": "1.06",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2018-06-21T22:06:27Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CreateAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "createAccountStatus": {
      "id": "car-examplecreateaccountrequestid111",
      "state": "FAILED",
      "accountName": "****",
      "failureReason": "EMAIL_ALREADY_EXISTS",
      "requestedTimestamp": "Jun 21, 2018 10:06:27 PM",
      "completedTimestamp": "Jun 21, 2018 10:07:15 PM"
    }
  }
}
```

### Example log entry: CreateOrganizationalUnit
<a name="Log-entries-create-ou"></a>

The following example shows a CloudTrail log entry for a sample `CreateOrganizationalUnit` call.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:40:11Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CreateOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "requestParameters": {
        "name": "OU-Developers-1",
        "parentId": "r-a1b2"
    },
    "responseElements": {
        "organizationalUnit": {
            "arn": "arn:aws:organizations::111111111111:ou/o-aa111bb222/ou-examplerootid111-exampleouid111",
            "id": "ou-examplerootid111-exampleouid111",
            "name": "OU-Developers-1",
            "path": "o-aa111bb222/r-a1b2/ou-examplerootid111-exampleouid111/"
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: InviteAccountToOrganization
<a name="Log-entries-invite-account"></a>

The following example shows a CloudTrail log entry for a sample `InviteAccountToOrganization` call.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:41:17Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "InviteAccountToOrganization",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "requestParameters": {
        "notes": "This is a request for Mary's account to join Diego's organization.",
        "target": {
            "type": "ACCOUNT",
            "id": "222222222222"
        }
    },
    "responseElements": {
        "handshake": {
            "requestedTimestamp": "Jan 18, 2017 9:41:16 PM",
            "state": "OPEN",
            "arn": "arn:aws:organizations::111111111111:handshake/o-aa111bb222/invite/h-examplehandshakeid111",
            "id": "h-examplehandshakeid111",
            "parties": [
                {
                    "type": "ORGANIZATION",
                    "id": "o-aa111bb222"
                },
                {
                    "type": "ACCOUNT",
                    "id": "222222222222"
                }
            ],
            "action": "invite",
            "expirationTimestamp": "Feb 2, 2017 9:41:16 PM",
            "resources": [
                {
                    "resources": [
                        {
                            "type": "MASTER_EMAIL",
                            "value": "diego@example.com"
                        },
                        {
                            "type": "MASTER_NAME",
                            "value": "Management account for organization"
                        },
                        {
                            "type": "ORGANIZATION_FEATURE_SET",
                            "value": "ALL"
                        }
                    ],
                    "type": "ORGANIZATION",
                    "value": "o-aa111bb222"
                },
                {
                    "type": "ACCOUNT",
                    "value": "222222222222"
                },
                {
                    "type": "NOTES",
                    "value": "This is a request for Mary's account to join Diego's organization."
                }
            ]
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: AttachPolicy
<a name="Log-entries-attach-policy"></a>

The following example shows a CloudTrail log entry for a sample `AttachPolicy` call. The response indicates that the call failed because the requested policy type isn't enabled in the root where the request to attach was attempted.

```
{
    "eventVersion": "1.06",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:42:44Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "AttachPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "errorCode": "PolicyTypeNotEnabledException",
    "errorMessage": "The given policy type ServiceControlPolicy is not enabled on the current view",
    "requestParameters": {
        "policyId": "p-examplepolicyid111",
        "targetId": "ou-examplerootid111-exampleouid111"
    },
    "responseElements": null,
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: Invalid effective policy
<a name="Log-entries-invalid-effective-policy"></a>

The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization creates an invalid effective policy on any account.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-07-17T14:53:40Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "EffectivePolicyValidation",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "readOnly": true,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111111111111",
    "serviceEventDetails": {
        "accountId": "111111111111",
        "policyType": "BACKUP_POLICY",
        "state": "INVALID",
        "requestTimestamp": "Jul 17, 2025, 2:53:40 PM",
        "info": "All validation errors listed",
        "validationErrors": [
            {
                "accountPath": "o-aa111bb222/r-a1b2/111111111111/",
                "evaluationTimestamp": "Jul 17, 2025, 2:53:40 PM",
                "errorCode": "ELEMENTS_TOO_MANY",
                "errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10",
                "pathToError": "plans/hourly-backup/rules/hourly_rule",
                "contributingPolicies": [
                    "p-examplepolicyid111"
                ]
            }
        ]
    },
    "eventCategory": "Management"
}
```

### Example log entry: Valid effective policy
<a name="Log-entries-valid-effective-policy"></a>

The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization fixes an effective policy on an account that was previously invalid.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111111111111",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-07-17T14:54:40Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "EffectivePolicyValidation",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "readOnly": true,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111111111111",
    "serviceEventDetails": {
        "accountId": "111111111111",
        "policyType": "BACKUP_POLICY",
        "state": "VALID",
        "requestTimestamp": "Jul 17, 2025, 2:54:40 PM",
        "info": "Previous effective policy validation error(s) resolved for this account/policyType"
    },
    "eventCategory": "Management"
}
```
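As an added example that is not part of this documentation, the following Python triage runs over CloudTrail records with the layout of the entries above and tags the ones an operator would want to look at: sensitive Organizations calls, calls made without MFA or with root credentials, failed calls, failed asynchronous account workflows, and invalid effective policies. The records and the `SENSITIVE_ACTIONS` list are constructed for the example, not an AWS-defined list; point `load_records` at the log files from an organization trail so that actions taken in member accounts (such as `LeaveOrganization`) are included.

```python
import json
from typing import Any, Dict, List

# Organizations actions whose success changes membership, control or policy
# coverage. This set is the example's choice, not an AWS-defined list.
SENSITIVE_ACTIONS = {
    "CreateAccount", "InviteAccountToOrganization", "AcceptHandshake",
    "LeaveOrganization", "RemoveAccountFromOrganization", "CloseAccount",
    "DetachPolicy", "DeletePolicy", "DisablePolicyType", "DeleteOrganization",
}


def load_records(log_file_text: str) -> List[Dict[str, Any]]:
    """CloudTrail log files delivered to S3 wrap entries in a top-level Records array."""
    return json.loads(log_file_text)["Records"]


def actor(rec: Dict[str, Any]) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or "unknown"


def findings(rec: Dict[str, Any]) -> List[str]:
    """Zero or more finding tags for one record; [] for anything not worth a look."""
    if rec.get("eventSource") != "organizations.amazonaws.com":
        return []
    out: List[str] = []
    name = rec.get("eventName", "")
    ident = rec.get("userIdentity", {})
    if rec.get("eventType") == "AwsApiCall":
        if "errorCode" in rec:
            # Failures are signal too: AccessDenied runs look like enumeration, and
            # PolicyTypeNotEnabledException means someone tried to attach an SCP.
            out.append(f"api-error:{rec['errorCode']}")
        elif name in SENSITIVE_ACTIONS:
            out.append(f"sensitive-action:{name}")
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            if attrs.get("mfaAuthenticated") == "false":
                out.append("no-mfa")
            if ident.get("type") == "Root":
                out.append("root-credentials")
    elif rec.get("eventType") == "AwsServiceEvent":
        details = rec.get("serviceEventDetails", {})
        # The outcome of CreateAccount/CloseAccount arrives asynchronously in the
        # *Result events, under serviceEventDetails rather than responseElements.
        for key in ("createAccountStatus", "closeAccountStatus"):
            status = details.get(key)
            if status and status.get("state") == "FAILED":
                out.append(f"workflow-failed:{name}:{status.get('failureReason', 'unknown')}")
        if name == "EffectivePolicyValidation" and details.get("state") == "INVALID":
            codes = sorted({e["errorCode"] for e in details.get("validationErrors", [])})
            out.append(f"invalid-effective-policy:{details.get('policyType')}:{','.join(codes)}")
    return out


def triage(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group the actors behind each finding tag across a batch of records."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        for tag in findings(rec):
            report.setdefault(tag, []).append(actor(rec))
    return report


# Constructed records with the field layout of the entries above, trimmed to
# the fields the triage reads.
ORG = "organizations.amazonaws.com"
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventSource": ORG, "eventName": "CloseAccount", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"accountId": "555555555555"}},
    {"eventSource": ORG, "eventName": "CreateAccountResult", "eventType": "AwsServiceEvent",
     "userIdentity": {"accountId": "111122223333", "invokedBy": "AWS Internal"},
     "serviceEventDetails": {"createAccountStatus": {
         "state": "FAILED", "failureReason": "EMAIL_ALREADY_EXISTS"}}},
    {"eventSource": ORG, "eventName": "AttachPolicy", "eventType": "AwsApiCall",
     "errorCode": "PolicyTypeNotEnabledException",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/diego"}},
    {"eventSource": ORG, "eventName": "EffectivePolicyValidation", "eventType": "AwsServiceEvent",
     "userIdentity": {"accountId": "111122223333", "invokedBy": "AWS Internal"},
     "serviceEventDetails": {"policyType": "BACKUP_POLICY", "state": "INVALID",
                             "validationErrors": [{"errorCode": "ELEMENTS_TOO_MANY"}]}},
    {"eventSource": ORG, "eventName": "ListHandshakesForAccount", "eventType": "AwsApiCall",
     "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/diego"}},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The split on `eventType` matters: the human-initiated `AwsApiCall` entries carry the principal, MFA flag and any `errorCode`, while the `AwsServiceEvent` entries that report how an asynchronous workflow ended carry their result only in `serviceEventDetails`, so a rule that looks at `responseElements` alone never sees a `FAILED` account creation.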

# Amazon EventBridge and AWS Organizations
<a name="orgs_cloudwatch-integration"></a>

AWS Organizations can work with Amazon EventBridge, formerly Amazon CloudWatch Events, to raise events when administrator-specified actions occur in an organization. Because such actions are sensitive, most administrators want to be notified every time someone creates a new account in the organization or an administrator of a member account attempts to leave the organization. You can configure EventBridge rules that look for these actions and send the generated events to administrator-defined targets, such as an Amazon SNS topic that emails or text-messages its subscribers, or an AWS Lambda function that logs the details of the action for your later review.

For a tutorial that shows how to enable EventBridge to monitor key activity in your organization, see [Tutorial: Monitor important changes to your organization with Amazon EventBridge](orgs_tutorials_cwe.md).

**Important**  
Currently, AWS Organizations is hosted in only the US East (N. Virginia) Region (even though it is available globally). To perform the steps in that tutorial, you must configure the AWS Management Console to use that Region, and any EventBridge rule for Organizations events must be created there. 

To learn more about EventBridge, including how to configure and enable it, see the *[Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/)*.
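The following is an added example, not from the tutorial or the AWS documentation: an EventBridge event pattern for a rule that fires on Organizations API calls of interest, together with a minimal matcher that implements the exact-match rules the pattern relies on, so you can test the pattern against sample records offline. The action list is this example's choice, and the sample records are constructed. The pattern is meant for the default event bus in US East (N. Virginia), where Organizations API calls are delivered via CloudTrail.

```python
import json
from typing import Any, Dict, List

# Event pattern for a rule in us-east-1. The action list is this example's
# choice; extend it to whatever your organization considers change-worthy.
ORG_CHANGE_PATTERN: Dict[str, Any] = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": [
            "CreateAccount", "InviteAccountToOrganization", "AcceptHandshake",
            "LeaveOrganization", "RemoveAccountFromOrganization", "CloseAccount",
            "AttachPolicy", "DetachPolicy", "DisablePolicyType",
        ],
    },
}


def pattern_json() -> str:
    """The pattern as EventBridge expects it, e.g. for `aws events put-rule --event-pattern`."""
    return json.dumps(ORG_CHANGE_PATTERN)


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """EventBridge exact matching: every pattern key must exist in the event,
    nested objects recurse, and a leaf list matches when the event value is one
    of the listed literals. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def cloudtrail_envelope(record: Dict[str, Any]) -> Dict[str, Any]:
    """How EventBridge presents a CloudTrail-sourced API call: the CloudTrail
    record becomes `detail`, with source and detail-type fixed as below."""
    return {
        "source": "aws.organizations",
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": record,
    }


def firing_events(records: List[Dict[str, Any]]) -> List[str]:
    """Names of the records that would trigger a rule using ORG_CHANGE_PATTERN."""
    return [r["eventName"] for r in records
            if pattern_matches(ORG_CHANGE_PATTERN, cloudtrail_envelope(r))]


# Constructed CloudTrail records, trimmed to the fields the pattern inspects.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "ListHandshakesForAccount"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"},
]

if __name__ == "__main__":
    print(pattern_json())
    print(firing_events(SAMPLE_RECORDS))  # ['CreateAccount', 'LeaveOrganization']
```

Save the output of `pattern_json()` as `pattern.json` and create the rule with `aws events put-rule --region us-east-1 --name org-changes --event-pattern file://pattern.json`, then attach the SNS topic or Lambda function as a target. Two points the matcher makes visible: read-only calls such as `ListHandshakesForAccount` and `DescribeOrganization` never match, and EventBridge does not deliver read-only API calls at all; and the asynchronous `CreateAccountResult` and `CloseAccountResult` entries arrive with detail-type `AWS Service Event via CloudTrail`, so a rule that lists only `AWS API Call via CloudTrail` will not see them.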

# Compliance validation for AWS Organizations
<a name="orgs_security_compliance-validation"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in AWS Organizations
<a name="orgs_security_disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in AWS Organizations
<a name="orgs_security_infrastructure"></a>

As a managed service, AWS Organizations is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Organizations through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-2](https://aws.amazon.com/compliance/fips/).