Hi, We want to use the delegated administrator for organisation using the resource based delegations policy feature .
Our use case is following :
- We separate BU. (business units) by OUs in our organisation structure. Now we want a delegated admin account to manage the SCPS(create,delete,update,attach,detach) only. for certain OUs. Here is the example
{ "Version": "2012-10-17", "Statement": [ { "Sid": “statement1, "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": "organizations:UpdatePolicy", "Resource": [ "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-aspwa9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asad9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9gdi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idd”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idb”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9ide” ], "Condition": { "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):roleabc/efg/iam_admin" ] } } }, { "Sid": "Statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:CreatePolicy", "organizations:DetachPolicy", ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-abcdf42x6c" }, "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):role/abc/efg/iam_admin" ] }, "StringEqualsIfExists": { "organizations:PolicyType": "SERVICE_CONTROL_POLICY" } } } ] }
However , i am not sure how to restrict the delegated admins to OU level ? .
