Delegate SCP administration of specific OU to IAM role of a member account

0

We have a shared Organization and would like to provide member accounts in an Organization to self manage SCPs on OUs where their accounts are located. We want to know if it is possible to do the following:

  1. An organization has OU-A, OU-B and OU-C etc.
  2. An account in OU-B wants to use IAM-User-B to create an SCP in the Management account and assign to OU-B
  3. IAM-USer-B must be have the ability to create/modify/delete SCPs in Organizations in the Management account, but can ONLY assign the SCP to OU-B.
  4. Any attempt to assign an SCP to OU-A or OU-C will be denied.
  5. Auditing is in place and a notification is triggered of any invalid attempt by IAM-User-B
  6. The same principle must be applied to users in OU-A and OU-C.

Any help is appreciated.

Thanks

1 Answer
1

Well, if I understand you correctly, when you assign the policy to the user or role the user assumes (do not use users please, use always temp credentials so assume roles), what you can define on that policy is with resource, so you limit the permissions you grant in the policy to that specific resource, here is the idea:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*", 
        "organizations:List*" 
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:AttachPolicy",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}

As you can see on the Resource line, you can restrict the OU in the resource line, to the attach policy permission. Hope this helps to build the desired policy, here is the documentation:

You can also play with some global conditions and ResourceOrgPaths here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

best.

answered 25 days ago
  • Thanks for you r reply @JuanEn_G I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions