By using AWS re:Post, you agree to the Terms of Use
/Organisation ConformancePacks: s3 bucket policy for delegated administrator?/

Organisation ConformancePacks: s3 bucket policy for delegated administrator?


I am following the documented procedure to use a delegated administrator to deploy organisation-wide conformance packs:

When using the delegated account to put the packs I get an error:

An error occurred (InsufficientPermissionsException) when calling the PutOrganizationConformancePack operation: Insufficient permission to get S3 bucket ACL for awsconfigconforms-company-org The only way to make it work so far is to add this policy statement to allow the delegated account access to the ACL on the bucket:

            "Sid": "DelegatedAdministratorAllowGetBucketAcl",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:root"
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::awsconfigconforms-company-org",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-123456"

Is this how I can resolve the permission issue? Or is there a better way to give cross account access to the bucket in the master account?

Also: is it expected that the conformancePacks are created in the delegated account and not in the master account? aws configservice describe-organization-conformance-packs lists them for the delegated one, I guess that's expected as I'm delegating?

1 Answers

Delegated Administrator with AWS Organizations supports a list of compatible AWS services.

Take a look at How can I provide cross-account access to objects that are in Amazon S3 buckets on granting permissions cross-account.

answered 5 months ago
  • AWS Config is listed as a compatible service.

    AWSServiceRoleForConfigMultiAccountSetup is a service-linked role - so I cannot change it's permissions/policies.

    I guess I can modify the permissions/policies of the user executing PutOrganizationConformancePack - however that's a running through SSO in our case. So I believe my user is assuming a role that's then assuming the service linked role.

    I'll need to do more reading on that topic.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions