Organisation resource based policy for delegated admin account principles to limit actions for SCPs based on suborganisation id.

Question

Hi, We want to use the delegated administrator for organisation  using the resource based delegations policy feature .
Our use case is following :
1. We separate BU. (business units) by OUs in our organisation structure. Now we want a delegated admin account to manage the SCPS(create,delete,update,attach,detach) only. for certain OUs. Here is the example
`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": “statement1,
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::(delegatedadminaccount):root"
            },
            "Action": "organizations:UpdatePolicy",
            "Resource": [
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idi",
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-aspwa9idi",
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asad9idi",
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9gdi",
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idd”,
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idb”,
                "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9ide”
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:aws:PrincipalARN": [
                        "arn:aws:iam::(delegatedadminaccount):roleabc/efg/iam_admin"
                    ]
                }
            }
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::(delegatedadminaccount):root"
            },
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:CreatePolicy",
                "organizations:DetachPolicy",
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-abcdf42x6c"
                },
                "StringNotLike": {
                    "aws:aws:PrincipalARN": [
                        "arn:aws:iam::(delegatedadminaccount):role/abc/efg/iam_admin"                    ]
                },
                "StringEqualsIfExists": {
                    "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
                }
            }
        }
    ]
}` 
However , i am not sure how to restrict the delegated admins to OU level ? .

Answer

One option is to apply tags in each Organizational Unit, then in the delegation policy in AWS Organization Delegated Admin feature you can restrict access to the Organization Unit through their Tag in the Condition section of the policy.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#:~:text=aws%3AResourceTag/%24%7BTagKey%7D-,Condition%20keys%20for%20AWS%20Organizations,-AWS%20Organizations%20defines

Organisation resource based policy for delegated admin account principles to limit actions for SCPs based on suborganisation id.

Relevant content