Posted On: Feb 14, 2023
AWS Identity and Access Management (IAM) now supports refining permissions policies based on the AWS Organizations organizational unit (OU) or organization ID of the principal or of the resource, in the AWS China (Beijing) region, operated by Sinnet, and the AWS China (Ningxia) region, operated by NWCD. With these new IAM capabilities, you can author IAM policies that let your principals access only resources inside specific OUs or organizations.
The new capabilities are condition keys for the IAM policy language: aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID, and aws:ResourceOrgPaths. The new keys support a wide variety of services and actions, so you can apply similar controls across different use cases. For example, consider an Amazon Simple Storage Service (Amazon S3) bucket policy whose access you want to restrict to principals from AWS accounts inside your organization. You can now use the aws:PrincipalOrgID condition key in the condition element of your policy and set its value to your organization ID.
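As an added example (not part of the original announcement), the bucket policy described above, written for a bucket in the China partition: the first statement denies any request whose principal is not in the organization, and the second grants read access only to principals whose account sits under one OU. The bucket name, organization ID, root ID and OU ID are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPrincipalsOutsideOrganization",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-cn:s3:::example-bucket",
        "arn:aws-cn:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    },
    {
      "Sid": "AllowReadFromOneOU",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-cn:s3:::example-bucket",
        "arn:aws-cn:s3:::example-bucket/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": [
            "o-EXAMPLEORGID/r-EXAMPLEROOT/ou-EXAMPLEOUID/*"
          ]
        }
      }
    }
  ]
}
```

aws:PrincipalOrgPaths is multivalued, so it is tested with ForAnyValue:StringLike and a trailing wildcard that also matches nested OUs. Because StringNotEquals matches when the key is absent, the Deny statement also rejects requests from principals that belong to no organization, including anonymous requests.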
For more information about the new condition keys, see the IAM documentation.