AWS Cloud Operations & Migrations Blog

Delegate AWS Organizations policy management in a multi-account environment

AWS Organizations helps you centrally manage and govern multiple AWS accounts. You can manage the organization structure, add and remove accounts, define configuration using policies, handle consolidated billing, and control multi-account features of integrated AWS services. As your environment grows, your administrators have to manage more accounts and policies, which often requires coordination between multiple teams.

Until recently, all policy management activities had to be done within the management account. Concentrating governance functionality in the management account prevented administrators from allowing different teams to create and manage policies. In this post you will learn how to use the recently released delegated administrator for AWS Organizations policies feature to delegate AWS Organizations policy management.

Delegated administrator for AWS Organizations policies

With delegated administrator for AWS Organizations policies, you can delegate the management of each policy type to a designated member account. This covers all existing organization policy types (backup policies, service control policies (SCPs), tag policies, and AI services opt-out policies) and lets you specify the permissible actions. You may want to delegate management of different policy types to different member accounts. For example, you may delegate SCPs to the team in charge of security accounts, or delegate backup policies to the central backup team that operates within a backup account. Once access is delegated, users with the right permissions can sign in to the delegated member account and manage the policies they have permissions for. In the following sections we walk you through common delegation scenarios and provide sample policies to help you get started.

Configuring delegated administration

Delegated administration lets you register a member account to manage aspects of AWS Organizations without accessing the management account. To delegate policy management, you create an Organizations delegation policy, a resource policy on the organization, that defines which member accounts can manage which policy types.

To get started with delegating AWS Organizations policies, you can use the AWS Organizations console, Command Line Interface (CLI), or API to create or modify your delegation policy. The policy can contain multiple statements, each defining a member account, a delegated policy type, and the allowed actions. For example, one statement can enable a member account to create and attach backup policies, while another can enable a member account to create and delete SCPs.

Example 1: Delegating management of Service Control Policies for the entire organization to a member account

You may want to delegate the management of SCPs to the security account so that the security team can manage these policies for the entire organization. Here are the steps to create a delegated administrator for this scenario; policy 1 below is an example policy that you can use.

A: Steps in organization’s management account:

  1. Sign in to the AWS Organizations console with the management account. You should have a role with permissions for organizations:PutResourcePolicy and organizations:DescribeResourcePolicy.
  2. Click on Settings on the left. On the Settings page, in the section “Delegated administrator for AWS Organizations”, click on “Delegate”.

Figure 1. Delegated administrator for AWS Organizations configuration

  3. In the editor that opens, paste the policy shown below in policy 1 and make the following modifications:
    1. Replace “AWS-member-account-ID” with the account ID of the member account to which you want to delegate.
    2. Replace “AWS-management-account-ID” with the account ID of the management account.
  4. Click on Save policy to save the policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceControlPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
        }
      }
    },
    {
      "Sid": "AllowServiceControlPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/service_control_policy/*",
        "arn:aws:organizations::aws:policy/service_control_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
        }
      }
    },
    {
      "Sid": "AllowSCPsAttachmentAndDetachmentForAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/service_control_policy/*",
        "arn:aws:organizations::aws:policy/service_control_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
        }
      }
    }
  ]
}

Policy 1. Sample policy to delegate SCP management for the entire organization to a member account

As policy 1 shows, each statement should scope the grant to a policy type in at least one of two ways (or both): (1) the organizations:PolicyType condition key, and/or (2) a policy resource ARN that names a specific policy type. This ensures that the delegated member account is delegated ONLY for the intended policy type.
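As an added example (not part of the original post), the following Python check applies that rule to a delegation policy document of the shape described above: for every Allow statement that grants a policy-write action, it reports the delegated member account, the write actions, and the policy types the statement is scoped to by condition key or typed resource ARN, and flags statements not limited to exactly one type. The sample policy and account IDs are constructed placeholders.

```python
import json
import re

# Actions that create, change, delete, attach or detach an Organizations policy.
WRITE_ACTIONS = {"organizations:" + a for a in ("CreatePolicy", "UpdatePolicy",
                 "DeletePolicy", "AttachPolicy", "DetachPolicy")}
# Policy-type segment of a policy ARN, e.g. ...:policy/<org-id>/service_control_policy/<id>
TYPE_IN_ARN = re.compile(r":policy/(?:[^/]+/)?([a-z_]+)/")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers_write(action):
    """True if an action string (possibly containing '*') matches a write action."""
    pat = re.compile("^" + re.escape(action).replace(r"\*", ".*") + "$")
    return any(pat.match(w) for w in WRITE_ACTIONS)

def policy_type_scope(statement):
    """Policy types a statement is scoped to (condition key and/or typed resource ARN)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    scope = set(_as_list(cond.get("organizations:PolicyType", [])))
    for arn in _as_list(statement.get("Resource", [])):
        if m := TYPE_IN_ARN.search(arn):
            scope.add(m.group(1).upper())
    return scope

def check_delegation_policy(policy_json):
    """One finding per Allow statement that grants a policy-write action."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        writes = sorted(a for a in _as_list(st.get("Action", [])) if _covers_write(a))
        if st.get("Effect") != "Allow" or not writes:
            continue  # read-only or Deny statements need no type scoping
        scope = policy_type_scope(st)
        findings.append({"sid": st.get("Sid"), "principal": _as_list(st["Principal"]["AWS"]),
                         "actions": writes, "policy_types": sorted(scope),
                         "ok": len(scope) == 1})  # exactly one policy type delegated
    return findings

# Constructed sample (placeholder account IDs): "CreateSCP" follows the post's pattern;
# "UpdateAny" grants UpdatePolicy with no type condition and an untyped policy ARN.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": ["organizations:Describe*", "organizations:List*"], "Resource": "*"},
    {"Sid": "CreateSCP", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": "organizations:CreatePolicy", "Resource": "*",
     "Condition": {"StringEquals": {"organizations:PolicyType": "SERVICE_CONTROL_POLICY"}}},
    {"Sid": "UpdateAny", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": ["organizations:UpdatePolicy"], "Resource": "arn:aws:organizations::999999999999:policy/*"}]})
```

Running check_delegation_policy(SAMPLE) returns two findings: CreateSCP scoped to SERVICE_CONTROL_POLICY (ok) and UpdateAny with no policy type (flagged); the read-only statement is skipped.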

B: Steps in delegated administrator member account:

  1. Sign in to the AWS Organizations console of the member account with a role that has permissions to perform the following actions:
    1. [Read actions to view the organization structure]: DescribeOrganizationalUnit, ListAccounts, ListAccountsForParent, ListChildren, ListOrganizationalUnitsForParent, ListParents, ListRoots, ListTagsForResource
    2. [Read actions for viewing policies]: DescribePolicy, ListPolicies, ListPoliciesForTarget, ListTargetsForPolicy
    3. [Write actions for managing policies]: CreatePolicy, DeletePolicy, AttachPolicy, DetachPolicy, UpdatePolicy
  2. The role will see the policy management option in the Organizations console, as shown below. The role in the member account can now click on the Policies link and manage the policies in the same way it would in the management account.

Figure 2. AWS Organizations console side menu

Example 2: Delegating management of Backup Policies for the entire organization to a member account

You may want to delegate the administration of backup policies to the backup account so that the team in charge of backups can create and manage backup policies. Policy 2 is a sample policy that shows how backup policy management can be delegated to a member account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}

Policy 2. Sample policy to delegate backup policy management for the entire organization to a member account

Example 3: Delegating management of Tag Policies for the entire organization to a member account

Policy 3 shows how you can delegate the management of tag policies to a member account, such as a shared services account that hosts services used by multiple applications in different accounts. Tag policies can then be centrally managed from this account for the entire organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowTagPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "TAG_POLICY"
        }
      }
    },
    {
      "Sid": "AllowTagPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/tag_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "TAG_POLICY"
        }
      }
    },
    {
      "Sid": "AllowTagPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/tag_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "TAG_POLICY"
        }
      }
    }
  ]
}

Policy 3. Sample policy to delegate tag policy management for the entire organization to a member account

Example 4: Delegating management of AI services opt-out policies for the entire organization to a member account

In your organization, the AI services opt-out policies may be managed by the security team, the shared services team, or a central data science team. Depending on who defines the governance for this policy type, you can delegate the management of AI services opt-out policies to that member account using policy 4.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAIServicesOptOutPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "AISERVICES_OPT_OUT_POLICY"
        }
      }
    },
    {
      "Sid": "AllowAIServicesOptOutPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:policy/*/aiservices_opt_out_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "AISERVICES_OPT_OUT_POLICY"
        }
      }
    },
    {
      "Sid": "AllowAIServicesOptOutPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "AWS-member-account-ID"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::AWS-management-account-ID:root/*",
        "arn:aws:organizations::AWS-management-account-ID:ou/*",
        "arn:aws:organizations::AWS-management-account-ID:account/*",
        "arn:aws:organizations::AWS-management-account-ID:policy/*/aiservices_opt_out_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "AISERVICES_OPT_OUT_POLICY"
        }
      }
    }
  ]
}

Policy 4. Sample policy to delegate AI services opt-out policy management for the entire organization to a member account

Conclusion and next steps

In this blog we discussed why you should consider delegated administrator for AWS Organizations policies and how you can apply the necessary configuration via the Organizations delegation policy to delegate administration of AWS Organizations policies to member accounts. This feature allows you to decentralize AWS Organizations policy management and improve your security posture by reducing access to the management account. To get started using the console, go to https://console.aws.amazon.com/organizations. You can refer to the feature documentation for further help.

About the author:

Rajeswari Malladi

Rajeswari Malladi is a Principal Solutions Architect at AWS working with enterprise customers in US-East. She works with customers to build highly scalable, flexible, and resilient cloud architectures that address their business problems and accelerate the adoption of AWS services.