Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »

This section explains the policy configuration for an AWS account which is not an AWS management account.

If you are configuring a third party DNS provider from an AWS account which is not an AWS management account, a specific policy needs to be configured. To create or update the resource-based delegation policies, you need permissions to run the following actions:

  • organizations:PutResourcePolicy

  • organizations:DescribeResourcePolicy

Additionally, you must grant roles and users in the delegated administrator account with the corresponding IAM permissions for the required actions.

To create a delegation policy in the management account, do the following:

  1. Log in to the AWS Management Console.
    You must be logged in as an IAM user, assume an IAM role, or logged in as the root user in the organization’s management account with appropriate permissions that are stated above. For more information, see Safeguard your root user credentials.

  2. Go to the  AWS Organizations Service Console.

  3. Go to Settings.

  4. In the Delegated Administrator for AWS Organizations section, do one of the following:

    • To create the organization's delegation policy, choose Delegate.

    • To update an existing delegation policy, choose Edit.

  5. Type a JSON policy in the JSON editor or copy the below example policy and customize it for your account. Following is an example of a Delegated administrator for AWS Organizations policy:
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "DelegatingNecessaryListActionsMultiAcc",
    "Effect": "Allow",
    "Principal": {
    "AWS": [
    "arn:aws:iam::<Parent_account_ID>:root",
    "arn:aws:iam::<Parent_account_ID>::root"
    ]
    },
    "Action": [
    "organizations:ListParents",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:ListChildren"
    "organizations:ListAccountsForParent",
     "organizations:ListOrganizationalUnitsForParent"
    ],
    "Resource": "*"
    }
    ]
    }

  6. Resolve any security warnings, errors, or general warnings generated during policy validation.

  7. Choose Create policy to save your work.
    This provides the delegated administrator access to the management account.

The following configuration options are available:

  • No labels