How can I attach an AWS Organization policy to a child account or Organizational Unit (OU)?


Scenario:
To attach a policy to a child account or an Organizational Unit (OU) in AWS Organizations, follow these steps:
Log In to AWS Management Console:
- Use the management account, or a member account that the management account has delegated policy management to (a delegated administrator for AWS Organizations).
Navigate to AWS Organizations:
- Open the AWS Organizations console.
Access Policies:
- In the left-hand menu, click Policies and choose the policy type (Service control policies, Tag policies, etc.). A policy type must be enabled for the organization before policies of that type can be attached.
Select and Attach Policy:
- Find the policy you want to attach and click on it.
- Click Attach policy, then select the target (root, OU or member account) from the list.
- Confirm the action by clicking Attach again.
Review Attached Policies:
- Navigate to the AWS accounts section in AWS Organizations.
- Select the account or OU and open its Policies tab to verify the policies attached directly to it and those inherited from parent OUs and the root. The Effective policies view is available for management policy types such as tag policies; SCPs are evaluated individually rather than merged, so for them check the attached and inherited list.
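The same attach-and-verify procedure from the AWS CLI, as an added example that is not part of the original post. The policy ID `p-examplepol1` and OU ID `ou-ab12-cdef5678` are placeholders (assumptions); `DRY_RUN=1`, the default, prints each command instead of calling AWS so the flow can be read and exercised without credentials. The ID checks mirror the patterns the Organizations API accepts for `PolicyId` and `TargetId`.

```shell
#!/bin/sh
# Added example (not from the original post): attach an AWS Organizations
# policy to an OU or member account with the AWS CLI, then verify it.
# DRY_RUN=1 (the default) prints the commands instead of calling AWS.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Run an AWS CLI command, or echo it when DRY_RUN is set.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Target IDs accepted by AttachPolicy: a 12-digit account ID, an OU ID
# (ou-<4-32 chars>-<8-32 chars>) or a root ID (r-<4-32 chars>).
valid_target_id() {
  printf '%s' "$1" | grep -Eq '^([0-9]{12}|ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$'
}

# Policy IDs look like p-<8-128 chars>.
valid_policy_id() {
  printf '%s' "$1" | grep -Eq '^p-[0-9a-zA-Z_]{8,128}$'
}

# Validate first: a malformed ID would otherwise cost a round-trip that fails
# with InvalidInputException and a less specific message.
attach_policy() {
  policy_id="$1"; target_id="$2"
  valid_policy_id "$policy_id" || { echo "bad policy id: $policy_id" >&2; return 1; }
  valid_target_id "$target_id" || { echo "bad target id: $target_id" >&2; return 1; }
  run_aws organizations attach-policy --policy-id "$policy_id" --target-id "$target_id"
}

# Verify: list the policies of one type attached directly to the target.
# Attaching an SCP that is already attached returns
# DuplicatePolicyAttachmentException, so this is the check to run first.
list_attached() {
  run_aws organizations list-policies-for-target --target-id "$1" --filter "$2"
}

# Usage with placeholder IDs (assumed, not real):
main() {
  run_aws organizations list-policies --filter SERVICE_CONTROL_POLICY
  attach_policy p-examplepol1 ou-ab12-cdef5678
  list_attached ou-ab12-cdef5678 SERVICE_CONTROL_POLICY
}

main "$@"
```

Run with `DRY_RUN=0` from a principal in the management account (or a delegated member account) that has `organizations:ListPolicies`, `organizations:AttachPolicy` and `organizations:ListPoliciesForTarget` allowed; an `AccessDeniedException` here from a member account is the CLI form of the console error discussed below.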
Scenario:
When you log in with a child account and attempt to add an organization-level policy, you receive the error:
"You don't have permission to see this page because the management account has not granted you permission to view policies."
Resolution:
This error occurs because organization-level policies can only be managed by the management account or delegated administrator accounts. Child accounts do not have default permissions to view or add these policies.
Steps to Resolve:
Verify Account Roles and Permissions:
- Confirm which account you are signed in to. A member (child) account cannot manage organization policies on its own, so the error is expected unless the management account has delegated those actions to it.
- Check whether Service Control Policies (SCPs) attached to the child account, or to an OU above it, deny organizations:* actions; a deny there causes an access error even after delegation.
Contact the Management Account Administrator:
- Ask the management account administrator to delegate the policy actions your account needs. Only the management account can do this, by adding your account to the organization's resource-based delegation policy, which makes it a delegated administrator for AWS Organizations.
Example IAM identity policy for the principal that will view and attach policies:
- This is an IAM identity policy, not an SCP. An SCP never grants permissions: it only caps what an account's identity policies may allow, and it does not apply to the management account at all. Attach this policy to the IAM user or role doing the work; in a member account it takes effect only for the actions the management account has also delegated.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "organizations:DescribePolicy",
          "organizations:ListPolicies",
          "organizations:AttachPolicy"
        ],
        "Resource": "*"
      }
    ]
  }
Use the Management Account for Policy Management:
- If permissions cannot be granted, ask the management account administrator to log in and perform the required actions.
Delegate Access with IAM Roles:
- Alternatively, the management account can create an IAM role whose trust policy allows a principal in the child account to assume it, and attach a permission policy with the required organizations: actions. The child account then calls the Organizations APIs through sts:AssumeRole as a management-account principal, so no delegation policy is needed. Because SCPs do not apply to the management account, this role also sits outside your SCP guardrails, so scope its actions and trust policy tightly.
Example permission policy for the delegation role (the trust policy naming the child account's principal is separate):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "organizations:DescribePolicy",
          "organizations:ListPolicies",
          "organizations:AttachPolicy"
        ],
        "Resource": "*"
      }
    ]
  }
Attach Policies Through Delegated Access:
- Once the role exists, the child account assumes it and attaches policies to specific OUs or accounts.
Important Notes:
- Policies must be attached from the management account unless the management account has explicitly delegated those actions to a member account.
- SCPs attached at the root or OU level apply to member accounts, including delegated administrators, and can block organizations:* calls even after access has been delegated. They never apply to the management account.
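How the management account performs the delegation that the "Contact the Management Account Administrator" step asks for, as an added example that is not part of the original post. It writes an Organizations resource-based delegation policy that lets one member account list and describe policies and attach or detach SCPs only. The member account ID 111122223333 is a placeholder (assumption), and `DRY_RUN=1`, the default, prints the CLI commands instead of calling AWS. Unlike an SCP, this resource-based policy actually grants access; the member account's IAM principal still needs a matching identity policy like the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): from the management account,
# delegate viewing and attaching of service control policies to one member
# account via an Organizations resource-based delegation policy.
# 111122223333 is a placeholder account ID (assumption).
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Run an AWS CLI command, or echo it when DRY_RUN is set.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# Emit the delegation policy for the given member account. The first
# statement grants the read-only actions the console needs to render the
# Policies pages; the second permits attach/detach, restricted to SCPs by the
# organizations:PolicyType condition key so the account cannot touch tag or
# backup policies.
delegation_policy() {
  account_id="$1"
  printf '%s' "$account_id" | grep -Eq '^[0-9]{12}$' || { echo "bad account id: $account_id" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateReadOnlyPolicyAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccounts",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DelegateScpAttachment",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "organizations:PolicyType": "SERVICE_CONTROL_POLICY" }
      }
    }
  ]
}
EOF
}

# Install the policy (put-resource-policy replaces any existing delegation
# policy, so merge statements for other accounts before running it) and read
# it back to confirm what is now delegated.
apply_delegation() {
  run_aws organizations put-resource-policy --content "$(delegation_policy "$1")"
  run_aws organizations describe-resource-policy
}

apply_delegation 111122223333
```

After this runs with `DRY_RUN=0`, a principal in 111122223333 whose identity policy allows the same actions can open the Policies pages and attach SCPs; it remains subject to any SCPs on its own OU, and it still cannot create, update or delete policies because those actions were deliberately left out of the second statement.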