AWS Organization Account Access Role
AWS has documentation about using the Organization Account Access Role:
Managing AWS accounts in your organization
Creating the OrganizationAccountAccessRole in an invited member account
By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named OrganizationAccountAccessRole. For more information, see Accessing a member account that has a management account access role.
However, member accounts that you invite to join your organization do not automatically get an administrator role created; you must manually create the role. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
Below is an overview of manually creating the role. Refer to the AWS documentation links above for more information.
AWS ORG Management Account
These permissions can be applied either to a group or to a user within the organization management account. If you apply them to a group, make sure at least one user is a member of that group.
User or Group Permissions needed:
AmazonEC2ReadOnlyAccess
AmazonVPCReadOnlyAccess
AWSOrganizationsReadOnlyAccess
Attach Custom Policy: Demo-org-access-custom-policy
Example of Group
Example of User
Example of attaching the custom policy
AWS Member Accounts
All member accounts use the built-in OrganizationAccountAccessRole role, which has the AdministratorAccess managed policy attached. If you would like to limit this access, remove that policy and attach the following permissions to the role in each member account.
OrganizationAccountAccessRole Permissions needed:
AmazonEC2ReadOnlyAccess
AmazonVPCReadOnlyAccess
AWSDirectConnectReadOnlyAccess
Custom Policy: Demo-org-access-custom-policy
Trust Relationship of Member Accounts
By default, AWS sets the following account as the trusted principal in the role's trust policy:
Implications: Any IAM user or role in the management account (237995348030) can assume the specified role in the member accounts, provided it has permission to call sts:AssumeRole.
Recommended: limit the trust policy to a specific IAM user or role. Consult the AWS security best practices guide for more information.
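As an added example (not code from this page or from the AWS documentation it links to), the following Python builds the trust policy and the permission set described above for the OrganizationAccountAccessRole in an invited member account, and shows the difference between the default account-root principal and a trust policy narrowed to a single role in the management account. The management account ID 237995348030 is the one shown on the page; the role name OrgReadOnlyAuditor, the member account ID in the usage, and the assumption that Demo-org-access-custom-policy is a customer-managed policy created in the member account are all my own placeholders.

```python
"""Build and check the OrganizationAccountAccessRole for an invited member account.

Added example, not AWS's or the page's own code. Assumed (not from the page):
the management-account role name "OrgReadOnlyAuditor" and that the custom
policy Demo-org-access-custom-policy is a customer-managed policy in the
member account.
"""
import json

MANAGEMENT_ACCOUNT_ID = "237995348030"   # management account ID shown on the page
ROLE_NAME = "OrganizationAccountAccessRole"
CUSTOM_POLICY_NAME = "Demo-org-access-custom-policy"

# Managed policies the page lists for the role in each member account.
MEMBER_ROLE_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess",
]


def custom_policy_arn(member_account_id):
    """ARN of the customer-managed policy, assumed to live in the member account."""
    return f"arn:aws:iam::{member_account_id}:policy/{CUSTOM_POLICY_NAME}"


def trust_policy(principal_arns):
    """Trust policy allowing the given principals to call sts:AssumeRole on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def default_trust_policy():
    """The default shape: the management account root. Any IAM user or role in
    that account may assume the role as long as it also holds sts:AssumeRole
    permission in its own identity policy."""
    return trust_policy([f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:root"])


def narrowed_trust_policy(role_name):
    """The recommended shape: only one named role in the management account."""
    return trust_policy([f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/{role_name}"])


def can_assume(policy, caller_arn):
    """Simplified trust-policy evaluation for an IAM user or role ARN.

    Models only the two principal forms built above (account root and a
    specific IAM ARN) and assumes the caller already has sts:AssumeRole
    permission, which an account-root trust additionally requires.
    """
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        for principal in stmt["Principal"]["AWS"]:
            if principal == caller_arn:
                return True
            if principal.endswith(":root") and principal.split(":")[4] == caller_account:
                return True
    return False


def create_member_role(member_account_id, trust):
    """Create the role and attach the page's policies in the member account.

    Requires credentials for the member account; boto3 is imported lazily so
    the policy builders above work without it installed.
    """
    import boto3
    iam = boto3.client("iam")
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust))
    for arn in MEMBER_ROLE_MANAGED_POLICIES + [custom_policy_arn(member_account_id)]:
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=arn)


if __name__ == "__main__":
    # Constructed callers: an arbitrary user versus the one auditor role.
    user = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:user/alice"
    auditor = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/OrgReadOnlyAuditor"
    for label, pol in [("default", default_trust_policy()),
                       ("narrowed", narrowed_trust_policy("OrgReadOnlyAuditor"))]:
        print(label, "user:", can_assume(pol, user), "auditor:", can_assume(pol, auditor))
    print(json.dumps(narrowed_trust_policy("OrgReadOnlyAuditor"), indent=2))
    # create_member_role("222222222222", narrowed_trust_policy("OrgReadOnlyAuditor"))
```

Running the script without credentials only prints the evaluation and the narrowed trust policy; the commented-out `create_member_role` call is the step you would run with member-account credentials once the custom policy exists there. The `can_assume` check makes the page's "Implications" line concrete: with the account-root principal, every user and role in 237995348030 that can call sts:AssumeRole gets in, whereas the narrowed policy admits only the named role.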