IAM Policies With Principal Org Ids

iam

Let's say you want to write an AWS IAM policy that allows anybody under your AWS Organization to perform an action, such as accessing S3 buckets, without enumerating every account.

You can do this with the aws:PrincipalOrgID condition key in the resource-based policy of the shared resource (for S3, the bucket policy):

{
  "Sid": "Allow org access to all s3 buckets",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": ["s3:*"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
    }
  }
}

A statement like the one above grants access only to principals that belong to your organization: the aws:PrincipalOrgID key is present in the request context only for principals in an organization, so requests from outside it, including anonymous requests, never match the StringEquals condition and are not allowed. Note that this key does the work in resource-based policies; a principal in another account still needs an identity-based policy in its own account that allows the S3 actions, and a bucket policy must name the bucket and object ARNs in Resource rather than "*". This pattern is useful when multiple AWS accounts share resources, like a centralized ECR.
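As an added example (not from the original post), the Python below builds an org-scoped bucket policy of this shape and lints an arbitrary policy document for the mistake the condition is meant to prevent: an Allow statement whose Principal is "*" with no aws:PrincipalOrgID condition. The bucket name and the organization ID are constructed placeholders; the policy it generates narrows the post's s3:* / "*" statement to read actions on explicit bucket ARNs, which is what a bucket policy requires.

```python
"""Build an org-scoped S3 bucket policy and lint policies for unscoped wildcard principals.

Added example, not the original post's code. Organization ID and bucket name are
placeholders: substitute your own real values.
"""
import json

ORG_ID_PLACEHOLDER = "o-xxxxxxxxxxx"  # constructed placeholder, not a real org ID


def build_org_scoped_bucket_policy(bucket_name: str, org_id: str) -> dict:
    """Return a bucket policy that lets any principal in org_id read the bucket.

    Resource-based policies must name the resource explicitly, so both the
    bucket ARN and the object ARN pattern are listed instead of "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgReadAccess",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",
                    f"arn:aws:s3:::{bucket_name}/*",
                ],
                # The condition is what turns "*" into "anyone in my organization".
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_org_condition(statement: dict) -> bool:
    """True if the statement pins aws:PrincipalOrgID to an o-... value via StringEquals.

    Condition keys are case-insensitive, so compare in lower case.
    """
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in string_equals.items():
        if key.lower() == "aws:principalorgid":
            return all(str(v).startswith("o-") for v in _as_list(value))
    return False


def find_unscoped_wildcard_statements(policy: dict) -> list:
    """Return the Sids (or positional labels) of Allow statements that grant to "*"
    without an aws:PrincipalOrgID condition, i.e. statements open to any AWS principal."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")) and not _has_org_condition(stmt):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    scoped = build_org_scoped_bucket_policy("shared-artifacts", ORG_ID_PLACEHOLDER)
    print(json.dumps(scoped, indent=2))
    print("unscoped wildcard statements:", find_unscoped_wildcard_statements(scoped))
```

The linter only looks at statements; run it over bucket policies you already have in place to spot ones that were meant to be org-wide but were left open to every AWS account.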
