IAM Policies With Principal Org Ids


Let’s say you want to write an AWS IAM policy to allow anybody under your AWS organization to perform an action, like access s3 buckets.

You can do this by using the PrincipalOrgId condition.

  "Sid": "Allow org access to all s3 buckets",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  "Action": ["s3:*"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "o-xxxxxxxxxxx"

Setting a condition like the above role will restrict access to only people within your organization. This is useful if you have multiple AWS accounts with shared resources, like a centralized ECR.

Join the 80/20 DevOps Newsletter

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.