Posted On: Feb 13, 2023

Amazon Identity and Access Management now supports refining permissions policies based on the organizational unit (OU) or organization ID in Amazon Organizations of the principal or the resource. With these new IAM capabilities, you can now author IAM policies that let your principals access only resources inside specific OUs or organizations.

The new capabilities are four condition keys for the IAM policy language: aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID, and aws:ResourceOrgPaths. The new keys are supported by a wide variety of services and actions, so you can apply the same controls across different use cases. For example, consider an Amazon S3 bucket policy in which you want to restrict access to principals associated with Amazon Web Services accounts inside your organization. You can now use the aws:PrincipalOrgID condition key in the Condition element of that policy and set its value to your organization ID.
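The bucket policy described above, written out as an added example (it is not from the original announcement or the IAM documentation): the first statement grants read access to any authenticated principal whose account belongs to the organization, using aws:PrincipalOrgID; the second narrows write access to principals under one OU, using aws:PrincipalOrgPaths. The bucket name, the organization ID (o-EXAMPLEORGID), the root ID (r-EXAMPLEROOT), the OU ID (ou-EXAMPLE-prod) and the `aws` ARN partition are placeholders you must replace with your own values (use the `aws-cn` partition in China regions).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadFromAnyAccountInOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    },
    {
      "Sid": "AllowWriteOnlyFromProductionOU",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-shared-bucket/*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": [
            "o-EXAMPLEORGID/r-EXAMPLEROOT/ou-EXAMPLE-prod/*"
          ]
        }
      }
    }
  ]
}
```

Two details matter when reviewing a policy like this. `"Principal": "*"` does not open the bucket to the public: aws:PrincipalOrgID is simply absent for anonymous requests, and a StringEquals condition on a missing key evaluates to false, so unauthenticated callers match neither statement. aws:PrincipalOrgPaths is a multivalued key, so it must be compared with a set operator such as ForAnyValue:StringLike; the trailing `/*` in the path matches the named OU and every OU nested beneath it, so move the wildcard one level deeper if you want to exclude child OUs.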

For more information about the new condition keys, see the IAM documentation.
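The resource-side keys work the same way from the other direction. The identity-based policy below is an added example (not from the announcement or the IAM documentation) of the common "keep my data inside my organization" control: it denies S3 actions against any bucket or object whose owning account is not in the caller's own organization, by comparing aws:ResourceOrgID with the aws:PrincipalOrgID policy variable. The action scope (`s3:*`) is an assumption chosen for illustration; widen it only to services that support aws:ResourceOrgID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessToResourcesOutsideMyOrganization",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
        }
      }
    }
  ]
}
```

Because this is a negated match, the Deny also applies when aws:ResourceOrgID is absent, which is the case for a bucket owned by an account that belongs to no organization at all. That is usually the intended outcome for an exfiltration control, but test the policy against any legitimate cross-organization integrations before attaching it broadly; the same statement can be placed in a service control policy so that it applies to every principal in the organization.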