Skip to main content

Master Account Role

This role resides in the Master AWS Account and is assumed by the Main AWS Account.

Master Role Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${MainAccount}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": ${ExternalId}
        }
      }
    }
  ]
}

Master Role Permissions

The follwing details the Managed and Inline Policy permissions needed.

Managed Policy: AWSOrganizationsFullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "organizations:*",
            "Resource": "*"
        }
    ]
}

danger

You should restricted the actions to createAccount, describeCreateAccountStatus and describeAccount only.

Inline Policy: sts:AssumeRole

This policy is for the controlling role between Master AWS Account and Master AWS Account:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
    }
}

Master Role Trust Policy
Master Role Permissions
- Managed Policy: AWSOrganizationsFullAccess
- Inline Policy: sts:AssumeRole