Skip to main content

Master Account Role

This role resides in the Master AWS Account and is assumed by the Main AWS Account.

Master Role Trust Policy

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${MainAccount}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": ${ExternalId}
}
}
}
]
}

Master Role Permissions

The follwing details the Managed and Inline Policy permissions needed.

Managed Policy: AWSOrganizationsFullAccess

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "organizations:*",
"Resource": "*"
}
]
}
danger

You should restricted the actions to createAccount, describeCreateAccountStatus and describeAccount only.

Inline Policy: sts:AssumeRole

This policy is for the controlling role between Master AWS Account and Master AWS Account:

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
}
}