SSO : write a permission that limit actions to all accounts in OU


In IAM identity center (AWS SSO), I would like to create a permission that authorizes actions only on accounts belonging to a specific OU. What resources and conditions should I put in?

1 Answer


As far as I know, I don't think it's possible to allow an IAM identity center user to perform actions only on a specific OU.
IAM identity center users are allowed to perform actions on the AWS accounts they have been granted access to.
Therefore, I think it would be a good idea to not link the IAM identity center user to any AWS account other than the required AWS account.

profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions