AWS Certified Solutions Architect - Professional Exam: Minimum Permissions for Moving AWS Accounts among OUs



Question

You have signed in to an AWS Organization's master account using an admin IAM user.

You need to move accounts in this Organization from one OU (Organizational Unit) to another, or from an OU back to the root.

However, the operation was disallowed due to a lack of permissions.

So you started looking at the IAM policies attached to this user.

What are the minimum permissions you need to move accounts among OUs? (Select TWO.)

Answers

Explanations



Correct Answer - B, C.

Users can move accounts between the root and OUs in an AWS Organization, as described at https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html.

However, specific IAM permissions are needed to do that.

Option A is incorrect because organizations:DescribeAccount only retrieves Organization details about an account, which is not required for the move.

Option B is CORRECT because organizations:DescribeOrganization is required if the move operation is done from the console.

Option C is CORRECT because organizations:MoveAccount permits users to move accounts in an Organization.

Option D is incorrect because attaching an SCP is not needed in this scenario.

Option E is incorrect because organizations:* allows all actions for Organizations, which does not meet the principle of least privilege.
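As an added example (not part of the original question or explanation), the following script builds the policy document that corresponds to options B and C and checks candidate policies against that required action set, flagging missing actions, extra actions and wildcard grants such as organizations:*. The sample policies for options A+C and E are constructed here to mirror the answer choices.

```python
import fnmatch

# The two actions the answer key identifies as the minimum for moving an
# account between OUs (DescribeOrganization covers the console path).
REQUIRED_ACTIONS = {"organizations:DescribeOrganization", "organizations:MoveAccount"}

def _as_list(value):
    """IAM accepts a single string wherever a list is permitted."""
    return value if isinstance(value, list) else [value]

def allowed_action_patterns(policy):
    """Collect every Action pattern from Allow statements in an IAM policy document."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.update(_as_list(stmt["Action"]))
    return patterns

def action_matches(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate_policy(policy):
    """Report missing required actions, wildcard grants and extra actions.
    The policy is least-privilege only if it grants exactly REQUIRED_ACTIONS."""
    patterns = allowed_action_patterns(policy)
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(action_matches(p, a) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    extra = sorted(p for p in patterns
                   if p not in wildcards and p.lower() not in required_lower)
    return {"missing": missing, "wildcards": wildcards, "extra": extra,
            "least_privilege": not missing and not wildcards and not extra}

def minimal_move_policy():
    """Policy document matching the correct options (B and C)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(REQUIRED_ACTIONS),
                           "Resource": "*"}]}

# Constructed sample policies mirroring answer options A+C and E (not from the page).
OPTION_A_PLUS_C = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["organizations:DescribeAccount", "organizations:MoveAccount"],
    "Resource": "*"}]}
OPTION_E = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": "organizations:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, pol in [("A+C", OPTION_A_PLUS_C), ("B+C", minimal_move_policy()), ("E", OPTION_E)]:
        print(name, evaluate_policy(pol))
```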

To move accounts between OUs in an AWS Organization, you need to have the appropriate permissions. The necessary permissions can be obtained by attaching the required policies to an IAM user or role. Here are the two minimum permissions that you need to move accounts among OUs:

  1. organizations:DescribeAccount: This permission allows you to get information about the account that you want to move. It is necessary to determine the current location of the account and to ensure that you have the necessary permissions to move it.

  2. organizations:MoveAccount: This permission allows you to move an account from one OU to another or back to the root. It is necessary to perform the actual move operation.

In addition to the two minimum permissions, there are other permissions that may be required depending on the scenario. For example, if you need to move an account to a different AWS Region, you will also need the organizations:EnableAWSServiceAccess permission.

The other answer options are as follows:

  • organizations:DescribeOrganization: This permission allows you to get information about the AWS Organization that you are working with. It is not necessary to move accounts among OUs.

  • organizations:AttachPolicy: This permission allows you to attach a policy to an AWS account or an OU. It is not necessary to move accounts among OUs.

  • organizations:*: This is a wildcard permission that grants all permissions for the AWS Organizations service. It is not necessary to move accounts among OUs, and it is generally not recommended to grant such broad permissions.

In summary, to move accounts among OUs in an AWS Organization, you need the organizations:DescribeAccount and organizations:MoveAccount permissions.