You must create a primary account policy for the primary Amazon Web Services (AWS) account and a linked account policy for each linked AWS account. These policies control what the primary account can read in AWS and which roles in the linked accounts it is allowed to assume.
Procedure
- In the AWS console, go to .
- In the Create policy page, click the JSON tab.
- In the JSON text box, enter one of the following policies.
Option: Add a primary account policy
Note: You must add the primary account policy in the primary AWS account. Replace <Role ARNs> with the ARNs of the roles that the primary account assumes in the linked accounts; do not leave the placeholder in place or widen it to a wildcard.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<Role ARNs>"
    }
  ]
}
Option: Add a linked account policy
Note: You must add the linked account policy in every linked account that is added to the primary AWS account. The linked account policy is read-only and does not grant sts:AssumeRole.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
- Click Review policy.
- Under the Review policy section, enter a policy name and click Create policy.
What to do next
Note: If the role in each linked account already includes the permissions of the linked account policy and its trust policy trusts the primary account, you can skip this step.
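The following Python script is an added example; it is not part of the product documentation or the product's own code. It builds the primary account policy shown above with the <Role ARNs> placeholder filled in from a list of linked account IDs, builds the read-only linked account policy, builds the trust policy that lets only the primary account assume the linked-account role, and then checks that no sts:AssumeRole statement is left on a wildcard or on the unedited placeholder. The account IDs 111111111111, 222222222222 and 333333333333 and the role name LinkedAccountReadOnly are made-up placeholders.

```python
"""Generate and sanity-check the primary/linked AWS account policies.

Added example, not the documentation's own code. Account IDs and the
role name below are constructed placeholders; substitute your own.
"""
import fnmatch
import json

PRIMARY_ACCOUNT_ID = "111111111111"                       # placeholder
LINKED_ACCOUNT_IDS = ["222222222222", "333333333333"]      # placeholders
LINKED_ROLE_NAME = "LinkedAccountReadOnly"                # assumed role name

# Read-only statements that both policies on the page share.
READ_ONLY_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:ListAccountAliases"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {
        "Effect": "Allow",
        "Action": ["logs:Describe*", "logs:Get*",
                   "logs:TestMetricFilter", "logs:FilterLogEvents"],
        "Resource": "*",
    },
]


def linked_role_arns(account_ids, role_name):
    """ARNs of the role the primary account assumes in each linked account."""
    return [f"arn:aws:iam::{acct}:role/{role_name}" for acct in account_ids]


def build_primary_policy(linked_account_ids, role_name):
    """Primary account policy with <Role ARNs> replaced by explicit ARNs."""
    statements = [dict(s) for s in READ_ONLY_STATEMENTS]
    statements.append({"Effect": "Allow",
                       "Action": ["organizations:ListAccounts"],
                       "Resource": "*"})
    statements.append({"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": linked_role_arns(linked_account_ids, role_name)})
    return {"Version": "2012-10-17", "Statement": statements}


def build_linked_policy():
    """Linked account policy: read-only, deliberately without sts:AssumeRole."""
    return {"Version": "2012-10-17",
            "Statement": [dict(s) for s in READ_ONLY_STATEMENTS]}


def build_linked_role_trust_policy(primary_account_id):
    """Trust policy for the linked-account role: only the primary account
    (any principal in it that is itself allowed sts:AssumeRole) may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def as_list(value):
    """IAM allows a string or a list in Action and Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_assume_role(policy):
    """Return Resource values of Allow statements that grant sts:AssumeRole
    (directly or through a wildcard such as sts:*) on anything other than
    explicit role ARNs, i.e. wildcards or the unedited <Role ARNs> placeholder."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        for resource in as_list(stmt.get("Resource", [])):
            if "*" in resource or resource.startswith("<"):
                findings.append(resource)
    return findings


if __name__ == "__main__":
    primary = build_primary_policy(LINKED_ACCOUNT_IDS, LINKED_ROLE_NAME)
    print(json.dumps(primary, indent=2))
    print(json.dumps(build_linked_role_trust_policy(PRIMARY_ACCOUNT_ID), indent=2))
    print("unscoped sts:AssumeRole resources:", find_unscoped_assume_role(primary))
```

Run the script as-is to print the two generated documents; paste the first into the JSON tab of the primary account and the trust policy onto the role in each linked account. find_unscoped_assume_role is the check to run on the primary policy before you click Create policy: an empty list means every sts:AssumeRole grant names specific roles.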