This content originally appeared on DEV Community and was authored by Shuichi Takahashi
In AWS Organizations, the "management account" is a special account.
It owns all organizational settings and has powerful permissions.
By default, it can register and remove accounts from the organization, handle billing, and manage organization-wide settings.
Reference: AWS Organizations Management Account
Therefore, it is a best practice to limit management account access to a small number of people and delegate functions and operations whenever possible.
The functions that can be delegated are listed in the AWS Services integrated with Organizations documentation.
Functions with "Supports delegated administrator" set to "Yes" can be delegated to specified member accounts.
Reference: AWS Services Integrated with Organizations
Additionally, the management account is not subject to control policies such as SCPs, making it difficult to restrict.
Reference: Service Control Policies (SCP)
For cases where you cannot delegate everything and need to give access to the management account, you can use methods like assigning roles with limited permissions through IAM Identity Center.
Reference: AWS IAM Identity Center
However, the challenging part is when you need to grant IAM role creation permissions.
For example, consider a case where you need IAM roles to deploy lightweight serverless configurations.
There are various options, but this article explains permission control using a Permission Boundary.
When Allowing iam:CreateRole
To create IAM roles for use with AWS Lambda, we allow iam:CreateRole.
However, with iam:CreateRole alone, users can create IAM roles that have more permissions than they themselves hold.
Once such a role is assumed or passed to a service, the intended permission control is bypassed.
Allowing iam:CreateRole with Permission Boundary
When you want to grant IAM role creation permissions but prevent users from creating roles with excessive permissions, you can use Permission Boundaries for control.
A Permission Boundary is a policy that defines the maximum permissions an IAM entity can have. By writing a policy that explicitly denies unwanted operations, attaching it as the Permission Boundary, and requiring that boundary on every IAM role the user creates, you cap the permissions of any resulting role at what the boundary allows.
Reference: IAM Permissions Boundaries
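As an added illustration (not code from the article), here are the two policies this approach needs, written as Python dictionaries alongside a small offline evaluator. The account id, boundary policy name and role path are constructed placeholders, and the evaluator models only the explicit-deny/allow ordering and the StringEquals condition on the iam:PermissionsBoundary request key.

```python
import fnmatch

# Constructed placeholders: the account id and boundary policy name are not from the article.
ACCOUNT_ID = "111111111111"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/LambdaRoleBoundary"

# The permissions boundary: the ceiling for every role a developer creates. It
# permits serverless-workload actions and explicitly denies organization-level
# and IAM operations, so a created role can never out-rank its creator there.
BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "logs:*", "dynamodb:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["organizations:*", "iam:*", "account:*"], "Resource": "*"},
]}

# Identity policy for the developer: iam:CreateRole is allowed only when the
# request carries the boundary, and the boundary can never be removed or
# replaced afterwards.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/app/*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny",
     "Action": ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"],
     "Resource": "*"},
]}

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource, context=None):
    """Simplified, offline evaluation of one identity policy: an explicit Deny
    wins, then a matching Allow, otherwise implicit deny. Only StringEquals on
    request-context keys is modelled, which is enough to show the boundary check."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in wanted.items()):
            continue  # condition not satisfied (an absent key also fails the check)
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/app/order-handler"
```

A CreateRole request that omits the boundary, or names a different one, falls through to implicit deny, while an attempt to strip the boundary from an existing role hits the explicit Deny.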
Other Methods
For permission control in the management account, there are other methods besides Permission Boundary:
- Data Migration: When data in the management account is needed, share or copy only the necessary parts of that data to member accounts and build solutions in the member accounts
- Work Separation: Have administrators or CI/CD pipelines handle IAM role creation and deployment work, and give general users only execution permissions
Considerations for Permission Boundary Usage
While Permission Boundaries can be used not only in management accounts but also in regular member accounts, they impose strong constraints on operations. When implementing Permission Boundaries, careful consideration of operational trade-offs is essential:
- Operational Complexity: Permission Boundaries add an additional layer of policy evaluation, which can make troubleshooting permission issues more complex
- Development Velocity: Strict boundaries may slow down development workflows, especially in environments requiring frequent role modifications
- Maintenance Overhead: Permission Boundary policies need to be maintained and updated as business requirements evolve
- User Experience: Developers may encounter unexpected permission denials, requiring additional training and documentation
Before implementing Permission Boundaries, evaluate whether the security benefits outweigh the operational constraints for your specific use case and organizational maturity.
Reference Links
AWS Organizations and IAM Related
- AWS Organizations Best Practices
- IAM Permissions Boundaries
- AWS Services Integrated with Organizations
AWS Well-Architected Related
- SEC03-BP02: Grant Least Privilege Access
- SEC01-BP01: Separate Workloads Using Accounts
- Security Pillar - AWS Well-Architected Framework
Shuichi Takahashi | Sciencx (2025-09-30T14:18:06+00:00) Using Permission Boundaries for IAM Role Creation in AWS Organizations Management Account. Retrieved from https://www.scien.cx/2025/09/30/using-permission-boundaries-for-iam-role-creation-in-aws-organizations-management-account-2/