amazon-web-servicesaws-organizations

Cannot detach AWS-managed service control policy - access denied


I have the following statement in my IAM policy:

{
  "Sid" : "AllowDetachingAWSManagedPolicies",
  "Effect" : "Allow",
  "Action" : [
    "organizations:DetachPolicy"
  ],
  "Resource" : "*",
   "Condition" : {
     "StringEquals" : {
       "organizations:PolicyType" : "SERVICE_CONTROL_POLICY"
     }
   }
}

However, when I try to detach the FullAWSAccess policy from an AWS Organizations account, I get AccessDenied, as if my IAM policy wasn't sufficient. I have made sure that there is another SCP in addition to FullAWSAccess, so the issue is not that there would remain no SCPs attached to the account.

What is going wrong?


Solution

  • Strangely enough, the AWS-managed FullAWSAccess policy does not count as a SERVICE_CONTROL_POLICY even though it is listed as such on the AWS Organizations Policies page.

    When I removed the condition, I no longer got AccessDenied errors:

    {
      "Sid" : "AllowDetachingAWSManagedPolicies",
      "Effect" : "Allow",
      "Action" : [
        "organizations:DetachPolicy"
      ],
      "Resource" : "*"
    }
    

    Another thing I tried to do was to specify a resource that matched FullAWSAccess:

    "Resource": "arn:aws:organizations::aws:policy/service_control_policy/p-*"
    

    But that similarly resulted in an AccessDenied error. So I left it as:

    "Resource": "*"