How to set up permissions/policies to enable renaming of OUs?

5 messages · Page 1 of 1 (latest)

steady temple
#

Hi fellow AWS users 👋 I'm trying to rename an OU and found that I require some permissions, but no matter how I try to get it done (via both AWS managed and customer managed policies), I still can't rename the OU. This goes for both root and admin users. Here's what I did for the admin user:

First, since I'm doing the renaming via the Organizations console, I thought I'd only need the organizations:DescribeOrganization permission, so I simply attached the AWS managed policy which apparently allowed it (didn't work).

Then, I thought maybe I also need the organizations:UpdateOrganizationalUnit permission after all, so I created a customer managed policy with both permissions and attached that policy instead (still didn't work).

Am I going about this permissions/policies thing incorrectly? Thank you for any leads!

Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html#rename_ou

agile pendant
#

Hi, I logged in to my management account with a user that has full administrative access (not root), clicked on the OU in the organizational tree, and there was a rename button in the top right corner. Renamed successfully.

#

Your second screenshot hints that you need an admin account with full permissions (or a user with the policies specified in the screenshot) instead of the root user.

steady temple
#

Hi @agile pendant, I hope you wouldn't mind me asking, but what exactly do you mean by "full permissions"? Should I be adding a certain set of policies to my admin user in order for it to have "full permissions", and if yes, which ones?

I believe I'm already in my management account ("admin account"?) because I use its 12-digit account ID to log in to the console. Does the account not have "full permissions" by default?

agile pendant
#

Please navigate to IAM -> Users in your management account (not the SSO account) and see if any of your users has the AdministratorAccess policy attached. If not, create a new user and attach this policy + enable MFA (recommended). Then log in with this admin user and rename your OU.
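The thread resolves the problem by attaching AdministratorAccess, which is the broadest grant possible. As an added example (not from the thread, and not AWS's own code), the script below reconstructs the two policy attempts from the question as constructed policy documents, evaluates them with a simplified model of IAM identity-policy evaluation (explicit Deny wins, then any matching Allow, otherwise implicit deny), and shows a scoped alternative for an operator whose only job is renaming OUs. Assumptions: organizations:UpdateOrganizationalUnit is the action the AWS documentation names for a rename; the read-only actions in REQUIRED_FOR_CONSOLE_RENAME are an assumed set the console needs to draw the organization tree, not a list taken from the page; and the model ignores conditions, NotAction/NotResource, SCPs, permission boundaries and session policies, so it explains why the first attempt could not work but cannot say why the second one failed.

```python
"""Offline check of which IAM policy attachments grant the action needed to rename an OU.

Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
grants, otherwise the action is implicitly denied. Conditions, NotAction /
NotResource, SCPs, permission boundaries and session policies are not modelled.
"""
import fnmatch

# --- Constructed policy documents (assumptions, not copied from the thread) ---

# Attempt 1 from the question: only DescribeOrganization.
POLICY_DESCRIBE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "organizations:DescribeOrganization",
                   "Resource": "*"}],
}

# Attempt 2 from the question: DescribeOrganization plus UpdateOrganizationalUnit.
POLICY_DESCRIBE_AND_UPDATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["organizations:DescribeOrganization",
                              "organizations:UpdateOrganizationalUnit"],
                   "Resource": "*"}],
}

# What the AWS managed AdministratorAccess policy grants: every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Actions assumed to be needed for a console rename. UpdateOrganizationalUnit is the
# documented requirement; the read-only ones are an assumption about what the console
# calls to render the organization tree.
REQUIRED_FOR_CONSOLE_RENAME = [
    "organizations:DescribeOrganization",
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:DescribeOrganizationalUnit",
    "organizations:UpdateOrganizationalUnit",
]

# A scoped alternative to AdministratorAccess for a rename-only operator (assumed set).
POLICY_RENAME_OU_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": REQUIRED_FOR_CONSOLE_RENAME,
                   "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """Wildcard match with IAM's '*' and '?'; actions compare case-insensitively, ARNs do not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(action, policies, resource="*"):
    """Return True if the attached identity policies allow `action` on `resource`."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action")))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit deny always wins, whatever else allows
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_actions(required, policies, resource="*"):
    """List the required actions that the attached policies do not allow."""
    return [a for a in required if not is_allowed(a, policies, resource)]


if __name__ == "__main__":
    for name, pols in [("describe only", [POLICY_DESCRIBE_ONLY]),
                       ("describe + update", [POLICY_DESCRIBE_AND_UPDATE]),
                       ("scoped rename policy", [POLICY_RENAME_OU_SCOPED]),
                       ("AdministratorAccess", [ADMINISTRATOR_ACCESS])]:
        print(f"{name}: missing {missing_actions(REQUIRED_FOR_CONSOLE_RENAME, pols)}")
```

Running it shows the first attempt missing organizations:UpdateOrganizationalUnit (and the assumed read actions), while both the scoped policy and AdministratorAccess leave nothing missing. The practical difference is that the scoped policy grants only the Organizations actions a rename needs, whereas AdministratorAccess grants everything in the management account; if the scoped policy still fails for a real user, the cause lies in something this model leaves out, such as an SCP, a permission boundary, or signing in to the wrong account.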