
About AWS Organizations

AWS Organizations evidence includes accounts, OUs, roots, SCPs, and related policies. The role must live in the management account - member accounts cannot enumerate the full org graph via these APIs.

How it works

Attach AWSOrganizationsReadOnlyAccess, or narrow to organizations:Describe* / organizations:List* via inline JSON.
Detail            Value
Category          Cloud governance
Authentication    Cross-account IAM role (management account)

Prerequisites

  • IAM admin rights in the management account (not a workload member account).
  • Connector principal + external ID.

Connect AWS Organizations to Iru

Copy the trust policy from Iru

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
(Screenshot: left navigation with Compliance expanded and Sources selected)

2. Turn on AWS Organizations

Find AWS Organizations (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3. Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in the management account

1. Start Create role

In the management account, open IAM > Roles > Create role.
2. Configure trusted entity

Choose AWS account > Another AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3. Attach Organizations read permissions

Attach AWSOrganizationsReadOnlyAccess, or attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    }
  ]
}
4. Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2. Confirm the source is Active

Submit until AWS Organizations reads Active.

Troubleshooting

  • Check pop-up blocker settings for the Iru site and try again.
  • Confirm the role was created in the management account, not a member account; member accounts cannot enumerate the full org graph.
  • External ID mismatch: the sts:ExternalId value in the role's trust policy must equal the external ID shown in the Iru wizard.
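The following is an added example, not code from this guide or from Iru, that checks a role's two policies against what the procedure above requires before the ARN is submitted, and covers the troubleshooting items for the management account and the external ID. It assumes the policy JSON has been fetched from the account (for example from the IAM console or the GetRole output) and that the DescribeOrganization response shape with its Organization.MasterAccountId field is available; the external ID and account IDs in the sample data are constructed placeholders.

```python
import re

IRU_CONNECT_ARN = "arn:aws:iam::753695775620:role/IruConnect"
PLACEHOLDER_EXTERNAL_ID = "YOUR_EXTERNAL_ID"

# Only organizations:Describe* and organizations:List* (or concrete actions
# under those prefixes) count as the read-only set the guide prescribes.
READ_ONLY_ACTION = re.compile(r"^organizations:(Describe|List)\w*\*?$")


def trust_policy_for(external_id):
    """Build the trust policy from the guide's template with the given external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": IRU_CONNECT_ARN},
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
                "Action": "sts:AssumeRole",
            }
        ],
    }


# Constructed sample inputs (the external ID is a placeholder, not a real secret).
TRUST_POLICY = trust_policy_for("example-external-id-1234")
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["organizations:Describe*", "organizations:List*"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_principal=IRU_CONNECT_ARN, expected_external_id=None):
    """Return findings (empty list means the trust policy matches the guide)."""
    findings = []
    allow = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append("expected exactly one Allow statement")
    for stmt in allow:
        principal = stmt.get("Principal", {})
        # A bare "*" principal would let any account attempt AssumeRole.
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [expected_principal]:
            findings.append(f"principal must be exactly {expected_principal}, got {principals}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("action must be only sts:AssumeRole")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or ext == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId condition missing or still the placeholder")
        elif expected_external_id is not None and ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value shown in Iru")
    return findings


def check_permissions_policy(policy):
    """Return granted actions outside organizations:Describe*/List* (empty means read-only)."""
    outside = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not READ_ONLY_ACTION.match(action):
                outside.append(action)
    return outside


def is_management_account(caller_account_id, describe_organization_response):
    """True when the account holding the role is the org management account.

    describe_organization_response has the shape returned by DescribeOrganization,
    whose Organization.MasterAccountId names the management account.
    """
    master = describe_organization_response.get("Organization", {}).get("MasterAccountId")
    return master is not None and master == caller_account_id


if __name__ == "__main__":
    # Constructed DescribeOrganization response and caller account for the demo.
    org = {"Organization": {"MasterAccountId": "111111111111"}}
    print("trust policy findings:", check_trust_policy(TRUST_POLICY))
    print("non read-only actions:", check_permissions_policy(PERMISSIONS_POLICY))
    print("role in management account:", is_management_account("111111111111", org))
```

Run the checks against the real policies before pasting the Role ARN; a non-empty result from either check maps directly to one of the troubleshooting items above.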

Considerations

Org APIs evolve - wildcard Describe* / List* pairs reduce churn when AWS ships new read operations.

See also