You have signed in to an AWS Organization's master account (now called the management account) using an admin IAM user.
You need to move accounts within this Organization from one OU (Organizational Unit) to another, or from an OU back to the root.
However, the operation was denied because the user lacks the required permissions.
So you started looking at the IAM policies attached to this user.
What are the minimum permissions you need to move accounts among OUs? (Select TWO.)
A. organizations:DescribeAccount
B. organizations:DescribeOrganization
C. organizations:MoveAccount
D. organizations:AttachPolicy
E. organizations:*
Correct Answer - B, C.
Users can move accounts between the root and OUs in an AWS Organization, as described in https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html. However, specific permissions are needed to do that.
Option A is incorrect because organizations:DescribeAccount only retrieves the Organizations details of a single account (a read-only call) and is not needed by the move operation.
Option B is CORRECT because organizations:DescribeOrganization is required when the move is done from the console, which calls it to load the organization before showing the OU tree.
Option C is CORRECT because organizations:MoveAccount is the permission that allows a user to move an account from one parent (root or OU) to another within the Organization.
Option D is incorrect because attaching an SCP (organizations:AttachPolicy) is not needed in this scenario.
Option E is incorrect because organizations:* allows every Organizations action, which does not meet the principle of least privilege.
To move accounts between OUs within an AWS Organization, you need the following minimum permissions:
organizations:MoveAccount: This permission allows the IAM user to move an account from one parent (the root or an OU) to another within the same organization. It is the only permission the MoveAccount API call itself requires, and it must be in the IAM policy attached to the admin user for the move to succeed.
organizations:DescribeOrganization: This read-only permission allows the IAM user to view the details of the organization. The console calls it before performing the move, so it is required when the move is done from the console.
Option B (organizations:DescribeOrganization) and Option C (organizations:MoveAccount) are the correct answers.
Option A (organizations:DescribeAccount) is not required to move accounts between OUs; it is a read-only permission that returns the details of a single account and is not called by the move operation.
Option D (organizations:AttachPolicy) is also not required to move accounts between OUs, as it only allows attaching policies such as SCPs to the root, OUs or accounts within the organization.
Option E (organizations:*) grants all permissions for AWS Organizations, which is not best practice: it grants excessive privileges and increases the risk of accidental or unauthorized actions. Therefore, it should be avoided whenever possible.