New organization-wide IAM condition keys to restrict AWS service-to-service requests
Today, AWS Identity and Access Management (IAM) launched two new global condition keys for IAM policies that enable you to scalably allow AWS services to access your resources only on your behalf. With this new IAM capability, you can simplify management of your resource-based policies to require that AWS services access your resources only when the request originates from your organization or organizational unit (OU) in AWS Organizations.
The new capability includes condition keys for the IAM policy language called aws:SourceOrgID and aws:SourceOrgPaths. These keys extend the capability of the existing aws:SourceAccount and aws:SourceArn condition keys to reference your organization or OU. The new keys are supported by a variety of services and actions, so you can apply similar controls across different use cases. For example, AWS CloudTrail records account activities and logs these events to an Amazon Simple Storage Service (S3) bucket. Now, you can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This ensures that CloudTrail can write logs to your S3 bucket only on behalf of accounts within your organization, so CloudTrail requests originating from accounts outside your organization are denied.
 
For more information about the new condition keys, see our blog post “Use scalable controls for AWS services accessing your resources” and the IAM documentation.