
This resource-based policy contains invalid JSON.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement",
			"Effect": "Allow",
			"Principal": {},
			"Action": [
				"organizations:*"
			],
			"Resource": [
				"*"
			]
		}
	]
}

Yes, your resource-based policy contains an invalid JSON structure due to the empty "Principal" field.

Issue in Your JSON Policy:

"Principal": {}
  • The "Principal" field must specify an AWS principal (user, role, or account).
  • Resource-based policies require a specific principal to define who is allowed to access the resource.

🔹 Corrected JSON Policy

Here's the fixed version where the "Principal" is properly defined:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowOrganizationsAccess",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::ACCOUNT_ID:root"
			},
			"Action": [
				"organizations:*"
			],
			"Resource": "*"
		}
	]
}

🔹 Explanation of Fixes

  1. ✅ Added a valid "Principal"
    • "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:root" }
    • This ensures that only the specified AWS account has access.
    • Replace ACCOUNT_ID with the actual AWS account number.
  2. ✅ Updated "Sid" for better readability
    • "Sid": "AllowOrganizationsAccess" to describe the rule clearly.
  3. ✅ Kept "organizations:*" for full access
    • This allows all actions (organizations:*) on all AWS Organizations resources ("Resource": "*") within the AWS Organization.

🔹 Alternative: Allow Multiple Accounts

If you want to allow multiple AWS accounts instead of just one, modify "Principal" like this:

"Principal": {
	"AWS": [
		"arn:aws:iam::111122223333:root",
		"arn:aws:iam::444455556666:root"
	]
}

🚀 Final Thoughts

  • If this policy is attached to an AWS Organizations resource, you need a valid principal (IAM user, role, or AWS account).
  • If you are using IAM Policies, you don't need the "Principal" field at all (IAM roles and users already define their own permissions).

Would you like help in deploying this policy using Terraform or AWS CLI? 😊
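As an added example (editor's code, not part of the conversation above), a small Python linter for resource-based policy documents: it reports malformed JSON separately from well-formed JSON that is still unusable because an Allow statement has no Principal, and it flags the broad grants present in both the posted and the corrected policy. The two sample policies are embedded as constructed strings taken from the conversation.

```python
import json

# Constructed samples: the policy posted in the conversation (empty Principal)
# and the corrected one from the reply, as text the way a file would be read.
POSTED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "Statement",
  "Effect": "Allow", "Principal": {}, "Action": ["organizations:*"], "Resource": ["*"]}]}"""
FIXED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "AllowOrganizationsAccess",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"},
  "Action": ["organizations:*"], "Resource": "*"}]}"""

def _as_list(value):
    """IAM accepts either a single string or a list for most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_values(principal):
    """Flatten a Principal element into a list of strings ("*" stays "*")."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for entries in (principal or {}).values():
        values.extend(_as_list(entries))
    return values

def lint_resource_policy(policy_text):
    """Return findings for a resource-based policy: malformed JSON is reported
    separately from well-formed JSON that is unusable (Allow with no Principal)
    or overly broad ("*" principal, service-wide actions on Resource "*")."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements need no principal check here
        principals = _principal_values(stmt.get("Principal"))
        if "NotPrincipal" not in stmt and not principals:
            findings.append(f"{sid}: Allow statement has no Principal")
        if "*" in principals:
            findings.append(f"{sid}: wildcard Principal allows any AWS identity")
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: service-wide actions on Resource '*'")
    return findings
```

Running it on POSTED_POLICY yields two findings (no Principal, service-wide actions on "*"); FIXED_POLICY clears the Principal check but still reports the broad organizations:* grant on every resource.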