cloudformation:DeactivateOrganizationsAccess is a Write access-level action in the cloudformation service. Grants permission to deactivate trusted access between StackSets and Organizations. If trusted access is deactivated, the management account does not have permissions to create and manage service-managed StackSets for your organization
This action does not support resource-level permissions; use "Resource": "*" in your policy.
No condition keys are documented for this action.
A minimal policy that allows cloudformation:DeactivateOrganizationsAccess. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCloudformationDeactivateOrganizationsAccess",
"Effect": "Allow",
"Action": "cloudformation:DeactivateOrganizationsAccess",
"Resource": "*"
}
]
}