fms:DisassociateAdminAccount is a Write access-level action in the fms service. Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts
This action does not support resource-level permissions; use "Resource": "*" in your policy.
No condition keys are documented for this action.
A minimal policy that allows fms:DisassociateAdminAccount. Replace "Resource": "*" with a specific ARN to follow least privilege.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFmsDisassociateAdminAccount",
"Effect": "Allow",
"Action": "fms:DisassociateAdminAccount",
"Resource": "*"
}
]
}