Menu
AWS Organizations API Reference
API Reference (API Version 2016-11-28)

AttachPolicy

Attaches a policy to a root, an organizational unit, or an individual account. How the policy affects accounts depends on the type of policy:

  • Service control policy (SCP) - An SCP specifies what permissions can be delegated to users in affected member accounts. The scope of influence for a policy depends on what you attach the policy to:

    • If you attach an SCP to a root, it affects all accounts in the organization.

    • If you attach an SCP to an OU, it affects all accounts in that OU and in any child OUs.

    • If you attach the policy directly to an account, then it affects only that account.

    SCPs essentially are permission "filters". When you attach one SCP to a higher level root or OU, and you also attach a different SCP to a child OU or to an account, the child policy can further restrict only the permissions that pass through the parent filter and are available to the child. An SCP that is attached to a child cannot grant a permission that is not already granted by the parent. For example, imagine that the parent SCP allows permissions A, B, C, D, and E. The child SCP allows C, D, E, F, and G. The result is that the accounts affected by the child SCP are allowed to use only C, D, and E. They cannot use A or B because they were filtered out by the child OU. They also cannot use F and G because they were filtered out by the parent OU. They cannot be granted back by the child SCP; child SCPs can only filter the permissions they receive from the parent SCP.

    AWS Organizations attaches a default SCP named "FullAWSAccess to every root, OU, and account. This default SCP allows all services and actions, enabling any new child OU or account to inherit the permissions of the parent root or OU. If you detach the default policy, you must replace it with a policy that specifies the permissions that you want to allow in that OU or account.

    For more information about how Organizations policies permissions work, see Using Service Control Policies in the AWS Organizations User Guide.

This operation can be called only from the organization's master account.

Request Syntax

{
   "PolicyId": "string",
   "TargetId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

PolicyId

The unique identifier (ID) of the policy that you want to attach to the target. You can get the ID for the policy by calling the ListPolicies operation.

The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lower-case letters or digits.

Type: String

Pattern: ^p-[0-9a-zA-Z_]{8,128}$

Required: Yes

TargetId

The unique identifier (ID) of the root, OU, or account that you want to attach the policy to. You can get the ID by calling the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations.

The regex pattern for a target ID string requires one of the following:

  • Root: a string that begins with "r-" followed by from 4 to 32 lower-case letters or digits.

  • Account: a string that consists of exactly 12 digits.

  • Organizational unit (OU): a string that begins with "ou-" followed by from 4 to 32 lower-case letters or digits (the ID of the root that the OU is in) followed by a second "-" dash and from 8 to 32 additional lower-case letters or digits.

Type: String

Pattern: ^(r-[0-9a-z]{4,32})|(\d{12})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You don't have permissions to perform the requested operation. The user or role that is making the request must have at least one IAM permissions policy attached that grants the required permissions. For more information, see Access Management in the IAM User Guide.

HTTP Status Code: 400

AWSOrganizationsNotInUseException

Your account is not a member of an organization. To make this request, you must use the credentials of an account that belongs to an organization.

HTTP Status Code: 400

ConcurrentModificationException

The target of the operation is currently being modified by a different request. Try again later.

HTTP Status Code: 400

ConstraintViolationException

Performing this operation violates a minimum or maximum value limit. For example, attempting to removing the last SCP from an OU or root, inviting or creating too many accounts to the organization, or attaching too many policies to an account, OU, or root. This exception includes a reason that contains additional information about the violated limit:

Note

Some of the reasons in the following list might not be applicable to this specific API or operation:

  • ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of accounts in an organization. If you need more accounts, contact AWS Support to request an increase in your limit.

    Or, The number of invitations that you tried to send would cause you to exceed the limit of accounts in your organization. Send fewer invitations, or contact AWS Support to request an increase in the number of accounts.

    Note: deleted and closed accounts still count toward your limit.

    Important

    If you get an exception that indicates that you exceeded your account limits for the organization or that you can"t add an account because your organization is still initializing, please contact AWS Customer Support.

  • HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes you can send in one day.

  • OU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of organizational units you can have in an organization.

  • OU_DEPTH_LIMIT_EXCEEDED: You attempted to create an organizational unit tree that is too many levels deep.

  • POLICY_NUMBER_LIMIT_EXCEEDED. You attempted to exceed the number of policies that you can have in an organization.

  • MAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of policies of a certain type that can be attached to an entity at one time.

  • MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an entity that would cause the entity to have fewer than the minimum number of policies of a certain type required.

  • ACCOUNT_CANNOT_LEAVE_WITHOUT_EULA: You attempted to remove an account from the organization that does not yet have enough information to exist as a stand-alone account. This account requires you to first agree to the AWS Customer Agreement. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • ACCOUNT_CANNOT_LEAVE_WITHOUT_PHONE_VERIFICATION: You attempted to remove an account from the organization that does not yet have enough information to exist as a stand-alone account. This account requires you to first complete phone verification. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • MASTER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To create an organization with this account, you first must associate a payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • MEMBER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To complete this operation with this member account, you first must associate a payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • ACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts that you can create in one day.

  • MASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in this organization, you first must migrate the organization's master account to the marketplace that corresponds to the master account's address. For example, accounts with India addresses must be associated with the AISPL marketplace. All accounts in an organization must be associated with the same marketplace.

  • MASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first provide contact a valid address and phone number for the master account. Then try the operation again.

HTTP Status Code: 400

DuplicatePolicyAttachmentException

The selected policy is already attached to the specified target.

HTTP Status Code: 400

InvalidInputException

The requested operation failed because you provided invalid values for one or more of the request parameters. This exception includes a reason that contains additional information about the violated limit:

Note

Some of the reasons in the following list might not be applicable to this specific API or operation:

  • INVALID_PARTY_TYPE_TARGET: You specified the wrong type of entity (account, organization, or email) as a party.

  • INVALID_SYNTAX_ORGANIZATION_ARN: You specified an invalid ARN for the organization.

  • INVALID_SYNTAX_POLICY_ID: You specified an invalid policy ID.

  • INVALID_ENUM: You specified a value that is not valid for that parameter.

  • INVALID_FULL_NAME_TARGET: You specified a full name that contains invalid characters.

  • INVALID_LIST_MEMBER: You provided a list to a parameter that contains at least one invalid value.

  • MAX_LENGTH_EXCEEDED: You provided a string parameter that is longer than allowed.

  • MAX_VALUE_EXCEEDED: You provided a numeric parameter that has a larger value than allowed.

  • MIN_LENGTH_EXCEEDED: You provided a string parameter that is shorter than allowed.

  • MIN_VALUE_EXCEEDED: You provided a numeric parameter that has a smaller value than allowed.

  • IMMUTABLE_POLICY: You specified a policy that is managed by AWS and cannot be modified.

  • INVALID_PATTERN: You provided a value that doesn't match the required pattern.

  • INVALID_PATTERN_TARGET_ID: You specified a policy target ID that doesn't match the required pattern.

  • INPUT_REQUIRED: You must include a value for all required parameters.

  • INVALID_PAGINATION_TOKEN: Get the value for the NextToken parameter from the response to a previous call of the operation.

  • MAX_FILTER_LIMIT_EXCEEDED: You can specify only one filter parameter for the operation.

  • MOVING_ACCOUNT_BETWEEN_DIFFERENT_ROOTS: You can move an account only between entities in the same root.

HTTP Status Code: 400

PolicyNotFoundException

We can't find a policy with the PolicyId that you specified.

HTTP Status Code: 400

PolicyTypeNotEnabledException

The specified policy type is not currently enabled in this root. You cannot attach policies of the specified type to entities in a root until you enable that type in the root. For more information, see Enabling All Features in Your Organization in the AWS Organizations User Guide.

HTTP Status Code: 400

ServiceException

AWS Organizations can't complete your request because of an internal service error. Try again later.

HTTP Status Code: 400

TargetNotFoundException

We can't find a root, OU, or account with the TargetId that you specified.

HTTP Status Code: 400

TooManyRequestsException

You've sent too many requests in too short a period of time. The limit helps protect against denial-of-service attacks. Try again later.

HTTP Status Code: 400

Examples

Example 1

The following example shows how to attach a service control policy (SCP) to an OU:

Sample Request

POST / HTTP/1.1
Host: organizations.us-east-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 275
X-Amz-Target: AWSOrganizationsV20161128.AttachPolicy
X-Amz-Date: 20160808T211405Z
User-Agent: aws-cli/1.10.18 Python/2.7.8 Linux/2.6.18-164.el5 botocore/1.4.9
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 
  Credential=AKIAIOSFODNN7EXAMPLE/20160808/us-east-1/organizations/aws4_request, 
  SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, 
  Signature=EXAMPLESIGabcdef1234567890abcdef1234567890abcdef123456EXAMPLESIG

{ "TargetId": "ou-examplerootid111-exampleouid111", "PolicyId": "p-examplepolicyid111" }

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE
Content-Type: application/x-amz-json-1.1
Content-Length: 0
Date: Mon, 08 Aug 2016 21:14:06 GMT

Example 2

The following example shows how to attach a service control policy directly to an account:

Sample Request

POST / HTTP/1.1
Host: organizations.us-east-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 275
X-Amz-Target: AWSOrganizationsV20161128.AttachPolicy
X-Amz-Date: 20160808T211405Z
User-Agent: aws-cli/1.10.18 Python/2.7.8 Linux/2.6.18-164.el5 botocore/1.4.9
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 
  Credential=AKIAIOSFODNN7EXAMPLE/20160808/us-east-1/organizations/aws4_request, 
  SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, 
  Signature=EXAMPLESIGabcdef1234567890abcdef1234567890abcdef123456EXAMPLESIG

{ "TargetId": "333333333333", "PolicyId": "p-examplepolicyid111" }

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE
Content-Type: application/x-amz-json-1.1
Content-Length: 0
Date: Mon, 08 Aug 2016 21:14:06 GMT

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: