Attaching and detaching service control
policies
When you sign in to your organization's management account, you can attach a service
control policy (SCP) that you previously created. You can attach an SCP to the organization
root, to an organizational unit (OU), or directly to an account. To attach an SCP, complete
the following steps.
To attach an SCP to a root, OU, or account, you need permission to run the following
action:
-
organizations:AttachPolicy with a Resource element
in the same policy statement that includes "*" or the Amazon Resource Name (ARN)
of the specified policy and the ARN of the root, OU, or account that you want to
attach the policy to
- AWS Management Console
-
You can attach an SCP by either navigating to the policy or to the root, OU,
or account that you want to attach the policy to.
To attach an SCP by navigating to the root, OU, or account
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the AWS accounts page, navigate to and then choose the check box
next to the root, OU, or account that you want to attach an SCP to.
You might have to expand OUs (choose the
) to find the OU or account that you want.
-
In the Policies tab, in the entry for
Service control policies, choose
Attach.
-
Find the policy that you want and choose Attach
policy.
The list of attached SCPs on the Policies tab is
updated to include the new addition. The policy change takes effect
immediately, affecting the permissions of IAM users and roles in the
attached account or all accounts under the attached root or OU.
To attach an SCP by navigating to the policy
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Service control policies page, choose the name of the policy that you
want to attach.
-
On the Targets tab, choose
Attach.
-
Choose the radio button next to the root, OU, or account that you want
to attach the policy to. You might have to expand OUs (choose the
) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached SCPs on the Targets tab is
updated to include the new addition. The policy change takes effect
immediately, affecting the permissions of IAM users and roles in the
attached account or all accounts under the attached root or OU.
- AWS CLI & AWS SDKs
-
To attach an SCP by navigating to the root, OU, or account
You can use one of the following commands to attach an SCP:
-
AWS CLI: attach-policy
The following example attaches an SCP to an OU.
$ aws organizations attach-policy \
--policy-id p-i9j8k7l6m5 \
--target-id ou-a1b2-f6g7h222
This command produces no output when successful.
-
AWS SDKs: AttachPolicy
The policy change takes effect immediately, affecting the permissions of IAM
users and roles in the attached account or all accounts under the attached root
or OU.
Detaching an SCP from the organization root, OUs, or
accounts
When you sign in to your organization's management account, you can detach an SCP from
the organization root, OU, or account that it is attached to. After you detach an SCP
from an entity, that SCP no longer applies to any IAM users and IAM roles that were
affected by the now detached entity. To detach an SCP, complete the following steps.
You can't detach the last SCP from a root, an OU, or an account. There must be at
least one SCP attached to every root, OU, and account at all times.
To detach an SCP from the root, OU, or account, you need permission to run the
following action:
- AWS Management Console
-
You can detach an SCP by either navigating to the policy or to the root,
OU, or account that you want to detach the policy from.
To detach an SCP by navigating to the root, OU, or account it's
attached to
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the AWS accounts page navigate to the Root, OU, or account that
you want to detach a policy from. You might have to expand OUs (choose the
) to find the OU or account that you want. Choose the name of
the Root, OU, or account.
-
On the Policies tab, choose the radio button
next to the SCP that you want to detach, and then choose
Detach.
-
In the confirmation dialog box, choose Detach
policy.
The list of attached SCPs is updated. The policy change caused by
detaching the SCP takes effect immediately. For example, detaching
an SCP immediately affects the permissions of IAM users and roles
in the formerly attached account or accounts under the formerly
attached organization root or OU.
To detach an SCP by navigating to the policy
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Service control policies page, choose the name of the policy that
you want to detach from a root, OU, or account.
-
On the Targets tab, choose the radio button
next to the root, OU, or account that you want to detach the policy
from. You might have to expand OUs (choose the
) to find the OU or account that you want.
-
Choose Detach.
-
In the confirmation dialog box, choose
Detach.
The list of attached SCPs is updated. The policy change caused by
detaching the SCP takes effect immediately. For example, detaching
an SCP immediately affects the permissions of IAM users and roles
in the formerly attached account or accounts under the formerly
attached organization root or OU.
- AWS CLI & AWS SDKs
-
To detach an SCP from a root, OU, or account
You can use one of the following commands to detach an SCP:
The policy change takes effect immediately, affecting the permissions of
IAM users and roles in the attached account or all accounts under the
attached root or OU
