AWS::Organizations::Policy - AWS CloudFormation

AWS::Organizations::Policy

Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account.

For more information about policies and their use, see Managing Organization Policies.

If the request includes tags, then the requester must have the organizations:TagResource permission.

This operation can be called only from the organization's management account.

Note

Before you can create a policy of a given type, you must first enable that policy type in your organization.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Organizations::Policy", "Properties" : { "Content" : String, "Description" : String, "Name" : String, "Tags" : [ Tag, ... ], "TargetIds" : [ String, ... ], "Type" : String } }

YAML

Type: AWS::Organizations::Policy Properties: Content: String Description: String Name: String Tags: - Tag TargetIds: - String Type: String

Properties

Content

The policy text content.

Required: Yes

Type: String

Minimum: 1

Maximum: 1000000

Pattern: [\s\S]*

Update requires: No interruption

Description

Human readable description of the policy.

Required: No

Type: String

Maximum: 512

Pattern: [\s\S]*

Update requires: No interruption

Name

Name of the policy.

The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: [\s\S]*

Update requires: No interruption

Tags

A list of tags that you want to attach to the newly created policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null. For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

Note

If any one of the tags is invalid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.

Required: No

Type: List of Tag

Update requires: No interruption

TargetIds

List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to. You can get the ID by calling the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.

The regex pattern for a target ID string requires one of the following:

  • Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.

  • Account - A string that consists of exactly 12 digits.

  • Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

Required: No

Type: List of String

Maximum: 100

Pattern: ^(r-[0-9a-z]{4,32})|(\d{12})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$

Update requires: No interruption

Type

The type of policy to create.

Required: Yes

Type: String

Allowed values: AISERVICES_OPT_OUT_POLICY | BACKUP_POLICY | SERVICE_CONTROL_POLICY | TAG_POLICY

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Id. For example: p-examplepolicyid111.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

Returns the Amazon Resource Name (ARN) of the policy. For example: arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111.

AwsManaged

Returns a boolean value that indicates whether the specified policy is an AWS managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it. For example: true | false.

Id

Returns the unique identifier (ID) of the policy. For example: p-examplepolicyid111.