AWS Organizations
User Guide

Managing Organization Policies

Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization. You can use policies only after you enable all features in your organization. You can apply policies to the following entities in your organization:

  • A root. A policy applied to a root applies to all accounts in the organization.

  • An OU. A policy applied to an OU applies to all accounts in the OU and to any child OUs.

  • An account. A policy applied to an account applies only to that one account.

Notes

  • Service control policies never apply to the master account, no matter which root or OU the master account is located in.

  • Currently, service control policy (SCP) is the only supported policy type.

For procedures that are specific to each type of policy, see the following topics:

  • Service control policies. Service control policies (SCPs) are similar to IAM permission policies and use almost exactly the same syntax. However, an SCP never grants permissions. Instead, think of an SCP as a "filter" that restricts which services and actions the users and roles in the attached accounts can use. An SCP applied at the root cascades to the OUs below it. An OU at the next level down gets the mathematical intersection of the permissions flowing down from the parent root and the SCPs that are attached to the child OU. In other words, an account has only those permissions permitted by every SCP attached to the account itself, to each OU above it, and to the root. If a permission is blocked at any of those levels, either implicitly (by not being included in an "Allow" policy statement) or explicitly (by being included in a "Deny" policy statement), then no user or role in the affected account can use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user.
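The intersection described above, modeled in Python as an added example; this is not code from the AWS Organizations User Guide or from AWS. It evaluates only the Effect and Action elements (Resource, Condition, NotAction and the master-account exemption are ignored), and the organization path, the SCPs, the IAM policies and the account ID 111122223333 are constructed for the example.

```python
"""Model of SCP inheritance in AWS Organizations (added example, not AWS code).

An action is usable in an account only if every level from the root down to the
account permits it (the intersection of the levels), and then only if an IAM
identity policy in the account grants it. Assumption: only Effect and Action
are evaluated; Resource, Condition, NotAction and the master-account exemption
are ignored.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list wherever a list is expected."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """The Statement element may be one object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def policies_allow(policies, action):
    """Evaluate the union of the policies attached at one level (or the IAM
    identity policies of a principal). The action is permitted only if some
    Allow statement matches it and no Deny statement matches it: an explicit
    Deny always wins, and the absence of a matching Allow is an implicit deny."""
    allowed = denied = False
    for policy in policies:
        for stmt in _statements(policy):
            if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def blocking_level(path, action):
    """path is a list of (level_name, [scp, ...]) pairs ordered root -> OU(s) -> account.
    Return the name of the first level whose attached SCPs do not permit the
    action, or None when every level permits it (the intersection across levels)."""
    for name, scps in path:
        if not policies_allow(scps, action):
            return name
    return None


def action_permitted(path, identity_policies, action):
    """SCPs only filter: the principal's IAM identity policies must still grant the action."""
    return blocking_level(path, action) is None and policies_allow(identity_policies, action)


# --- constructed sample organization (assumption, not from the page) ---
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list SCP attached to the Sandbox OU beside FullAWSAccess: it carves out
# actions that would let an account escape the organization's guardrails.
PROTECT_GUARDRAILS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging",
               "cloudtrail:DeleteTrail"],
    "Resource": "*"}]}

# Allow-list SCP attached to one account *in place of* FullAWSAccess: anything
# not listed here is implicitly blocked for that account.
COMPUTE_AND_STORAGE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

SANDBOX_ACCOUNT_PATH = [
    ("root", [FULL_AWS_ACCESS]),
    ("ou/Sandbox", [FULL_AWS_ACCESS, PROTECT_GUARDRAILS]),
    ("account/111122223333", [COMPUTE_AND_STORAGE_ONLY]),
]

ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS  # AdministratorAccess is */*
S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


if __name__ == "__main__":
    for action in ("s3:GetObject", "cloudtrail:StopLogging",
                   "iam:CreateUser", "ec2:RunInstances"):
        print(f"{action:24} blocked_at={str(blocking_level(SANDBOX_ACCOUNT_PATH, action)):22} "
              f"admin={action_permitted(SANDBOX_ACCOUNT_PATH, [ADMINISTRATOR_ACCESS], action)} "
              f"s3_read_only={action_permitted(SANDBOX_ACCOUNT_PATH, [S3_READ_ONLY], action)}")
```

Running the file prints which level blocks each sample action. The point to notice is the account-level allow-list SCP: because it replaces FullAWSAccess instead of sitting beside it, every action it does not name is implicitly blocked, so iam:CreateUser fails even for a principal with AdministratorAccess, while cloudtrail:StopLogging is stopped one level higher by the explicit Deny on the OU. When you convert an entity from FullAWSAccess to an allow list, attach the allow list first and detach FullAWSAccess second, because the last SCP on an entity cannot be detached.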

Important

When you disable a policy type in a root, all policies of that type are automatically detached from all entities in that root. If you re-enable the policy type, that root reverts to the default state for that policy type. For example, if you re-enable SCPs in a root, then all entities in that root are initially attached only to the default SCP FullAWSAccess policy. Any attachments of policies to entities from before the policy type was disabled are lost and are not automatically recoverable.

The following procedures apply to all policy types. You must enable a policy type in a root before you can attach policies of that type to any entities in that root.

Listing and Displaying Information about Organization Policies

This section describes various ways to get details about the policies in your organization.

Listing All Policies in the Organization

Minimum permissions

To list the policies within your organization, you must have the following permission:

  • organizations:ListPolicies

To list all policies in the organization (Console)

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. Choose the Policies tab.

    The displayed list includes the policies of all types that are currently defined in the organization.

To list all policies in an organization (AWS CLI, AWS API)

Use the aws organizations list-policies command (AWS CLI) or the ListPolicies operation (AWS API). Both require a policy-type filter, currently SERVICE_CONTROL_POLICY, and return the ID, ARN, name, description, and type of each policy but not its content.

Listing All Policies Attached to a Root, OU, or Account

Minimum permissions

To list the policies that are attached to a root, OU, or account within your organization, you must have the following permission:

  • organizations:ListPoliciesForTarget with a Resource element in the same policy statement that includes the ARN of the specified target (or "*").

To list all policies that are attached directly to a specified root, OU, or account (Console)

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Organize accounts tab, navigate to the root, OU, or account whose policy attachments you want to see.

    1. For a root or OU, do not select any check boxes. This way, the details pane on the right shows the information about the root or OU that you are viewing. Alternatively, you can navigate to the parent of the OU, and then select the check box for the OU whose information you want to see.

    2. For an account, check the box for the account.

  3. In the details pane on the right, expand the Service control policies section.

    The displayed list shows all policies that are attached directly to this entity. It also shows policies that affect this entity because of inheritance from the root or a parent OU.

To list all policies that are attached directly to a specified root, OU, or account (AWS CLI, AWS API)

Use the aws organizations list-policies-for-target command (AWS CLI) or the ListPoliciesForTarget operation (AWS API), passing the ID of the root, OU, or account and the policy-type filter. Unlike the console view, this returns only the policies attached directly to that target. To see everything that affects an account, repeat the call for each OU on the account's path to the root and for the root itself.

Listing All Roots, OUs, and Accounts That a Policy Is Attached To

Minimum permissions

To list the entities that a policy is attached to, you must have the following permission:

  • organizations:ListTargetsForPolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*").

To list all roots, OUs, and accounts that have a specified policy attached (Console)

  1. Choose the Policies tab, and select the check box next to the policy that you're interested in.

  2. In the details pane on the right, choose one of the following:

    • Accounts to see the list of accounts that the policy is directly attached to

    • Organizational units to see the list of OUs that the policy is directly attached to

    • Roots to see the list of roots that the policy is directly attached to

To list all roots, OUs, and accounts that have a specified policy attached (AWS CLI, AWS API)

Use the aws organizations list-targets-for-policy command (AWS CLI) or the ListTargetsForPolicy operation (AWS API) with the policy ID. Each returned target includes its ID, ARN, name, and type (ROOT, ORGANIZATIONAL_UNIT, or ACCOUNT).

Getting Details About a Policy

Minimum permissions

To display the details of a policy, you must have the following permission:

  • organizations:DescribePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*").

To get details about a policy (Console)

  1. Choose the Policies tab, and select the check box next to the policy that you're interested in.

    The details pane on the right displays the available information about the policy, including its ARN, description, and attachments.

  2. To view the content of the policy, choose Policy editor.

    The center pane shows the following information:

    • The details about the policy: its name, description, unique ID, and ARN.

    • The list of roots, OUs, and accounts that the policy is attached to. Choose each item to see the individual entities of each type.

    • The policy's content (specific to the type of policy):

      • For SCPs, the JSON text that defines the permissions that are allowed in attached accounts

      To update the contents of the policy document, choose Edit . Choose Save when you are done. For more details, see the next section.

To get details about a policy (AWS CLI, AWS API)

Use the aws organizations describe-policy command (AWS CLI) or the DescribePolicy operation (AWS API) with the policy ID. The response includes the policy summary (ID, ARN, name, description, type, and whether it is AWS managed) together with the policy's JSON content.

Editing a Policy

Minimum permissions

To edit a policy, you must have the following permissions:

  • organizations:DescribePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*").

  • organizations:UpdatePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*").

Enabling and Disabling a Policy Type on a Root

Before you can attach a policy of any type to a root, you must first enable that root to support the specified type of policy.

Note

  • Currently, you can have only one root in an organization.

  • Currently, a service control policy (SCP) is the only supported policy type.

Important

When you disable a policy type in a root, all policies of that type are automatically detached from all entities in that root. If you re-enable the policy type, that root reverts to the default state for that policy type. For example, if you re-enable SCPs in a root, then all entities in that root are initially attached to only the default FullAWSAccess policy. Any attachments of policies to entities from before the policy type was disabled are lost and are not automatically recoverable.

Minimum permissions

To enable a policy type in a root in your organization, you must have the following permissions:

  • organizations:EnablePolicyType

  • organizations:DescribeOrganization

To disable a policy type in a root, you need organizations:DisablePolicyType in place of organizations:EnablePolicyType.

To enable or disable a policy type on a root (Console)

When you sign in to your organization's master account, you can enable or disable policy types on a root.

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Organize accounts tab, choose Home to see the available roots.

  3. Select the check box for the root in which you want to enable a policy type.

  4. In the details pane on the right side of the screen, perform one of the following steps.

    • Service control policies (SCPs)

      • To enable SCPs in this root — next to Service control policies are disabled, choose Enable.

      • To disable SCPs in this root — next to Service control policies are enabled, choose Disable.

        Note

        Disabling a policy type automatically detaches all policies of that type from every entity in the root (see the Important note above), and those attachments are not recoverable. Record the current attachments, for example by listing the targets of each policy, before you choose Disable.

To enable or disable a policy type on a root (AWS CLI, AWS API)

Use the aws organizations enable-policy-type or disable-policy-type command (AWS CLI), or the EnablePolicyType or DisablePolicyType operation (AWS API), with the root ID and the policy type SERVICE_CONTROL_POLICY.

Attaching a Policy to Roots, OUs, or Accounts

When signed in to your organization's master account, you can attach a policy that you previously created to the root, to an OU, or directly to an account. To attach a policy, complete the following steps.

Minimum permissions

To attach a policy to a root, OU, or account, you must have the following permission:

  • organizations:AttachPolicy with a Resource element in the same policy statement that includes "*" or the ARN of the specified policy and the ARN of the root, OU, or account that you want to attach the policy to.

To attach a policy to a root, OU, or account (Console)

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Organize accounts tab, navigate to and select the check box for the root, OU, or account to which you want to attach the policy.

  3. In the Details pane on the right, expand the CONTROL POLICIES section to see the list of the currently attached policies, and then choose Attach policy.

  4. On the list of available policies, find the one that you want and choose Attach. The list of attached policies is updated with the new addition. The policy goes into effect immediately. For example, an SCP immediately affects the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.

To attach a policy to a root, OU, or account (AWS CLI, AWS API)

Use the aws organizations attach-policy command (AWS CLI) or the AttachPolicy operation (AWS API) with the policy ID and the ID of the root, OU, or account to attach it to. The policy takes effect immediately, so review its content with describe-policy before attaching it at a root or a large OU.

Detaching a Policy from Roots, OUs, or Accounts

When signed in to your organization's master account, you can detach a policy from the root, OU, or account that it is attached to. After you detach a policy from an entity, the policy no longer applies to the accounts that inherited it through that entity, unless the same policy is also attached to another OU or root above those accounts. To detach a policy, complete the following steps.

Note

You cannot detach the last service control policy (SCP) from an entity. There must be at least one SCP attached to all entities at all times.

Minimum permissions

To detach a policy from a root, OU, or account, you must have the following permission:

  • organizations:DetachPolicy

To detach a policy from a root, OU, or account (Console)

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Organize accounts tab, navigate to and select the check box for the root, OU, or account from which you want to detach the policy.

  3. In the Details pane on the right, expand the CONTROL POLICIES section to see the list of the currently attached policies. The Source field tells you where the policy comes from. It can be attached directly to the account or OU, or could be attached to a parent OU or root.

  4. Choose the X next to the policy that you want to detach. The list of attached policies is updated with the chosen policy removed. The policy change caused by detaching the policy goes into effect immediately. For example, detaching a service control policy (SCP) immediately affects the permissions of IAM users and roles in the formerly attached account or accounts under the formerly attached root or OU.

To detach a policy from a root, OU, or account (AWS CLI, AWS API)

Use the aws organizations detach-policy command (AWS CLI) or the DetachPolicy operation (AWS API) with the policy ID and the ID of the root, OU, or account it is attached to. The call fails if the policy is the last SCP attached to that entity.

Deleting a Policy

When signed in to your organization's master account, you can delete a policy that you no longer need in your organization.

Notes

  • Before you can delete a policy, you must first detach it from all attached entities.

  • You cannot delete any AWS-managed SCP such as the one named FullAWSAccess.

To delete a policy, complete the following steps.

Minimum permissions

To delete a policy, you must have the following permission:

  • organizations:DeletePolicy

To delete a policy (Console)

  1. Sign in to the AWS Management Console and open the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. The policy that you want to delete must first be detached from all roots, OUs, and accounts. Follow the steps in Detaching a Policy from Roots, OUs, or Accounts to detach the policy from all entities in the organization.

  3. On the Policies tab, choose All policies, and then select the policy that you want to delete.

  4. Choose Delete policy.

  5. In the Delete policy dialog box, choose Delete.

To delete a policy (AWS CLI, AWS API)

Use the aws organizations delete-policy command (AWS CLI) or the DeletePolicy operation (AWS API) with the policy ID. The call fails while the policy is still attached to any root, OU, or account, and it cannot be used on an AWS-managed policy such as FullAWSAccess.