AWS Organizations
User Guide

Managing AWS Organizations Policies

Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization. You can use policies when all features are enabled in your organization.

Policy Types

Organizations offers the following policy types:

  • Service control policies (SCPs) offer central control over the maximum available permissions for all accounts in your organization.

  • Tag policies help you standardize tags across resources in your organization's accounts.

The AWS Organizations console displays the enabled and disabled status of each policy type. On the Organize accounts tab, choose the Root in the left navigation pane. The details pane on the right side of the screen shows all of the available policy types. The list indicates which are enabled and which are disabled in that organization root. If the option to Enable a type is present, that type is currently disabled. If the option to Disable a type is present, that type is currently enabled.

Listing Policy Information

This section describes various ways to get details about the policies in your organization. These procedures apply to all policy types. You must enable a policy type on the organization root before you can attach policies of that type to any entities in that organization root.

Listing All Policies

Minimum permissions

To list the policies within your organization, you must have the following permission:

  • organizations:ListPolicies

To list all policies in your organization (console)

  1. Sign in to the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. Choose the Policies tab.

  3. Choose the policy type: Service control policies or Tag policies.

    The displayed list includes all policies of that type that are currently defined in the organization.

To list all policies in your organization (AWS CLI, AWS API)

You can use one of the following commands to list policies in an organization:

Listing All Policies Attached to a Root, OU, or Account

Minimum permissions

To list the policies that are attached to a root, OU, or account within your organization, you must have the following permission:

  • organizations:ListPoliciesForTarget with a Resource element in the same policy statement that includes the ARN of the specified target (or "*")

To list all policies that are attached directly to a specified root, OU, or account (console)

  1. Sign in to the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Organize accounts tab, navigate to the root, OU, or account whose policy attachments you want to see.

    1. For a root or OU, don't select any check boxes. This way, the details pane on the right shows the information about the root or OU that you are viewing. Alternatively, you can navigate to the parent of the OU, and then select the check box for the OU whose information you want to see.

    2. For an account, check the box for the account.

  3. In the details pane on the right, expand the Service control policies or Tag policies section.

    The displayed list shows all policies of that type that are attached directly to this entity. It also shows policies that affect this entity because of inheritance from the root or a parent OU.

To list all policies that are attached directly to a specified root, OU, or account (AWS CLI, AWS API)

You can use one of the following commands to list policies that are attached to an entity:
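The two procedures above look at one entity at a time, but the console note that an entity is also affected by policies inherited from the root or a parent OU is the part practitioners most often need to reproduce programmatically. The following is an added example, not code from the AWS Organizations User Guide: it walks from an account up to the root with ListParents and collects the policies attached at each level with ListPoliciesForTarget. The function names `list_parents` and `list_policies_for_target` and the `Filter` values are the boto3 Organizations client's; `FakeOrganizations`, the root/OU IDs (`r-exmp`, `ou-exmp-workload`), the account number and the policy names are constructed sample data so the example runs offline.

```python
"""Resolve the policies that apply to an account directly and by inheritance.

Added example, not from the AWS Organizations User Guide. It talks to a
boto3-style Organizations client; FakeOrganizations is a constructed stand-in
and every ID in it is a placeholder, not a real identifier.
"""
from typing import Dict, List

SCP = "SERVICE_CONTROL_POLICY"   # boto3 Filter value for SCPs
TAG = "TAG_POLICY"               # boto3 Filter value for tag policies


def direct_policies(client, target_id: str, policy_type: str) -> List[dict]:
    """Policies attached directly to one root, OU, or account (ListPoliciesForTarget, paginated)."""
    policies, kwargs = [], {"TargetId": target_id, "Filter": policy_type}
    while True:
        page = client.list_policies_for_target(**kwargs)
        policies.extend(page.get("Policies", []))
        if not page.get("NextToken"):
            return policies
        kwargs["NextToken"] = page["NextToken"]


def ancestry(client, child_id: str) -> List[str]:
    """IDs from the entity up to the root, entity first.

    An account or OU has exactly one parent, so ListParents is followed
    until the parent is of type ROOT."""
    chain, current = [child_id], child_id
    while True:
        parents = client.list_parents(ChildId=current)["Parents"]
        if not parents:
            return chain  # defensive: stop if the API returns no parent
        parent = parents[0]
        chain.append(parent["Id"])
        if parent["Type"] == "ROOT":
            return chain
        current = parent["Id"]


def effective_policies(client, account_id: str, policy_type: str = SCP) -> Dict[str, List[str]]:
    """Map each entity in the account's ancestry (account first, root last) to
    the names of the policies attached there. For SCPs this is the inheritance
    chain: an action is available to the account only if every level allows it."""
    return {entity: [p["Name"] for p in direct_policies(client, entity, policy_type)]
            for entity in ancestry(client, account_id)}


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client; responses mimic the API shape."""
    _parents = {"111111111111": {"Id": "ou-exmp-workload", "Type": "ORGANIZATIONAL_UNIT"},
                "ou-exmp-workload": {"Id": "r-exmp", "Type": "ROOT"}}
    _attached = {"r-exmp": ["FullAWSAccess"],
                 "ou-exmp-workload": ["FullAWSAccess", "DenyLeaveOrganization"],
                 "111111111111": ["DenyRegionsOutsideEU"]}

    def list_parents(self, ChildId):
        return {"Parents": [self._parents[ChildId]] if ChildId in self._parents else []}

    def list_policies_for_target(self, TargetId, Filter, NextToken=None):
        names = self._attached.get(TargetId, []) if Filter == SCP else []
        return {"Policies": [{"Id": f"p-{n.lower()}", "Name": n, "Type": Filter} for n in names]}


if __name__ == "__main__":
    # Real use: client = boto3.client("organizations"); the caller needs
    # organizations:ListParents and organizations:ListPoliciesForTarget.
    for entity, names in effective_policies(FakeOrganizations(), "111111111111").items():
        print(f"{entity}: {', '.join(names) or '(none)'}")
```

Reading the output bottom-up (root first) gives the same picture as the console's details pane: what is attached at the root, what each OU adds, and what the account itself carries. Passing `TAG` instead of the default resolves tag policies the same way.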

Listing All Roots, OUs, and Accounts That a Policy Is Attached To

Minimum permissions

To list the entities that a policy is attached to, you must have the following permission:

  • organizations:ListTargetsForPolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")

To list all roots, OUs, and accounts that have a specified policy attached (console)

  1. Choose the Policies tab.

  2. Choose the policy type: Service control policies or Tag policies.

  3. Select the check box next to the policy that you're interested in.

  4. In the details pane on the right, choose one of the following:

    • Accounts to see the list of accounts that the policy is directly attached to

    • Organizational units to see the list of OUs that the policy is directly attached to

    • Roots to see the list of roots that the policy is directly attached to

To list all roots, OUs, and accounts that have a specified policy attached (AWS CLI, AWS API)

You can use one of the following commands to list entities that have a policy:

Getting Details About a Policy

Minimum permissions

To display the details of a policy, you must have the following permission:

  • organizations:DescribePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")

To get details about a policy (console)

  1. Choose the Policies tab.

  2. Choose the policy type: Service control policies or Tag policies.

  3. Select the check box next to the policy that you're interested in.

    The details pane on the right displays the available information about the policy, including its ARN, description, and attachments.

  4. To view the content of the policy, choose Policy editor.

    The center pane shows the following information:

    • The details about the policy: its name, description, unique ID, and ARN.

    • The list of roots, OUs, and accounts that the policy is attached to. Choose each item to see the individual entities of each type.

    • The policy's content (specific to the type of policy):

      • For SCPs, the JSON text that defines the permissions that are allowed in attached accounts.

      • For tag policies, the JSON text that defines compliant tags for specified resource types.

      To update the contents of the policy document, choose Edit. Choose Save when you are done. For more details, see the next section.

To get details about a policy (AWS CLI, AWS API)

You can use one of the following commands to get details about a policy:
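The console's policy editor shows the policy's metadata, its attachments and its JSON content together; the same three pieces come back from DescribePolicy (metadata plus the content as a JSON string) and ListTargetsForPolicy. The following is an added example, not code from the AWS Organizations User Guide: it parses an SCP's content into one row per statement, rejects content that is not a policy document, and combines the result with the attachment list into a single review record. The two response dictionaries are constructed to match the shape of the real API responses; the policy ID `p-exmp0001`, the organization ID `o-exmp`, the OU ID and the account numbers are placeholders.

```python
"""Summarize a policy from DescribePolicy and ListTargetsForPolicy responses.

Added example, not from the AWS Organizations User Guide. Both responses
below are constructed sample data shaped like the real API output; every
identifier in them is a placeholder.
"""
import json
from typing import List

# Constructed DescribePolicy response: PolicySummary plus the document as a JSON string.
DESCRIBE_RESPONSE = {
    "Policy": {
        "PolicySummary": {
            "Id": "p-exmp0001",
            "Arn": "arn:aws:organizations::111111111111:policy/o-exmp/service_control_policy/p-exmp0001",
            "Name": "DenyLeaveOrganization",
            "Description": "Prevent member accounts from leaving the organization",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": False,
        },
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
                {"Effect": "Deny", "Action": ["account:Close*"], "Resource": "*",
                 "Condition": {"StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdmin"}}},
            ],
        }),
    }
}

# Constructed ListTargetsForPolicy response for the same policy.
TARGETS_RESPONSE = {
    "Targets": [
        {"TargetId": "ou-exmp-workload", "Type": "ORGANIZATIONAL_UNIT", "Name": "Workloads",
         "Arn": "arn:aws:organizations::111111111111:ou/o-exmp/ou-exmp-workload"},
        {"TargetId": "222222222222", "Type": "ACCOUNT", "Name": "prod-data",
         "Arn": "arn:aws:organizations::111111111111:account/o-exmp/222222222222"},
    ]
}


def _as_list(value) -> List[str]:
    """Policy fields such as Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def parse_statements(content: str) -> List[dict]:
    """Turn the Content string of a policy into one row per statement.

    Raises ValueError when the content is not valid JSON or has no Statement,
    so a malformed document is reported instead of silently yielding no rows."""
    try:
        doc = json.loads(content)
    except json.JSONDecodeError as err:
        raise ValueError(f"policy content is not valid JSON: {err}") from None
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if isinstance(statements, dict):      # a single statement may appear without a list
        statements = [statements]
    if not isinstance(statements, list):
        raise ValueError("policy document has no Statement list")
    return [{
        "sid": stmt.get("Sid", ""),
        "effect": stmt.get("Effect"),
        "actions": _as_list(stmt.get("Action")),
        "not_actions": _as_list(stmt.get("NotAction")),
        "resources": _as_list(stmt.get("Resource")),
        "conditional": "Condition" in stmt,
    } for stmt in statements]


def summarize(describe_response: dict, targets_response: dict) -> dict:
    """Combine metadata, parsed statements and attachment targets into one review record."""
    policy = describe_response["Policy"]
    meta = policy["PolicySummary"]
    rows = parse_statements(policy["Content"])
    attached = {}
    for target in targets_response.get("Targets", []):
        attached.setdefault(target["Type"], []).append(target["TargetId"])
    return {
        "id": meta["Id"],
        "name": meta["Name"],
        "type": meta["Type"],
        "aws_managed": meta["AwsManaged"],
        "statements": len(rows),
        "deny_actions": sorted(a for r in rows if r["effect"] == "Deny" for a in r["actions"]),
        "conditional_statements": sum(r["conditional"] for r in rows),
        "attached_to": attached,
        "attached": bool(attached),   # an unattached policy has no effect anywhere
    }


if __name__ == "__main__":
    # Real use: client.describe_policy(PolicyId=...) and client.list_targets_for_policy(PolicyId=...)
    # with organizations:DescribePolicy and organizations:ListTargetsForPolicy on that policy's ARN.
    print(json.dumps(summarize(DESCRIBE_RESPONSE, TARGETS_RESPONSE), indent=2))
```

Run over every policy returned by ListPolicies, the record answers the review questions the console procedures above answer one policy at a time: which actions a policy denies, whether a deny is conditional, and whether the policy is attached anywhere at all.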