Attaching and detaching backup
policies
You can use backup policies on an entire organization as well as on organizational units
(OUs) and individual accounts. Keep the following points in mind:
-
When you attach a backup policy to your organization root,
the policy applies to all of that root's member OUs and accounts.
-
When you attach a backup policy to an OU, that policy applies
to the accounts that belong to the OU or any of its child OUs. Those accounts are
also subject to any policy attached to the organization root.
-
When you attach a backup policy to an account, that policy
applies to only that account. The account is also subject to any policy attached to
the organization root and any OUs that the account belongs to.
The aggregation of any backup policies the account inherits from the root and parent OUs,
as well as any policies directly attached to the account, is the effective
policy. For information about how policies are merged to the
effective policy, see Understanding management policy
inheritance.
Attaching a backup policy
When you sign in to your organization's management account, you can attach a backup
policy to the organization's root, OU, or directly to an account.
To attach backup policies, you must have permission to run the following
action:
- AWS Management Console
-
You can attach a backup policy by either navigating to the policy or to
the root, OU, or account that you want to attach the policy to.
To attach a backup policy by navigating to the root, OU, or
account
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the AWS accounts page, navigate to and then choose the name of
the root, OU, or account that you want to attach a policy to.
You might have to expand OUs (choose the
) to find the OU or account that you want.
-
In the Policies tab, in the entry for
Backup policies, choose
Attach.
-
Find the policy that you want and choose Attach
policy.
The list of attached backup policies on the
Policies tab is updated to include the new
addition. The policy change takes effect immediately.
To attach a backup policy by navigating to the policy
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Backup policies page, choose the name of the policy
that you want to attach.
-
On the Targets tab, choose
Attach.
-
Choose the radio button next to the root, OU, or account that you
want to attach the policy to. You might have to expand OUs (choose the
) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached backup policies on the
Targets tab is updated to include the new
addition. The policy change takes effect immediately.
- AWS CLI & AWS SDKs
-
To attach a backup policy to the organization root, OU, or
account
You can use one of the following commands to attach a backup
policy:
The policy change takes effect immediately.
Detaching a backup policy
When you sign in to your organization's management account, you can detach a backup
policy from the organization's root, OU, or account that it is attached to. After you
detach a backup policy from an entity, that policy no longer applies to any account that
was previously affected by the now detached entity. To detach a policy, complete the
following steps.
To detach a backup policy from the organization root, OU, or account, you must
have permission to run the following action:
- AWS Management Console
-
You can detach a backup policy by either navigating to the policy or to
the root, OU, or account that you want to detach the policy from.
To detach a backup policy by navigating to the root, OU, or account
it's attached to
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the AWS accounts page navigate to the Root, OU, or account that
you want to detach a policy from. You might have to expand OUs (choose the
) to find the OU or account that you want. Choose the name of
the Root, OU, or account.
-
On the Policies tab, choose the radio button
next to the backup policy that you want to detach, and then choose
Detach.
-
In the confirmation dialog box, choose Detach
policy.
The list of attached backup policies is updated. The policy change
takes effect immediately.
To detach a backup policy by navigating to the policy
-
Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Backup policies page, choose the name of the policy
that you want to detach from a root, OU, or account.
-
On the Targets tab, choose the radio button
next to the root, OU, or account that you want to detach the policy
from. You might have to expand OUs (choose the
) to find the OU or account that you want.
-
Choose Detach.
-
In the confirmation dialog box, choose
Detach.
The list of attached backup policies is updated. The policy change
takes effect immediately.
- AWS CLI & AWS SDKs
-
To detach a backup policy from the organization root, OU, or
account
You can use one of the following commands to detach a backup
policy:
-
AWS CLI: detach-policy
The following example detaches a policy from an OU.
$
aws organizations detach-policy \
--target-id ou-a1b2-f6g7h222 \
--policy-id p-i9j8k7l6m5
This command produces no output when successful.
-
AWS SDKs: DetachPolicy
The policy change takes effect immediately.