Prerequisites and permissions for managing tag policies
This page describes the prerequisites and required permissions for managing tag policies in AWS Organizations.
Prerequisites for managing tag policies
Using tag policies requires the following:
- Your organization must have all features enabled.
- You must be signed in to your organization's management account.
- You need the permissions that are listed in Permissions for managing tag policies.
To evaluate compliance with tag policies, you use AWS Resource Groups. For information on requirements for evaluating compliance, see Prerequisites and Permissions in the AWS Resource Groups User Guide.
Permissions for managing tag policies
The following example IAM policy provides permissions for managing tag policies.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageTagPolicies",
            "Effect": "Allow",
            "Action": [
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribePolicy",
                "organizations:ListRoots",
                "organizations:DisableAWSServiceAccess",
                "organizations:DetachPolicy",
                "organizations:DeletePolicy",
                "organizations:DescribeAccount",
                "organizations:DisablePolicyType",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListPolicies",
                "organizations:ListAccountsForParent",
                "organizations:ListAccounts",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListCreateAccountStatus",
                "organizations:DescribeOrganization",
                "organizations:UpdatePolicy",
                "organizations:EnablePolicyType",
                "organizations:DescribeOrganizationalUnit",
                "organizations:AttachPolicy",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:CreatePolicy",
                "organizations:DescribeCreateAccountStatus"
            ],
            "Resource": "*"
        }
    ]
}
For more information on IAM policies and permissions, see the IAM User Guide.
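The example IAM policy above mixes read-only and mutating actions. As an added example (not part of the AWS documentation), the Python below splits its actions into the two groups and derives a view-only policy that a reviewer could grant to auditors. The prefix-based classification, the function names and the `ViewTagPolicies` Sid are assumptions of this example.

```python
# Actions copied from the example policy on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageTagPolicies", "Effect": "Allow", "Resource": "*",
        "Action": ["organizations:" + a for a in """
            ListPoliciesForTarget ListTargetsForPolicy DescribeEffectivePolicy
            DescribePolicy ListRoots DisableAWSServiceAccess DetachPolicy
            DeletePolicy DescribeAccount DisablePolicyType
            ListAWSServiceAccessForOrganization ListPolicies
            ListAccountsForParent ListAccounts EnableAWSServiceAccess
            ListCreateAccountStatus DescribeOrganization UpdatePolicy
            EnablePolicyType DescribeOrganizationalUnit AttachPolicy
            ListParents ListOrganizationalUnitsForParent CreatePolicy
            DescribeCreateAccountStatus""".split()],
    }],
}

# Assumption of this example: List*/Describe* calls only read state.
# Anything else, including a bare "*", is treated as mutating.
READ_PREFIXES = ("List", "Describe")

def allowed_actions(policy):
    """Collect actions from Allow statements; Action may be a string or list."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement
        statements = [statements]
    actions = []
    for st in statements:
        if st.get("Effect") == "Allow":
            act = st.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
    return actions

def split_actions(policy):
    """Return (read_only, mutating) as sorted lists of action names."""
    read, write = set(), set()
    for action in allowed_actions(policy):
        name = action.split(":", 1)[-1]
        (read if name.startswith(READ_PREFIXES) else write).add(action)
    return sorted(read), sorted(write)

def read_only_policy(policy):
    """Build a view-only policy (hypothetical Sid) from the read-only actions."""
    read, _ = split_actions(policy)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ViewTagPolicies", "Effect": "Allow",
        "Action": read, "Resource": "*"}]}
```

Calling `split_actions(PAGE_POLICY)` returns the two lists; the second one holds the actions that change policies, policy types or trusted service access and so deserve the tighter review.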