Deleting organization policies with AWS Organizations

When you no longer need a policy and after you detach it from all organizational units (OUs) and accounts, you can delete it.

This topic describes how to delete policies with AWS Organizations. A policy defines the controls that you want to apply to a group of AWS accounts. AWS Organizations supports management policies and authorization policies.

Topics

Delete policies with AWS Organizations

Delete policies with AWS Organizations

When you sign in to your organization's management account, you can delete a policy that you no longer need in your organization.

Before you can delete a policy, you must first detach it from all attached entities.

Note

You can't delete any AWS managed SCP such as the SCP named FullAWSAccess.

Minimum permissions

To delete a policy, you need permission to run the following action:

organizations:DeletePolicy

Backup policies

To delete a backup policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the Backup policies page, choose the name of the backup policy that you want to delete.
You must first detach the backup policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
Choose Delete at the top of the page.
On the confirmation dialog box, enter the name of the policy, and then choose Delete.

Tag policies

To delete a tag policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the Tag policies page page, choose the policy that you want to delete.
You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that's shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach.
Choose Delete at the top of the page.
On the confirmation dialog box, enter the name of the policy, and then choose Delete.

Chatbot policies

To delete a chatbot policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the Chatbot policies page, choose the name of the policy that you want to delete.
You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
Choose Delete at the top of the page.
On the confirmation dialog box, enter the name of the policy, and then choose Delete.

AI services opt-out policies

To delete an AI services opt-out policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the AI services opt-out policies page, choose the name of the policy that you want to delete.
You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
Choose Delete at the top of the page.
On the confirmation dialog box, enter the name of the policy, and then choose Delete.

Service control policies (SCPs)

To delete an SCP

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the Service control policies page, choose the name of the SCP that you want to delete.
You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
Choose Delete at the top of the page.
On the confirmation dialog box, enter the name of the policy, and then choose Delete.

To delete an a policy

The following code examples show how to use DeletePolicy.

.NET

AWS SDK for .NET

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Deletes an existing AWS Organizations policy.
    /// </summary>
    public class DeletePolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and then uses it to
        /// delete the policy with the specified policyId.
        /// </summary>
        public static async Task Main()
        {
            // Create the client object using the default account.
            IAmazonOrganizations client = new AmazonOrganizationsClient();

            var policyId = "p-00000000";

            var request = new DeletePolicyRequest
            {
                PolicyId = policyId,
            };

            var response = await client.DeletePolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully deleted Policy: {policyId}.");
            }
            else
            {
                Console.WriteLine($"Could not delete Policy: {policyId}.");
            }
        }
    }

For API details, see DeletePolicy in AWS SDK for .NET API Reference.

CLI

AWS CLI

To delete a policy

The following example shows how to delete a policy from an organization. The example assumes that you previously detached the policy from all entities:


aws organizations delete-policy --policy-id p-examplepolicyid111

For API details, see DeletePolicy in AWS CLI Command Reference.

Python

SDK for Python (Boto3)

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


def delete_policy(policy_id, orgs_client):
    """
    Deletes a policy.

    :param policy_id: The ID of the policy to delete.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.delete_policy(PolicyId=policy_id)
        logger.info("Deleted policy %s.", policy_id)
    except ClientError:
        logger.exception("Couldn't delete policy %s.", policy_id)
        raise

For API details, see DeletePolicy in AWS SDK for Python (Boto3) API Reference.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Getting policy details

Tagging resources