Attaching organization policies with Amazon Organizations
This topic describes how to attach policies with Amazon Organizations. A policy defines the controls that you want to apply to a group of Amazon Web Services accounts. Amazon Organizations supports management policies and authorization policies.
Attach policies with Amazon Organizations
Minimum permissions
To attach policies, you must have permission to run the following action:
-
organizations:AttachPolicy
Minimum permissions
To attach an SCP to a root, OU, or account, you need permission to run the following action:
-
organizations:AttachPolicy
with aResource
element in the same policy statement that includes "*" or the Amazon Resource Name (ARN) of the specified policy and the ARN of the root, OU, or account that you want to attach the policy to
- Service control policies (SCPs)
-
You can attach an SCP by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.
To attach an SCP by navigating to the root, OU, or account
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Amazon Web Services accounts
page, navigate to and then choose the check box next to the root, OU, or account that you want to attach an SCP to. You might have to expand OUs (choose the ) to find the OU or account that you want. -
In the Policies tab, in the entry for Service control policies, choose Attach.
-
Find the policy that you want and choose Attach policy.
The list of attached SCPs on the Policies tab is updated to include the new addition. The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.
To attach an SCP by navigating to the policy
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Service control policies
page, choose the name of the policy that you want to attach. -
On the Targets tab, choose Attach.
-
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached SCPs on the Targets tab is updated to include the new addition. The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.
-
- Backup policies
-
You can attach a backup policy by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.
To attach a backup policy by navigating to the root, OU, or account
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Amazon Web Services accounts
page, navigate to and then choose the name of the root, OU, or account that you want to attach a policy to. You might have to expand OUs (choose the ) to find the OU or account that you want. -
In the Policies tab, in the entry for Backup policies, choose Attach.
-
Find the policy that you want and choose Attach policy.
The list of attached backup policies on the Policies tab is updated to include the new addition. The policy change takes effect immediately.
To attach a backup policy by navigating to the policy
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Backup policies
page, choose the name of the policy that you want to attach. -
On the Targets tab, choose Attach.
-
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached backup policies on the Targets tab is updated to include the new addition. The policy change takes effect immediately.
-
- Tag policies
-
You can attach a tag policy by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.
To attach a tag policy by navigating to the root, OU, or account
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Amazon Web Services accounts
page, navigate to and then choose the name of the root, OU, or account that you want to attach a policy to. You might have to expand OUs (choose the ) to find the OU or account that you want. -
In the Policies tab, in the entry for Tag policies, choose Attach.
-
Find the policy that you want and choose Attach policy.
The list of attached tag policies on the Policies tab is updated to include the new addition. The policy change takes effect immediately.
To attach a tag policy by navigating to the policy
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Tag policies
page, choose the name of the policy that you want to attach. -
On the Targets tab, choose Attach.
-
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached tag policies on the Targets tab is updated to include the new addition. The policy change takes effect immediately.
-
- Chatbot policies
-
You can attach a chatbot policy by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.
To attach a chatbot policy by navigating to the root, OU, or account
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Amazon Web Services accounts
page, navigate to and then choose the name of the root, OU, or account that you want to attach a policy to. You might have to expand OUs (choose the ) to find the OU or account that you want. -
In the Policies tab, in the entry for Chatbot policies, choose Attach.
-
Find the policy that you want and choose Attach policy.
The list of attached chatbot policies on the Policies tab is updated to include the new addition. The policy change takes effect immediately.
To attach a chatbot policy by navigating to the policy
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Chatbot policies
page, choose the name of the policy that you want to attach. -
On the Targets tab, choose Attach.
-
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached chatbot policies on the Targets tab is updated to include the new addition. The policy change takes effect immediately.
-
- AI services opt-out policies
-
You can attach an AI services opt-out policy by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.
To attach an AI services opt-out policy by navigating to the root, OU, or account
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the Amazon Web Services accounts
page, navigate to and then choose the name of the root, OU, or account that you want to attach a policy to. You might have to expand OUs (choose the ) to find the OU or account that you want. -
In the Policies tab, in the entry for AI service opt-out policies, choose Attach.
-
Find the policy that you want and choose Attach policy.
The list of attached AI services opt-out policies on the Policies tab is updated to include the new addition. The policy change takes effect immediately.
To attach an AI services opt-out policy by navigating to the policy
-
Sign in to the Amazon Organizations console
. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account. -
On the AI services opt-out policies
page, choose the name of the policy that you want to attach. -
On the Targets tab, choose Attach.
-
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
-
Choose Attach policy.
The list of attached AI services opt-out policies on the Targets tab is updated to include the new addition. The policy change takes effect immediately.
-
The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU
To attach a policy
The following code examples show how to use AttachPolicy
.
- .NET
-
- Amazon SDK for .NET
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository
. using System; using System.Threading.Tasks; using Amazon.Organizations; using Amazon.Organizations.Model; /// <summary> /// Shows how to attach an AWS Organizations policy to an organization, /// an organizational unit, or an account. /// </summary> public class AttachPolicy { /// <summary> /// Initializes the Organizations client object and then calls the /// AttachPolicyAsync method to attach the policy to the root /// organization. /// </summary> public static async Task Main() { IAmazonOrganizations client = new AmazonOrganizationsClient(); var policyId = "p-00000000"; var targetId = "r-0000"; var request = new AttachPolicyRequest { PolicyId = policyId, TargetId = targetId, }; var response = await client.AttachPolicyAsync(request); if (response.HttpStatusCode == System.Net.HttpStatusCode.OK) { Console.WriteLine($"Successfully attached Policy ID {policyId} to Target ID: {targetId}."); } else { Console.WriteLine("Was not successful in attaching the policy."); } } }
-
For API details, see AttachPolicy in Amazon SDK for .NET API Reference.
-
- CLI
-
- Amazon CLI
-
To attach a policy to a root, OU, or account
Example 1
The following example shows how to attach a service control policy (SCP) to an OU:
aws organizations attach-policy --policy-id
p-examplepolicyid111
--target-idou-examplerootid111-exampleouid111
Example 2
The following example shows how to attach a service control policy directly to an account:
aws organizations attach-policy --policy-id
p-examplepolicyid111
--target-id333333333333
-
For API details, see AttachPolicy
in Amazon CLI Command Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository
. def attach_policy(policy_id, target_id, orgs_client): """ Attaches a policy to a target. The target is an organization root, account, or organizational unit. :param policy_id: The ID of the policy to attach. :param target_id: The ID of the resources to attach the policy to. :param orgs_client: The Boto3 Organizations client. """ try: orgs_client.attach_policy(PolicyId=policy_id, TargetId=target_id) logger.info("Attached policy %s to target %s.", policy_id, target_id) except ClientError: logger.exception( "Couldn't attach policy %s to target %s.", policy_id, target_id ) raise
-
For API details, see AttachPolicy in Amazon SDK for Python (Boto3) API Reference.
-
The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU