Getting started with declarative policies - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with declarative policies

Follow these steps to get started using declarative policies.

  1. Learn about the permissions you must have to perform declarative policy tasks.

  2. Enable declarative policies for your organization.

    Note

Enabling trusted access is required

You must enable trusted access for the service whose configuration the declarative policy will set to a baseline. Enabling trusted access creates a read-only service-linked role, which the service uses to generate the account status report: a view of the current configuration in each account across your organization, so you can see what will change before you enforce a baseline.

    Using the console

    If you use the Organizations console, this step is a part of the process for enabling declarative policies.

    Using the Amazon CLI

If you use the Amazon CLI, these are two separate API calls: one enables the declarative policy type for your organization, and the other enables trusted access for the service whose configuration the policy sets. Both must succeed before you run the account status report or attach a policy.

For more information on how to enable trusted access for a specific service with the Amazon CLI, see Amazon Web Services services that you can use with Amazon Organizations.

  3. Run the account status report.

  4. Create a declarative policy.

  5. Attach the declarative policy to your organization's root, OU, or account.

  6. View the combined effective declarative policy that applies to an account.

For all of these steps, you sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
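The six steps above as a single CLI walkthrough, added here as an example; it is not part of the Amazon documentation. It targets EC2 (the service that declarative policies currently cover), so the policy type is DECLARATIVE_POLICY_EC2 and the service principal is ec2.amazonaws.com. The root, OU, account and bucket IDs are placeholders, and the policy document is a constructed example that disables EC2 serial console access and requires IMDSv2; check the attribute names and allowed values against the declarative policy syntax reference before using it. Setting AWS=echo prints the commands instead of running them, which is also how the script can be exercised without credentials.

```shell
#!/bin/sh
# Added example: the declarative policy getting-started steps as CLI calls.
# Not from the Amazon documentation. Run from the management account with
# ROOT_ID, OU_ID, ACCOUNT_ID and REPORT_BUCKET set; all IDs are placeholders.
set -eu

AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Step 2a: trusted access for EC2, the service whose baseline the policy sets.
# This creates the read-only service-linked role used for the status report.
enable_trusted_access() {
  $AWS organizations enable-aws-service-access \
    --service-principal ec2.amazonaws.com
}

# Step 2b: enable the declarative policy type on the organization root.
enable_policy_type() {
  $AWS organizations enable-policy-type \
    --root-id "$1" --policy-type DECLARATIVE_POLICY_EC2
}

# Step 3: account status report, written to an S3 bucket you own, for the
# root, OU or account given as the target. Arguments: bucket, target ID.
start_status_report() {
  $AWS ec2 start-declarative-policies-report \
    --s3-bucket "$1" --target-id "$2"
}

# Constructed policy document (assumed attribute names; verify against the
# syntax reference): no EC2 serial console, IMDSv2 required on new instances.
policy_document() {
  cat <<'EOF'
{
  "ec2_attributes": {
    "serial_console_access": {
      "status": { "@@assign": "disabled" }
    },
    "instance_metadata_defaults": {
      "http_tokens": { "@@assign": "required" }
    }
  }
}
EOF
}

# Step 4: create the policy; prints the new policy ID (p-...). Argument: name.
create_policy() {
  $AWS organizations create-policy \
    --name "$1" --type DECLARATIVE_POLICY_EC2 \
    --description "Baseline EC2 account settings" \
    --content "$(policy_document)" \
    --query 'Policy.PolicySummary.Id' --output text
}

# Step 5: attach the policy to a root, OU or account. Arguments: policy ID, target ID.
attach_policy() {
  $AWS organizations attach-policy --policy-id "$1" --target-id "$2"
}

# Step 6: the combined effective policy for one account (root + OU + account
# policies merged). Argument: 12-digit account ID.
effective_policy() {
  $AWS organizations describe-effective-policy \
    --policy-type DECLARATIVE_POLICY_EC2 --target-id "$1"
}

main() {
  enable_trusted_access
  enable_policy_type "${ROOT_ID:?}"
  start_status_report "${REPORT_BUCKET:?}" "${ROOT_ID:?}"
  policy_id=$(create_policy ec2-baseline)
  attach_policy "$policy_id" "${OU_ID:?}"
  effective_policy "${ACCOUNT_ID:?}"
}

# Only run the full sequence when a root ID was supplied in the environment.
if [ -n "${ROOT_ID:-}" ]; then
  main
fi
```

Review the status report from step 3 before step 5: attaching the policy enforces the baseline immediately on every account under the target, and any account whose current value differs is changed, not merely flagged. Start with one OU, confirm describe-effective-policy shows what you expect for an account in it, then move the attachment to the root.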