Managing organization policies with Amazon Organizations
Policies in Amazon Organizations enable you to apply additional types of management to the Amazon Web Services accounts in your organization. You can use policies when all features are enabled in your organization.
The Amazon Organizations console displays the enabled or disabled status for each policy type. On the Organize accounts tab, choose the Root in the left navigation pane. The details pane on the right side of the screen shows all of the available policy types. The list indicates which are enabled and which are disabled in that organization root. If the option to Enable a type is present, that type is currently disabled. If the option to Disable a type is present, that type is currently enabled.
Policy types
Organizations offers policy types in the following two broad categories:
Authorization policies
Authorization policies help you to centrally manage the security of Amazon Web Services accounts across an organization.
- Service control policies (SCPs) offer central control over the maximum available permissions for IAM users and IAM roles in an organization.
- Resource control policies (RCPs) offer central control over the maximum available permissions for resources in an organization.
Management policies
Management policies help you centrally configure and manage Amazon Web Services services and their features across an organization.
- Declarative policies allow you to centrally declare and enforce desired configurations for a given Amazon Web Services service at scale across an organization. Once attached, the configuration is always maintained when the service adds new features or APIs.
- Backup policies allow you to centrally manage and apply backup plans to the Amazon resources across an organization's accounts.
- Tag policies allow you to standardize the tags attached to the Amazon resources in an organization's accounts.
- Chat applications policies allow you to control access to an organization's accounts from chat applications such as Slack and Microsoft Teams.
- AI services opt-out policies allow you to control data collection for Amazon AI services for all the accounts in an organization.
The following table summarizes some of the characteristics of each policy type. For additional characteristics about these policy types, see Quotas and service limits for Amazon Organizations.
Policy type | Policy category | Affects management account | Maximum number you can attach to a root, OU, or account | Maximum size | Supports viewing effective policy for OU or account |
---|---|---|---|---|---|
SCP | Authorization | | 5 | 5120 characters | |
RCP | Authorization | | 5 | 5120 characters | |
Declarative policy | Management | | 10 | 10,000 characters | |
Backup policy | Management | | 10 | 10,000 characters | |
Tag policy | Management | | 10 | 10,000 characters | |
Chat applications policy | Management | | 5 | 10,000 characters | |
AI services opt-out policy | Management | | 5 | 2500 characters | |
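The enabled/disabled view described for the console, combined with the limits in the table, can be checked before attaching a policy. The following is an added example, not part of the original page or Amazon's own code. It assumes that the `aws organizations list-roots` response lists only enabled or pending policy types under `PolicyTypes`, and that the type names are the Organizations API values. The sample response, root ID and SCP are constructed.

```python
import json

# (max attachments per root/OU/account, max size in characters), from the table above.
LIMITS = {
    "SERVICE_CONTROL_POLICY": (5, 5120),
    "RESOURCE_CONTROL_POLICY": (5, 5120),
    "DECLARATIVE_POLICY_EC2": (10, 10000),
    "BACKUP_POLICY": (10, 10000),
    "TAG_POLICY": (10, 10000),
    "CHATBOT_POLICY": (5, 10000),
    "AISERVICES_OPT_OUT_POLICY": (5, 2500),
}

# Constructed sample shaped like `aws organizations list-roots` output (placeholder root ID).
SAMPLE_LIST_ROOTS = {"Roots": [{"Id": "r-examplerootid", "Name": "Root", "PolicyTypes": [
    {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
    {"Type": "BACKUP_POLICY", "Status": "PENDING_ENABLE"}]}]}

# Constructed SCP used as sample input.
SAMPLE_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]})


def policy_type_status(list_roots, root_index=0):
    """Status of every policy type on the root; a type that is not listed is disabled."""
    root = list_roots["Roots"][root_index]
    listed = {p["Type"]: p["Status"] for p in root.get("PolicyTypes", [])}
    # "DISABLED" is this script's own label for "absent from PolicyTypes".
    return {ptype: listed.get(ptype, "DISABLED") for ptype in LIMITS}


def preflight(policy_type, policy_text, already_attached, list_roots):
    """Reasons an attachment would fail; an empty list means the checks pass."""
    max_attached, max_chars = LIMITS[policy_type]
    problems = []
    status = policy_type_status(list_roots)[policy_type]
    if status != "ENABLED":
        problems.append(f"{policy_type} is {status} on the root")
    if len(policy_text) > max_chars:
        problems.append(f"policy is {len(policy_text)} characters, limit is {max_chars}")
    if already_attached >= max_attached:
        problems.append(f"{already_attached} policies already attached, limit is {max_attached}")
    return problems


if __name__ == "__main__":
    for ptype, status in policy_type_status(SAMPLE_LIST_ROOTS).items():
        print(f"{ptype:28} {status}")
    print(preflight("SERVICE_CONTROL_POLICY", SAMPLE_SCP, 1, SAMPLE_LIST_ROOTS))
```

To run it against a real organization, pass the parsed JSON from `aws organizations list-roots` in place of `SAMPLE_LIST_ROOTS`.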