Viewing effective management policies
Determine the effective management policy for an account in your organization.
What is an effective management policy?
The effective policy specifies the final rules that apply to an Amazon Web Services account for a management policy type. It is the aggregation of the management policies of that type that the account inherits, plus any policies of that type that are directly attached to the account. When you attach a management policy to the organization's root, it applies to all accounts in your organization. When you attach a management policy to an organizational unit (OU), it applies to all accounts and OUs that belong to the OU. When you attach a management policy directly to an account, it applies only to that one Amazon Web Services account.
For information about how policies are combined into the final effective policy, see Understanding management policy inheritance.
Backup policy example
The backup policy attached to the organization root might specify that all accounts in the organization back up all Amazon DynamoDB tables with a default backup frequency of once per week. A separate backup policy attached directly to one member account with critical information in a table can override the frequency with a value of once per day. The combination of these backup policies comprises the effective backup policy. This effective backup policy is determined for each account in the organization individually. In this example, the result is that all accounts in the organization back up their DynamoDB tables once per week, with the exception of one account that backs up its tables daily.
Tag policy example
The tag policy attached to the organization root might define a CostCenter tag with four compliant values. A separate tag policy attached to the account may restrict the CostCenter key to only two of the four compliant values. The combination of these tag policies comprises the effective tag policy. The result is that only two of the four compliant tag values defined in the organization root tag policy are compliant for the account.
Chat applications policy example
Amazon Q Developer in chat applications will reevaluate any previously created Amazon Q Developer in chat applications configurations against the effective chat applications policies and deny any previously allowed actions if they are consistent with the permitted settings and guardrails in the effective policy. The effective policy for a member account defines the permitted settings and guardrails. For example, if a chat applications policy with deny access for public Slack channels is applied to a member account, then the existing Amazon Q Developer in chat applications configurations for public Slack channels in the member account will be disabled. Amazon Q Developer in chat applications will not deliver notifications, and channel members will not be able to run any tasks in the blocked channel. The Amazon Q Developer in chat applications console will mark the affected channels as disabled, with an appropriate error message next to each.
AI services opt-out example
The AI services opt-out policy attached to the organization root might specify that all accounts in the organization opt out of content use by all Amazon machine learning services. A separate AI services opt-out policy attached directly to one member account specifies that it opts in to content use for only Amazon Rekognition. The combination of these AI services opt-out policies comprises the effective AI services opt-out policy. The result is that all accounts in the organization are opted out of all Amazon Web Services services, with the exception of one account that opts in to Amazon Rekognition.
How to view the effective management policy
You can view the effective policy of a management policy type for an account from the Amazon Web Services Management Console, Amazon API, or Amazon Command Line Interface.
Minimum permissions
To view the effective policy of a management policy type for an account, you must have permission to run the following actions:
- organizations:DescribeEffectivePolicy
- organizations:DescribeOrganization – required only when using the Organizations console
For information about situations in which an effective policy could become invalid, see Viewing invalid policy alerts.
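The following is an added example, not part of the original documentation: a Python audit that reads each account's effective AI services opt-out policy through the `DescribeEffectivePolicy` API (boto3 `describe_effective_policy`) and reports accounts that opt in to content use for any service, as in the Rekognition case above. The account IDs, the `StubOrganizations` class, and the sample policy documents are constructed for offline use, and the `services` / `opt_out_policy` document layout is an assumption.

```python
import json

POLICY_TYPE = "AISERVICES_OPT_OUT_POLICY"


def fetch_effective_policy(org_client, account_id, policy_type=POLICY_TYPE):
    """Call DescribeEffectivePolicy and return the policy document as a dict."""
    resp = org_client.describe_effective_policy(
        PolicyType=policy_type, TargetId=account_id)
    return json.loads(resp["EffectivePolicy"]["PolicyContent"])


def _setting(entry):
    """Return the opt-out value; tolerate an unresolved {"@@assign": ...} form."""
    value = entry.get("opt_out_policy")
    if isinstance(value, dict):
        value = value.get("@@assign")
    return value


def opted_in_services(policy):
    """Return the sorted service keys whose effective setting is optIn."""
    services = policy.get("services", {})
    return sorted(n for n, e in services.items() if _setting(e) == "optIn")


def audit(org_client, account_ids):
    """Map each account that has opted-in services to the list of them."""
    findings = {}
    for account_id in account_ids:
        hits = opted_in_services(fetch_effective_policy(org_client, account_id))
        if hits:
            findings[account_id] = hits
    return findings


class StubOrganizations:
    """Constructed stand-in for boto3.client("organizations")."""
    def __init__(self, contents):
        self._contents = contents

    def describe_effective_policy(self, PolicyType, TargetId):
        return {"EffectivePolicy": {
            "PolicyType": PolicyType, "TargetId": TargetId,
            "PolicyContent": json.dumps(self._contents[TargetId])}}


# Constructed sample: one account inherits only the root opt-out,
# the other adds an account-level opt-in for Rekognition.
SAMPLE = {
    "111111111111": {"services": {"default": {"opt_out_policy": "optOut"}}},
    "222222222222": {"services": {"default": {"opt_out_policy": "optOut"},
                                  "rekognition": {"opt_out_policy": "optIn"}}},
}

if __name__ == "__main__":
    print(audit(StubOrganizations(SAMPLE), sorted(SAMPLE)))
```

To run it against a real organization, pass `boto3.client("organizations")` in place of the stub, using credentials that hold `organizations:DescribeEffectivePolicy`.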
