Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Getting information about your
organization's policies
This section describes various ways to get details about the policies in your
organization. These procedures apply to all policy types. You must
enable a policy type on the organization root before you can attach policies of that type to
any entities in that organization root.
Listing all policies
To list the policies within your organization, you must have the following
permission:
You can view the policies in your organization in the Amazon Web Services Management Console or by using an
Amazon Command Line Interface (Amazon CLI) command or an Amazon SDK operation.
- Amazon Web Services Management Console
-
To list all of the policies in
your organization
-
Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Policies page, choose the policy type that you want to
list.
If the specified policy type is enabled, the console displays a
list of all of the policies of that type that are currently
available in the organization.
-
Return to the Policies page and repeat for each policy
type.
- Amazon CLI & Amazon SDKs
-
To list all of the policies in your organization
You can use one of the following commands to list policies in an
organization:
-
Amazon CLI: list-policies
The following example shows how to get a list of all of the
service control policies in your organization. You must specify the
type of policy you want see. Repeat the command for each policy type
you want to include.
$ aws organizations list-policies \
--filter SERVICE_CONTROL_POLICY
{
"Policies": [
{
"Id": "p-FullAWSAccess",
"Arn": "arn:aws-cn:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
}
]
}
-
Amazon SDKs: ListPolicies
Listing the policies attached to a root, OU,
or account
To list the policies that are attached to a root, organizational unit (OU), or
account within your organization, you must have the following permission:
- Amazon Web Services Management Console
-
To list all policies that are attached directly to a specified root,
OU, or account
-
Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Amazon Web Services accounts page, choose the name of the root, OU, or account
whose policies you want to view. You might have to expand OUs (choose the
) to find the OU that you want.
-
On the Root, OU, or account page, choose the
Policies tab.
The Policies tab displays all of the policies
attached to that root, OU, or account, grouped by policy
type.
- Amazon CLI & Amazon SDKs
-
To list all policies that are attached directly to a specified root,
OU, or account
You can use one of the following commands to list policies that are
attached to an entity:
-
Amazon CLI: list-policies-for-target
The following example lists all of the service control policies
attached to the specified OU. You must specify both the ID of the
root, OU, or account, and the type of policy that you want to
list.
$ aws organizations list-policies-for-target \
--target-id ou-a1b2-f6g7h222 \
--filter SERVICE_CONTROL_POLICY
{
"Policies": [
{
"Id": "p-FullAWSAccess",
"Arn": "arn:aws-cn:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
}
]
}
-
Amazon SDKs: ListPoliciesForTarget
Listing all roots, OUs, and accounts
that a policy is attached to
To list the entities that a policy is attached to, you must have the following
permission:
- Amazon Web Services Management Console
-
To list all roots, OUs, and accounts that have a specified policy
attached
-
Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Policies page, choose the policy type, and then choose the
name of the policy whose attachments you want to examine.
-
Choose the Targets tab, to display a table of
every root, OU, and account that the chosen policy is attached
to.
- Amazon CLI & Amazon SDKs
-
To list all roots, OUs, and accounts that have a specified policy
attached
You can use one of the following commands to list entities that have a
policy:
-
Amazon CLI: list-targets-for-policy
The following example shows all of the attachments to root, OUs,
and accounts for the specified policy.
$ aws organizations list-targets-for-policy \
--policy-id p-FullAWSAccess
{
"Targets": [
{
"TargetId": "ou-a1b2-f6g7h111",
"Arn": "arn:aws-cn:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
"Name": "testou2",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "ou-a1b2-f6g7h222",
"Arn": "arn:aws-cn:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h222",
"Name": "testou1",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "123456789012",
"Arn": "arn:aws-cn:organizations::123456789012:account/o-aa111bb222/123456789012",
"Name": "My Management Account (bisdavid)",
"Type": "ACCOUNT"
},
{
"TargetId": "r-a1b2",
"Arn": "arn:aws-cn:organizations::123456789012:root/o-aa111bb222/r-a1b2",
"Name": "Root",
"Type": "ROOT"
}
]
}
-
Amazon SDKs: ListTargetsForPolicy
Getting details about a policy
To display the details of a policy, you must have the following permission:
- Amazon Web Services Management Console
-
To get details about a policy
-
Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or
sign in as the root user (not
recommended) in the organization’s management account.
-
On the Policies page, choose the policy type of the policy that
you want to examine, and then choose the name of the policy.
The policy page displays the available information about the
policy, including its ARN, description, and attached targets.
-
The Content tab shows the current
contents of the policy in JSON format.
-
The Targets tab shows a list of the
roots, OUs, and accounts to which the policy is
attached.
-
The Tags tab shows the tags attached
to the policy. Note: the Tags tab is not available for Amazon
managed policies.
To edit the policy, choose Edit policy.
Because each policy type has different editing requirements, see the
instructions for creating and updating policies of your specified
policy type.
- Amazon CLI & Amazon SDKs
-
To get details about a policy
You can use one of the following commands to get details about a
policy:
-
Amazon CLI: describe-policy
The following example displays the details for the specified
policy.
$ aws organizations describe-policy \
--policy-id p-FullAWSAccess
{
"Policy": {
"PolicySummary": {
"Id": "p-FullAWSAccess",
"Arn": "arn:aws-cn:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
},
"Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}"
}
}
-
Amazon SDKs: DescribePolicy