Attaching and detaching service control policies - Amazon Organizations
Detaching an SCP from the organization root, OUs, or accounts
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Attaching and detaching service control policies

When you sign in to your organization's management account, you can attach a service control policy (SCP) that you previously created. You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account. To attach an SCP, complete the following steps.

Minimum permissions

To attach an SCP to a root, OU, or account, you need permission to run the following action:

  • organizations:AttachPolicy with a Resource element in the same policy statement that includes "*" or the Amazon Resource Name (ARN) of the specified policy and the ARN of the root, OU, or account that you want to attach the policy to

You can attach an SCP by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.

To attach an SCP by navigating to the root, OU, or account

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Amazon Web Services accounts page, navigate to and then choose the check box next to the root, OU, or account that you want to attach an SCP to. You might have to expand OUs (choose the ) to find the OU or account that you want.

  3. In the Policies tab, in the entry for Service control policies, choose Attach.

  4. Find the policy that you want and choose Attach policy.

    The list of attached SCPs on the Policies tab is updated to include the new addition. The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.

To attach an SCP by navigating to the policy

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Service control policies page, choose the name of the policy that you want to attach.

  3. On the Targets tab, choose Attach.

  4. Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.

  5. Choose Attach policy.

    The list of attached SCPs on the Targets tab is updated to include the new addition. The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.

To attach an SCP by navigating to the root, OU, or account

The following code examples show how to use AttachPolicy.

.NET
Amazon SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository. 

    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Shows how to attach an AWS Organizations policy to an organization,
    /// an organizational unit, or an account.
    /// </summary>
    public class AttachPolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and then calls the
        /// AttachPolicyAsync method to attach the policy to the root
        /// organization.
        /// </summary>
        public static async Task Main()
        {
            IAmazonOrganizations client = new AmazonOrganizationsClient();
            var policyId = "p-00000000";
            var targetId = "r-0000";

            var request = new AttachPolicyRequest
            {
                PolicyId = policyId,
                TargetId = targetId,
            };

            var response = await client.AttachPolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully attached Policy ID {policyId} to Target ID: {targetId}.");
            }
            else
            {
                Console.WriteLine("Was not successful in attaching the policy.");
            }
        }
    }

  • For API details, see AttachPolicy in Amazon SDK for .NET API Reference.

CLI
Amazon CLI

To attach a policy to a root, OU, or account

Example 1

The following example shows how to attach a service control policy (SCP) to an OU:

aws organizations attach-policy
                --policy-id p-examplepolicyid111
                --target-id ou-examplerootid111-exampleouid111

Example 2

The following example shows how to attach a service control policy directly to an account:

aws organizations attach-policy
                --policy-id p-examplepolicyid111
                --target-id 333333333333

  • For API details, see AttachPolicy in Amazon CLI Command Reference.

Python
SDK for Python (Boto3)
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository. 

def attach_policy(policy_id, target_id, orgs_client):
    """
    Attaches a policy to a target. The target is an organization root, account, or
    organizational unit.

    :param policy_id: The ID of the policy to attach.
    :param target_id: The ID of the resources to attach the policy to.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.attach_policy(PolicyId=policy_id, TargetId=target_id)
        logger.info("Attached policy %s to target %s.", policy_id, target_id)
    except ClientError:
        logger.exception(
            "Couldn't attach policy %s to target %s.", policy_id, target_id
        )
        raise

  • For API details, see AttachPolicy in Amazon SDK for Python (Boto3) API Reference.

The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU.

Detaching an SCP from the organization root, OUs, or accounts

When you sign in to your organization's management account, you can detach an SCP from the organization root, OU, or account that it is attached to. After you detach an SCP from an entity, that SCP no longer applies to any IAM users and IAM roles that were affected by the now detached entity. To detach an SCP, complete the following steps.

Note

You can't detach the last SCP from a root, an OU, or an account. There must be at least one SCP attached to every root, OU, and account at all times.

Minimum permissions

To detach an SCP from the root, OU, or account, you need permission to run the following action:

  • organizations:DetachPolicy

You can detach an SCP by either navigating to the policy or to the root, OU, or account that you want to detach the policy from.

To detach an SCP by navigating to the root, OU, or account it's attached to

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Amazon Web Services accounts page navigate to the Root, OU, or account that you want to detach a policy from. You might have to expand OUs (choose the ) to find the OU or account that you want. Choose the name of the Root, OU, or account.

  3. On the Policies tab, choose the radio button next to the SCP that you want to detach, and then choose Detach.

  4. In the confirmation dialog box, choose Detach policy.

    The list of attached SCPs is updated. The policy change caused by detaching the SCP takes effect immediately. For example, detaching an SCP immediately affects the permissions of IAM users and roles in the formerly attached account or accounts under the formerly attached organization root or OU.

To detach an SCP by navigating to the policy

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Service control policies page, choose the name of the policy that you want to detach from a root, OU, or account.

  3. On the Targets tab, choose the radio button next to the root, OU, or account that you want to detach the policy from. You might have to expand OUs (choose the ) to find the OU or account that you want.

  4. Choose Detach.

  5. In the confirmation dialog box, choose Detach.

    The list of attached SCPs is updated. The policy change caused by detaching the SCP takes effect immediately. For example, detaching an SCP immediately affects the permissions of IAM users and roles in the formerly attached account or accounts under the formerly attached organization root or OU.

To detach an SCP from a root, OU, or account

The following code examples show how to use DetachPolicy.

.NET
Amazon SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository. 

    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Shows how to detach a policy from an AWS Organizations organization,
    /// organizational unit, or account.
    /// </summary>
    public class DetachPolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and uses it to call
        /// DetachPolicyAsync to detach the policy.
        /// </summary>
        public static async Task Main()
        {
            // Create the client object using the default account.
            IAmazonOrganizations client = new AmazonOrganizationsClient();

            var policyId = "p-00000000";
            var targetId = "r-0000";

            var request = new DetachPolicyRequest
            {
                PolicyId = policyId,
                TargetId = targetId,
            };

            var response = await client.DetachPolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully detached policy with Policy Id: {policyId}.");
            }
            else
            {
                Console.WriteLine("Could not detach the policy.");
            }
        }
    }

  • For API details, see DetachPolicy in Amazon SDK for .NET API Reference.

CLI
Amazon CLI

To detach a policy from a root, OU, or account

The following example shows how to detach a policy from an OU:

aws organizations  detach-policy  --target-id ou-examplerootid111-exampleouid111 --policy-id p-examplepolicyid111

  • For API details, see DetachPolicy in Amazon CLI Command Reference.

Python
SDK for Python (Boto3)
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository. 

def detach_policy(policy_id, target_id, orgs_client):
    """
    Detaches a policy from a target.

    :param policy_id: The ID of the policy to detach.
    :param target_id: The ID of the resource where the policy is currently attached.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.detach_policy(PolicyId=policy_id, TargetId=target_id)
        logger.info("Detached policy %s from target %s.", policy_id, target_id)
    except ClientError:
        logger.exception(
            "Couldn't detach policy %s from target %s.", policy_id, target_id
        )
        raise

  • For API details, see DetachPolicy in Amazon SDK for Python (Boto3) API Reference.

The policy change takes effect immediately, affecting the permissions of IAM users and roles in the attached account or all accounts under the attached root or OU