Tag policies and Amazon Organizations - Amazon Organizations
Service principalsEnable trusted accessDisable trusted access
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tag policies and Amazon Organizations

Tag policies are a type of policy in Amazon Organizations that can help you standardize tags across resources in your organization's accounts. For more information about tag policies, see Tag policies.

Use the following information to help you integrate tag policies with Amazon Organizations.

Service principals used by the service-linked roles

Organizations interacts with the tags attached to your resources using the following service principal.

  • tagpolicies.tag.amazonaws.com

Enabling trusted access for tag policies

You can enable trusted access either by enabling tag policies in the organization, or by using the Amazon Organizations console.

Important

We strongly recommend that you enable trusted access by enabling tag policies. This enables Organizations to perform required setup tasks.

You can enable trusted access for tag policies by enabling the tag policy type in the Amazon Organizations console. For more information, see Enabling a policy type.

You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

Amazon Web Services Management Console
To enable trusted service access using the Organizations console

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. In the navigation pane, choose Services.

  3. Choose tag policies in the list of services.

  4. Choose Enable trusted access.

  5. In the Enable trusted access for tag policies dialog box, type enable to confirm it, and then choose Enable trusted access.

  6. If you are the administrator of only Amazon Organizations, tell the administrator of tag policies that they can now enable that service using its console to work with Amazon Organizations.

Amazon CLI, Amazon API
To enable trusted service access using the OrganizationsCLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

  • Amazon CLI: enable-aws-service-access

    You can run the following command to enable tag policies as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \ 
    --service-principal tagpolicies.tag.amazonaws.com

    This command produces no output when successful.

  • Amazon API: EnableAWSServiceAccess

Disabling trusted access with tag policies

You can disable trusted access for tag policies by disabling the tag policy type in the Amazon Organizations console. For more information, see Disabling a policy type.