Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
获取有关组织策略的信息
本部分介绍了各种方法来获取有关您组织中的策略的详细信息。这些过程适用于所有 策略类型。您必须先在组织根中启用一个策略类型,然后才能将该类型的策略附加到组织根中的任何实体。
列出所有策略
您可以使用 Amazon Command Line Interface (Amazon CLI) 命令或 Amazon SDK操作在 Amazon Web Services Management Console 或中查看组织中的策略。
以下代码示例演示如何使用 ListPolicies
。
- .NET
-
- Amazon SDK for .NET
-
using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;
/// <summary>
/// Shows how to list the AWS Organizations policies associated with an
/// organization.
/// </summary>
public class ListPolicies
{
/// <summary>
/// Initializes an Organizations client object, and then calls its
/// ListPoliciesAsync method.
/// </summary>
public static async Task Main()
{
// Create the client object using the default account.
IAmazonOrganizations client = new AmazonOrganizationsClient();
// The value for the Filter parameter is required and must must be
// one of the following:
// AISERVICES_OPT_OUT_POLICY
// BACKUP_POLICY
// SERVICE_CONTROL_POLICY
// TAG_POLICY
var request = new ListPoliciesRequest
{
Filter = "SERVICE_CONTROL_POLICY",
MaxResults = 5,
};
var response = new ListPoliciesResponse();
try
{
do
{
response = await client.ListPoliciesAsync(request);
response.Policies.ForEach(p => DisplayPolicies(p));
if (response.NextToken is not null)
{
request.NextToken = response.NextToken;
}
}
while (response.NextToken is not null);
}
catch (AWSOrganizationsNotInUseException ex)
{
Console.WriteLine(ex.Message);
}
}
/// <summary>
/// Displays information about the Organizations policies associated
/// with an organization.
/// </summary>
/// <param name="policy">An Organizations policy summary to display
/// information on the console.</param>
private static void DisplayPolicies(PolicySummary policy)
{
string policyInfo = $"{policy.Id} {policy.Name}\t{policy.Description}";
Console.WriteLine(policyInfo);
}
}
- CLI
-
- Amazon CLI
-
检索特定类型组织中所有策略的列表
以下示例向您展示了如何获取 filter 参数所指定的列表:SCPs
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
输出包括含摘要信息的策略列表:
{
"Policies": [
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllS3Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid111",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid111",
"Description": "Enables account admins to delegate permissions for any S3 actions to users and roles in their accounts."
},
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllEC2Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid222",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid222",
"Description": "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts."
},
{
"AwsManaged": true,
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess"
}
]
}
- Python
-
- SDK适用于 Python (Boto3)
-
def list_policies(policy_filter, orgs_client):
"""
Lists the policies for the account, limited to the specified filter.
:param policy_filter: The kind of policies to return.
:param orgs_client: The Boto3 Organizations client.
:return: The list of policies found.
"""
try:
response = orgs_client.list_policies(Filter=policy_filter)
policies = response["Policies"]
logger.info("Found %s %s policies.", len(policies), policy_filter)
except ClientError:
logger.exception("Couldn't get %s policies.", policy_filter)
raise
else:
return policies
列出附加到根、OU 或账户的策略
要列出附加到您组织中的根、组织部门(OU)或账户的策略,您必须拥有以下权限:
- Amazon Web Services Management Console
-
列出直接附加到所指定根、OU 或账户的所有策略
-
登录 Amazon Organizations 控制台。您必须在组织的管理账户中以IAM用户身份登录、代入IAM角色或以 root 用户身份登录(不推荐)。
-
在Amazon Web Services 账户页面上,选择要查看其策略的根、OU 或账户的名称。您可能需要展开OUs(选择
)才能找到所需的 OU。
-
在根、OU 或账户页面上,选择 Policies (策略) 选项卡。
Policies (策略) 选项卡显示附加到该根、OU 或账户的所有策略,并按策略类型分组。
- Amazon CLI & Amazon SDKs
-
列出直接附加到所指定根、OU 或账户的所有策略
可以使用以下命令之一列出附加到实体的策略:
-
Amazon CLI: list-policies-for-target
以下示例列出了附加到指定 OU 的所有服务控制策略。您必须同时指定根、OU 或账户的 ID,以及要列出的策略类型。
$
aws organizations list-policies-for-target \
--target-id ou-a1b2-f6g7h222 \
--filter SERVICE_CONTROL_POLICY
{
"Policies": [
{
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
}
]
}
-
Amazon SDKs: ListPoliciesForTarget
列出策略所关联的所有根和账户 OUs
- Amazon Web Services Management Console
-
- Amazon CLI & Amazon SDKs
-
列出所有关联了指定策略的根和账户 OUs
可以使用以下命令之一列出具有策略的实体:
-
Amazon CLI: list-targets-for-policy
以下示例显示了指定策略的 root OUs、和账户的所有附件。
$
aws organizations list-targets-for-policy \
--policy-id p-FullAWSAccess
{
"Targets": [
{
"TargetId": "ou-a1b2-f6g7h111",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
"Name": "testou2",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "ou-a1b2-f6g7h222",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h222",
"Name": "testou1",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "123456789012",
"Arn": "arn:aws:organizations::123456789012:account/o-aa111bb222/123456789012",
"Name": "My Management Account (bisdavid)",
"Type": "ACCOUNT"
},
{
"TargetId": "r-a1b2",
"Arn": "arn:aws:organizations::123456789012:root/o-aa111bb222/r-a1b2",
"Name": "Root",
"Type": "ROOT"
}
]
}
-
Amazon SDKs: ListTargetsForPolicy
获取有关策略的详细信息
获取有关策略的详细信息
-
登录 Amazon Organizations 控制台。您必须在组织的管理账户中以IAM用户身份登录、代入IAM角色或以 root 用户身份登录(不推荐)。
-
在 Policies (策略) 页面上,选择要检查的策略类型,然后选择策略的名称。
策略页面显示有关策略的可用信息,包括策略的ARN描述和附加的目标。
要编辑策略,请选择 Edit policy (编辑策略)。由于每种策略类型都有不同的编辑要求,因此请参阅有关指定策略类型的创建和更新策略相关说明。
以下代码示例演示如何使用 DescribePolicy
。
- CLI
-
- Amazon CLI
-
获取有关策略的信息
以下示例演示如何请求有关策略的信息:
aws organizations describe-policy --policy-id p-examplepolicyid111
输出包括一个策略对象,其中包含有关策略的详细信息:
{
"Policy": {
"Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"PolicySummary": {
"Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-examplepolicyid111",
"AwsManaged": false,
"Name": "AllowAllS3Actions",
"Description": "Enables admins to delegate S3 permissions"
}
}
}
- Python
-
- SDK适用于 Python (Boto3)
-
def describe_policy(policy_id, orgs_client):
"""
Describes a policy.
:param policy_id: The ID of the policy to describe.
:param orgs_client: The Boto3 Organizations client.
:return: The description of the policy.
"""
try:
response = orgs_client.describe_policy(PolicyId=policy_id)
policy = response["Policy"]
logger.info("Got policy %s.", policy_id)
except ClientError:
logger.exception("Couldn't get policy %s.", policy_id)
raise
else:
return policy