Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
获取有关组织策略的信息
本主题介绍了各种可用来获取您组织中策略的详细信息的方法。这些过程适用于所有 策略类型。您必须先在组织根中启用一个策略类型,然后才能将该类型的策略附加到组织根中的任何实体。
列出所有策略
您可以在Amazon Web Services Management Console中或通过使用 Amazon Command Line Interface(Amazon CLI)命令或 Amazon SDK 操作来查看您组织中的策略。
以下代码示例演示如何使用 ListPolicies
。
- .NET
-
- Amazon SDK for .NET
-
using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;
/// <summary>
/// Shows how to list the AWS Organizations policies associated with an
/// organization.
/// </summary>
public class ListPolicies
{
/// <summary>
/// Initializes an Organizations client object, and then calls its
/// ListPoliciesAsync method.
/// </summary>
public static async Task Main()
{
// Create the client object using the default account.
IAmazonOrganizations client = new AmazonOrganizationsClient();
// The value for the Filter parameter is required and must must be
// one of the following:
// AISERVICES_OPT_OUT_POLICY
// BACKUP_POLICY
// SERVICE_CONTROL_POLICY
// TAG_POLICY
var request = new ListPoliciesRequest
{
Filter = "SERVICE_CONTROL_POLICY",
MaxResults = 5,
};
var response = new ListPoliciesResponse();
try
{
do
{
response = await client.ListPoliciesAsync(request);
response.Policies.ForEach(p => DisplayPolicies(p));
if (response.NextToken is not null)
{
request.NextToken = response.NextToken;
}
}
while (response.NextToken is not null);
}
catch (AWSOrganizationsNotInUseException ex)
{
Console.WriteLine(ex.Message);
}
}
/// <summary>
/// Displays information about the Organizations policies associated
/// with an organization.
/// </summary>
/// <param name="policy">An Organizations policy summary to display
/// information on the console.</param>
private static void DisplayPolicies(PolicySummary policy)
{
string policyInfo = $"{policy.Id} {policy.Name}\t{policy.Description}";
Console.WriteLine(policyInfo);
}
}
- CLI
-
- Amazon CLI
-
检索特定类型组织中所有策略的列表
以下示例演示了如何获取由筛选器参数指定的 SCP 列表:
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
输出包括含摘要信息的策略列表:
{
"Policies": [
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllS3Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid111",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid111",
"Description": "Enables account admins to delegate permissions for any S3 actions to users and roles in their accounts."
},
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllEC2Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid222",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid222",
"Description": "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts."
},
{
"AwsManaged": true,
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess"
}
]
}
- Python
-
- SDK for Python (Boto3)
-
def list_policies(policy_filter, orgs_client):
"""
Lists the policies for the account, limited to the specified filter.
:param policy_filter: The kind of policies to return.
:param orgs_client: The Boto3 Organizations client.
:return: The list of policies found.
"""
try:
response = orgs_client.list_policies(Filter=policy_filter)
policies = response["Policies"]
logger.info("Found %s %s policies.", len(policies), policy_filter)
except ClientError:
logger.exception("Couldn't get %s policies.", policy_filter)
raise
else:
return policies
列出附加到根、OU 或账户的策略
要列出附加到您组织中的根、组织部门(OU)或账户的策略,您必须拥有以下权限:
- Amazon Web Services Management Console
-
列出直接附加到所指定根、OU 或账户的所有策略
-
登录 Amazon Organizations 控制台。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录(不推荐)。
-
在Amazon Web Services 账户页面上,选择要查看其策略的根、OU 或账户的名称。您可能需要展开 OU(选择
)以查找所需的 OU。
-
在根、OU 或账户页面上,选择 Policies (策略) 选项卡。
Policies (策略) 选项卡显示附加到该根、OU 或账户的所有策略,并按策略类型分组。
- Amazon CLI & Amazon SDKs
-
列出直接附加到所指定根、OU 或账户的所有策略
可以使用以下命令之一列出附加到实体的策略:
-
Amazon CLI:list-policies-for-target
以下示例列出了附加到指定 OU 的所有服务控制策略。您必须同时指定根、OU 或账户的 ID,以及要列出的策略类型。
$
aws organizations list-policies-for-target \
--target-id ou-a1b2-f6g7h222 \
--filter SERVICE_CONTROL_POLICY
{
"Policies": [
{
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
}
]
}
-
Amazon SDK:ListPoliciesForTarget
列出策略附加到的所有根、OU 和账户
- Amazon Web Services Management Console
-
- Amazon CLI & Amazon SDKs
-
列出拥有附加的所指定策略的所有根、OU 和账户
可以使用以下命令之一列出具有策略的实体:
-
Amazon CLI:list-targets-for-policy
以下示例显示指定策略的根、OU 和账户的所有附件。
$
aws organizations list-targets-for-policy \
--policy-id p-FullAWSAccess
{
"Targets": [
{
"TargetId": "ou-a1b2-f6g7h111",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
"Name": "testou2",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "ou-a1b2-f6g7h222",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h222",
"Name": "testou1",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "123456789012",
"Arn": "arn:aws:organizations::123456789012:account/o-aa111bb222/123456789012",
"Name": "My Management Account (bisdavid)",
"Type": "ACCOUNT"
},
{
"TargetId": "r-a1b2",
"Arn": "arn:aws:organizations::123456789012:root/o-aa111bb222/r-a1b2",
"Name": "Root",
"Type": "ROOT"
}
]
}
-
Amazon SDK:ListTargetsForPolicy
获取有关策略的详细信息
获取有关策略的详细信息
-
登录 Amazon Organizations 控制台。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录(不推荐)。
-
在 Policies (策略) 页面上,选择要检查的策略类型,然后选择策略的名称。
策略页面显示有关策略的可用信息,包括 ARN、描述和附加项。
-
Content (内容) 选项卡以 JSON 格式显示策略的当前内容。
-
Targets (目标) 选项卡显示策略附加到的根、OU 和账户的列表。
-
Tags (标签) 选项卡显示附加到策略的标签。注意:Tags (标签) 选项卡不可用于Amazon托管式策略。
要编辑策略,请选择 Edit policy (编辑策略)。由于每种策略类型都有不同的编辑要求,因此请参阅有关指定策略类型的创建和更新策略相关说明。
以下代码示例演示如何使用 DescribePolicy
。
- CLI
-
- Amazon CLI
-
获取有关策略的信息
以下示例演示如何请求有关策略的信息:
aws organizations describe-policy --policy-id p-examplepolicyid111
输出包括一个策略对象,其中包含有关策略的详细信息:
{
"Policy": {
"Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"PolicySummary": {
"Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-examplepolicyid111",
"AwsManaged": false,
"Name": "AllowAllS3Actions",
"Description": "Enables admins to delegate S3 permissions"
}
}
}
- Python
-
- SDK for Python (Boto3)
-
def describe_policy(policy_id, orgs_client):
"""
Describes a policy.
:param policy_id: The ID of the policy to describe.
:param orgs_client: The Boto3 Organizations client.
:return: The description of the policy.
"""
try:
response = orgs_client.describe_policy(PolicyId=policy_id)
policy = response["Policy"]
logger.info("Got policy %s.", policy_id)
except ClientError:
logger.exception("Couldn't get policy %s.", policy_id)
raise
else:
return policy