If you no longer want to use a certain policy type in your organization, you can disable that type to prevent its accidental use. You can disable a policy type only from the organization's management account or from a member account designated as a delegated administrator.
Considerations
Disabled policies are detached from all entities but not deleted
When you disable a policy type, all policies of the specified type are automatically detached from all entities in the organization root. The policies are not deleted.
(Service control policy type only) If you re-enable the SCP policy type later, all entities in the organization root are initially attached to only the default FullAWSAccess SCP. Attachments of SCPs to entities are lost when the SCPs are disabled in the organization. If you later want to re-enable SCPs, you must reattach them to the organization's root, OUs, and accounts, as appropriate.
Disable a policy type
Minimum permissions
To disable SCPs, you need permission to run the following actions:
- organizations:DisablePolicyType
- organizations:DescribeOrganization – required only when using the Organizations console
- organizations:ListRoots – required only when using the Organizations console
To disable a policy type
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
- On the Policies page, choose the name of the policy type that you want to disable.
- On the policy type page, choose Disable policy type.
- On the confirmation dialog box, enter the word disable, and then choose Disable. The list of available policies of the specified type disappears.
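The Considerations section warns that SCP attachments are lost when the type is disabled and must be recreated by hand if it is re-enabled. The following Python example is added here and is not part of the AWS documentation: it walks the root, its OUs and accounts, records every customer-managed SCP attachment, and only then calls DisablePolicyType, so the recorded map can drive reattachment later. The FakeOrganizationsClient and all of its sample IDs (r-exam, ou-exam-prod, p-exam0001, the account numbers, the DenyUnusedRegions policy) are constructed test data; the method names, parameters and response shapes mirror boto3's Organizations client, so in real use you would pass boto3.client("organizations") from the management account or a delegated administrator instead.

```python
"""Record SCP attachments, then disable the policy type on the organization root.

Added example, not AWS documentation code. FakeOrganizationsClient is a
constructed stand-in whose methods and response shapes mirror boto3's
Organizations client; substitute boto3.client("organizations") for real use.
"""

POLICY_TYPE = "SERVICE_CONTROL_POLICY"


class FakeOrganizationsClient:
    """Constructed sample organization: root -> one OU -> accounts (fake IDs)."""

    def __init__(self):
        self.root = {"Id": "r-exam", "Name": "Root",
                     "PolicyTypes": [{"Type": POLICY_TYPE, "Status": "ENABLED"}]}
        self.children = {
            "r-exam": {"ous": [{"Id": "ou-exam-prod", "Name": "Prod"}],
                       "accounts": [{"Id": "111111111111", "Name": "management"}]},
            "ou-exam-prod": {"ous": [],
                             "accounts": [{"Id": "222222222222", "Name": "prod-app"}]},
        }
        # FullAWSAccess is the AWS-managed default SCP; the other policy is invented.
        full = {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "AwsManaged": True}
        custom = {"Id": "p-exam0001", "Name": "DenyUnusedRegions", "AwsManaged": False}
        self.attachments = {"r-exam": [full], "ou-exam-prod": [full, custom],
                            "111111111111": [full], "222222222222": [full, custom]}
        self.disable_calls = []

    def list_roots(self):
        return {"Roots": [self.root]}

    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": self.children[ParentId]["ous"]}

    def list_accounts_for_parent(self, ParentId):
        return {"Accounts": self.children[ParentId]["accounts"]}

    def list_policies_for_target(self, TargetId, Filter):
        policies = self.attachments[TargetId] if Filter == POLICY_TYPE else []
        return {"Policies": policies}

    def disable_policy_type(self, RootId, PolicyType):
        # Simplified: the real API reports PENDING_DISABLE before the type is removed.
        self.disable_calls.append((RootId, PolicyType))
        self.root["PolicyTypes"] = [t for t in self.root["PolicyTypes"]
                                    if t["Type"] != PolicyType]
        return {"Root": self.root}


def policy_type_status(client, policy_type=POLICY_TYPE):
    """Return (root_id, status) for the type on the root; status None if absent."""
    root = client.list_roots()["Roots"][0]
    for entry in root["PolicyTypes"]:
        if entry["Type"] == policy_type:
            return root["Id"], entry["Status"]
    return root["Id"], None


def _customer_policy_ids(client, target_id, policy_type):
    # AWS-managed FullAWSAccess is re-applied automatically, so only record custom SCPs.
    # With the real client, use get_paginator("list_policies_for_target") for large orgs.
    resp = client.list_policies_for_target(TargetId=target_id, Filter=policy_type)
    return [p["Id"] for p in resp["Policies"] if not p["AwsManaged"]]


def snapshot_attachments(client, parent_id, policy_type=POLICY_TYPE):
    """Map every target under parent_id (inclusive) to its custom SCP IDs."""
    snapshot = {}
    ids = _customer_policy_ids(client, parent_id, policy_type)
    if ids:
        snapshot[parent_id] = ids
    for ou in client.list_organizational_units_for_parent(ParentId=parent_id)["OrganizationalUnits"]:
        snapshot.update(snapshot_attachments(client, ou["Id"], policy_type))
    for account in client.list_accounts_for_parent(ParentId=parent_id)["Accounts"]:
        ids = _customer_policy_ids(client, account["Id"], policy_type)
        if ids:
            snapshot[account["Id"]] = ids
    return snapshot


def disable_with_snapshot(client, policy_type=POLICY_TYPE):
    """Refuse unless the type is ENABLED, record attachments, then disable it."""
    root_id, status = policy_type_status(client, policy_type)
    if status != "ENABLED":
        raise RuntimeError(f"{policy_type} is not enabled on {root_id} (status={status})")
    snapshot = snapshot_attachments(client, root_id, policy_type)
    client.disable_policy_type(RootId=root_id, PolicyType=policy_type)
    return snapshot


if __name__ == "__main__":
    client = FakeOrganizationsClient()
    print(disable_with_snapshot(client))
```

Beyond the three actions listed above, the snapshot walk also calls organizations:ListOrganizationalUnitsForParent, organizations:ListAccountsForParent and organizations:ListPoliciesForTarget, so the principal running it needs those permissions too. Persist the returned map somewhere outside the organization (for example, with the change ticket) before the type is disabled; after re-enabling, each entry is one AttachPolicy call.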