Getting started with declarative policies
Follow these steps to get started using declarative policies.
- Learn about the permissions you must have to perform declarative policy tasks.
- Enable declarative policies for your organization.
Note
Enabling trusted access is required
You must enable trusted access for the service whose baseline configuration the declarative policy will enforce. Enabling trusted access creates a read-only service-linked role, which is used to generate the account status report describing the existing configuration of the accounts across your organization.
Using the console
If you use the Organizations console, enabling trusted access is part of the process for enabling declarative policies.
Using the AWS CLI
If you use the AWS CLI, these are two separate API operations:
- EnablePolicyType, which you use to enable declarative policies.
- EnableAWSServiceAccess, which you use to enable trusted access.
For more information on how to enable trusted access for a specific service with the AWS CLI, see AWS services that you can use with AWS Organizations.
- Attach the declarative policy to your organization's root, OU, or account.
- View the combined effective declarative policy that applies to an account.
For all of these steps, you must be signed in to the organization's management account, either as an IAM user, by assuming an IAM role, or as the root user (not recommended).
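The AWS CLI path through these steps, as an added example that is not from the AWS documentation. The policy type name DECLARATIVE_POLICY_EC2, the service principal ec2.amazonaws.com, the root and account IDs, the policy name and the policy document body are assumptions for illustration; confirm the policy type and the policy syntax against the declarative policy reference for the service you are enabling. Setting AWS=echo prints each command instead of calling AWS, which is a convenient way to review what would run in the management account before running it for real.

```shell
#!/bin/sh
# Added example (not AWS's own code): the declarative policy setup steps as
# shell functions around the AWS CLI. Every ID, name, principal and policy
# body below is an assumption for illustration.
set -u

AWS="${AWS:-aws}"                           # set AWS=echo to dry-run
ROOT_ID="${ROOT_ID:-r-examplerootid111}"    # assumed root ID
POLICY_TYPE="DECLARATIVE_POLICY_EC2"        # assumed policy type name
SERVICE_PRINCIPAL="ec2.amazonaws.com"       # assumed service principal

# Step 2a: EnablePolicyType on the organization root.
enable_declarative_policies() {
  "$AWS" organizations enable-policy-type \
    --root-id "$ROOT_ID" --policy-type "$POLICY_TYPE"
}

# Step 2b: EnableAWSServiceAccess, which creates the read-only service-linked
# role used to generate the account status report.
enable_trusted_access() {
  "$AWS" organizations enable-aws-service-access \
    --service-principal "$SERVICE_PRINCIPAL"
}

# Step 3: create the policy, then attach it to a root, OU or account.
# The policy body is a constructed example; check the syntax for your service.
POLICY_CONTENT='{"ec2_attributes":{"serial_console_access":{"status":{"@@assign":"disabled"}}}}'

create_declarative_policy() {   # $1 = policy name; prints the new policy ID
  "$AWS" organizations create-policy \
    --name "$1" --type "$POLICY_TYPE" \
    --description "Baseline enforced by declarative policy" \
    --content "$POLICY_CONTENT" \
    --query 'Policy.PolicySummary.Id' --output text
}

attach_declarative_policy() {   # $1 = policy ID, $2 = root/OU/account ID
  "$AWS" organizations attach-policy --policy-id "$1" --target-id "$2"
}

# Step 4: show the combined effective policy that applies to one account.
describe_effective_policy() {   # $1 = account ID
  "$AWS" organizations describe-effective-policy \
    --policy-type "$POLICY_TYPE" --target-id "$1"
}

# Run the whole sequence only when invoked as: sh setup.sh apply <account-id>
if [ "${1:-}" = "apply" ]; then
  enable_declarative_policies
  enable_trusted_access
  policy_id=$(create_declarative_policy "ec2-baseline")
  attach_declarative_policy "$policy_id" "$ROOT_ID"
  describe_effective_policy "${2:-111122223333}"
fi
```

Run the two enable steps once per organization; enable-policy-type returns an error if the type is already enabled on the root, so treat that as a no-op rather than a failure when scripting. The describe-effective-policy output is the merged result of every declarative policy inherited along the path from the root to the account, which is what you should compare against the baseline you intended to enforce.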