Getting started with declarative policies - AWS Organizations

Getting started with declarative policies

Follow these steps to get started using declarative policies.

  1. Learn about the permissions you must have to perform declarative policy tasks.

  2. Enable declarative policies for your organization.

    Note

    Enabling trusted access is required

    You must enable trusted access for the service where the declarative policy will enforce a baseline configuration. This creates a read-only service-linked role that is used to generate the account status report, which shows the existing configuration for accounts across your organization.

    Using the console

    If you use the Organizations console, this step is a part of the process for enabling declarative policies.

    Using the AWS CLI

    If you use the AWS CLI, there are two separate APIs:

    For more information on how to enable trusted access for a specific service with the AWS CLI, see AWS services that you can use with AWS Organizations.

  3. Run the account status report.

  4. Create a declarative policy.

  5. Attach the declarative policy to your organization's root, OU, or account.

  6. View the combined effective declarative policy that applies to an account.

For all of these steps, you sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
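The following script is an added example, not part of the AWS documentation page, that walks through steps 2 to 6 with the AWS CLI from the management account. Several details are assumptions rather than statements from the page: the EC2 policy type name DECLARATIVE_POLICY_EC2, the ec2.amazonaws.com service principal for trusted access, the aws ec2 start-declarative-policies-report command for the account status report, and the serial_console_access attribute used in the sample policy document. The root, OU, policy and account IDs and the bucket name are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS docs page): scripted walk-through of steps 2-6
# with the AWS CLI. Run it in the management account with the permissions from step 1.
#
# Assumptions, not stated on the page: policy type DECLARATIVE_POLICY_EC2, the
# ec2.amazonaws.com service principal for trusted access, the
# "aws ec2 start-declarative-policies-report" command for the account status
# report, and the serial_console_access attribute in the sample policy.
# All IDs and the bucket name are placeholders to replace with your own.
#
# Set AWS_CLI=echo for a dry run that prints each command instead of calling AWS.

aws_cmd() {
  # Resolved at call time so AWS_CLI=echo works even when set after sourcing.
  "${AWS_CLI:-aws}" "$@"
}

# Step 2: enable the policy type on the root, then trusted access for the service
# (this creates the read-only service-linked role used for the status report).
enable_declarative_policies() {
  root_id="$1"
  aws_cmd organizations enable-policy-type \
    --root-id "$root_id" --policy-type DECLARATIVE_POLICY_EC2
  aws_cmd organizations enable-aws-service-access \
    --service-principal ec2.amazonaws.com
}

# Step 3: start the account status report for a root, OU, or account;
# the report is written to the S3 bucket given here.
start_status_report() {
  target_id="$1"; bucket="$2"
  aws_cmd ec2 start-declarative-policies-report \
    --target-id "$target_id" --s3-bucket "$bucket" \
    --s3-prefix "declarative-policy-reports"
}

# Step 4: the policy content. Sample baseline: EC2 serial console access disabled.
# "@@assign" sets the value for every account under the attachment target.
policy_document() {
  cat <<'EOF'
{
  "ec2_attributes": {
    "serial_console_access": {
      "status": { "@@assign": "disabled" }
    }
  }
}
EOF
}

create_policy() {
  name="$1"
  aws_cmd organizations create-policy \
    --name "$name" \
    --description "Baseline: EC2 serial console access disabled" \
    --type DECLARATIVE_POLICY_EC2 \
    --content "$(policy_document)"
}

# Step 5: attach the policy to the organization's root, an OU, or an account.
attach_policy() {
  policy_id="$1"; target_id="$2"
  aws_cmd organizations attach-policy \
    --policy-id "$policy_id" --target-id "$target_id"
}

# Step 6: show the combined effective policy that applies to one account.
show_effective_policy() {
  account_id="$1"
  aws_cmd organizations describe-effective-policy \
    --policy-type DECLARATIVE_POLICY_EC2 --target-id "$account_id"
}

# End-to-end run with placeholder values; executes only when RUN_WORKFLOW=1.
run_workflow() {
  enable_declarative_policies "r-examplerootid"
  start_status_report "r-examplerootid" "example-report-bucket"
  create_policy "ec2-serial-console-baseline"
  # create-policy returns the new policy ID (Policy.PolicySummary.Id); attach it:
  attach_policy "p-examplepolicyid" "ou-exampleouid"
  show_effective_policy "111122223333"
}

if [ "${RUN_WORKFLOW:-0}" = "1" ]; then
  run_workflow
fi
```

Review the account status report from step 3 before attaching the policy: it shows which accounts already differ from the baseline, so you can see what the attachment will change rather than discovering it after the fact. With AWS_CLI=echo the functions print the exact commands they would run, which is a convenient way to review them in a change request.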