Best practices for using declarative policies - AWS Organizations

Best practices for using declarative policies

AWS recommends the following best practices for using declarative policies.

Leverage readiness assessments

Use the declarative policy account status report to assess the current status of all attributes supported by declarative policies for the accounts in scope. You can choose the accounts and organizational units (OUs) to include in the report scope, or choose an entire organization by selecting the root.

This report helps you assess readiness by providing a per-Region breakdown and showing whether the current state of an attribute is uniform across accounts (numberOfMatchedAccounts) or inconsistent (numberOfUnmatchedAccounts). You can also see the most frequent value, which is the configuration value observed most often for the attribute. An attribute that is already uniform at the value you intend to enforce can be locked in without changing any live configuration; the unmatched accounts are the ones whose configuration would change when the policy takes effect, so they are the accounts to remediate or to plan exceptions for first.

Whether to attach a declarative policy that enforces a baseline configuration depends on your specific use case and on how much of the organization the report shows to be out of alignment.

For more information and an illustrative example, see Account status report for declarative policies.
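The following Python is an added example, not AWS code or the documented report schema. It assumes the account status report has been loaded as a list of per-attribute, per-Region entries carrying the two fields this page names, numberOfMatchedAccounts and numberOfUnmatchedAccounts, plus the most frequent value; the field names attributeName, region and mostFrequentValue, and the sample report itself, are constructed for the example. It turns the report into a go/no-go readiness verdict per attribute and lists the Regions that need remediation before an enforcing policy can be attached without changing live configuration.

```python
"""Assess declarative-policy readiness from an account status report.

Added example, not AWS code. Assumed (not the documented schema): the report
is a JSON list of per-attribute, per-Region entries with the fields named on
this page (numberOfMatchedAccounts, numberOfUnmatchedAccounts, most frequent
value). attributeName, region and mostFrequentValue are assumed names.
"""
import json
from collections import defaultdict

# Constructed sample report (not real report output), shaped after the fields
# this page names. 40 accounts are in scope.
SAMPLE_REPORT = json.dumps([
    {"attributeName": "serial_console_access", "region": "us-east-1",
     "mostFrequentValue": "disabled",
     "numberOfMatchedAccounts": 40, "numberOfUnmatchedAccounts": 0},
    {"attributeName": "serial_console_access", "region": "eu-west-1",
     "mostFrequentValue": "disabled",
     "numberOfMatchedAccounts": 40, "numberOfUnmatchedAccounts": 0},
    {"attributeName": "image_block_public_access", "region": "us-east-1",
     "mostFrequentValue": "block_new_sharing",
     "numberOfMatchedAccounts": 37, "numberOfUnmatchedAccounts": 3},
    {"attributeName": "image_block_public_access", "region": "eu-west-1",
     "mostFrequentValue": "unblocked",
     "numberOfMatchedAccounts": 25, "numberOfUnmatchedAccounts": 15},
])


def load_report(text):
    """Parse the report JSON into a list of entries."""
    return json.loads(text)


def summarize(entries):
    """Return {attribute: {region: verdict}} where a verdict records the most
    frequent value, whether all accounts already match it (uniform), how many
    do not, and the fraction of accounts that match."""
    out = defaultdict(dict)
    for e in entries:
        matched = int(e["numberOfMatchedAccounts"])
        unmatched = int(e["numberOfUnmatchedAccounts"])
        total = matched + unmatched
        out[e["attributeName"]][e["region"]] = {
            "mostFrequentValue": e["mostFrequentValue"],
            "uniform": unmatched == 0,
            "unmatched": unmatched,
            "coverage": matched / total if total else 0.0,
        }
    return dict(out)


def ready_to_enforce(summary, attribute, desired_value):
    """True only if every Region is already uniformly at desired_value.
    Anything else means an enforcing policy would change live configuration
    somewhere, which calls for the start-small rollout described on this page.
    An attribute missing from the report is treated as not ready."""
    regions = summary.get(attribute, {})
    return bool(regions) and all(
        r["uniform"] and r["mostFrequentValue"] == desired_value
        for r in regions.values())


def regions_needing_remediation(summary, attribute, desired_value):
    """Regions where at least one account would be changed by enforcement,
    either because accounts disagree or because the majority value is wrong."""
    return sorted(
        region for region, r in summary.get(attribute, {}).items()
        if not r["uniform"] or r["mostFrequentValue"] != desired_value)


if __name__ == "__main__":
    s = summarize(load_report(SAMPLE_REPORT))
    for attr, want in [("serial_console_access", "disabled"),
                       ("image_block_public_access", "block_new_sharing")]:
        print(attr, "ready" if ready_to_enforce(s, attr, want)
              else f"remediate first in {regions_needing_remediation(s, attr, want)}")
```

The verdict is deliberately strict: a single unmatched account in a single Region keeps the attribute out of the "ready" set, because that is exactly the account whose workloads would see a behavior change the moment the policy is attached.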

Start small and then scale

To simplify debugging, start with a test policy. Validate the behavior and impact of each change before making the next change. This approach reduces the number of variables you have to account for when an error or unexpected result occurs.

For example, you can start with a test policy attached to a single account in a noncritical test environment. After you have confirmed that it works to your specifications, you can then incrementally move the policy up the organization structure to more accounts and more organizational units (OUs).

Establish review processes

Implement processes to monitor for new declarative attributes, evaluate policy exceptions, and make adjustments to maintain alignment with your organizational security and operational requirements.

Validate changes using DescribeEffectivePolicy

After you make a change to a declarative policy, check the effective policies for representative accounts below the level where you made the change, including accounts in nested OUs, since the effective policy is the result of inheritance from every level above the account. You can view the effective policy by using the AWS Management Console, or by using the DescribeEffectivePolicy API operation or one of its AWS CLI or AWS SDK variants. Confirm that the change you made had the intended effect on the effective policy and that no attribute you expected to be set is missing from it.
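The following Python is an added example, not AWS code. It assumes that the effective policy document returned in EffectivePolicy.PolicyContent by DescribeEffectivePolicy contains an "ec2_attributes" object in which attribute values may appear either bare or wrapped in an "@@assign" operator (the code accepts both); DECLARATIVE_POLICY_EC2 is the Organizations policy type for declarative policies. The sample documents and the FakeOrganizations stand-in for the API client are constructed so the example runs offline; a boto3 Organizations client exposes the same describe_effective_policy call.

```python
"""Validate a declarative policy change by comparing the effective policy of
representative accounts against the intended baseline.

Added example, not AWS code. Assumed: EffectivePolicy.PolicyContent is a JSON
document with an "ec2_attributes" object whose values are either bare or
wrapped as {"@@assign": value}; both forms are accepted below.
"""
import json

POLICY_TYPE = "DECLARATIVE_POLICY_EC2"  # Organizations policy type for declarative policies


def _leaf(value):
    """Unwrap {"@@assign": x} to x; return any other value unchanged."""
    if isinstance(value, dict) and "@@assign" in value:
        return value["@@assign"]
    return value


def flatten(node, prefix=""):
    """Flatten nested attributes into {"a.b.c": value} for easy comparison."""
    node = _leaf(node)
    if not isinstance(node, dict):
        return {prefix.rstrip("."): node}
    out = {}
    for key, value in node.items():
        out.update(flatten(value, prefix + key + "."))
    return out


def deviations(policy_content, expected):
    """Compare an effective policy document against expected {path: value}.
    Returns {path: (expected, actual)}; actual is None when the attribute is
    absent from the effective policy, e.g. the change was not inherited."""
    doc = json.loads(policy_content)
    actual = flatten(doc.get("ec2_attributes", {}), "ec2_attributes.")
    return {path: (want, actual.get(path))
            for path, want in expected.items() if actual.get(path) != want}


def check_accounts(org_client, account_ids, expected):
    """Call DescribeEffectivePolicy for each representative account and
    return {account_id: deviations}. org_client is any object exposing
    describe_effective_policy(PolicyType=..., TargetId=...), so a boto3
    Organizations client or the fake below both work."""
    results = {}
    for account_id in account_ids:
        resp = org_client.describe_effective_policy(
            PolicyType=POLICY_TYPE, TargetId=account_id)
        results[account_id] = deviations(
            resp["EffectivePolicy"]["PolicyContent"], expected)
    return results


class FakeOrganizations:
    """Constructed stand-in for the Organizations client (not boto3)."""

    def __init__(self, docs):
        self._docs = docs

    def describe_effective_policy(self, PolicyType, TargetId):
        assert PolicyType == POLICY_TYPE
        return {"EffectivePolicy": {
            "PolicyType": PolicyType, "TargetId": TargetId,
            "PolicyContent": json.dumps(self._docs[TargetId])}}


# Constructed effective-policy documents: account 1111... inherited the change,
# account 2222... did not and still has serial console access enabled.
SAMPLE_DOCS = {
    "111111111111": {"ec2_attributes": {
        "serial_console_access": {"status": {"@@assign": "disabled"}},
        "snapshot_block_public_access": {"state": {"@@assign": "block_all_sharing"}}}},
    "222222222222": {"ec2_attributes": {
        "serial_console_access": {"status": "enabled"}}},
}

# The baseline the policy change was meant to produce.
EXPECTED = {
    "ec2_attributes.serial_console_access.status": "disabled",
    "ec2_attributes.snapshot_block_public_access.state": "block_all_sharing",
}

if __name__ == "__main__":
    # Against a real organization, replace the fake with
    # boto3.client("organizations") using management-account credentials.
    client = FakeOrganizations(SAMPLE_DOCS)
    for account, diff in check_accounts(client, list(SAMPLE_DOCS), EXPECTED).items():
        print(account, "OK" if not diff else diff)
```

Run it against a handful of accounts picked from each OU under the change, not only the OU's direct children; an account that reports an attribute as None has not received the change at all, which usually means the policy was attached one level too low or the wrong OU.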

Communicate and train

Ensure that the teams across your organization understand the purpose and impact of your declarative policies. Provide clear guidance on the expected behaviors, on how to request an exception, and on how to recognize and handle failures caused by policy enforcement.