Creating organization policies with AWS Organizations
After you enable policies for your organization, you can create a policy.
This topic describes how to create policies with AWS Organizations. A policy defines the controls that you want to apply to a group of AWS accounts.
Create a service control policy (SCP)
Minimum permissions
To create SCPs, you need permission to run the following action:
- organizations:CreatePolicy
AWS Management Console

To create a service control policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. On the Service control policies page, choose Create policy.
3. On the Create new service control policy page, enter a Policy name and an optional Policy description.
4. (Optional) Add one or more tags by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
   Note
   In most of the steps that follow, we discuss using the controls on the right side of the JSON editor to construct the policy, element by element. Alternatively, you can, at any time, simply enter text in the JSON editor on the left side of the window. You can directly type, or use copy and paste.
5. To build the policy, your next steps vary depending on whether you want to add a statement that denies or allows access. For more information, see SCP evaluation. If you use Deny statements, you have additional control because you can restrict access to specific resources, define conditions for when SCPs are in effect, and use the NotAction element. For details about syntax, see SCP syntax.
   To add a statement that denies access:
   a. In the Edit statement pane on the right side of the editor, under Add actions, choose an AWS service. As you choose options on the right, the JSON editor updates to show the corresponding JSON policy on the left.
   b. After you select a service, a list opens that contains the available actions for that service. You can choose All actions, or choose one or more individual actions that you want to deny. The JSON on the left updates to include the actions you selected.
      Note
      If you select an individual action and then go back and also select All actions, the expected servicename:* entry is added to the JSON, but the individual actions that you previously selected are left in the JSON and not removed.
   c. If you want to add actions from additional services, choose All services at the top of the Statement box, and then repeat the previous two steps as needed.
   d. Specify resources to include in the statement.
      i. Next to Add a resource, choose Add.
      ii. In the Add resource dialog, choose the service whose resources you want to control from the list. You can select from among only those services you selected in the previous step.
      iii. Under Resource type, choose the type of resource you want to control.
      iv. Finally, complete the Amazon Resource Name (ARN) in Resource ARN to identify the specific resource to which you want to control access. You must replace all placeholders that are surrounded by curly braces {}. You can specify wildcards (*) where that resource type's ARN syntax permits. See the documentation for a specific resource type for information about where you can use wildcards.
      v. Save your addition to the policy by choosing Add resource. The Resource element in the JSON reflects your additions or changes. The Resource element is required.
         Tip
         If you want to specify all resources for the selected service, either choose the All resources option in the list, or edit the Resource element directly in the JSON to read "Resource": "*".
(Optional) To specify conditions that limit when a policy statement is in effect, next to Add condition, choose Add.
-
Condition key – From the list you can choose any condition key that is available for all AWS services (for example,
aws:SourceIp
) or a service-specific key for only one of the services that you selected for this statement. -
Qualifier – (Optional) When the request has more than one values for a multivalued context key, you can specify a qualifier for testing requests against the values. For more information see, Single-valued vs. multivalued context keys in the IAM User Guide. To check if a request can have multiple values, see the Actions, resources, and condition keys for AWS services in the Service Authorization Reference.
-
Default – Tests a single value in the request against the condition key value in the policy. The condition returns true if the value in the request matches the value in the policy. If the policy specifies more than one value then they are treated as an "or" test, and the condition returns true if the request values matches any of the policy values.
-
For any value in a request – When the request can have multiple values, this option tests whether at least one of the request values matches at least one of the condition key values in the policy. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.
-
For all values in a request – When the request can have multiple values, this option tests whether every request value matches a condition key value in the policy. The condition returns true if every key value in the request matches at least one value in the policy. It also returns true if there are no keys in the request, or if the key values resolve to a null data set, such as an empty string.
-
-
Operator – The operator specifies the type of comparison to make. The options that are presented depend on the data type of the condition key. For example, the
aws:CurrentTime
global condition key lets you pick from any of the date comparison operators, orNull
, which you can use to test whether the value is present in the request.For any condition operator except the
Null
test, you can choose the IfExists option. -
Value – (Optional) Specify one or more values for which you want to test the request.
Choose Add condition.
For more information about condition keys, see IAM JSON Policy Elements: Condition in the IAM User Guide.
-
-
-
   To add a statement that allows access:
   a. In the JSON editor on the left, change the line "Effect": "Deny" to "Effect": "Allow". As you choose options on the right, the JSON editor updates to show the corresponding JSON policy on the left.
   b. After you select a service, a list opens that contains the available actions for that service. You can choose All actions, or choose one or more individual actions that you want to allow. The JSON on the left updates to include the actions you selected.
      Note
      If you select an individual action and then go back and also select All actions, the expected servicename:* entry is added to the JSON, but the individual actions that you previously selected are left in the JSON and not removed.
   c. If you want to add actions from additional services, choose All services at the top of the Statement box, and then repeat the previous two steps as needed.
6. (Optional) To add another statement to the policy, choose Add statement and use the visual editor to build the next statement.
7. When you're finished adding statements, choose Create policy to save the completed SCP.
   Your new SCP appears in the list of the organization's policies. You can now attach your SCP to the root, OUs, or accounts.
AWS CLI & AWS SDKs

To create a service control policy

You can use one of the following commands to create an SCP:

- AWS CLI: create-policy
  The following example assumes that you have a file named Deny-IAM.json with the JSON policy text in it. It uses that file to create a new service control policy.

  $ aws organizations create-policy \
      --content file://Deny-IAM.json \
      --description "Deny all IAM actions" \
      --name DenyIAMSCP \
      --type SERVICE_CONTROL_POLICY
  {
      "Policy": {
          "PolicySummary": {
              "Id": "p-i9j8k7l6m5",
              "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/service_control_policy/p-i9j8k7l6m5",
              "Name": "DenyIAMSCP",
              "Description": "Deny all IAM actions",
              "Type": "SERVICE_CONTROL_POLICY",
              "AwsManaged": false
          },
          "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Statement1\",\"Effect\":\"Deny\",\"Action\":[\"iam:*\"],\"Resource\":[\"*\"]}]}"
      }
  }

- AWS SDKs: CreatePolicy

Note
SCPs don't take effect on the management account and in a few other situations. For more information, see Tasks and entities not restricted by SCPs.
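As an added example (not code from the AWS documentation), the following Python script checks an SCP document against the statement rules stated in the console procedure above (Resource is required; only Deny statements may narrow Resource, carry a Condition, or use NotAction) and then submits it through the same CreatePolicy API the CLI example calls, using boto3. The 5,120-character limit is the published SCP document quota; the DenyOutsideApprovedRegions document is a constructed sample, not one from the page.

```python
"""Validate an SCP document locally, then create it with the Organizations API.

Added example; not code from the AWS documentation. validate_scp() applies
the statement rules given in the procedure above (Resource is required; only
Deny statements may narrow Resource, carry a Condition, or use NotAction),
plus the published 5,120-character SCP size quota. create_scp() wraps the
same CreatePolicy call as the CLI example, using boto3.
"""
import json

SCP_MAX_CHARS = 5120  # published quota for an SCP document, whitespace included

# The Deny-IAM.json content shown in the CLI example above.
DENY_IAM_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Statement1", "Effect": "Deny", "Action": ["iam:*"], "Resource": ["*"]}
    ],
}

# Constructed sample (not from the documentation) that uses the controls only a
# Deny statement offers: NotAction plus a Condition on a global context key.
DENY_OUTSIDE_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}
            },
        }
    ],
}


def serialize(document):
    """Compact JSON exactly as it will be sent in the Content parameter."""
    return json.dumps(document, separators=(",", ":"))


def validate_scp(document):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    if document.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = document.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        problems.append("Statement is required")
        return problems
    for i, stmt in enumerate(statements):
        label = stmt.get("Sid", f"Statement[{i}]")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{label}: Effect must be Allow or Deny")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{label}: SCPs do not support Principal or NotPrincipal")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{label}: exactly one of Action or NotAction is required")
        if "Resource" not in stmt:
            problems.append(f"{label}: Resource is required")
        if effect == "Allow":
            # Allow statements cannot use the Deny-only controls named in the text.
            if "Resource" in stmt and stmt["Resource"] not in ("*", ["*"]):
                problems.append(f'{label}: Allow statements must use "Resource": "*"')
            if "Condition" in stmt:
                problems.append(f"{label}: Allow statements cannot carry a Condition")
            if "NotAction" in stmt:
                problems.append(f"{label}: Allow statements cannot use NotAction")
    size = len(serialize(document))
    if size > SCP_MAX_CHARS:
        problems.append(f"document is {size} characters; the limit is {SCP_MAX_CHARS}")
    return problems


def create_scp(document, name, description):
    """Validate, then create the SCP and return its policy ID (p-...).
    Raises ValueError before any API call if validation fails."""
    problems = validate_scp(document)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so validation runs without boto3 or credentials

    client = boto3.client("organizations")
    response = client.create_policy(
        Content=serialize(document),
        Description=description,
        Name=name,
        Type="SERVICE_CONTROL_POLICY",
    )
    return response["Policy"]["PolicySummary"]["Id"]


if __name__ == "__main__":
    for name, doc in [("DenyIAMSCP", DENY_IAM_SCP),
                      ("DenyOutsideApprovedRegions", DENY_OUTSIDE_REGIONS)]:
        print(name, validate_scp(doc) or "OK")
```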
Create a resource control policy (RCP)
Minimum permissions
To create RCPs, you need permission to run the following action:
- organizations:CreatePolicy
AWS Management Console

To create a resource control policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. On the Resource control policy page, choose Create policy.
3. On the Create new resource control policy page, enter a Policy name and an optional Policy description.
4. (Optional) Add one or more tags by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
   Note
   In most of the steps that follow, we discuss using the controls on the right side of the JSON editor to construct the policy, element by element. Alternatively, you can, at any time, simply enter text in the JSON editor on the left side of the window. You can directly type, or use copy and paste.
5. To add a statement:
   a. In the Edit statement pane on the right side of the editor, under Add actions, choose an AWS service. As you choose options on the right, the JSON editor updates to show the corresponding JSON policy on the left.
   b. After you select a service, a list opens that contains the available actions for that service. You can choose All actions, or choose one or more individual actions that you want to deny. The JSON on the left updates to include the actions you selected.
      Note
      If you select an individual action and then go back and also select All actions, the expected servicename:* entry is added to the JSON, but the individual actions that you previously selected are left in the JSON and not removed.
   c. If you want to add actions from additional services, choose All services at the top of the Statement box, and then repeat the previous two steps as needed.
   d. Specify resources to include in the statement.
      i. Next to Add a resource, choose Add.
      ii. In the Add resource dialog, choose the service whose resources you want to control from the list. You can select from among only those services you selected in the previous step.
      iii. Under Resource type, choose the type of resource you want to control.
      iv. Complete the Amazon Resource Name (ARN) in Resource ARN to identify the specific resource to which you want to control access. You must replace all placeholders that are surrounded by curly braces {}. You can specify wildcards (*) where that resource type's ARN syntax permits. See the documentation for a specific resource type for information about where you can use wildcards.
      v. Save your addition to the policy by choosing Add resource. The Resource element in the JSON reflects your additions or changes. The Resource element is required.
         Tip
         If you want to specify all resources for the selected service, either choose the All resources option in the list, or edit the Resource element directly in the JSON to read "Resource": "*".
(Optional) To specify conditions that limit when a policy statement is in effect, next to Add condition, choose Add.
-
Condition key – From the list you can choose any condition key that is available for all AWS services (for example,
aws:SourceIp
) or a service-specific key for only one of the services that you selected for this statement. -
Qualifier – (Optional) When the request has more than one values for a multivalued context key, you can specify a qualifier for testing requests against the values. For more information see, Single-valued vs. multivalued context keys in the IAM User Guide. To check if a request can have multiple values, see the Actions, resources, and condition keys for AWS services in the Service Authorization Reference.
-
Default – Tests a single value in the request against the condition key value in the policy. The condition returns true if the value in the request matches the value in the policy. If the policy specifies more than one value then they are treated as an "or" test, and the condition returns true if the request values matches any of the policy values.
-
For any value in a request – When the request can have multiple values, this option tests whether at least one of the request values matches at least one of the condition key values in the policy. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.
-
For all values in a request – When the request can have multiple values, this option tests whether every request value matches a condition key value in the policy. The condition returns true if every key value in the request matches at least one value in the policy. It also returns true if there are no keys in the request, or if the key values resolve to a null data set, such as an empty string.
-
-
Operator – The operator specifies the type of comparison to make. The options that are presented depend on the data type of the condition key. For example, the
aws:CurrentTime
global condition key lets you pick from any of the date comparison operators, orNull
, which you can use to test whether the value is present in the request.For any condition operator except the
Null
test, you can choose the IfExists option. -
Value – (Optional) Specify one or more values for which you want to test the request.
Choose Add condition.
For more information about condition keys, see IAM JSON Policy Elements: Condition in the IAM User Guide.
-
-
   f. (Optional) To use the NotAction element to deny access to all actions except those specified, replace Action in the left pane with NotAction, just after the "Effect": "Deny", element. For more information, see IAM JSON Policy Elements: NotAction in the IAM User Guide.
6. (Optional) To add another statement to the policy, choose Add statement and use the visual editor to build the next statement.
7. When you're finished adding statements, choose Create policy to save the completed RCP.
   Your new RCP appears in the list of the organization's policies. You can now attach your RCP to the root, OUs, or accounts.
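The Qualifier options described in the condition steps of both the SCP and the RCP procedures above (Default, "For any value in a request", "For all values in a request") are easiest to understand by running them. The following Python script is an added example, not code from the AWS documentation: it models the three qualifiers for the StringEquals operator over constructed request contexts. The aws:TagKeys and aws:RequestedRegion context keys are real global keys; the request data and the allowed-key list are made up.

```python
"""Condition qualifier semantics for multivalued context keys.

Added example; not code from the AWS documentation. It models the three
Qualifier options described in the SCP and RCP condition steps above
(Default, "For any value in a request" = ForAnyValue, "For all values in a
request" = ForAllValues) for the StringEquals operator, so one request
context can be compared under each qualifier, including the absent-key and
empty-set cases the text calls out.
"""
# Constructed request contexts (not captured from AWS). aws:TagKeys and
# aws:RequestedRegion are real global context keys; the values are made up.
REQUEST_WITH_TAGS = {"aws:TagKeys": ["Owner", "CostCenter"]}
REQUEST_WITH_EXTRA_TAG = {"aws:TagKeys": ["Owner", "CostCenter", "Debug"]}
REQUEST_WITHOUT_KEY = {}
REQUEST_EMPTY_SET = {"aws:TagKeys": []}
REQUEST_REGION = {"aws:RequestedRegion": ["us-east-1"]}

ALLOWED_TAG_KEYS = ["Owner", "CostCenter"]


def string_equals_default(request, key, policy_values):
    """Default (no qualifier): one request value against the policy values,
    which act as an OR list. An absent key is not a match. A request that
    carries several values for the key is outside this qualifier's definition
    and is treated as a non-match here (modelling assumption)."""
    values = request.get(key) or []
    return len(values) == 1 and values[0] in policy_values


def for_any_value(request, key, policy_values):
    """ForAnyValue: true if at least one request value matches at least one
    policy value. An absent key or an empty (null) set is false."""
    values = request.get(key) or []
    return any(v in policy_values for v in values)


def for_all_values(request, key, policy_values):
    """ForAllValues: true if every request value matches some policy value.
    Also true when the key is absent or the set is empty, so this qualifier
    on its own never requires the key to be present."""
    values = request.get(key) or []
    return all(v in policy_values for v in values)


QUALIFIERS = {
    "": string_equals_default,
    "ForAnyValue": for_any_value,
    "ForAllValues": for_all_values,
}


def condition_matches(condition, request):
    """Evaluate a Condition block such as
    {"ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]}}.
    Every operator/key pair must match (AND). Only StringEquals is modelled."""
    for qualified_operator, keys in condition.items():
        qualifier, _, operator = qualified_operator.rpartition(":")
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        test = QUALIFIERS[qualifier]
        for key, policy_values in keys.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            if not test(request, key, policy_values):
                return False
    return True


# A Condition that matches only when the request carries tag keys AND every
# one of them is on the allowed list: the ForAnyValue half closes the
# empty-set gap that ForAllValues alone leaves open.
TAGGED_WITH_ALLOWED_KEYS = {
    "ForAnyValue:StringEquals": {"aws:TagKeys": ALLOWED_TAG_KEYS},
    "ForAllValues:StringEquals": {"aws:TagKeys": ALLOWED_TAG_KEYS},
}


def compare_qualifiers(request, key="aws:TagKeys", policy_values=ALLOWED_TAG_KEYS):
    """Each qualifier's verdict for one request, for side-by-side reading."""
    return {name or "Default": test(request, key, policy_values)
            for name, test in QUALIFIERS.items()}


if __name__ == "__main__":
    cases = [("with tags", REQUEST_WITH_TAGS), ("extra tag", REQUEST_WITH_EXTRA_TAG),
             ("no key", REQUEST_WITHOUT_KEY), ("empty set", REQUEST_EMPTY_SET)]
    for label, req in cases:
        print(f"{label:10} {compare_qualifiers(req)} "
              f"both={condition_matches(TAGGED_WITH_ALLOWED_KEYS, req)}")
```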
AWS CLI & AWS SDKs

To create a resource control policy

You can use one of the following commands to create an RCP:

- AWS CLI: create-policy
  The following example assumes that you have a file named Deny-IAM.json with the JSON policy text in it. It uses that file to create a new resource control policy.

  $ aws organizations create-policy \
      --content file://Deny-IAM.json \
      --description "Deny all IAM actions" \
      --name DenyIAMSCP \
      --type RESOURCE_CONTROL_POLICY
  {
      "Policy": {
          "PolicySummary": {
              "Id": "p-i9j8k7l6m5",
              "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/resource_control_policy/p-i9j8k7l6m5",
              "Name": "DenyIAMSCP",
              "Description": "Deny all IAM actions",
              "Type": "RESOURCE_CONTROL_POLICY",
              "AwsManaged": false
          },
          "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Statement1\",\"Effect\":\"Deny\",\"Action\":[\"iam:*\"],\"Resource\":[\"*\"]}]}"
      }
  }

- AWS SDKs: CreatePolicy
Note
RCPs don't take effect on the management account and in a few other situations. For more information, see Resources and entities not restricted by RCPs.
Create a declarative policy
Minimum permissions
To create a declarative policy, you need permission to run the following action:
- organizations:CreatePolicy
AWS Management Console

To create a declarative policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. On the Declarative policies page, choose Create policy.
3. On the Create new declarative policy for EC2 page, enter a Policy name and an optional Policy description.
4. (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
5. You can build the policy using the Visual editor as described in this procedure. You can also enter or paste policy text in the JSON tab. For information about declarative policy syntax, see Declarative policy syntax and examples.
   If you choose to use the Visual editor, select the service attribute you want to include in your declarative policy. For more information, see Supported AWS services and attributes.
6. Choose Add service attribute, and configure the attribute to your specifications. For more detailed information on each effect, see Declarative policy syntax and examples.
7. When you're finished editing your policy, choose Create policy at the lower-right corner of the page.
AWS CLI & AWS SDKs

To create a declarative policy

You can use one of the following to create a declarative policy:

- AWS CLI: create-policy
  1. Create a declarative policy like the following, and store it in a text file.

     {
         "ec2_attributes": {
             "image_block_public_access": {
                 "state": {
                     "@@assign": "block_new_sharing"
                 }
             }
         }
     }

     This declarative policy specifies that all accounts affected by the policy must be configured so that new Amazon Machine Images (AMIs) are not publicly sharable. For information about declarative policy syntax, see Declarative policy syntax and examples.
  2. Import the JSON policy file to create a new policy in the organization. In this example, the previous JSON file was named policy.json.

     $ aws organizations create-policy \
         --type DECLARATIVE_POLICY_EC2 \
         --name "MyTestPolicy" \
         --description "My test policy" \
         --content file://policy.json
     {
         "Policy": {
             "Content": "{\"ec2_attributes\":{\"image_block_public_access\":{\"state\":{\"@@assign\":\"block_new_sharing\"}}}}",
             "PolicySummary": {
                 "Id": "p-i9j8k7l6m5",
                 "Arn": "arn:aws:organizations::o-aa111bb222:policy/declarative_policy_ec2/p-i9j8k7l6m5",
                 "Description": "My test policy",
                 "Name": "MyTestPolicy",
                 "Type": "DECLARATIVE_POLICY_EC2"
             }
         }
     }

- AWS SDKs: CreatePolicy
What to do next
After you create a declarative policy, assess readiness using the account status report. You can then enforce your baseline configurations. To do that, you can attach the policy to the organization root, organizational units (OUs), AWS accounts within your organization, or a combination of all of those.
Create a backup policy
Minimum permissions
To create a backup policy, you need permission to run the following action:
- organizations:CreatePolicy
AWS Management Console

You can create a backup policy in the AWS Management Console in one of two ways:
- A visual editor that lets you choose options and generates the JSON policy text for you.
- A text editor that lets you directly create the JSON policy text yourself.

The visual editor makes the process easy, but it limits your flexibility. It's a great way to create your first policies and get comfortable with using them. After you understand how they work and have started to be limited by what the visual editor provides, you can add advanced features to your policies by editing the JSON policy text yourself. The visual editor uses only the @@assign value-setting operator, and it doesn't provide any access to the child control operators. You can add the child control operators only if you manually edit the JSON policy text.
To create a backup policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. On the Backup policies page, choose Create policy.
3. On the Create policy page, enter a Policy name and an optional Policy description.
4. (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information about tagging, see Tagging AWS Organizations resources.
5. You can build the policy using the Visual editor as described in this procedure. You can also enter or paste policy text in the JSON tab. For information about backup policy syntax, see Backup policy syntax and examples.
   If you choose to use the Visual editor, select the backup options appropriate for your scenario. A backup plan consists of three parts. For more information about these backup plan elements, see Creating a backup plan and Assigning resources in the AWS Backup Developer Guide.
   - Backup plan general details
     - The Backup plan name can consist of only alphanumeric, hyphen, and underscore characters.
     - You must select at least one Backup plan region from the list. The plan can back up resources in only the selected AWS Regions.
   - One or more backup rules that specify how and when AWS Backup is to operate. Each backup rule defines the following items:
     - A schedule that includes the frequency of the backup and the time window in which the backup can occur.
     - The name of the backup vault to use. The Backup vault name can consist of only alphanumeric, hyphen, and underscore characters. The backup vault must exist before the plan can successfully run. Create the vault using the AWS Backup console or AWS CLI commands.
     - (Optional) One or more Copy to region rules to also copy the backup to vaults in other AWS Regions.
     - One or more tag key and value pairs to attach to the backup recovery points created each time this backup plan runs.
     - Lifecycle options that specify when the backup transitions to cold storage, and when the backup expires.
     Choose Add rule to add each rule you need to the plan.
     For more information about backup rules, see Backup Rules in the AWS Backup Developer Guide.
   - A resource assignment that specifies which resources AWS Backup should back up with this plan. The assignment is made by specifying tag pairs that AWS Backup uses to find and match resources.
     - The Resource assignment name can consist of only alphanumeric, hyphen, and underscore characters.
     - Specify the IAM role for AWS Backup to use to perform the backup by its name. In the console, you don't specify the entire Amazon Resource Name (ARN). You must include both the role name and its prefix that specifies the type of role. The prefixes are typically role or service-role, and they are separated from the role name by a forward slash ('/'). For example, you might enter role/MyRoleName or service-role/MyManagedRoleName. This is converted to a full ARN for you when stored in the underlying JSON.
       Important
       The specified IAM role must already exist in the account the policy is applied to. If it does not, the backup plan might successfully start backup jobs, but those backup jobs will fail.
     - Specify one or more Resource tag key and Tag values pairs to identify resources that you want backed up. If there is more than one tag value, separate the values with commas.
     Choose Add assignment to add each configured resource assignment to the backup plan.
     For more information, see Assign Resources to a Backup Plan in the AWS Backup Developer Guide.
6. When you're finished creating your policy, choose Create policy. The policy appears in your list of available backup policies.
AWS CLI & AWS SDKs

To create a backup policy

You can use one of the following to create a backup policy:

- AWS CLI: create-policy
  Create a backup plan as JSON text similar to the following, and store it in a text file. For complete rules for the syntax, see Backup policy syntax and examples.

  {
      "plans": {
          "PII_Backup_Plan": {
              "regions": {
                  "@@assign": [
                      "ap-northeast-2",
                      "us-east-1",
                      "eu-north-1"
                  ]
              },
              "rules": {
                  "Hourly": {
                      "schedule_expression": {
                          "@@assign": "cron(0 5/1 ? * * *)"
                      },
                      "start_backup_window_minutes": {
                          "@@assign": "480"
                      },
                      "complete_backup_window_minutes": {
                          "@@assign": "10080"
                      },
                      "lifecycle": {
                          "move_to_cold_storage_after_days": {
                              "@@assign": "180"
                          },
                          "delete_after_days": {
                              "@@assign": "270"
                          }
                      },
                      "target_backup_vault_name": {
                          "@@assign": "FortKnox"
                      },
                      "copy_actions": {
                          "arn:aws:backup:us-east-1:$account:backup-vault:secondary-vault": {
                              "lifecycle": {
                                  "move_to_cold_storage_after_days": {
                                      "@@assign": "10"
                                  },
                                  "delete_after_days": {
                                      "@@assign": "100"
                                  }
                              }
                          }
                      }
                  }
              },
              "selections": {
                  "tags": {
                      "datatype": {
                          "iam_role_arn": {
                              "@@assign": "arn:aws:iam::$account:role/MyIamRole"
                          },
                          "tag_key": {
                              "@@assign": "dataType"
                          },
                          "tag_value": {
                              "@@assign": [
                                  "PII"
                              ]
                          }
                      }
                  }
              }
          }
      }
  }

  This backup plan specifies that AWS Backup should back up all resources in the affected AWS accounts that are in the specified AWS Regions and that have the tag dataType with a value of PII.

  Next, import the JSON policy file backup plan to create a new backup policy in the organization. Note the policy ID at the end of the policy ARN in the output.

  $ aws organizations create-policy \
      --name "MyBackupPolicy" \
      --type BACKUP_POLICY \
      --description "My backup policy" \
      --content file://policy.json
  {
      "Policy": {
          "PolicySummary": {
              "Arn": "arn:aws:organizations::o-aa111bb222:policy/backup_policy/p-i9j8k7l6m5",
              "Description": "My backup policy",
              "Name": "MyBackupPolicy",
              "Type": "BACKUP_POLICY"
          },
          "Content": "...a condensed version of the JSON policy document you provided in the file..."
      }
  }

- AWS SDKs: CreatePolicy
Create a tag policy
Minimum permissions
To create tag policies, you need permission to run the following action:
- organizations:CreatePolicy
AWS Management Console

You can create a tag policy in the AWS Management Console in one of two ways:
- A visual editor that lets you choose options and generates the JSON policy text for you.
- A text editor that lets you directly create the JSON policy text yourself.

The visual editor makes the process easy, but it limits your flexibility. It's a great way to create your first policies and get comfortable with using them. After you understand how they work and have started to be limited by what the visual editor provides, you can add advanced features to your policies by editing the JSON policy text yourself. The visual editor uses only the @@assign value-setting operator, and it doesn't provide any access to the child control operators. You can add the child control operators only if you manually edit the JSON policy text.
To create a tag policy

1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
2. On the Tag policies page, choose Create policy.
3. On the Create policy page, enter a Policy name and an optional Policy description.
4. (Optional) You can add one or more tags to the policy object itself. These tags are not part of the policy. To do this, choose Add tag and then enter a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
5. You can build the tag policy using the Visual editor as described in this procedure. You can also type or paste a tag policy in the JSON tab. For information about tag policy syntax, see Tag policy syntax.
   If you choose to use the Visual editor, specify the following:
6. For New tag key 1, specify the name of a tag key to add.
7. For Compliance options, you can select the following options:
   - Use the capitalization that you've specified above for the tag key – Leave this option cleared (the default) to specify that the inherited parent tag policy, if any exists, should define the case treatment for the tag key. Enable this option if you want to mandate a specific capitalization for the tag key using this policy. If you select this option, the capitalization you specified for Tag Key overrides the case treatment specified in an inherited parent policy. If a parent policy doesn't exist and you don't enable this option, only tag keys in all lowercase characters are considered compliant. For more information about inheritance from parent policies, see Understanding management policy inheritance.
     Tip
     Consider using the example tag policy shown in Example 1: Define organization-wide tag key case as a guide in creating a tag policy that defines tag keys and their case treatment. Attach it to the organization root. Later, you can create and attach additional tag policies to OUs or accounts to create additional tagging rules.
   - Specify allowed values for this tag key – Enable this option if you want to add allowed values for this tag key to any values inherited from a parent policy. By default, this option is cleared, which means that only those values defined in and inherited from a parent policy are considered compliant. If a parent policy doesn't exist and you don't specify tag values, then any value (including no value at all) is considered compliant.
     To update the list of acceptable tag values, select Specify allowed values for this tag key and then choose Specify values. When prompted, enter the new values (one value per box), and then choose Save changes.
8. For Resource types to enforce, you can select Prevent noncompliant operations for this tag.
   We recommend that you leave this option cleared (the default) unless you are experienced with using tag policies. Make sure that you have reviewed the recommendations in Understanding enforcement, and test thoroughly. Otherwise, you could prevent users in your organization's accounts from tagging the resources they need.
   If you do want to enforce compliance with this tag key, select the check box and then Specify resource types. When prompted, select the resource types to include in the policy. Then choose Save changes.
   Important
   When you select this option, any operations that manipulate tags for resources of the specified types succeed only if the operation results in tags that are compliant with the policy.
9. (Optional) To add another tag key to this tag policy, choose Add tag key. Then perform steps 6–9 to define the tag key.
10. When you're finished building your tag policy, choose Save changes.
AWS CLI & AWS SDKs

To create a tag policy
You can use one of the following to create a tag policy:
- AWS CLI: create-policy
  You can use any text editor to create a tag policy. Use JSON syntax and save the tag policy as a file with any name and extension in a location of your choosing. Tag policies can have a maximum of 2,500 characters, including spaces. For information about tag policy syntax, see Tag policy syntax.
  To create a tag policy
  - Create a tag policy in a text file that looks similar to the following:
    Contents of testpolicy.json:
      {
        "tags": {
          "CostCenter": {
            "tag_key": {
              "@@assign": "CostCenter"
            }
          }
        }
      }
    This tag policy defines the CostCenter tag key. The tag can accept any value or no value. A policy like this means that a resource that has the CostCenter tag attached, with or without a value, is compliant.
  - Create a policy that contains the policy content from the file. Extra white space in the output has been truncated for readability.
      $ aws organizations create-policy \
          --name "MyTestTagPolicy" \
          --description "My Test policy" \
          --content file://testpolicy.json \
          --type TAG_POLICY
      {
        "Policy": {
          "PolicySummary": {
            "Id": "p-a1b2c3d4e5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/tag_policy/p-a1b2c3d4e5",
            "Name": "MyTestTagPolicy",
            "Description": "My Test policy",
            "Type": "TAG_POLICY",
            "AwsManaged": false
          },
          "Content": "{\n\"tags\":{\n\"CostCenter\":{\n\"tag_key\":{\n\"@@assign\":\"CostCenter\"\n}\n}\n}\n}\n\n"
        }
      }
- AWS SDKs: CreatePolicy
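The console steps above describe three compliance rules for a tag key (the key's capitalization, an optional list of allowed values, and enforcement for chosen resource types), and the CLI steps show the JSON that expresses them. The following Python is an added example, not AWS code and not part of this topic: it models those rules so that a policy document can be tested against a resource's tags offline before the policy is attached. The sample policy, the resource types and the tag values in it are constructed for the example; the `enforced_for` matching uses shell-style wildcards, which is a simplification of the `service:*` form tag policies accept.

```python
import fnmatch
import json

# Constructed sample tag policy (not from the page): CostCenter may only take
# the values 100 or 200 and is enforced for EC2 instances and every Secrets
# Manager resource type; Project is defined with no value restriction.
SAMPLE_POLICY = json.loads("""
{
  "tags": {
    "costcenter": {
      "tag_key": {"@@assign": "CostCenter"},
      "tag_value": {"@@assign": ["100", "200"]},
      "enforced_for": {"@@assign": ["ec2:instance", "secretsmanager:*"]}
    },
    "project": {
      "tag_key": {"@@assign": "Project"}
    }
  }
}
""")


def _assigned(node, default):
    """Return the @@assign value of a policy element, or default if it is absent."""
    if isinstance(node, dict) and "@@assign" in node:
        return node["@@assign"]
    return default


def _key_violations(spec, tags):
    """Violations of one tag-key entry, as (resource_tag_key, reason) tuples."""
    wanted_key = _assigned(spec.get("tag_key"), None)
    if wanted_key is None:
        return []
    allowed_values = _assigned(spec.get("tag_value"), None)
    violations = []
    for key, value in tags.items():
        # Only tags whose key matches the policy key (ignoring case) are in scope.
        if key.lower() != wanted_key.lower():
            continue
        if key != wanted_key:
            violations.append((key, f"capitalisation must be {wanted_key!r}"))
        elif allowed_values is not None and value not in allowed_values:
            violations.append((key, f"value {value!r} not in {allowed_values}"))
        # No tag_value in the policy: any value, including "", is compliant.
    return violations


def find_violations(policy, tags):
    """All compliance findings for a resource's tags ({key: value}) under the policy."""
    findings = []
    for spec in policy["tags"].values():
        findings.extend(_key_violations(spec, tags))
    return findings


def tagging_operation_allowed(policy, resource_type, resulting_tags):
    """Model the Prevent noncompliant operations option.

    A tag-changing operation is blocked only when some tag key is enforced for
    this resource type (enforced_for matches "service:type" or "service:*")
    and the tags the operation would leave behind violate that key's rules.
    Keys that are not enforced are still reported by find_violations, but
    they never block an operation.
    """
    for spec in policy["tags"].values():
        patterns = _assigned(spec.get("enforced_for"), [])
        if any(fnmatch.fnmatchcase(resource_type, p) for p in patterns):
            if _key_violations(spec, resulting_tags):
                return False
    return True


if __name__ == "__main__":
    print(find_violations(SAMPLE_POLICY, {"costcenter": "100", "Project": ""}))
    print(tagging_operation_allowed(SAMPLE_POLICY, "ec2:instance", {"CostCenter": "300"}))
```

Running the checker over the tags a deployment template will apply, before turning on enforcement, is the cheapest way to act on the page's advice to "test thoroughly": every finding it reports for an enforced resource type is a tagging call that would fail once the policy is attached.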
Create a chatbot policy
Minimum permissions
To create a chatbot policy, you need permission to run the following action:
- organizations:CreatePolicy

AWS Management Console

You can create a chatbot policy in the AWS Management Console in one of two ways:
- A visual editor that lets you choose options and generates the JSON policy text for you.
- A text editor that lets you directly create the JSON policy text yourself.
The visual editor makes the process easy, but it limits your flexibility. It's a great way to create your first policies and get comfortable with using them. After you understand how they work and have started to be limited by what the visual editor provides, you can add advanced features to your policies by editing the JSON policy text yourself. The visual editor uses only the @@assign value-setting operator, and it doesn't provide any access to the child control operators. You can add the child control operators only if you manually edit the JSON policy text.
To create a chatbot policy
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the Chatbot policies page, choose Create policy.
- On the Create new chatbot policy page, enter a Policy name and an optional Policy description.
- (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
- You can build the policy using the Visual editor as described in this procedure. You can also enter or paste policy text in the JSON tab. For information about chatbot policy syntax, see Chatbot policy syntax and examples.
  If you choose to use the Visual editor, configure your chatbot policy by specifying access controls for chat clients.
  - Choose one of the following for Set Amazon Chime chat client access:
    - Deny Chime access
    - Allow Chime access
  - Choose one of the following for Set Microsoft Teams chat client access:
    - Deny access to all Teams
    - Allow access to all Teams
    - Restrict access to named Teams
  - Choose one of the following for Set Slack chat client access:
    - Deny access to all Slack workspaces
    - Allow access to all Slack workspaces
    - Restrict access to named Slack workspaces
    Note
    In addition, you can select Limit AWS Chatbot usage to only private Slack channels.
  - Select the following options for Set IAM permissions types:
    - Enable Channel level IAM role: all channel members share IAM role permissions to run tasks in a channel. A channel role is appropriate if channel members require the same permissions.
    - Enable User level IAM role: channel members must choose an IAM user role to perform actions (requires console access to choose roles). User roles are appropriate if channel members require different permissions and can choose their user roles.
- When you're finished creating your policy, choose Create policy. The policy appears in your list of chatbot policies.
AWS CLI & AWS SDKs

To create a chatbot policy
You can use one of the following to create a chatbot policy:
- AWS CLI: create-policy
  You can use any text editor to create a chatbot policy. Use JSON syntax and save the chatbot policy as a file with any name and extension in a location of your choosing. Chatbot policies can have a maximum of ? characters, including spaces. For information about chatbot policy syntax, see Chatbot policy syntax and examples.
  To create a chatbot policy
  - Create a chatbot policy in a text file that looks similar to the following:
    Contents of testpolicy.json:
      {
        "chatbot": {
          "platforms": {
            "slack": {
              "client": {
                "@@assign": "enabled"
              },
              "workspaces": {
                "@@assign": [
                  "Slack-Workspace-Id"
                ]
              },
              "default": {
                "supported_channel_types": {
                  "@@assign": [
                    "private"
                  ]
                }
              }
            },
            "microsoft_teams": {
              "client": {
                "@@assign": "disabled"
              }
            }
          }
        }
      }
    This chatbot policy allows only private Slack channels in a specific workspace, disables Microsoft Teams, and supports all role settings.
  - Create a policy that contains the policy content from the file. Extra white space in the output has been truncated for readability.
      $ aws organizations create-policy \
          --name "MyTestChatbotPolicy" \
          --description "My Test policy" \
          --content file://testpolicy.json \
          --type CHATBOT_POLICY
      {
        "Policy": {
          "PolicySummary": {
            "Id": "p-a1b2c3d4e5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/chatbot_policy/p-a1b2c3d4e5",
            "Name": "MyTestChatbotPolicy",
            "Description": "My Test policy",
            "Type": "CHATBOT_POLICY",
            "AwsManaged": false
          },
          "Content": "{\"chatbot\":{\"platforms\":{\"slack\":{\"client\":{\"@@assign\":\"enabled\"},\"workspaces\":{\"@@assign\":[\"Slack-Workspace-Id\"]},\"default\":{\"supported_channel_types\":{\"@@assign\":[\"private\"]}}},\"microsoft_teams\":{\"client\":{\"@@assign\":\"disabled\"}}}}}"
        }
      }
- AWS SDKs: CreatePolicy
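The chatbot policy above restricts which chat platforms, workspaces and channel types may be wired to AWS Chatbot. The following Python is an added example, not AWS code and not part of this topic: it checks a chatbot policy document for the value errors the visual editor would never produce but a hand-edited JSON file can, and then answers the question the policy exists to answer, namely whether a given channel is permitted. Only the two platforms and the elements the page's sample uses are modelled; the Slack workspace ID is a constructed placeholder, and treating a platform the policy does not mention as unrestricted is an assumption made for the example.

```python
import json

# Platforms and values modelled here are the ones the page's sample policy uses.
KNOWN_PLATFORMS = {"slack", "microsoft_teams"}
VALID_CLIENT_STATES = {"enabled", "disabled"}
VALID_CHANNEL_TYPES = {"private", "public"}
VALID_ROLE_SETTINGS = {"channel_role", "user_role"}

# Constructed sample policy (the workspace ID is a made-up placeholder): only
# private channels in one Slack workspace, Microsoft Teams disabled.
SAMPLE_POLICY = json.loads("""
{
  "chatbot": {
    "platforms": {
      "slack": {
        "client": {"@@assign": "enabled"},
        "workspaces": {"@@assign": ["T0EXAMPLE1"]},
        "default": {
          "supported_channel_types": {"@@assign": ["private"]},
          "supported_role_settings": {"@@assign": ["channel_role", "user_role"]}
        }
      },
      "microsoft_teams": {
        "client": {"@@assign": "disabled"}
      }
    }
  }
}
""")


def _assigned(node, default):
    """Return the @@assign value of a policy element, or default if it is absent."""
    if isinstance(node, dict) and "@@assign" in node:
        return node["@@assign"]
    return default


def validate_policy(policy):
    """Return a list of problems with the document (empty when it looks valid)."""
    problems = []
    platforms = policy.get("chatbot", {}).get("platforms")
    if not isinstance(platforms, dict):
        return ["missing chatbot.platforms object"]
    for name, spec in platforms.items():
        if name not in KNOWN_PLATFORMS:
            problems.append(f"unknown platform {name!r}")
            continue
        client = _assigned(spec.get("client"), "enabled")
        if client not in VALID_CLIENT_STATES:
            problems.append(f"{name}: client must be enabled or disabled, got {client!r}")
        default = spec.get("default", {})
        for field, valid in (("supported_channel_types", VALID_CHANNEL_TYPES),
                             ("supported_role_settings", VALID_ROLE_SETTINGS)):
            unknown = set(_assigned(default.get(field), [])) - valid
            if unknown:
                problems.append(f"{name}: unknown {field} {sorted(unknown)}")
    return problems


def is_allowed(policy, platform, workspace=None, channel_type="public"):
    """Decide whether a channel may use AWS Chatbot under the policy.

    Assumption for this example: a platform the policy does not mention is
    unrestricted. A mentioned platform must be enabled, the workspace must be
    listed when a workspaces list exists, and the channel type must be one of
    default.supported_channel_types (all types when that element is absent).
    """
    spec = policy["chatbot"]["platforms"].get(platform)
    if spec is None:
        return True
    if _assigned(spec.get("client"), "enabled") == "disabled":
        return False
    workspaces = _assigned(spec.get("workspaces"), None)
    if workspaces is not None and workspace not in workspaces:
        return False
    channel_types = _assigned(spec.get("default", {}).get("supported_channel_types"),
                              sorted(VALID_CHANNEL_TYPES))
    return channel_type in channel_types


if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY))
    print(is_allowed(SAMPLE_POLICY, "slack", "T0EXAMPLE1", "public"))
```

Running validate_policy over the file before the create-policy call catches a misspelled value such as "enable" locally; the evaluator is then a quick way to confirm that the channel you intend to allow is in fact the only one the document permits.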
Create an AI services opt-out policy
Minimum permissions
To create an AI services opt-out policy, you need permission to run the following action:
- organizations:CreatePolicy

AWS Management Console

To create an AI services opt-out policy
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AI services opt-out policies page, choose Create policy.
- On the Create new AI services opt-out policy page, enter a Policy name and an optional Policy description.
- (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging AWS Organizations resources.
- Enter or paste the policy text in the JSON tab. For information about AI services opt-out policy syntax, see AI services opt-out policy syntax and examples. For example policies that you can use as a starting point, see AI services opt-out policy examples.
- When you're finished editing your policy, choose Create policy at the lower-right corner of the page.
AWS CLI & AWS SDKs

To create an AI services opt-out policy
You can use one of the following to create an AI services opt-out policy:
- AWS CLI: create-policy
  - Create an AI services opt-out policy like the following, and store it in a text file. Note that "optOut" and "optIn" are case-sensitive.
      {
        "services": {
          "default": {
            "opt_out_policy": {
              "@@assign": "optOut"
            }
          },
          "rekognition": {
            "opt_out_policy": {
              "@@assign": "optIn"
            }
          }
        }
      }
    This AI services opt-out policy specifies that all accounts affected by the policy are opted out of all AI services except for Amazon Rekognition.
  - Import the JSON policy file to create a new policy in the organization. In this example, the previous JSON file was named policy.json.
      $ aws organizations create-policy \
          --type AISERVICES_OPT_OUT_POLICY \
          --name "MyTestPolicy" \
          --description "My test policy" \
          --content file://policy.json
      {
        "Policy": {
          "Content": "{\"services\":{\"default\":{\"opt_out_policy\":{\"@@assign\":\"optOut\"}},\"rekognition\":{\"opt_out_policy\":{\"@@assign\":\"optIn\"}}}}",
          "PolicySummary": {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
            "Description": "My test policy",
            "Name": "MyTestPolicy",
            "Type": "AISERVICES_OPT_OUT_POLICY"
          }
        }
      }
- AWS SDKs: CreatePolicy
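Each of the CLI procedures on this page (tag, chatbot and AI services opt-out policies) ends in the same create-policy call, and the SDK entry points listed after them take the same four parameters. The following Python is an added example, not AWS code and not the AWS SDK's own API: it wraps that CreatePolicy call with the local checks this topic gives grounds for (the document's top-level element must match the policy type, tag policies are limited to 2,500 characters, at most 50 tags may be attached) so that a mismatched --type or a malformed file fails before anything is sent. The client is injected, so the block runs offline against the constructed RecordingClient and the same call works unchanged with a real boto3 Organizations client; the response Id it returns is a placeholder.

```python
import json

# Top-level element each policy type's document must contain, per the syntax
# pages this topic links to (SCPs use Statement; the others use tags, chatbot
# and services respectively).
EXPECTED_ROOT = {
    "SERVICE_CONTROL_POLICY": "Statement",
    "TAG_POLICY": "tags",
    "CHATBOT_POLICY": "chatbot",
    "AISERVICES_OPT_OUT_POLICY": "services",
}
# The page states a size limit only for tag policies (2,500 characters, spaces included).
MAX_CONTENT_CHARS = {"TAG_POLICY": 2500}
MAX_TAGS = 50  # tags per policy, as stated in the console steps


def build_create_policy_request(name, description, content, policy_type, tags=None):
    """Validate the inputs and return keyword arguments for create_policy().

    content may be a dict or the text of a JSON file; it is re-serialized
    compactly, and the character limit is checked against that form.
    """
    if policy_type not in EXPECTED_ROOT:
        raise ValueError(f"unknown policy type {policy_type!r}")
    document = json.loads(content) if isinstance(content, str) else content
    root = EXPECTED_ROOT[policy_type]
    if not isinstance(document, dict) or root not in document:
        raise ValueError(f"a {policy_type} document must have a top-level {root!r} element")
    serialized = json.dumps(document, separators=(",", ":"))
    limit = MAX_CONTENT_CHARS.get(policy_type)
    if limit is not None and len(serialized) > limit:
        raise ValueError(f"content is {len(serialized)} characters; limit is {limit}")
    request = {
        "Name": name,
        "Description": description,
        "Type": policy_type,
        "Content": serialized,
    }
    if tags:
        if len(tags) > MAX_TAGS:
            raise ValueError(f"at most {MAX_TAGS} tags may be attached to a policy")
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def create_policy(client, **kwargs):
    """Send a validated request; client is e.g. boto3.client("organizations")."""
    return client.create_policy(**build_create_policy_request(**kwargs))


class RecordingClient:
    """Offline stand-in for the Organizations client, constructed for this example."""

    def __init__(self):
        self.requests = []

    def create_policy(self, **request):
        self.requests.append(request)
        # Echo a response shaped like the real one; the Id is a placeholder.
        summary = {"Id": "p-PLACEHOLDER", "Name": request["Name"], "Type": request["Type"]}
        return {"Policy": {"PolicySummary": summary, "Content": request["Content"]}}


# The page's own tag policy, reused here as sample content.
TAG_POLICY_DOC = {"tags": {"CostCenter": {"tag_key": {"@@assign": "CostCenter"}}}}

if __name__ == "__main__":
    client = RecordingClient()
    print(create_policy(client, name="MyTestTagPolicy", description="My Test policy",
                        content=TAG_POLICY_DOC, policy_type="TAG_POLICY"))
```

The root-element check is the one that matters most in practice: CreatePolicy is called with the same action and the same organizations:CreatePolicy permission for every type, so the type string is the only thing that tells the service how to interpret the document, and passing a chatbot document with --type TAG_POLICY is an easy mistake to make from a copied command.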