What Is AWS Organization Policy
In the last blog post, we discussed how to interact with the AWS Organizations service using the AWS CLI.
In this blog post, we will discuss AWS Organizations policies. Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization. Organization policies can only be used if you have enabled all features (the default) in your AWS organization.
Organization Policy Types:
Service control policy (SCP):
A policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permissions policies except that they don’t grant any permissions. Instead, SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. When you attach an SCP to your organization root or an OU, the SCP limits permissions for entities in member accounts.
Artificial intelligence (AI) services opt-out policy:
A type of policy that helps you standardize your opt-out settings for AWS AI services across all of the accounts in your organization. Certain AWS AI services can store and use customer content processed by those services for the development and continuous improvement of Amazon AI services and technologies. As an AWS customer, you can use AI service opt-out policies to choose to opt out of having your content stored or used for service improvements.
Backup policy:
A type of policy that helps you standardize and implement a backup strategy for the resources across all of the accounts in your organization. In a backup policy, you can configure and deploy backup plans for your resources.
Tag policy:
A type of policy that helps you standardize tags on resources across all of the accounts in your organization. In a tag policy, you can specify tagging rules for specific resources.
Organization Policy Inheritance:
An organization policy can be attached at different levels: the organization root, any organizational unit (OU), or an individual account.
- If you attach an organization policy to the organization root, all OUs and accounts inherit that policy.
- If you attach an organization policy to an OU, all child OUs and accounts under that OU inherit the policy.
- If you attach an organization policy directly to an account, only that account receives the policy.
How inheritance works depends on the policy type; service control policy inheritance differs in nature from that of the other policy types.
- Service Control Policy Inheritance: In the case of SCPs, permission inheritance flows down from the parent OU. For example, if SCP A is attached to the root, it is inherited across the organization by every OU and account. If SCP B is then attached to a specific OU, it is inherited by all child OUs and accounts under that OU. If a permission is denied in a parent OU by an SCP, that permission cannot be allowed in any child OU or account by any other SCP. Also, SCPs do not support inheritance operators in the policy definition. With SCPs there are two approaches you can take to apply these policies:
- A deny list strategy makes use of the FullAWSAccess SCP that is attached by default to every OU and account. This SCP overrides the default implicit deny, and explicitly allows all permissions to flow down from the root to every account, unless you explicitly deny a permission with an additional SCP that you create and attach to the appropriate OU or account. This strategy works because an explicit deny in a policy always overrides any kind of allow. No account below the level of the OU with the deny policy can use the denied API, and there is no way to add the permission back lower in the hierarchy.
- An allow list strategy has you remove the FullAWSAccess SCP that is attached by default to every OU and account. This means that no APIs are permitted anywhere unless you explicitly allow them. To allow a service API to operate in an AWS account, you must create your own SCPs and attach them to the account and every OU above it, up to and including the root. Every SCP in the hierarchy, starting at the root, must explicitly allow the APIs that you want to be usable in the OUs and accounts below it. This strategy works because an explicit allow in an SCP overrides an implicit deny.
- Other Policy Inheritance: Policy inheritance behaves differently for Artificial Intelligence (AI) services opt-out policies, backup policies and tag policies. The syntax for these policy types includes inheritance operators, which let you specify with fine granularity which elements from the parent policies are applied and which elements can be overridden or modified when inherited by child OUs and accounts. The effective policy is the set of rules inherited from the organization root and OUs together with those directly attached to the account; it specifies the final set of rules that apply to the account. You can view the effective policy for an account, which includes the effect of all of the inheritance operators in the policies applied.
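To make the SCP evaluation rules above concrete, here is an added example (not code from the original post or from AWS) that walks an action down a constructed root -> OU -> account path and applies the deny-list and allow-list strategies; it only evaluates Effect and Action (no Resource, Condition or NotAction), and the policy names and hierarchy are constructed for illustration.

```python
"""Added example, not from the original post: decide whether an IAM action is
permitted by the SCPs attached along an account's path root -> OU -> account.
At every level on the path the action must be explicitly allowed by at least one
SCP attached there and not explicitly denied by any SCP attached there; a Deny
can never be undone lower down. Only Effect/Action are evaluated (no Resource,
Condition or NotAction); hierarchy and policies below are constructed samples."""
from fnmatch import fnmatchcase

# FullAWSAccess: the AWS-managed SCP attached by default to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _matches(action, pattern):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_level_allows(scps, action):
    """Evaluate every SCP attached at one level (the root, one OU, or the account)."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    return allowed and not denied

def scp_permits(path, action):
    """path: one list of SCPs per level, ordered from the root down to the account."""
    return all(scp_level_allows(level, action) for level in path)

def _simple(effect, action):
    return {"Statement": [{"Effect": effect, "Action": action, "Resource": "*"}]}

# Deny-list strategy: FullAWSAccess stays everywhere; a targeted Deny is attached to the OU.
DENY_LEAVE_ORG = _simple("Deny", "organizations:LeaveOrganization")
deny_list_path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LEAVE_ORG], [FULL_AWS_ACCESS]]
# An Allow attached directly to the account cannot undo the Deny inherited from its OU.
ALLOW_LEAVE_ORG = _simple("Allow", "organizations:LeaveOrganization")
reallow_path = deny_list_path[:2] + [[FULL_AWS_ACCESS, ALLOW_LEAVE_ORG]]

# Allow-list strategy: FullAWSAccess detached; each level must Allow what may be used below it.
ALLOW_S3_EC2 = _simple("Allow", ["s3:*", "ec2:*"])
allow_list_path = [[ALLOW_S3_EC2], [ALLOW_S3_EC2], [_simple("Allow", "s3:*")]]

if __name__ == "__main__":
    print(scp_permits(deny_list_path, "organizations:LeaveOrganization"))  # False
    print(scp_permits(reallow_path, "organizations:LeaveOrganization"))    # False
    print(scp_permits(allow_list_path, "ec2:RunInstances"))                # False: account level allows only s3
```

The same evaluation also shows why an allow-list gap at any single level (here the account-level SCP allowing only s3) blocks an action that every level above it permits.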
Hope you have enjoyed this article. To learn more about AWS Organizations, please refer to the official documentation below.