This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::Organizations::ResourcePolicy Creates or updates a resource-based delegation policy that can be used to delegate policy management for AWS Organizations to specified member accounts to perform policy actions that are by default available only to the management account. For more information about delegated policy management, see [Delegated administrator for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) in the *AWS Organizations User Guide*. You can only call this operation from the organization's management account. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::Organizations::ResourcePolicy", "Properties" : { "[Content](#cfn-organizations-resourcepolicy-content)" : {{Json}}, "[Tags](#cfn-organizations-resourcepolicy-tags)" : {{[ Tag, ... ]}} } } ``` ### YAML ``` Type: AWS::Organizations::ResourcePolicy Properties: [Content](#cfn-organizations-resourcepolicy-content): {{Json}} [Tags](#cfn-organizations-resourcepolicy-tags): {{ - Tag}} ``` ## Properties `Content` The policy text of the organization resource policy. You can specify the resource policy content as a JSON object or a JSON string. When you specify the resource policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the resource policy content as a JSON object instead. *Required*: Yes *Type*: Json *Pattern*: `[\s\S]*` *Minimum*: `1` *Maximum*: `40000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` A list of tags that you want to attach to the newly created resource policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null`. For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the *AWS Organizations User Guide*. If any one of the tags is not valid or if you exceed the allowed number of tags for the resource policy, then the entire request fails and the resource policy is not created. *Required*: No *Type*: Array of [Tag](aws-properties-organizations-resourcepolicy-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `Id`. For example: `rp-examplepolicyid111`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Arn` Returns the Amazon Resource Name (ARN) of the policy. For example: `arn:aws:organizations::111111111111:resourcepolicy/o-exampleorgid/rp-examplepolicyid111`. `Id` Returns the unique identifier (ID) of the resource policy. For example: `rp-examplepolicyid111`. ## Examples **Topics** + [Organization Resource Policy Content Specified as a JSON Object](#aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_Object) + [Organization Resource Policy Content Specified as a JSON String](#aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String) ### Organization Resource Policy Content Specified as a JSON Object This example illustrates how to specify the organization resource policy content as a JSON object in `AWS::Organizations::ResourcePolicy`. The organization resource policy is specified inline as a JSON object in the `Content` property of `AWS::Organizations::ResourcePolicy`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation Organizations Template Example", "Resources": { "ResourcePolicyTestTemplate": { "DeletionPolicy": "Retain", "Type": "AWS::Organizations::ResourcePolicy", "Properties": { "Content": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDescribeOrganization", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": [ "organizations:DescribeOrganization" ], "Resource": "*" } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: AWS CloudFormation Organizations Template Example Resources: ResourcePolicyTestTemplate: DeletionPolicy: Retain Type: AWS::Organizations::ResourcePolicy Properties: Content: Version: 2012-10-17 Statement: - Sid: AllowDescribeOrganization Effect: Allow Principal: AWS: 'arn:aws:iam::111122223333:root' Action: - 'organizations:DescribeOrganization' Resource: '*' ``` ### Organization Resource Policy Content Specified as a JSON String This example illustrates how to specify the organization resource policy content as a JSON string in `AWS::Organizations::ResourcePolicy`. The organization resource policy is specified inline as a JSON string in the `Content` property of `AWS::Organizations::ResourcePolicy`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "AWS CloudFormation Organizations Template Example", "Resources": { "ResourcePolicyExample": { "DeletionPolicy": "Retain", "Type": "AWS::Organizations::ResourcePolicy", "Properties": { "Content": "{\"Version\":\"2012-10-17\", \"Statement\":[{\"Sid\":\"AllowDescribeOrganization\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":[\"organizations:DescribeOrganization\"],\"Resource\":\"*\"}]}" } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: AWS CloudFormation Organizations Template Example Resources: ResourcePolicyExample: DeletionPolicy: Retain Type: AWS::Organizations::ResourcePolicy Properties: Content: >- {"Version":"2012-10-17", "Statement":[{"Sid":"AllowDescribeOrganization","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":["organizations:DescribeOrganization"],"Resource":"*"}]} ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: AWS CloudFormation Organizations Template Example Resources: ResourcePolicyExample: DeletionPolicy: Retain Type: AWS::Organizations::ResourcePolicy Properties: Content: >- { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDescribeOrganization", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": [ "organizations:DescribeOrganization" ], "Resource": "*" } ] } ``` ## See also + [Delegated administrator for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) in the *AWS Organizations User Guide*. + [PutResourcePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_PutResourcePolicy.html) in the *AWS Organizations API Reference Guide*.