Viewing effective management policies - AWS Organizations
>What is an effective policy?How to view the effective policyWhen an effective management policy might be considered invalid

Viewing effective management policies

Determine the effective management policy for an account in your organization.

What is an effective management policy?

The effective policy specifies the final rules that apply to an AWS account for a management policy type. It is the aggregation for a management policy that the account inherits, plus any policies for that management policy type that are directly attached to the account. When you attach a management policy to the organization's root, it applies to all accounts in your organization. When you attach a management policy to an organiztional unit (OU), it applies to all accounts and OUs that belong to the OU. When you attach a management policy directly to an account, it applies only to that one AWS account.

For information about how policies are combined into the final effective policy, see Understanding management policy inheritance.

Backup policy example

The backup policy attached to the organization root might specify that all accounts in the organization back up all Amazon DynamoDB tables with a default backup frequency of once per week. A separate backup policy attached directly to one member account with critical information in a table can override the frequency with a value of once per day. The combination of these backup policies comprises the effective backup policy. This effective backup policy is determined for each account in the organization individually. In this example, the result is that all accounts in the organization back up their DynamoDB tables once per week, with the exception of one account that backs up its tables daily.

Tag policy example

The tag policy attached to the organization root might define a CostCenter tag with four compliant values. A separate tag policy attached to the account may restrict the CostCenter key to only two of the four compliant values. The combination of these tag policies comprises the effective tag policy. The result is that only two of the four compliant tag values defined in the organization root tag policy are compliant for the account.

Chat applications policy example

Amazon Q Developer in chat applications will reevaluate any previously created Amazon Q Developer in chat applications configurations against the effective chat applications policies and deny any previously allowed actions if they are consistent with the permitted settings and guardrails in the effective policy. The effective policy for a member account defines the permitted settings and guardrails. For example, if a chat applications policy with deny access for public Slack channels is applied to a member account, then the existing Amazon Q Developer in chat applications configurations for public Slack channels in the member account will be disabled. Amazon Q Developer in chat applications will not deliver notifications and channel members will not be able to run any tasks in the blocked channel. The Amazon Q Developer in chat applications console will mark the affected channels as disabled with an appropriate error messaging next to it.

AI services opt-out example

The AI services opt-out policy attached to the organization root might specify that all accounts in the organization opt out of content use by all AWS machine learning services. A separate AI services opt-out policy attached directly to one member account specifies that it opts in to content use for only Amazon Rekognition. The combination of these AI services opt-out policies comprises the effective AI services opt-out policy. The result is that all accounts in the organization are opted out of all AWS services, with the exception of one account that opts in to Amazon Rekognition.

How to view the effective management policy

You can view the effective policy of a management policy type for an account from the AWS Management Console, AWS API, or AWS Command Line Interface.

Minimum permissions

To view the effective policy of a management policy type for an account, you must have permission to run the following actions:

  • organizations:DescribeEffectivePolicy

  • organizations:DescribeOrganization – required only when using the Organizations console

AWS Management Console
To view the effective policy of a management policy type for an account

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AWS accounts page, choose the name of the account for which you want to view the effective policy. You might have to expand OUs (choose the Gray cloud icon representing cloud computing or storage services. ) to find the account that you want.

  3. On the Policies tab, choose the management policy type you want to view the effective policy for.

  4. Choose View the effective policy for this AWS account.

    The console displays the effective policy applied to the specified account.

    Note

    You can't copy and paste an effective policy and use it as the JSON for another policy without significant changes. Policy documents must include the inheritance operators that specify how each setting is merged into the final effective policy.

AWS CLI & AWS SDKs
To view the effective policy of a management policy type for an account

You can use one of the following to view the effective policy:

  • AWS CLI: describe-effective-policy

    The following example shows the effective AI services opt-out policy for an account.

    $ aws organizations describe-effective-policy \
    --policy-type AISERVICES_OPT_OUT_POLICY \
    --target-id 123456789012
{
    "EffectivePolicy": {
        "PolicyContent": "{\"services\":{\"comprehend\":{\"opt_out_policy\":\"optOut\"},   ....TRUNCATED FOR BREVITY....   "opt_out_policy\":\"optIn\"}}}",
        "LastUpdatedTimestamp": "2020-12-09T12:58:53.548000-08:00",
        "TargetId": "123456789012",
        "PolicyType": "AISERVICES_OPT_OUT_POLICY"
    }
}

  • AWS SDKs: DescribeEffectivePolicy

When an effective management policy might be considered invalid

Effective policies on an account can become invalid if they violate the constraints defined for the particular policy type. For example, a policy might be missing a required parameter in the final effective policy or exceed certain quotas defined for the policy type.

Backup Policy Example

Suppose that you create a backup policy with nine backup rules and attach it to the root of your organization. Later, you create another backup policy for the same backup plan – with two more rules – and attach it to any account in the organization. In that situation, there's an invalid effective policy on the account. It is invalid because the aggregation of the two policies defines 11 rules for the backup plan. The limit is 10 backup rules in a plan.

Warning

If any account in the organization has an invalid effective policy, that account will not receive effective policy updates for the particular policy type. It continues with the last applied valid effective policy for the account, unless all the errors are fixed.