


# AWS Organizations
<a name="AWS_Organizations"></a>

**Resource types**
+ [AWS::Organizations::Account](aws-resource-organizations-account.md)
+ [AWS::Organizations::Organization](aws-resource-organizations-organization.md)
+ [AWS::Organizations::OrganizationalUnit](aws-resource-organizations-organizationalunit.md)
+ [AWS::Organizations::Policy](aws-resource-organizations-policy.md)
+ [AWS::Organizations::ResourcePolicy](aws-resource-organizations-resourcepolicy.md)

# AWS::Organizations::Account
<a name="aws-resource-organizations-account"></a>

Creates an AWS account that is automatically a member of the organization whose credentials made the request.

CloudFormation uses the [CreateAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) operation to create accounts. This is an asynchronous request that AWS performs in the background. Because `CreateAccount` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
+ Provide the `Id` value of the `CreateAccountStatus` response element from the `CreateAccount` operation as a parameter to the [DescribeCreateAccountStatus](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation.
+ Check the CloudTrail log for the `CreateAccountResult` event. For information on using CloudTrail with AWS Organizations, see [Logging and monitoring in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration) in the *AWS Organizations User Guide*.

The user who calls the API to create an account must have the `organizations:CreateAccount` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named `AWSServiceRoleForOrganizations`. For more information, see [AWS Organizations and service-linked roles](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs) in the *AWS Organizations User Guide*.

If the request includes tags, then the requester must have the `organizations:TagResource` permission.

AWS Organizations preconfigures the new member account with a role (named `OrganizationAccountAccessRole` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.

For more information about creating accounts, see [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide*. 

This operation can be called only from the organization's management account.

**Deleting Account resources**

The default `DeletionPolicy` for resource `AWS::Organizations::Account` is `Retain`. For more information about how CloudFormation deletes resources, see [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html).

**Important**  
+ If you include multiple accounts in a single template, you must use the `DependsOn` attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
+ You can't modify the following list of `Account` resource parameters using CloudFormation updates.
  + `AccountName`
  + `Email`
  + `RoleName`

  If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message because those updates are not supported from an Organizations management account or a [registered delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) account. Both the update and the update rollback will fail, so you must skip the account resource update. To update parameters `AccountName` and `Email`, you must sign in to the AWS Management Console as the AWS account root user. For more information, see [Update the AWS account name, email address, or password for the root user](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) in the *AWS Account Management Reference Guide*.
+ When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see [Considerations before removing an account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html) in the *AWS Organizations User Guide*.
+ When you create an account in an organization using CloudFormation, you can't specify a value for the `CreateAccount` operation parameter `IamUserAccessToBilling`. The default value for parameter `IamUserAccessToBilling` is `ALLOW`, and IAM users and roles with the required permissions can access billing information for the new account.
+ If you get an exception that indicates `DescribeCreateAccountStatus returns IN_PROGRESS state before time out`, you must check the account creation status using the [DescribeCreateAccountStatus](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html) operation. If the account state returns as `SUCCEEDED`, you can import the account into CloudFormation management using [resource import](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html).
+ If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the [Service Quotas console](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html).
+ If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact [AWS Support](https://console.aws.amazon.com/support/home#/).
+ We don't recommend that you use the `CreateAccount` operation to create multiple temporary accounts. You can close accounts using the [CloseAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html) in the *AWS Organizations User Guide*.

## Syntax
<a name="aws-resource-organizations-account-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-organizations-account-syntax.json"></a>

```
{
  "Type" : "AWS::Organizations::Account",
  "Properties" : {
      "[AccountName](#cfn-organizations-account-accountname)" : String,
      "[Email](#cfn-organizations-account-email)" : String,
      "[ParentIds](#cfn-organizations-account-parentids)" : [ String, ... ],
      "[RoleName](#cfn-organizations-account-rolename)" : String,
      "[Tags](#cfn-organizations-account-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-organizations-account-syntax.yaml"></a>

```
Type: AWS::Organizations::Account
Properties:
  [AccountName](#cfn-organizations-account-accountname): String
  [Email](#cfn-organizations-account-email): String
  [ParentIds](#cfn-organizations-account-parentids): 
    - String
  [RoleName](#cfn-organizations-account-rolename): String
  [Tags](#cfn-organizations-account-tags): 
    - Tag
```

## Properties
<a name="aws-resource-organizations-account-properties"></a>

`AccountName`  <a name="cfn-organizations-account-accountname"></a>
The account name given to the account when it was created.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\u0020-\u007E]+`  
*Minimum*: `1`  
*Maximum*: `50`  
*Update requires*: Updates are not supported.

`Email`  <a name="cfn-organizations-account-email"></a>
The email address associated with the AWS account.  
The [regex pattern](http://wikipedia.org/wiki/regex) for this parameter is a string of characters that represents a standard internet email address.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[^\s@]+@[^\s@]+\.[^\s@]+`  
*Minimum*: `6`  
*Maximum*: `64`  
*Update requires*: Updates are not supported.

`ParentIds`  <a name="cfn-organizations-account-parentids"></a>
The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the `ParentId` defaults to the root ID.  
This parameter only accepts a string array with one string value.  
The [regex pattern](http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:  
+ **Root** - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
+ **Organizational unit (OU)** - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
*Required*: No  
*Type*: Array of String  
*Pattern*: `^(r-[0-9a-z]{4,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleName`  <a name="cfn-organizations-account-rolename"></a>
The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.  
If you don't specify this parameter, the role name defaults to `OrganizationAccountAccessRole`.  
For more information about how to use this role to access the member account, see the following links:  
+ [Creating the OrganizationAccountAccessRole in an invited member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) in the *AWS Organizations User Guide*
+ Steps 2 and 3 in [IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*
The [regex pattern](http://wikipedia.org/wiki/regex) that is used to validate this parameter can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-  
*Required*: No  
*Type*: String  
*Pattern*: `[\w+=,.@-]{1,64}`  
*Minimum*: `1`  
*Maximum*: `64`  
*Update requires*: Updates are not supported.

`Tags`  <a name="cfn-organizations-account-tags"></a>
A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null`. For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.  
If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
*Required*: No  
*Type*: Array of [Tag](aws-properties-organizations-account-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
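
A pre-deployment check for the rules above, as an added example (not AWS code): it lints a JSON template for the documented `AWS::Organizations::Account` property constraints and for the `DependsOn` ordering that multiple accounts in one template require. The function names, the finding format and the sample template are constructed for illustration; values that are intrinsic functions are skipped because they can't be resolved statically.

```python
import itertools
import json
import re

ACCOUNT_TYPE = "AWS::Organizations::Account"

# property -> (pattern, minimum length, maximum length, required), from the list above.
# re.ASCII on RoleName is an assumption: it keeps \w to ASCII letters, digits and "_".
STRING_RULES = {
    "AccountName": (re.compile(r"[\u0020-\u007E]+"), 1, 50, True),
    "Email": (re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+"), 6, 64, True),
    "RoleName": (re.compile(r"[\w+=,.@-]{1,64}", re.ASCII), 1, 64, False),
}

# The ParentIds pattern exactly as published. Alternation binds looser than the
# anchors, so "^" covers only the root branch and "$" only the OU branch.
PUBLISHED_PARENT_RE = re.compile(
    r"^(r-[0-9a-z]{4,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$")
# Same two branches, applied with fullmatch() so the whole value must be an ID.
PARENT_RE = re.compile(r"r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}")


def _depends_on(resource):
    """DependsOn may be a single logical ID or a list of them."""
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def _upstream(resources, logical_id):
    """Every logical ID reachable from logical_id by following DependsOn."""
    seen, stack = set(), _depends_on(resources[logical_id])
    while stack:
        current = stack.pop()
        if current in seen or current not in resources:
            continue
        seen.add(current)
        stack.extend(_depends_on(resources[current]))
    return seen


def check_properties(logical_id, props):
    findings = []
    for key, (regex, lo, hi, required) in STRING_RULES.items():
        value = props.get(key)
        if value is None:
            if required:
                findings.append((logical_id, key, "required property is missing"))
        elif isinstance(value, str):  # dicts are intrinsics (Ref, Fn::Sub): skipped
            if not lo <= len(value) <= hi or not regex.fullmatch(value):
                findings.append((logical_id, key, "violates documented pattern or length"))
    parents = props.get("ParentIds")
    if isinstance(parents, list):
        if len(parents) != 1:
            findings.append((logical_id, "ParentIds", "must hold exactly one value"))
        elif isinstance(parents[0], str) and not PARENT_RE.fullmatch(parents[0]):
            findings.append((logical_id, "ParentIds", "not a root or OU ID"))
    return findings


def check_sequencing(resources, accounts):
    """Any two accounts must be ordered by DependsOn, directly or transitively."""
    upstream = {a: _upstream(resources, a) for a in accounts}
    findings = []
    for a, b in itertools.combinations(accounts, 2):
        if b not in upstream[a] and a not in upstream[b]:
            findings.append((a, "DependsOn", f"not ordered against {b}; both may be created at once"))
    return findings


def lint_template(template_text):
    """Return (logical_id, rule, message) findings for a JSON template."""
    resources = json.loads(template_text).get("Resources", {})
    accounts = sorted(k for k, r in resources.items() if r.get("Type") == ACCOUNT_TYPE)
    findings = []
    for logical_id in accounts:
        findings += check_properties(logical_id, resources[logical_id].get("Properties", {}))
    return findings + check_sequencing(resources, accounts)


# Constructed sample template: AccountA is valid, AccountB and AccountC are not.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "Ou": {"Type": "AWS::Organizations::OrganizationalUnit",
           "Properties": {"Name": "Workloads", "ParentId": "r-abcd"}},
    "AccountA": {"Type": ACCOUNT_TYPE, "Properties": {
        "AccountName": "workload-a", "Email": "a@example.com",
        "ParentIds": [{"Ref": "Ou"}]}},
    "AccountB": {"Type": ACCOUNT_TYPE, "DependsOn": "AccountA", "Properties": {
        "AccountName": "workload-b", "Email": "b-at-example.com",
        "ParentIds": ["r-abcd", "ou-abcd-11112222"]}},
    "AccountC": {"Type": ACCOUNT_TYPE, "Properties": {
        "AccountName": "workload-c", "Email": "c@example.com",
        "ParentIds": ["r-abcd1234 extra"], "RoleName": "Org Admin"}},
}})

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(*finding, sep=": ")
```

If you reuse the published `ParentIds` pattern in your own tooling, apply it with full-match semantics as `PARENT_RE` does; with search semantics the root branch has no end anchor, so a value such as `r-abcd1234 extra` passes.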

## Return values
<a name="aws-resource-organizations-account-return-values"></a>

### Ref
<a name="aws-resource-organizations-account-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `AccountId`. For example: `123456789012`.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-organizations-account-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-organizations-account-return-values-fn--getatt-fn--getatt"></a>

`AccountId`  <a name="AccountId-fn::getatt"></a>
Returns the unique identifier (ID) of the account. For example: `123456789012`.

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) of the account. For example: `arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555`.

`JoinedMethod`  <a name="JoinedMethod-fn::getatt"></a>
Returns the method by which the account joined the organization. For example: `INVITED | CREATED`.

`JoinedTimestamp`  <a name="JoinedTimestamp-fn::getatt"></a>
Returns the date the account became a part of the organization. For example: `2016-11-24T11:11:48-08:00`.

`Paths`  <a name="Paths-fn::getatt"></a>
The paths in the organization where the account exists.

`State`  <a name="State-fn::getatt"></a>
Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.  
For more information about account states and their implications, see [Monitor the state of your AWS accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_account_state.html) in the *AWS Organizations User Guide*.

`Status`  <a name="Status-fn::getatt"></a>
Returns the status of the account in the organization. For example: `ACTIVE | SUSPENDED | PENDING_CLOSURE`.

## See also
<a name="aws-resource-organizations-account--seealso"></a>
+ [Creating a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html) in the *AWS Organizations User Guide*.
+ [CreateAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html) in the *AWS Organizations API Reference Guide*.



# AWS::Organizations::Account Tag
<a name="aws-properties-organizations-account-tag"></a>

A custom key-value pair associated with a resource within your organization.

You can attach tags to any of the following organization resources.
+ AWS account
+ Organizational unit (OU)
+ Organization root
+ Policy

## Syntax
<a name="aws-properties-organizations-account-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-organizations-account-tag-syntax.json"></a>

```
{
  "[Key](#cfn-organizations-account-tag-key)" : String,
  "[Value](#cfn-organizations-account-tag-value)" : String
}
```

### YAML
<a name="aws-properties-organizations-account-tag-syntax.yaml"></a>

```
  [Key](#cfn-organizations-account-tag-key): String
  [Value](#cfn-organizations-account-tag-value): String
```

## Properties
<a name="aws-properties-organizations-account-tag-properties"></a>

`Key`  <a name="cfn-organizations-account-tag-key"></a>
The key identifier, or name, of the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-organizations-account-tag-value"></a>
The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Organizations::Organization
<a name="aws-resource-organizations-organization"></a>

Creates an AWS organization. The account whose user is calling the [CreateOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html) operation automatically becomes the [management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account) of the new organization.

This operation must be called using credentials from the account that is to become the new organization's management account. The principal must also have the [relevant IAM permissions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html).

**Important**  
If you delete an organization, you can't recover it. If you created any policies inside of the organization, they're also deleted and you can't recover them.
You can delete an organization only after you remove all member accounts from the organization. If you created some of your member accounts using AWS Organizations, you might be blocked from removing those accounts. You can remove a member account only if it has all the information that's required to operate as a standalone AWS account. For more information about how to provide that information and then remove the account, see [Leave an organization from your member account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_leave-as-member.html) in the *AWS Organizations User Guide*.
If you closed a member account before you remove it from the organization, it enters a 'suspended' state for a period of time and you can't remove the account from the organization until it is finally closed. This can take up to 90 days and can prevent you from deleting the organization until all member accounts are completely closed.
For more information, see [Deleting an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html) in the *AWS Organizations User Guide*.

## Syntax
<a name="aws-resource-organizations-organization-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-organizations-organization-syntax.json"></a>

```
{
  "Type" : "AWS::Organizations::Organization",
  "Properties" : {
      "[FeatureSet](#cfn-organizations-organization-featureset)" : String
    }
}
```

### YAML
<a name="aws-resource-organizations-organization-syntax.yaml"></a>

```
Type: AWS::Organizations::Organization
Properties:
  [FeatureSet](#cfn-organizations-organization-featureset): String
```

## Properties
<a name="aws-resource-organizations-organization-properties"></a>

`FeatureSet`  <a name="cfn-organizations-organization-featureset"></a>
Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.  
+ `ALL` – In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the *AWS Organizations User Guide*.
+ `CONSOLIDATED_BILLING` – All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the *AWS Organizations User Guide*.
**Note**  
The consolidated billing feature set isn't available for organizations in the AWS GovCloud (US) Region.
If you don't specify this property, the default value is `ALL`.  
*Required*: No  
*Type*: String  
*Allowed values*: `ALL | CONSOLIDATED_BILLING`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-organizations-organization-return-values"></a>

### Ref
<a name="aws-resource-organizations-organization-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `AccountId`. For example: `123456789012`.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-organizations-organization-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-organizations-organization-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of an organization.  
 

`Id`  <a name="Id-fn::getatt"></a>
The unique identifier (ID) of an organization.  
 

`ManagementAccountArn`  <a name="ManagementAccountArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.  
 

`ManagementAccountEmail`  <a name="ManagementAccountEmail-fn::getatt"></a>
The email address that is associated with the AWS account that is designated as the management account for the organization.

`ManagementAccountId`  <a name="ManagementAccountId-fn::getatt"></a>
The unique identifier (ID) of the management account of an organization.  
 

`RootId`  <a name="RootId-fn::getatt"></a>
The unique identifier (ID) for the root.  
 

## Examples
<a name="aws-resource-organizations-organization--examples"></a>



**Topics**
+ [Organization FeatureSet specified as ALL](#aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_ALL)
+ [Organization FeatureSet specified as CONSOLIDATED\_BILLING](#aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_CONSOLIDATED_BILLING)

### Organization FeatureSet specified as ALL
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_ALL"></a>

This example illustrates how to specify the organization feature set as `ALL` in `AWS::Organizations::Organization`.

#### JSON
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_ALL--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "OrganizationTemplateExample": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::Organization",
      "Properties": {
        "FeatureSet": "ALL"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_ALL--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  OrganizationTemplateExample:
    DeletionPolicy: Retain
    Type: 'AWS::Organizations::Organization'
    Properties:
      FeatureSet: ALL
```

### Organization FeatureSet specified as CONSOLIDATED\_BILLING
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_CONSOLIDATED_BILLING"></a>

This example illustrates how to specify the organization feature set as `CONSOLIDATED_BILLING` in `AWS::Organizations::Organization`.

#### JSON
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_CONSOLIDATED_BILLING--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "OrganizationTemplateExample": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::Organization",
      "Properties": {
        "FeatureSet": "CONSOLIDATED_BILLING"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-organization--examples--Organization_FeatureSet_specified_as_CONSOLIDATED_BILLING--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  OrganizationTemplateExample:
    DeletionPolicy: Retain
    Type: 'AWS::Organizations::Organization'
    Properties:
      FeatureSet: CONSOLIDATED_BILLING
```

## See also
<a name="aws-resource-organizations-organization--seealso"></a>
+ [Creating an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) in the *AWS Organizations User Guide*.
+ [CreateOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html) in the *AWS Organizations API Reference Guide*.



# AWS::Organizations::OrganizationalUnit
<a name="aws-resource-organizations-organizationalunit"></a>

Creates an organizational unit (OU) within a root or parent OU. An OU is a container for accounts that enables you to organize your accounts to apply policies according to your business requirements. The number of levels deep that you can nest OUs is dependent upon the policy types enabled for that root. For service control policies, the limit is five.

For more information about OUs, see [Managing organizational units (OUs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *AWS Organizations User Guide*.

If the request includes tags, then the requester must have the `organizations:TagResource` permission.

You can only call this operation from the management account.

## Syntax
<a name="aws-resource-organizations-organizationalunit-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-organizations-organizationalunit-syntax.json"></a>

```
{
  "Type" : "AWS::Organizations::OrganizationalUnit",
  "Properties" : {
      "[Name](#cfn-organizations-organizationalunit-name)" : String,
      "[ParentId](#cfn-organizations-organizationalunit-parentid)" : String,
      "[Tags](#cfn-organizations-organizationalunit-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-organizations-organizationalunit-syntax.yaml"></a>

```
Type: AWS::Organizations::OrganizationalUnit
Properties:
  [Name](#cfn-organizations-organizationalunit-name): String
  [ParentId](#cfn-organizations-organizationalunit-parentid): String
  [Tags](#cfn-organizations-organizationalunit-tags): 
    - Tag
```

## Properties
<a name="aws-resource-organizations-organizationalunit-properties"></a>

`Name`  <a name="cfn-organizations-organizationalunit-name"></a>
The friendly name of this OU.  
The [regex pattern](http://wikipedia.org/wiki/regex) that is used to validate this parameter is a string of any of the characters in the ASCII character range.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ParentId`  <a name="cfn-organizations-organizationalunit-parentid"></a>
The unique identifier (ID) of the parent root or OU that you want to create the new OU in.  
To update the `ParentId` parameter value, you must first remove all accounts attached to the organizational unit (OU). OUs can't be moved within the organization with accounts still attached.
The [regex pattern](http://wikipedia.org/wiki/regex) for a parent ID string requires one of the following:  
+ **Root** - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
+ **Organizational unit (OU)** - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
*Required*: Yes  
*Type*: String  
*Pattern*: `^(r-[0-9a-z]{4,32})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$`  
*Maximum*: `100`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-organizations-organizationalunit-tags"></a>
A list of tags that you want to attach to the newly created OU. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null`. For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the AWS Organizations User Guide.  
If any one of the tags is not valid or if you exceed the allowed number of tags for an OU, then the entire request fails and the OU is not created.
*Required*: No  
*Type*: Array of [Tag](aws-properties-organizations-organizationalunit-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-organizations-organizationalunit-return-values"></a>

### Ref
<a name="aws-resource-organizations-organizationalunit-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `Id`. For example: `ou-examplerootid111-exampleouid111`.

**Note**  
When creating child OUs, we recommend that you use the `Ref` function instead of `Fn::GetAtt`. For example, in the properties for the child OU, use `ParentId: !Ref ParentOU`, instead of `ParentId: !GetAtt 'ParentOU.Id'`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-organizations-organizationalunit-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-organizations-organizationalunit-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of this OU. For example: `arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111`.

`Id`  <a name="Id-fn::getatt"></a>
The unique identifier (ID) associated with this OU. For example: `ou-examplerootid111-exampleouid111`.

`Path`  <a name="Path-fn::getatt"></a>
The path in the organization where this OU exists.

## Examples
<a name="aws-resource-organizations-organizationalunit--examples"></a>



**Topics**
+ [Specify an OU under the root](#aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_the_root)
+ [Specify an OU under a parent OU](#aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_a_parent_OU)

### Specify an OU under the root
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_the_root"></a>

This example illustrates how to specify an OU using `AWS::Organizations::OrganizationalUnit` directly under the root.

#### JSON
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_the_root--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation Organizations Template Example",
    "Parameters": {
        "OrganizationRootId": {
            "Type": "String"
        }
    },
    "Resources": {
        "TestTemplateOU": {
            "Type": "AWS::Organizations::OrganizationalUnit",
            "Properties": {
                "Name": "TestTemplateOU",
                "ParentId": {
                    "Ref": "OrganizationRootId"
                }
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_the_root--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Parameters:
  OrganizationRootId:
    Type: String
Resources:
  TestTemplateOU:
    Type: 'AWS::Organizations::OrganizationalUnit'
    Properties:
      Name: TestTemplateOU
      ParentId: !Ref OrganizationRootId
```

### Specify an OU under a parent OU
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_a_parent_OU"></a>

This example illustrates how to specify a nested OU using `AWS::Organizations::OrganizationalUnit` by referencing another OU.

#### JSON
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_a_parent_OU--json"></a>

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation Nested OU Template Example",
    "Parameters": {
        "OrganizationRootId": {
            "Type": "String"
        }
    },
    "Resources": {
        "ParentOU": {
            "Type": "AWS::Organizations::OrganizationalUnit",
            "Properties": {
                "Name": "ParentOU",
                "ParentId": {
                    "Ref": "OrganizationRootId"
                }
            }
        },
        "ChildOU": {
            "Type": "AWS::Organizations::OrganizationalUnit",
            "Properties": {
                "Name": "ChildOU",
                "ParentId": {
                    "Ref": "ParentOU"
                }
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-organizations-organizationalunit--examples--Specify_an_OU_under_a_parent_OU--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Nested OU Template Example
Parameters:
  OrganizationRootId:
    Type: String
Resources:
  ParentOU:
    Type: 'AWS::Organizations::OrganizationalUnit'
    Properties:
      Name: ParentOU
      ParentId: !Ref OrganizationRootId
  ChildOU:
    Type: 'AWS::Organizations::OrganizationalUnit'
    Properties:
      Name: ChildOU
      ParentId: !Ref ParentOU
```

## See also
<a name="aws-resource-organizations-organizationalunit--seealso"></a>
+ [Creating an OU](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html#create_ou) in the *AWS Organizations User Guide*.
+ [CreateOrganizationalUnit](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganizationalUnit.html) in the *AWS Organizations API Reference Guide*.



# AWS::Organizations::OrganizationalUnit Tag
<a name="aws-properties-organizations-organizationalunit-tag"></a>

A custom key-value pair associated with a resource within your organization.

You can attach tags to any of the following organization resources.
+ AWS account
+ Organizational unit (OU)
+ Organization root
+ Policy

## Syntax
<a name="aws-properties-organizations-organizationalunit-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-organizations-organizationalunit-tag-syntax.json"></a>

```
{
  "[Key](#cfn-organizations-organizationalunit-tag-key)" : String,
  "[Value](#cfn-organizations-organizationalunit-tag-value)" : String
}
```

### YAML
<a name="aws-properties-organizations-organizationalunit-tag-syntax.yaml"></a>

```
  [Key](#cfn-organizations-organizationalunit-tag-key): String
  [Value](#cfn-organizations-organizationalunit-tag-value): String
```

## Properties
<a name="aws-properties-organizations-organizationalunit-tag-properties"></a>

`Key`  <a name="cfn-organizations-organizationalunit-tag-key"></a>
The key identifier, or name, of the tag.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-organizations-organizationalunit-tag-value"></a>
The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Organizations::Policy
<a name="aws-resource-organizations-policy"></a>

Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account.

For more information about policies and their use, see [Managing AWS Organizations policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html).

If the request includes tags, then the requester must have the `organizations:TagResource` permission.

This operation can be called only from the organization's management account or a member account designated as a delegated administrator.

**Note**  
Before you can create a policy of a given type, you must first [enable that policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html) in your organization.

## Syntax
<a name="aws-resource-organizations-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-organizations-policy-syntax.json"></a>

```
{
  "Type" : "AWS::Organizations::Policy",
  "Properties" : {
      "[Content](#cfn-organizations-policy-content)" : Json,
      "[Description](#cfn-organizations-policy-description)" : String,
      "[Name](#cfn-organizations-policy-name)" : String,
      "[Tags](#cfn-organizations-policy-tags)" : [ Tag, ... ],
      "[TargetIds](#cfn-organizations-policy-targetids)" : [ String, ... ],
      "[Type](#cfn-organizations-policy-type)" : String
    }
}
```

### YAML
<a name="aws-resource-organizations-policy-syntax.yaml"></a>

```
Type: AWS::Organizations::Policy
Properties:
  [Content](#cfn-organizations-policy-content): Json
  [Description](#cfn-organizations-policy-description): String
  [Name](#cfn-organizations-policy-name): String
  [Tags](#cfn-organizations-policy-tags): 
    - Tag
  [TargetIds](#cfn-organizations-policy-targetids): 
    - String
  [Type](#cfn-organizations-policy-type): String
```

## Properties
<a name="aws-resource-organizations-policy-properties"></a>

`Content`  <a name="cfn-organizations-policy-content"></a>
The policy text content. You can specify the policy content as a JSON object or a JSON string.  
When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead.
The text that you supply must adhere to the rules of the policy type you specify in the `Type` parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:  
+ Service control policies: 5,120 characters
+ Resource control policies: 5,120 characters
+ Declarative policies: 10,000 characters
+ Backup policies: 10,000 characters
+ Tag policies: 10,000 characters
+ Chat applications policies: 10,000 characters
+ AI services opt-out policies: 2,500 characters
+ Security Hub policies: 10,000 characters
+ Amazon Inspector policies: 10,000 characters
+ Amazon Bedrock policies: 10,000 characters
+ Upgrade rollout policies: 10,000 characters

For more information about Organizations service quotas, see [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html) in the *AWS Organizations User Guide*.  
*Required*: Yes  
*Type*: Json  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `1000000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-organizations-policy-description"></a>
Human-readable description of the policy.  
*Required*: No  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-organizations-policy-name"></a>
Name of the policy.  
The [regex pattern](http://wikipedia.org/wiki/regex) that is used to validate this parameter is a string of any of the characters in the ASCII character range.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-organizations-policy-tags"></a>
A list of tags that you want to attach to the newly created policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null`. For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the *AWS Organizations User Guide*.  
If any one of the tags is not valid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-organizations-policy-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TargetIds`  <a name="cfn-organizations-policy-targetids"></a>
List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to. You can get the ID by calling the [ListRoots](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html), [ListOrganizationalUnitsForParent](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOrganizationalUnitsForParent.html), or [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.  
The [regex pattern](http://wikipedia.org/wiki/regex) for a target ID string requires one of the following:  
+ **Root** - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
+ **Account** - A string that consists of exactly 12 digits.
+ **Organizational unit (OU)** - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

*Required*: No  
*Type*: Array of String  
*Pattern*: `^(r-[0-9a-z]{4,32})|(\d{12})|(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32})$`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Type`  <a name="cfn-organizations-policy-type"></a>
The type of policy to create.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `AISERVICES_OPT_OUT_POLICY | BACKUP_POLICY | BEDROCK_POLICY | CHATBOT_POLICY | DECLARATIVE_POLICY_EC2 | INSPECTOR_POLICY | NETWORK_SECURITY_DIRECTOR_POLICY | RESOURCE_CONTROL_POLICY | S3_POLICY | SECURITYHUB_POLICY | SERVICE_CONTROL_POLICY | TAG_POLICY | UPGRADE_ROLLOUT_POLICY`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-organizations-policy-return-values"></a>

### Ref
<a name="aws-resource-organizations-policy-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `Id`. For example: `p-examplepolicyid111`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-organizations-policy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-organizations-policy-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) of the policy. For example: `arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111`.

`AwsManaged`  <a name="AwsManaged-fn::getatt"></a>
Returns a boolean value that indicates whether the specified policy is an AWS managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it. For example: `true | false`.

`Id`  <a name="Id-fn::getatt"></a>
Returns the unique identifier (ID) of the policy. For example: `p-examplepolicyid111`.

## Examples
<a name="aws-resource-organizations-policy--examples"></a>



**Topics**
+ [Organization Policy Content Specified as a JSON Object](#aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_Object)
+ [Organization Policy Content Specified as a JSON String](#aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_String)

### Organization Policy Content Specified as a JSON Object
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_Object"></a>

This example illustrates how to specify the organization policy content as a JSON object in `AWS::Organizations::Policy`. The organization policy is specified inline as a JSON object in the `Content` property of `AWS::Organizations::Policy`.

#### JSON
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_Object--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "PolicyTestTemplate": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Type": "SERVICE_CONTROL_POLICY",
        "Name": "SCPDenyLeaveOrganization",
        "Content": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "SCPDenyLeaveOrganization",
              "Effect": "Deny",
              "Action": [
                "organizations:LeaveOrganization"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_Object--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  PolicyTestTemplate:
    DeletionPolicy: Retain
    Type: AWS::Organizations::Policy
    Properties:
      Type: SERVICE_CONTROL_POLICY
      Name: SCPDenyLeaveOrganization
      Content:
        Version: 2012-10-17
        Statement:
          - Sid: SCPDenyLeaveOrganization
            Effect: Deny
            Action:
              - 'organizations:LeaveOrganization'
            Resource: '*'
```

### Organization Policy Content Specified as a JSON String
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_String"></a>

This example illustrates how to specify the organization policy content as a JSON string in `AWS::Organizations::Policy`. The organization policy is specified inline as a JSON string in the `Content` property of `AWS::Organizations::Policy`.

#### JSON
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_String--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "PolicyTestTemplate": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Type": "SERVICE_CONTROL_POLICY",
        "Name": "SCPDenyLeaveOrganization",
        "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"SCPDenyLeaveOrganization\",\"Effect\":\"Deny\",\"Action\":[\"organizations:LeaveOrganization\"],\"Resource\":\"*\"}]}"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_String--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  PolicyTestTemplate:
    DeletionPolicy: Retain
    Type: AWS::Organizations::Policy
    Properties:
      Type: SERVICE_CONTROL_POLICY
      Name: SCPDenyLeaveOrganization
      Content: >-
        {"Version":"2012-10-17","Statement":[{"Sid":"SCPDenyLeaveOrganization","Effect":"Deny","Action":["organizations:LeaveOrganization"],"Resource":"*"}]}
```

#### YAML
<a name="aws-resource-organizations-policy--examples--Organization_Policy_Content_Specified_as_a_JSON_String--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  PolicyTestTemplate:
    DeletionPolicy: Retain
    Type: AWS::Organizations::Policy
    Properties:
      Type: SERVICE_CONTROL_POLICY
      Name: SCPDenyLeaveOrganization
      Content: >-
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "SCPDenyLeaveOrganization",
              "Effect": "Deny",
              "Action": [
                "organizations:LeaveOrganization"
              ],
              "Resource": "*"
            }
          ]
        }
```

## See also
<a name="aws-resource-organizations-policy--seealso"></a>
+ [Managing AWS Organizations policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) in the *AWS Organizations User Guide*.
+ [CreatePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreatePolicy.html) in the *AWS Organizations API Reference Guide*.



# AWS::Organizations::Policy Tag
<a name="aws-properties-organizations-policy-tag"></a>

A custom key-value pair associated with a resource within your organization.

You can attach tags to any of the following organization resources.
+ AWS account
+ Organizational unit (OU)
+ Organization root
+ Policy

## Syntax
<a name="aws-properties-organizations-policy-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-organizations-policy-tag-syntax.json"></a>

```
{
  "[Key](#cfn-organizations-policy-tag-key)" : String,
  "[Value](#cfn-organizations-policy-tag-value)" : String
}
```

### YAML
<a name="aws-properties-organizations-policy-tag-syntax.yaml"></a>

```
  [Key](#cfn-organizations-policy-tag-key): String
  [Value](#cfn-organizations-policy-tag-value): String
```

## Properties
<a name="aws-properties-organizations-policy-tag-properties"></a>

`Key`  <a name="cfn-organizations-policy-tag-key"></a>
The key identifier, or name, of the tag.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-organizations-policy-tag-value"></a>
The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\s\S]*`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Organizations::ResourcePolicy
<a name="aws-resource-organizations-resourcepolicy"></a>

Creates or updates a resource-based delegation policy. Use it to delegate policy management for AWS Organizations to specified member accounts, so that they can perform policy actions that are by default available only to the management account.

For more information about delegated policy management, see [Delegated administrator for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) in the *AWS Organizations User Guide*.

You can only call this operation from the organization's management account.

## Syntax
<a name="aws-resource-organizations-resourcepolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-organizations-resourcepolicy-syntax.json"></a>

```
{
  "Type" : "AWS::Organizations::ResourcePolicy",
  "Properties" : {
      "[Content](#cfn-organizations-resourcepolicy-content)" : Json,
      "[Tags](#cfn-organizations-resourcepolicy-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-organizations-resourcepolicy-syntax.yaml"></a>

```
Type: AWS::Organizations::ResourcePolicy
Properties:
  [Content](#cfn-organizations-resourcepolicy-content): Json
  [Tags](#cfn-organizations-resourcepolicy-tags): 
    - Tag
```

## Properties
<a name="aws-resource-organizations-resourcepolicy-properties"></a>

`Content`  <a name="cfn-organizations-resourcepolicy-content"></a>
The policy text of the organization resource policy. You can specify the resource policy content as a JSON object or a JSON string.  
When you specify the resource policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the resource policy content as a JSON object instead.  
*Required*: Yes  
*Type*: Json  
*Pattern*: `[\s\S]*`  
*Minimum*: `1`  
*Maximum*: `40000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-organizations-resourcepolicy-tags"></a>
A list of tags that you want to attach to the newly created resource policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to `null`. For more information about tagging, see [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html) in the *AWS Organizations User Guide*.  
If any one of the tags is not valid or if you exceed the allowed number of tags for the resource policy, then the entire request fails and the resource policy is not created.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-organizations-resourcepolicy-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-organizations-resourcepolicy-return-values"></a>

### Ref
<a name="aws-resource-organizations-resourcepolicy-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `Id`. For example: `rp-examplepolicyid111`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-organizations-resourcepolicy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-organizations-resourcepolicy-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) of the policy. For example: `arn:aws:organizations::111111111111:resourcepolicy/o-exampleorgid/rp-examplepolicyid111`.

`Id`  <a name="Id-fn::getatt"></a>
Returns the unique identifier (ID) of the resource policy. For example: `rp-examplepolicyid111`.

## Examples
<a name="aws-resource-organizations-resourcepolicy--examples"></a>



**Topics**
+ [Organization Resource Policy Content Specified as a JSON Object](#aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_Object)
+ [Organization Resource Policy Content Specified as a JSON String](#aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String)

### Organization Resource Policy Content Specified as a JSON Object
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_Object"></a>

This example illustrates how to specify the organization resource policy content as a JSON object in `AWS::Organizations::ResourcePolicy`. The organization resource policy is specified inline as a JSON object in the `Content` property of `AWS::Organizations::ResourcePolicy`.

#### JSON
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_Object--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "ResourcePolicyTestTemplate": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::ResourcePolicy",
      "Properties": {
        "Content": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowDescribeOrganization",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
              },
              "Action": [
                "organizations:DescribeOrganization"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_Object--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  ResourcePolicyTestTemplate:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: 2012-10-17
        Statement:
          - Sid: AllowDescribeOrganization
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::111122223333:root'
            Action:
              - 'organizations:DescribeOrganization'
            Resource: '*'
```

### Organization Resource Policy Content Specified as a JSON String
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String"></a>

This example illustrates how to specify the organization resource policy content as a JSON string in `AWS::Organizations::ResourcePolicy`. The organization resource policy is specified inline as a JSON string in the `Content` property of `AWS::Organizations::ResourcePolicy`.

#### JSON
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "ResourcePolicyExample": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::ResourcePolicy",
      "Properties": {
        "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowDescribeOrganization\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":[\"organizations:DescribeOrganization\"],\"Resource\":\"*\"}]}"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  ResourcePolicyExample:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content: >-
        {"Version":"2012-10-17","Statement":[{"Sid":"AllowDescribeOrganization","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":["organizations:DescribeOrganization"],"Resource":"*"}]}
```

#### YAML
<a name="aws-resource-organizations-resourcepolicy--examples--Organization_Resource_Policy_Content_Specified_as_a_JSON_String--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Organizations Template Example
Resources:
  ResourcePolicyExample:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content: >-
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowDescribeOrganization",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
              },
              "Action": [
                "organizations:DescribeOrganization"
              ],
              "Resource": "*"
            }
          ]
        }
```
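The following Python check is an added example, not part of the AWS documentation. It reviews a template before deployment by accepting `Content` in both the JSON-object and JSON-string forms shown above and flagging `Allow` statements that use a wildcard principal or a wildcard action. The function names, the two checks and the `TooBroadExample` resource are assumptions made for illustration.

```python
import json

# Constructed sample: the page's policy as a JSON string, plus a deliberately
# over-broad policy given as a JSON object (both forms of Content). The two
# resources sit in one template only so a single run exercises both forms.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowDescribeOrganization", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["organizations:DescribeOrganization"], "Resource": "*"}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "Broad", "Effect": "Allow", "Principal": "*",
    "Action": "organizations:*", "Resource": "*"}}
TYPE = "AWS::Organizations::ResourcePolicy"
TEMPLATE = {"Resources": {
    "ResourcePolicyExample": {"Type": TYPE, "Properties": {"Content": json.dumps(PAGE_POLICY)}},
    "TooBroadExample": {"Type": TYPE, "Properties": {"Content": BROAD_POLICY}},
}}

def as_list(value):
    """Policy grammar allows a single item or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def audit_resource_policies(template):
    """Return (logical_id, sid, issue) findings for Allow statements."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != TYPE:
            continue
        content = res["Properties"]["Content"]
        if isinstance(content, str):  # JSON-string form of Content
            content = json.loads(content)
        for stmt in as_list(content.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            principal = stmt.get("Principal")
            aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
            if principal == "*" or "*" in aws:
                findings.append((logical_id, sid, "wildcard principal"))
            for action in as_list(stmt.get("Action", [])):
                if "*" in action:
                    findings.append((logical_id, sid, f"wildcard action {action}"))
    return findings

if __name__ == "__main__":
    for finding in audit_resource_policies(TEMPLATE):
        print(finding)
```

The policy from this page produces no findings. The constructed `TooBroadExample` produces two.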

## See also
<a name="aws-resource-organizations-resourcepolicy--seealso"></a>
+ [Delegated administrator for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) in the *AWS Organizations User Guide*.
+ [PutResourcePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_PutResourcePolicy.html) in the *AWS Organizations API Reference Guide*.



# AWS::Organizations::ResourcePolicy Tag
<a name="aws-properties-organizations-resourcepolicy-tag"></a>

A custom key-value pair associated with a resource within your organization.

You can attach tags to any of the following organization resources.
+ AWS account
+ Organizational unit (OU)
+ Organization root
+ Policy

## Syntax
<a name="aws-properties-organizations-resourcepolicy-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-organizations-resourcepolicy-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-organizations-resourcepolicy-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-organizations-resourcepolicy-tag-properties"></a>

`Key`  <a name="cfn-organizations-resourcepolicy-tag-key"></a>
The key identifier, or name, of the tag.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-organizations-resourcepolicy-tag-value"></a>
The string value that's associated with the key of the tag. You can set the value of a tag to an empty string, but you can't set the value of a tag to null.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)