Updated on 2024-11-15 GMT+08:00

Creating Custom Policies

You can create custom policies to supplement the system-defined policies of Organizations. For the actions that can be added to custom policies, see Policies and Supported Actions.

To create a custom policy, choose either the visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. There is no need to know much about policy syntax.
  • JSON: Edit policies from scratch or based on an existing policy in JSON format.

For details, see Creating a Custom Policy. The following are examples of common Organizations custom policies.

Example Custom Policies

  • Example 1: Grant permission to invite member accounts to join an organization or to remove member accounts from an organization.
    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "organizations:accounts:invite",
            "organizations:accounts:remove"
          ]
        }
      ]
    }
  • Example 2: Deny the deletion of OUs or the removal of member accounts.

    To apply a policy with only Deny statements, it must be used together with other policies. If you do not assign the permission to perform an action, the action is denied by default. If the permissions granted to an IAM user contain both Allow and Deny, the Deny statements take precedence over the Allow statements.

    Assume that you want to grant the permissions of the OrganizationsFullAccess policy to a user but want to prevent them from deleting OUs or removing member accounts. You can create a custom policy for denying the deletion, and attach this policy together with the OrganizationsFullAccess policy to the user. As an explicit Deny in any policy overrides any kind of Allow, the user can perform all operations on a given organization except deleting its OUs or removing member accounts. The following is an example of a deny policy:
    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "organizations:ous:delete",
            "organizations:accounts:remove"
          ]
        }
      ]
    }
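The evaluation rules stated for Example 1 and Example 2 (an action is denied unless some policy allows it, and an explicit Deny in any attached policy overrides every Allow) can be checked offline with a small evaluator. The following is an added example, not Huawei Cloud's policy engine or any code from this page. It embeds the two policies shown above, plus a constructed stand-in for OrganizationsFullAccess that is assumed to allow "organizations:*" (the real system policy's contents are not reproduced here), and it also flags a policy that contains only Deny statements, which, as noted above, grants nothing on its own.

```python
import fnmatch
from typing import Dict, Iterable, List

# Policy from Example 1 (copied from this page).
INVITE_REMOVE_ALLOW = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:accounts:invite",
                "organizations:accounts:remove",
            ],
        }
    ],
}

# Policy from Example 2 (copied from this page).
DENY_DELETE_REMOVE = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "organizations:ous:delete",
                "organizations:accounts:remove",
            ],
        }
    ],
}

# ASSUMPTION: a constructed stand-in for the OrganizationsFullAccess system
# policy, approximated as "allow every organizations:* action".
FULL_ACCESS_STAND_IN = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["organizations:*"]}],
}


def _actions(stmt: dict) -> List[str]:
    """Normalise the Action field, which may be a string or a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def evaluate(action: str, policies: Iterable[dict]) -> str:
    """Return "Allow" or "Deny" for one action under the rules on this page:
    default deny; any matching explicit Deny wins over any matching Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(fnmatch.fnmatchcase(action, p) for p in _actions(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit Deny overrides everything
            if stmt.get("Effect") == "Allow":
                allowed = True         # remember, but keep looking for a Deny
    return "Allow" if allowed else "Deny"


def effective_permissions(actions: Iterable[str], policies: Iterable[dict]) -> Dict[str, str]:
    """Map each action to its effective decision for a given set of attached policies."""
    policies = list(policies)
    return {a: evaluate(a, policies) for a in actions}


def deny_only(policy: dict) -> bool:
    """True when a policy has Deny statements but no Allow statements, i.e. it
    grants nothing by itself and must be attached together with an Allow policy."""
    effects = {s.get("Effect") for s in policy.get("Statement", [])}
    return "Deny" in effects and "Allow" not in effects


if __name__ == "__main__":
    attached = [FULL_ACCESS_STAND_IN, DENY_DELETE_REMOVE]
    for act, decision in effective_permissions(
        ["organizations:ous:delete", "organizations:accounts:invite", "organizations:accounts:remove"],
        attached,
    ).items():
        print(f"{act}: {decision}")
    print("Example 2 policy is deny-only:", deny_only(DENY_DELETE_REMOVE))
```

Running the block with the full-access stand-in and the Example 2 policy attached together yields Allow for organizations:accounts:invite and Deny for organizations:ous:delete and organizations:accounts:remove, which is the intended outcome described above; attaching the Example 2 policy alone yields Deny for every action, because nothing grants an Allow.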