
Policies

The Policies section allows you to view and manage AWS Organizations policies directly from the Prism interface. You can create, edit, delete, attach, detach, and tag policies across all supported policy types.

Prerequisites

  • Org Services must be enabled for your tenant by an application administrator.

Supported Policy Types

Policy Type                        Description                                                                              Max Per Target
Service Control Policies (SCPs)    Centrally control the maximum available permissions for accounts in your organization    5
Resource Control Policies (RCPs)   Centrally control the maximum available permissions for resources in your organization   5
Tag Policies                       Standardize tags across resources in your organization's accounts                        5
Backup Policies                    Centrally manage and apply backup plans to AWS resources across your organization        5
AI Services Opt-Out Policies       Control data collection for AWS AI services for all accounts                             5

Viewing Policy Types

Navigate to Policies from the sidebar. The landing page shows all supported policy types with their current status:

  • Enabled -- The policy type is active in your organization and policies can be managed.
  • Disabled -- The policy type is not enabled. It must be enabled in the AWS Organizations console before policies can be created.

Click a policy type to view and manage its policies.


Managing Policies

Viewing the Policy List

After selecting a policy type, a searchable table displays all policies of that type. Use the search bar to filter policies by name. Internal CloudKeeper management policies are hidden automatically.

Creating a Policy

  1. Click the Create button.
  2. Enter a Policy Name and optional Description.
  3. Enter the Policy JSON content in the editor.
  4. For SCPs and RCPs, the policy is validated automatically as you type. Fix any errors or warnings shown before creating.
  5. Click Create.

Tip: Use the default template provided as a starting point. For SCPs, the policy must follow the IAM policy syntax with Version, Statement, Effect, Action, and Resource fields.
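The automatic validation described in step 4 can be reproduced outside the editor. The following is an added example, not code from Prism or CloudKeeper: it checks the structural rules the tip lists (Version, Statement, Effect, Action, Resource), adds the SCP-specific rules AWS documents (Version must be 2012-10-17, no Principal element, Allow statements only on Resource "*"), and warns when a statement would deny every operation on its targets. The sample policies are constructed for the example.

```python
import json

SCP_VERSION = "2012-10-17"  # the only Version value AWS Organizations accepts for SCPs

def validate_scp(policy_json: str):
    """Return (errors, warnings) for an SCP document; no errors means it is well-formed."""
    errors, warnings = [], []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"], warnings
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"], warnings
    if policy.get("Version") != SCP_VERSION:
        errors.append(f'Version must be "{SCP_VERSION}"')
    statements = policy.get("Statement")
    statements = [statements] if isinstance(statements, dict) else statements  # single-object form
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"], warnings
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            errors.append(f"{where} must be an object")
            continue
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            errors.append(f'{where}: Effect must be "Allow" or "Deny"')
        if "Action" not in st and "NotAction" not in st:
            errors.append(f"{where}: missing Action (or NotAction)")
        if "Resource" not in st and "NotResource" not in st:
            errors.append(f"{where}: missing Resource (or NotResource)")
        if "Principal" in st or "NotPrincipal" in st:
            errors.append(f"{where}: SCPs do not support Principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if effect == "Allow" and resources != ["*"]:
            errors.append(f'{where}: Allow statements must use Resource "*"')
        # An unconditional Deny on every action and resource leaves nothing permitted on the
        # attached targets, the same outcome the FullAWSAccess warning below describes.
        if effect == "Deny" and "*" in actions and "*" in resources and "Condition" not in st:
            warnings.append(f"{where}: unconditional Deny on all actions and resources")
    return errors, warnings

# Constructed sample policies for exercising the validator (not from the Prism documentation).
REGION_LOCK_SCP = json.dumps({"Version": SCP_VERSION, "Statement": [{"Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]})
DENY_ALL_SCP = json.dumps({"Version": SCP_VERSION, "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]})
BROKEN_SCP = '{"Version": "2012-10-17", "Statement": {"Effect": "Permit", "Action": "s3:*"}}'
```

Run the three samples through validate_scp to see a clean result, a warning-only result, and the two errors the broken policy produces.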

Editing a Policy

  1. Select a policy from the list to open its detail view.
  2. Click the Edit button.
  3. Modify the name, description, or JSON content.
  4. Click Save.

Warning: AWS-managed policies (such as FullAWSAccess) cannot be edited or deleted.

Deleting a Policy

  1. Select a policy from the list.
  2. Click the Delete button.
  3. Confirm the deletion.

The policy must be detached from all targets before it can be deleted.


Attaching Policies to Targets

Policies take effect only when attached to targets (organization root, OUs, or accounts).

Step-by-Step Guide

  1. Select a policy from the list.
  2. Switch to the Targets tab.
  3. Click the Attach button.
  4. An organization tree with checkboxes is displayed. Each node shows its current quota usage (e.g., 2/5).
  5. Select one or more targets by checking the boxes.
  6. Click Attach.

Targets already attached to the policy are shown as disabled with an "attached" label. Targets at the maximum quota (5/5) are also disabled and shown in red.

Batch Attachment

You can select multiple targets at once. The attachment process runs sequentially with a progress indicator showing the result for each target.


Detaching Policies

Single Detach

On the Targets tab, click the detach icon next to the target you want to detach from.

Batch Detach

  1. On the Targets tab, use the checkboxes to select multiple targets.
  2. Click the Detach selected (N) button that appears.
  3. All selected targets are detached.

Warning: Detaching FullAWSAccess from a target will disable ALL operations on that target. No API calls, console actions, or service operations will be permitted. Only proceed if you are absolutely sure.


Managing Tags

Tags are key-value pairs that help you organize and identify your policies.

Viewing Tags

  1. Select a policy from the list.
  2. Switch to the Tags tab.
  3. All tags on the policy are displayed in a table.

Adding a Tag

  1. On the Tags tab, click the Add Tag button.
  2. Enter a Key and optional Value.
  3. Click Add.

Editing a Tag

  1. Click the Edit icon next to the tag you want to modify.
  2. Update the key and/or value.
  3. Click Save.

If the key is changed, the old tag is removed and a new one is created.

Removing a Tag

Click the Delete icon next to the tag you want to remove.

Info: AWS-managed policies cannot be tagged. The Add Tag and Delete buttons are disabled for these policies.


The Policies section uses breadcrumb navigation:

  • Policies -- Returns to the policy types landing page.
  • Policies > Service Control Policies -- Returns to the policy list for that type.
  • Policies > Service Control Policies > my-policy -- Current policy detail view.

Click any breadcrumb segment to navigate back.