Policy Management Issues

Common issues and solutions when managing AWS Organizations policies through Prism.

Policy Type Shows as "Disabled"

Problem: A policy type (e.g., Tag Policies, Backup Policies) shows "Disabled" on the Policies landing page.

Solution: The policy type must be enabled in the AWS Organizations console for your management account. Prism reflects the current state of your organization -- it cannot enable policy types on your behalf. Contact your AWS administrator to enable the policy type.


"Max Policies Exceeded" Error When Attaching

Problem: Attaching a policy to a target fails with an error about exceeding the maximum number of policies.

Solution: AWS Organizations limits each target (root, OU, or account) to 5 policies per type. The attach dialog shows the current quota usage (e.g., "3/5") next to each target. Targets at 5/5 are disabled and cannot accept additional policies. Detach an existing policy from the target before attaching a new one.


Cannot Edit or Delete an AWS-Managed Policy

Problem: The Edit and Delete buttons are disabled for certain policies like FullAWSAccess.

Solution: AWS-managed policies are controlled by AWS and cannot be modified or deleted. You can only attach or detach them from targets. Create a custom policy if you need different permissions.


Cannot Delete a Policy

Problem: Deleting a policy fails with an error about targets still being attached.

Solution: A policy must be detached from all targets before it can be deleted. Go to the policy's Targets tab, select all targets using the checkboxes, and click Detach selected to remove all attachments first.
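
The quota check from the "Max Policies Exceeded" section above and the detach-then-delete sequence described here, as an added Python example that is not Prism's own code: it uses the boto3 Organizations method names and keyword arguments, but FakeOrgClient is a constructed in-memory stand-in so it runs offline (with real credentials, pass boto3.client("organizations") instead).

```python
# Added example (not Prism's code): quota pre-check and detach-then-delete, using
# boto3 Organizations method names; FakeOrgClient is a constructed offline stand-in.
MAX_POLICIES_PER_TYPE = 5  # AWS Organizations quota per target, per policy type


class FakeOrgClient:
    def __init__(self, policies, attachments):
        self.policies = policies        # {policy_id: {"Type": str, "AwsManaged": bool}}
        self.attachments = attachments  # {target_id: set(policy_id)}

    def describe_policy(self, PolicyId):
        return {"Policy": {"PolicySummary": {"Id": PolicyId, **self.policies[PolicyId]}}}

    def list_policies_for_target(self, TargetId, Filter):
        ids = self.attachments.get(TargetId, set())
        return {"Policies": [{"Id": i} for i in ids if self.policies[i]["Type"] == Filter]}

    def list_targets_for_policy(self, PolicyId):
        return {"Targets": [{"TargetId": t} for t, ids in self.attachments.items() if PolicyId in ids]}

    def attach_policy(self, PolicyId, TargetId):
        self.attachments.setdefault(TargetId, set()).add(PolicyId)

    def detach_policy(self, PolicyId, TargetId):
        self.attachments[TargetId].discard(PolicyId)

    def delete_policy(self, PolicyId):
        if any(PolicyId in ids for ids in self.attachments.values()):
            raise RuntimeError("PolicyInUseException: detach from all targets first")
        del self.policies[PolicyId]


def attach_with_quota_check(org, policy_id, target_id):
    """Attach only if the target has room for another policy of this type."""
    ptype = org.describe_policy(PolicyId=policy_id)["Policy"]["PolicySummary"]["Type"]
    used = len(org.list_policies_for_target(TargetId=target_id, Filter=ptype)["Policies"])
    if used >= MAX_POLICIES_PER_TYPE:
        return False  # target is at 5/5 for this type: detach something first
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return True


def detach_all_and_delete(org, policy_id):
    """Refuse AWS-managed policies; otherwise detach every target, then delete."""
    if org.describe_policy(PolicyId=policy_id)["Policy"]["PolicySummary"]["AwsManaged"]:
        return None  # AWS-managed: can only be attached or detached, never deleted
    targets = [t["TargetId"] for t in org.list_targets_for_policy(PolicyId=policy_id)["Targets"]]
    for target_id in targets:
        org.detach_policy(PolicyId=policy_id, TargetId=target_id)
    org.delete_policy(PolicyId=policy_id)
    return targets
```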


Tag Operations Fail

Problem: Adding or removing tags from a policy fails.

Solution:

  • AWS-managed policies cannot be tagged. The tag management buttons are disabled for these policies.
  • Ensure your management account's IAM role has the organizations:TagResource and organizations:UntagResource permissions.

OU Deletion Fails

Problem: Deleting an organizational unit fails.

Solution: The OU must be completely empty -- no child accounts or child OUs. Move all accounts out of the OU first using the Move Account action in the hierarchy view, then delete any child OUs before deleting the parent.


Organization Tree Not Loading

Problem: The hierarchy view in the Accounts section shows an error or empty state.

Solution:

  • Verify that Org Services is enabled for your customer (check with your application administrator).
  • Ensure the management account ID is correctly configured.
  • The management account's IAM role must have organizations:ListRoots, organizations:ListOrganizationalUnitsForParent, and organizations:ListAccountsForParent permissions.