Management Policies – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

Management Policies

The other type of policy handled by AWS Organizations is management policies, which further subdivide into artificial intelligence (AI) services opt-out policies, backup policies, and tag policies.

Management policies are inherited from the root of your organization down to the account level. The effective policy being applied at the account level is the result of the merging of all the policies from the root of your organization down to the account. How these policies are merged depends on inheritance operators. Inheritance operators define how inherited policies merge into the account’s effective policy. The visual editor in the AWS Organizations management console only lets you use the @@assign operator. The other operators (@@append and @@remove) are considered advanced features and are available only when you author the policy in JavaScript Object Notation (JSON). The @@assign operator simply overwrites the policy settings inherited from the parent levels with those that you specify. The @@append operator adds the settings you specify to those inherited from the parent levels. The @@remove operator removes the specified settings from the settings inherited from the parent levels.

You can optionally include child control operators to specify which inheritance operators child policies are allowed to use. This gives you the opportunity to prohibit certain behavior across your entire organization or across certain OUs (for instance, to prevent specific settings from being removed at a lower level within your organization, in child OUs or accounts). Imagine, for instance, that you want to enforce regular backups of all your Amazon Relational Database Service (RDS) databases across your entire organization. You would typically define a backup policy at the root level and specify child control operators in a way that ensures child OUs or accounts cannot use the @@remove operator on the settings that matter. Please refer to the AWS documentation at https://packt.link/buM81 for more details and example policies on how to do this.
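The following is an added example (not AWS's code or the study guide's) that models the root-to-account merge described above in Python, so you can see why a child control operator set at the root stops an account from using @@remove. It assumes a simplified reading of the documented semantics: child controls are tracked on leaf keys only, a child policy may tighten but never loosen an inherited control, and leaves are kept as value/allowed pairs and flattened at the end; the authoritative result is always what describe-effective-policy returns.

```python
import copy
from functools import reduce

VALUE_OPS = ("@@assign", "@@append", "@@remove")
CHILD_CTRL = "@@operators_allowed_for_child_policies"

def _permits(allowed, op):
    """True if an inherited child control lets a policy use value operator `op`."""
    return "@@none" not in allowed and ("@@all" in allowed or op in allowed)

def merge(parent, child, allowed=("@@all",)):
    """Merge raw policy `child` onto effective form `parent`; leaves are {"value", "allowed"}."""
    eff = copy.deepcopy(parent)
    for key, node in child.items():
        if key == CHILD_CTRL:                           # assumption: controls modelled on leaf keys only
            continue
        if not all(k.startswith("@@") for k in node):   # branch node: recurse
            eff[key] = merge(eff.get(key, {}), node, allowed)
            continue
        cur = eff.setdefault(key, {"value": None, "allowed": list(allowed)})
        for op in (o for o in VALUE_OPS if o in node):
            if not _permits(cur["allowed"], op):        # enforce the parent's child control
                raise ValueError(f"{op} on '{key}' is blocked by a parent policy")
            have = cur["value"] or []
            if op == "@@assign":                         # overwrite the inherited value
                cur["value"] = node[op]
            elif op == "@@append":                       # add to the inherited list
                cur["value"] = have + [v for v in node[op] if v not in have]
            else:                                        # @@remove from the inherited list
                cur["value"] = [v for v in have if v not in node[op]]
        if CHILD_CTRL in node:                           # assumption: a child may tighten, never loosen
            cur["allowed"] = [o for o in node[CHILD_CTRL] if o == "@@none" or _permits(cur["allowed"], o)]
    return eff

def flatten(eff):
    """Strip the bookkeeping down to the plain values describe-effective-policy shows."""
    return {k: v["value"] if set(v) == {"value", "allowed"} else flatten(v) for k, v in eff.items()}

def effective_policy(chain):
    """Fold a root-to-account chain of raw policies into the account's effective policy."""
    return flatten(reduce(merge, chain, {}))

ROOT = {"plans": {"rds_daily": {                # constructed sample, abbreviated backup-policy syntax
    "regions": {"@@assign": ["eu-west-1"]},
    "selections": {"tags": {"rds": {"tag_value": {CHILD_CTRL: ["@@append"], "@@assign": ["rds"]}}}}}}}
ACCOUNT_OK = {"plans": {"rds_daily": {         # widens the backup scope: permitted
    "regions": {"@@append": ["eu-central-1"]},
    "selections": {"tags": {"rds": {"tag_value": {"@@append": ["aurora"]}}}}}}}
ACCOUNT_BAD = {"plans": {"rds_daily": {        # tries to drop RDS from the backup selection: rejected
    "selections": {"tags": {"rds": {"tag_value": {"@@remove": ["rds"]}}}}}}}
```

Calling effective_policy([ROOT, ACCOUNT_OK]) yields the widened selection, while effective_policy([ROOT, ACCOUNT_BAD]) raises because the root only allowed @@append on tag_value; regions, which carries no child control, can still be trimmed by an account.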

Whether you’re building a backup or tag policy, it is recommended to start with a simple policy, to check the resulting effective policy on the target account(s), and to test its results thoroughly. Then, you can gradually add more complexity as required, always following the same procedure and limiting the scope of the policy change each time to make tests and troubleshooting easier and more efficient.

To check the effective policy applied to your account(s), you can, from the command line, run the command given below. This returns the effective management policy that applies to the concerned resources in your account:

aws organizations describe-effective-policy --policy-type <POLICY_TYPE>

Here, <POLICY_TYPE> is either BACKUP_POLICY, TAG_POLICY, or AISERVICES_OPT_OUT_POLICY.

When you run it from your organization’s management account, you can also add --target-id <managed-account-id> as an option, to specify the identifier (ID) of an account within your organization for which you want to find out the effective management policy.