Policies
You can have four types of policies in your AWS organization: service control policies, tag policies, backup policies, and AI services opt-out policies. You can use Takomo to manage all of these.

Policy files

You use policy files to store the policies you want to deploy to your AWS organization. Each policy type has its own directory, from which Takomo reads the policies.

Policy type                    Directory
Service control policies       service-control-policies
Tag policies                   tag-policies
Backup policies                backup-policies
AI services opt-out policies   ai-services-opt-out-policies

Example

Here's an example of a service control policy that denies everything from regions that are not explicitly allowed. Because it's a service control policy, it needs to be placed into the service-control-policies directory.
organization/service-control-policies/restrict-by-regions.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-central-1",
            "eu-west-1",
            "eu-west-2",
            "eu-west-3",
            "eu-north-1"
          ]
        }
      }
    }
  ]
}
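To see what the policy above actually does before deploying it, here is a small evaluator, written for this page as an added example (it is not Takomo code and does not use the Takomo API). It embeds the restrict-by-regions document verbatim and implements only the subset of the IAM policy language the example uses: Deny statements, `Action` wildcards, and the `StringEquals` / `StringNotEquals` operators on `aws:RequestedRegion`. The function names `scp_denies` and `denied_regions` are this example's own.

```python
import json

# The restrict-by-regions service control policy from this page, embedded as a string.
RESTRICT_BY_REGIONS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAllowedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1", "eu-central-1", "eu-west-1",
            "eu-west-2", "eu-west-3", "eu-north-1"
          ]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action match: '*' or a trailing-wildcard prefix, otherwise exact (case-insensitive)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the condition block against the request context.

    Only StringEquals and StringNotEquals are implemented, which is all the
    example policy needs. A missing context key matches StringNotEquals, as it
    does in IAM, and never matches StringEquals.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not supported by this example")
    return True


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """True if any Deny statement in the SCP matches a request for `action` in `region`.

    Only explicit denies are evaluated; an SCP-permitted request additionally needs
    an Allow (for example from FullAWSAccess), which this helper does not model.
    """
    context = {"aws:RequestedRegion": region}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(statement.get("Action", []))):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return True
    return False


def denied_regions(policy: dict, action: str, candidate_regions) -> list:
    """Subset of `candidate_regions` in which `action` would be denied by the SCP."""
    return [r for r in candidate_regions if scp_denies(policy, action, r)]


if __name__ == "__main__":
    for region in ("eu-west-1", "ap-southeast-1"):
        verdict = "DENIED" if scp_denies(RESTRICT_BY_REGIONS, "ec2:RunInstances", region) else "allowed by this SCP"
        print(f"ec2:RunInstances in {region}: {verdict}")
```

One caveat worth checking with such a policy: global services such as IAM report us-east-1 as `aws:RequestedRegion`, so removing us-east-1 from the allowed list would deny IAM calls organization-wide, not just workloads in that region.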

Declaring policies

Once you have policy files in the correct directories, you can declare them in the organization configuration. Each policy type has its own property under which you declare the policies.
Policy type                    Property
Service control policies       serviceControlPolicies
Tag policies                   tagPolicies
Backup policies                backupPolicies
AI services opt-out policies   aiServicesOptOutPolicies

Each of the above is an object whose keys are policy names and whose values are the configuration for the corresponding policy. The policy name is the file name of the policy file, excluding the file extension.

Example

Here's how you would declare the service control policy we created in the previous example:
organization/organization.yml

masterAccountId: "098765432100"

# Use serviceControlPolicies property
# to specify service control policies
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions

organizationalUnits:
  Root:
    accounts:
      - "098765432100"
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
  Root/Sandbox:
    accounts:
      - "123456789012"
      - "448873940474"

AWS managed policies

There is a default service control policy named FullAWSAccess which is managed by AWS. You can't provide your own policy with this name. You can still use this policy with your organizational units and accounts by declaring it with awsManaged: true. Because AWS manages the policy, you don't need to provide a policy file for it.

Example

Here's how you declare the AWS managed policy:
organization/organization.yml

masterAccountId: "098765432100"

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions

  # This is the AWS managed default service control policy
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

organizationalUnits:
  Root:
    accounts:
      - "098765432100"
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
  Root/Sandbox:
    accounts:
      - "123456789012"
      - "448873940474"
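The two rules stated in the "Declaring policies" and "AWS managed policies" sections (a declared policy's name must match a file in the policy type's directory, and FullAWSAccess cannot be supplied as your own policy but must be declared with awsManaged: true) are easy to get wrong in a large organization. The pre-deployment check below is an added example written for this page, not part of Takomo; it does not call Takomo and only inspects the organization config and the policy directories. It assumes policy files use a `.json` extension (as in the page's example) and that the config has already been loaded into a Python dict (for instance with `yaml.safe_load`); the function and constant names are this example's own.

```python
import json
import tempfile
from pathlib import Path

# Directory per policy type, as listed in the "Policy files" section.
POLICY_DIRS = {
    "serviceControlPolicies": "service-control-policies",
    "tagPolicies": "tag-policies",
    "backupPolicies": "backup-policies",
    "aiServicesOptOutPolicies": "ai-services-opt-out-policies",
}

# Names reserved for policies AWS manages; the page names FullAWSAccess.
AWS_MANAGED_NAMES = {"FullAWSAccess"}

# Assumption: policy files use a .json extension, as in the page's example.
POLICY_SUFFIX = ".json"


def check_policy_declarations(config: dict, org_dir: Path) -> list[str]:
    """Cross-check policy declarations in an organization config against the
    policy files on disk. Returns human-readable problems (empty list = clean)."""
    problems: list[str] = []
    for ptype, dirname in POLICY_DIRS.items():
        declared = config.get(ptype) or {}
        policy_dir = org_dir / dirname
        # Policy name == file name without extension (Path.stem).
        on_disk = {p.stem: p for p in policy_dir.glob(f"*{POLICY_SUFFIX}")} if policy_dir.is_dir() else {}

        for name, settings in declared.items():
            aws_managed = bool((settings or {}).get("awsManaged", False))
            if name in AWS_MANAGED_NAMES and not aws_managed:
                problems.append(f"{ptype}/{name}: reserved AWS managed name, declare it with awsManaged: true")
                continue
            if aws_managed:
                # AWS supplies the document, so no local file is required.
                continue
            if name not in on_disk:
                problems.append(f"{ptype}/{name}: missing policy file {policy_dir / (name + POLICY_SUFFIX)}")
                continue
            try:
                json.loads(on_disk[name].read_text())
            except json.JSONDecodeError as exc:
                problems.append(f"{ptype}/{name}: {on_disk[name]} is not valid JSON ({exc})")

        for name, path in on_disk.items():
            if name not in declared:
                problems.append(f"{ptype}/{name}: {path} exists but is not declared, so it would not be deployed")
    return problems


# Constructed declarations mirroring the organization.yml example above
# (the organizationalUnits section is not needed for this check).
GOOD_CONFIG = {
    "masterAccountId": "098765432100",
    "serviceControlPolicies": {
        "restrict-by-regions": {"description": "Restrict regions"},
        "FullAWSAccess": {"description": "AWS managed default policy", "awsManaged": True},
    },
}

# Constructed config with three mistakes: FullAWSAccess declared as a custom
# policy, a backup policy without a file, and restrict-by-regions left undeclared.
BAD_CONFIG = {
    "masterAccountId": "098765432100",
    "serviceControlPolicies": {"FullAWSAccess": {"description": "AWS managed default policy"}},
    "backupPolicies": {"MyBackups": {"description": "Backup policy"}},
}


def demo() -> tuple[list[str], list[str]]:
    """Create a throwaway organization directory and run the check on both configs."""
    with tempfile.TemporaryDirectory() as tmp:
        org_dir = Path(tmp)
        scp_dir = org_dir / POLICY_DIRS["serviceControlPolicies"]
        scp_dir.mkdir()
        # Minimal placeholder document; the real file would hold the SCP shown earlier.
        (scp_dir / f"restrict-by-regions{POLICY_SUFFIX}").write_text(
            json.dumps({"Version": "2012-10-17", "Statement": []})
        )
        return check_policy_declarations(GOOD_CONFIG, org_dir), check_policy_declarations(BAD_CONFIG, org_dir)


if __name__ == "__main__":
    ok, bad = demo()
    print("good config:", ok or "no problems")
    for problem in bad:
        print("bad config:", problem)
```

Run it as a CI step against the real `organization/` directory by replacing `demo()` with a call to `check_policy_declarations(yaml.safe_load(open("organization/organization.yml")), Path("organization"))` and failing the build on a non-empty result.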

Attaching policies

You can attach declared policies to OUs and accounts with the following properties.
Policy type                    Property
Service control policies       serviceControlPolicies
Tag policies                   tagPolicies
Backup policies                backupPolicies
AI services opt-out policies   aiServicesOptOutPolicies

Each of them accepts a single policy name or a list of policy names. Service control policies behave differently from the other policy types. If you attach a service control policy to an OU, it is also attached automatically to all OUs and accounts under that OU. If you attach any other policy type to an OU, the policy is not attached to the OUs and accounts under that OU; they inherit the policy instead.

Example

Let's add one backup policy named MyBackups and attach it directly to account 123456789012. Then, we attach the AWS managed default service control policy FullAWSAccess to the Root OU, so it is inherited by all OUs and accounts in the organization. Finally, we want our workload accounts under the Root/Workloads OU to be restricted to the allowed regions, so we attach the restrict-by-regions policy to that OU.
organization/organization.yml

masterAccountId: "098765432100"

serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true

backupPolicies:
  MyBackups:
    description: Backup policy

organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"
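Before deploying, it helps to see which policies each account ends up with under the attachment rules just described: a service control policy attached to an OU is attached to everything below it, whereas the other policy types stay attached only where declared and are inherited downward. The resolver below is an added example written for this page, not Takomo code; it reproduces those two rules over a Python dict mirroring the organization.yml above (the shape `yaml.safe_load` would return) and is general enough to handle OU paths whose intermediate OUs are not declared. The function names (`effective_policies`, `with_ou_policy`) and the `attached` / `inherited` output shape are this example's own.

```python
import copy

SCP = "serviceControlPolicies"
POLICY_TYPES = (SCP, "tagPolicies", "backupPolicies", "aiServicesOptOutPolicies")

# Constructed Python mirror of the organization.yml shown above.
ORG_CONFIG = {
    "masterAccountId": "098765432100",
    "serviceControlPolicies": {
        "restrict-by-regions": {"description": "Restrict regions"},
        "FullAWSAccess": {"description": "AWS managed default policy", "awsManaged": True},
    },
    "backupPolicies": {"MyBackups": {"description": "Backup policy"}},
    "organizationalUnits": {
        "Root": {"serviceControlPolicies": "FullAWSAccess", "accounts": ["098765432100"]},
        "Root/Workloads": {"serviceControlPolicies": "restrict-by-regions"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [{"id": "876754648373", "name": "MyAccount", "description": "This is a production account"}]
        },
        "Root/Sandbox": {
            "accounts": [{"id": "123456789012", "backupPolicies": ["MyBackups"]}, "448873940474"]
        },
    },
}


def _as_list(value) -> list:
    """A policy property takes one name or a list of names."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _merge(*parts) -> list:
    """Concatenate name lists, dropping duplicates and keeping first-seen order."""
    seen, out = set(), []
    for name in (n for part in parts for n in part):
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def _ou_policies(path: str, ous: dict, memo: dict) -> dict:
    """Return {type: {"attached": [...], "inherited": [...]}} for one OU path,
    walking up to the parent OU (Root/Workloads/Prod -> Root/Workloads -> Root)."""
    if path in memo:
        return memo[path]
    parent = _ou_policies(path.rsplit("/", 1)[0], ous, memo) if "/" in path else {}
    own = ous.get(path, {})  # an undeclared intermediate OU contributes nothing
    result = {}
    for ptype in POLICY_TYPES:
        p = parent.get(ptype, {"attached": [], "inherited": []})
        mine = _as_list(own.get(ptype))
        if ptype == SCP:
            # An SCP attached to a parent OU is attached to every child OU and account.
            result[ptype] = {"attached": _merge(p["attached"], mine), "inherited": []}
        else:
            # Other policy types stay attached where declared; children only inherit them.
            result[ptype] = {"attached": mine, "inherited": _merge(p["inherited"], p["attached"])}
    memo[path] = result
    return result


def effective_policies(config: dict) -> dict:
    """Map every account id to its attached and inherited policies, per policy type."""
    ous = config["organizationalUnits"]
    memo, accounts = {}, {}
    for path, ou in ous.items():
        ou_pol = _ou_policies(path, ous, memo)
        for entry in ou.get("accounts", []):
            entry = {"id": entry} if isinstance(entry, str) else entry  # bare id or mapping
            acc = {}
            for ptype in POLICY_TYPES:
                mine = _as_list(entry.get(ptype))
                if ptype == SCP:
                    acc[ptype] = {"attached": _merge(ou_pol[ptype]["attached"], mine), "inherited": []}
                else:
                    acc[ptype] = {"attached": mine,
                                  "inherited": _merge(ou_pol[ptype]["inherited"], ou_pol[ptype]["attached"])}
            accounts[entry["id"]] = acc
    return accounts


def with_ou_policy(config: dict, ou_path: str, ptype: str, names) -> dict:
    """Deep copy of `config` with `names` attached to `ou_path` for `ptype`, for what-if checks."""
    new = copy.deepcopy(config)
    new["organizationalUnits"].setdefault(ou_path, {})[ptype] = _as_list(names)
    return new


if __name__ == "__main__":
    for account_id, policies in effective_policies(ORG_CONFIG).items():
        print(account_id, {t: p for t, p in policies.items() if p["attached"] or p["inherited"]})
```

With the page's configuration, the production account 876754648373 ends up with both FullAWSAccess and restrict-by-regions attached, the sandbox account 123456789012 has MyBackups attached directly, and nothing is inherited. Attaching MyBackups at Root/Workloads via `with_ou_policy` instead shows the other branch: the production account then lists MyBackups under `inherited`, not `attached`.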