Skip to content

Organization Policies

Usage

Service Control Policy

Attached a Service Control Policy to an Organization Unit or an Account

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import { Construct } from 'constructs';
import {
  Organization,
  OrganizationUnit,
  Account,
  ServiceControlPolicy
} from '@jttc/aws-organizations';

export class OrganizationStack extends Construct {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const organization = new Organization(this, 'Organization');

    const workloadOrganizationUnit = new OrganizationUnit(
      this,
      'WorkloadsOrganizationUnit',
      {
        organizationUnitName: 'workloads',
        parent: organization,
      }
    );

    new Account(this, 'ProdAccount', {
      accountName: 'prodc-account',
      email: 'prod@example.com'
      parent: workloadOrganizationUnit,
    });

    const policy = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ['s3:*'],
      resources: ['*'],
    });

    new ServiceControlPolicy(stack, 'ServiceControlPolicy', {
      name: 'test-policy',
      description: 'test policy',
      statements: [policy],
      targetIds: [workloadOrganizationUnit.organizationUnitId],
    });
  }
}