Table: aws_organizations_policy - Query AWS Organizations Policy using SQL
The AWS Organizations Policy is a service that allows you to centrally manage and enforce policies for multiple AWS accounts. With this service, you can create policies that apply across your organization, or to specific organizational units (OUs) or accounts. It provides control over AWS service use, ensures consistent tags, and helps maintain your accounts as per your company's compliance requirements.
Table Usage Guide
The `aws_organizations_policy` table in Steampipe provides you with information about policies within AWS Organizations. This table allows you, as a DevOps engineer, to query policy-specific details, including policy type, content, and associated metadata. You can utilize this table to gather insights on policies, such as policy names, policy types, and the contents of the policies. The schema outlines the various attributes of the policy for you, including the policy ARN, policy type, policy content, policy name, and associated tags.
Important Notes
- You must specify `type` in the `where` clause to query this table.
Examples
Basic info
Analyze the settings to understand the policies managed by AWS within your organization. This is particularly useful for gaining insights into service control policies, allowing you to manage access across your AWS environment effectively.
```sql
select
  name,
  id,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';
```
List tag policies that are not managed by AWS
Identify tag policies within your AWS organization that are not directly managed by AWS. This can be useful for maintaining oversight of custom policies and ensuring they align with your organization's specific requirements and standards.
```sql
select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  not aws_managed
  and type = 'TAG_POLICY';
```
List backup policies
Explore the list of backup policies in your AWS organization to understand which ones are managed by AWS and which ones you've implemented. This can help you maintain compliance and ensure data recovery in case of accidental deletion or system failure.
```sql
select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'BACKUP_POLICY';
```
Get policy details of the service control policies
Determine the details of service control policies within your AWS organization. This query can help you understand the version and statement of each policy, providing valuable insights for policy management and compliance.
```sql
-- PostgreSQL (jsonb operators)
select
  name,
  id,
  content ->> 'Version' as policy_version,
  content ->> 'Statement' as policy_statement
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';
```

```sql
-- SQLite (json_extract)
select
  name,
  id,
  json_extract(content, '$.Version') as policy_version,
  json_extract(content, '$.Statement') as policy_statement
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';
```
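The queries above return the whole `Statement` value as a single field. As an added example (not part of the Steampipe documentation), the PostgreSQL query below expands it to one row per statement so each effect, action and resource can be reviewed on its own; it assumes the standard policy JSON layout, in which `Statement` may be either a single object or an array.

```sql
-- Added example (PostgreSQL syntax): one row per service control policy statement.
with scp as (
  select
    name,
    id,
    aws_managed,
    -- "Statement" may be a single object or an array; normalise it to an array.
    case jsonb_typeof(content -> 'Statement')
      when 'array' then content -> 'Statement'
      else jsonb_build_array(content -> 'Statement')
    end as statements
  from
    aws_organizations_policy
  where
    type = 'SERVICE_CONTROL_POLICY' -- this table requires a type qualifier
)
select
  scp.name,
  scp.id,
  scp.aws_managed,
  s ->> 'Sid' as sid,
  s ->> 'Effect' as effect,
  -- Action, NotAction and Resource can each be a string or an array, so keep them as jsonb.
  s -> 'Action' as action,
  s -> 'NotAction' as not_action,
  s -> 'Resource' as resource,
  s -> 'Condition' as condition
from
  scp,
  jsonb_array_elements(scp.statements) as s
order by
  scp.name,
  sid;
```

Filtering the result on `effect = 'Deny'` and `not aws_managed` narrows it to the guardrails your organization has written itself.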
Schema for aws_organizations_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) of the policy. |
aws_managed | boolean | | A boolean value that indicates whether the specified policy is an Amazon Web Services managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it. |
content | jsonb | | The text content of the policy. |
description | text | | The description of the policy. |
id | text | = | The unique identifier (ID) of the policy. |
name | text | | The friendly name of the policy. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
type | text | = | The type of policy. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the `steampipe_export_installer.sh` script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the `--config` argument:

```sh
steampipe_export_aws --config '<your_config>' aws_organizations_policy
```