steampipe plugin install awssteampipe plugin install aws

Table: aws_organizations_policy - Query AWS Organizations Policy using SQL

The AWS Organizations Policy is a service that allows you to centrally manage and enforce policies for multiple AWS accounts. With this service, you can create policies that apply across your organization, or to specific organizational units (OUs) or accounts. It provides control over AWS service use, ensures consistent tags, and helps maintain your accounts as per your company's compliance requirements.

Table Usage Guide

The aws_organizations_policy table in Steampipe provides you with information about policies within AWS Organizations. This table allows you, as a DevOps engineer, to query policy-specific details, including policy type, content, and associated metadata. You can utilize this table to gather insights on policies, such as policy names, policy types, and the contents of the policies. The schema outlines the various attributes of the policy for you, including the policy ARN, policy type, policy content, policy name, and associated tags.

Important Notes

You must specify type in the where clause to query this table.

Examples

Basic info

Analyze the settings to understand the policies managed by AWS within your organization. This is particularly useful for gaining insights into service control policies, allowing you to manage access across your AWS environment effectively.

select
  name,
  id,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';

select
  name,
  id,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';

Identify tag policies within your AWS organization that are not directly managed by AWS. This can be useful for maintaining oversight of custom policies and ensuring they align with your organization's specific requirements and standards.

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  not aws_managed
  and type = 'TAG_POLICY';

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  not aws_managed
  and type = 'TAG_POLICY';

List backup policies

Explore the list of backup policies in your AWS organization to understand which ones are managed by AWS and which ones you've implemented. This can help you maintain compliance and ensure data recovery in case of accidental deletion or system failure.

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'BACKUP_POLICY';

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy
where
  type = 'BACKUP_POLICY';

Get policy details of the service control policies

Determine the details of service control policies within your AWS organization. This query can help you understand the version and statement of each policy, providing valuable insights for policy management and compliance.

select
  name,
  id,
  content ->> 'Version' as policy_version,
  content ->> 'Statement' as policy_statement
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';

select
  name,
  id,
  json_extract(content, '$.Version') as policy_version,
  json_extract(content, '$.Statement') as policy_statement
from
  aws_organizations_policy
where
  type = 'SERVICE_CONTROL_POLICY';

Schema for aws_organizations_policy

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
account_id	text	=, !=, ~~, ~~, !~~, !~~	The AWS Account ID in which the resource is located.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Amazon Resource Name (ARN) of the policy.
aws_managed	boolean		A boolean value that indicates whether the specified policy is an Amazon Web Services managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it.
content	jsonb		The text content of the policy.
description	text		The description of the policy.
id	text	=	The unique identifier (ID) of the policy.
name	text		The friendly name of the policy.
partition	text		The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region	text		The AWS Region in which the resource is located.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
title	text		Title of the resource.
type	text	=	The type of policy.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_organizations_policy