steampipe plugin install aws

Table: aws_organizations_policy_target - Query AWS Organizations Policy Targets using SQL

A policy target in AWS Organizations is the root, organizational unit (OU), or account to which an organization policy (service control policy, tag policy, backup policy, and so on) is attached. Attaching policies at the root or OU level gives you centralized control over every account beneath that node, which is how organization-wide guardrails such as deny-lists for regions or services are enforced. This table lists the policies directly attached to a given target.

Table Usage Guide

The aws_organizations_policy_target table in Steampipe provides you with information about the policies attached to a specific target within AWS Organizations. This table allows you, as a DevOps engineer, to query the policies directly attached to a given root, OU, or account, including each policy's ID, name, ARN, type, JSON content, and whether it is managed by AWS (for example the default FullAWSAccess service control policy). You can use it to verify which guardrails are attached to a particular account or OU and to review the statements of customer-authored policies. The schema outlines the various attributes of each attached policy for you, including the ARN, policy ID, name, type, content, and the target_id you queried.

Important Notes

  • You must specify type and target_id in the where clause to query this table. target_id is a root ID (r-…), an OU ID (ou-…), or a 12-digit account ID, and type is one of the AWS Organizations policy types, for example SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY or AISERVICES_OPT_OUT_POLICY.
  • Only policies directly attached to the target are returned. Policies inherited from a parent OU or the root still apply to the target but do not appear in the results; to see the full set of effective policies, query each ancestor as well.
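Because target_id is a required qualifier, the usual way to cover every account at once is to supply it from another table in a join rather than hard-coding one ID per query. The following query is an added example, not part of the Steampipe documentation: it assumes the aws_organizations_account table from the same plugin (whose id column is the 12-digit account ID) and flags member accounts whose only attached SCPs are AWS-managed, i.e. accounts that rely entirely on the default FullAWSAccess policy and have no customer-authored guardrail attached directly.

```sql
-- Added example (not from the Steampipe docs). Assumes the
-- aws_organizations_account table from the same plugin and a connection
-- in the management account (or a delegated administrator) with
-- organizations:ListAccounts and organizations:ListPoliciesForTarget.
-- Steampipe pushes the join condition t.target_id = a.id down as the
-- required target_id qualifier, so one query covers every account.
select
  a.id as account_id,
  a.name as account_name,
  a.status,
  count(t.id) filter (where not t.aws_managed) as customer_scps,
  string_agg(t.name, ', ' order by t.name) as attached_scps
from
  aws_organizations_account as a
  join aws_organizations_policy_target as t
    on t.target_id = a.id
    and t.type = 'SERVICE_CONTROL_POLICY'
group by
  a.id,
  a.name,
  a.status
having
  count(t.id) filter (where not t.aws_managed) = 0
order by
  a.name;
```

An account that appears here is not necessarily unguarded: SCPs attached to its OU or to the root still apply. Treat the result as a list of accounts to check against their ancestors (run the same query with target_id set to the parent OU and root IDs) rather than as a finding on its own.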

Examples

Basic info

List the service control policies attached directly to a specific account, including whether each one is AWS managed (such as the default FullAWSAccess policy) or authored by your organization. This is a quick way to confirm which guardrails are attached to an account before assessing what it is allowed to do.

select
  name,
  id,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy_target
where
  type = 'SERVICE_CONTROL_POLICY'
  and target_id = '123456789098';

List tag policies of an organizational unit that are not managed by AWS

List the customer-authored tag policies attached directly to an organizational unit. Filtering out AWS-managed policies leaves the policies your organization wrote and can edit, which are the ones to review for compliance with your own tagging requirements.

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy_target
where
  not aws_managed
  and type = 'TAG_POLICY'
  and target_id = 'ou-jsdhkek';

List backup organization policies of an account

List all backup policies attached directly to a specific account, whether AWS managed or customer authored. This is useful for confirming that the account is covered by an organization-level backup plan and for spotting accounts with no backup policy attached.

select
  id,
  name,
  arn,
  type,
  aws_managed
from
  aws_organizations_policy_target
where
  type = 'BACKUP_POLICY'
  and target_id = '123456789098';

Get policy details of the service control policies attached to the organization root

Retrieve the policy version and statements of the service control policies attached to the organization root (the r-… ID, not an account). Policies attached to the root apply to every account in the organization, so their statements are the baseline guardrails to audit. The content column is the policy document as JSON; the Postgres query extracts its Version and Statement keys with the ->> operator, and the SQLite query does the same with json_extract.

Postgres:

select
  name,
  id,
  content ->> 'Version' as policy_version,
  content ->> 'Statement' as policy_statement
from
  aws_organizations_policy_target
where
  type = 'SERVICE_CONTROL_POLICY'
  and target_id = 'r-9ijkl7';

SQLite:

select
  name,
  id,
  json_extract(content, '$.Version') as policy_version,
  json_extract(content, '$.Statement') as policy_statement
from
  aws_organizations_policy_target
where
  type = 'SERVICE_CONTROL_POLICY'
  and target_id = 'r-9ijkl7';
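Returning the whole Statement array as text is hard to review for more than one or two policies. The following Postgres query is an added example, not part of the Steampipe documentation: it expands the Statement array into one row per statement and keeps only the Deny statements of customer-authored SCPs attached to the root, which is where the effective organization-wide restrictions live. The root ID 'r-9ijkl7' is the placeholder from the page; it assumes the content column holds the policy document as jsonb, and it handles the case where Statement is a single object rather than an array, which IAM policy syntax permits.

```sql
-- Added example (not from the Steampipe docs). Postgres only: uses
-- jsonb_array_elements, which the SQLite backend does not provide.
-- 'r-9ijkl7' is the placeholder root ID used elsewhere on this page.
select
  t.name as policy_name,
  t.id as policy_id,
  s ->> 'Sid' as sid,
  s ->> 'Effect' as effect,
  s -> 'Action' as action,
  s -> 'Resource' as resource,
  s -> 'Condition' as condition
from
  aws_organizations_policy_target as t,
  -- A policy's Statement may be a JSON array or a single object;
  -- wrap the single-object form so both expand to one row per statement.
  jsonb_array_elements(
    case jsonb_typeof(t.content -> 'Statement')
      when 'array' then t.content -> 'Statement'
      else jsonb_build_array(t.content -> 'Statement')
    end
  ) as s
where
  t.type = 'SERVICE_CONTROL_POLICY'
  and t.target_id = 'r-9ijkl7'
  and not t.aws_managed
  and s ->> 'Effect' = 'Deny'
order by
  t.name,
  sid;
```

Drop the Effect filter to see Allow statements as well, and change target_id to an OU or account ID to audit the restrictions attached at that level. Because SCPs combine across the root, every ancestor OU, and the account itself, a complete picture of what an account may do requires running this against each node on its path from the root.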

Schema for aws_organizations_policy_target

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Amazon Resource Name (ARN) of the policy.
aws_managed | boolean | | A boolean value that indicates whether the specified policy is an Amazon Web Services managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it.
content | jsonb | | The text content of the policy.
description | text | | The description of the policy.
id | text | = | The unique identifier (ID) of the policy.
name | text | | The friendly name of the policy.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
target_id | text | = | The unique identifier (ID) of the root, organizational unit, or account whose policies you want to list.
title | text | | Title of the resource.
type | text | = | The type of policy.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_organizations_policy_target