aws.org-unit
Filters
Actions
rename-tag
Rename an existing tag key to a new value.
- example:
Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because precedence follows the order of the values in old_keys.

policies:
  - name: rename-tags-example
    resource: aws.log-group
    filters:
      - or:
        - "tag:Bap": present
        - "tag:Application": present
    actions:
      - type: rename-tag
        old_keys: [Application, Bap]
        new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
set-policy
Set a policy on an org unit or account
policies:
  - name: attach-existing-scp
    resource: aws.org-unit
    filters:
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: RestrictedRootAccount
    actions:
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: RestrictedRootAccount
policies:
  - name: create-and-attach-scp
    resource: aws.org-unit
    filters:
      - type: policy
        policy-type: SERVICE_CONTROL_POLICY
        count: 0
        attrs:
          - Name: RestrictedRootAccount
    actions:
      - type: set-policy
        policy-type: SERVICE_CONTROL_POLICY
        name: RestrictedRootAccount
        contents:
          Version: "2012-10-17"
          Statement:
            - Sid: RestrictEC2ForRoot
              Effect: Deny
              Action:
                - "ec2:*"
              Resource:
                - "*"
              Condition:
                StringLike:
                  "aws:PrincipalArn":
                    - arn:aws:iam::*:root
properties:
  contents:
    type: object
  description:
    type: string
  name:
    type: string
  policy-type:
    enum:
    - SERVICE_CONTROL_POLICY
    - TAG_POLICY
    - BACKUP_POLICY
    - AISERVICES_OPT_OUT_POLICY
  tags:
    patternProperties:
      ? ''
      : type: string
    type: object
  type:
    enum:
    - set-policy
required:
- name
- policy-type
- type
Permissions - organizations:AttachPolicy, organizations:CreatePolicy
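
Added example (not part of the Cloud Custodian documentation): a simplified Python evaluator showing which requests the RestrictEC2ForRoot statement from create-and-attach-scp denies. The function names, the sample account ID and the reduced matching logic (Action, Resource and StringLike only) are assumptions for illustration, not AWS's or Custodian's implementation.

```python
import re

# The SCP document from the create-and-attach-scp policy, as a Python dict.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictEC2ForRoot",
        "Effect": "Deny",
        "Action": ["ec2:*"],
        "Resource": ["*"],
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}

def _wildcard(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def denied_by(scp, action, principal_arn, resource="*"):
    """Sid of the first matching Deny statement, else None (simplified)."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        # Action names are matched case-insensitively.
        if not any(_wildcard(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        like = stmt.get("Condition", {}).get("StringLike", {})
        # Every condition key must match at least one of its listed patterns.
        if all(
            key in context and any(_wildcard(p, context[key]) for p in _as_list(pats))
            for key, pats in like.items()
        ):
            return stmt.get("Sid", "(no Sid)")
    return None

if __name__ == "__main__":
    # 111122223333 is a constructed account ID.
    print(denied_by(SCP, "ec2:RunInstances", "arn:aws:iam::111122223333:root"))
```

SCPs do not apply to the organization's management account, so this statement restricts the root user only in member accounts under the targeted org unit.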