Posted On: Dec 1, 2024

Today, we announce the general availability of declarative policies, a new management policy type in Amazon Organizations. These policies simplify how customers enforce durable intent, such as a baseline configuration for Amazon Web Services services, across their organization. For example, with a few clicks or commands, customers can use a declarative policy to configure Amazon EC2 to allow instance launches only from AMIs vended by specific providers and to block public access in their Amazon VPC, for their entire organization.

Declarative policies are designed to prevent actions that do not comply with the policy. The configuration defined in a declarative policy is maintained even when services add new APIs or features, or when customers add new principals or accounts to their organization. With declarative policies, governance teams have access to an account status report that shows the current configuration of an Amazon Web Services service across their organization, which helps them assess readiness to enforce that configuration at scale. Administrators can also give end users additional transparency by configuring a custom error message in the declarative policy that redirects them to an internal wiki or ticketing system when an action is blocked.

To get started, navigate to the Amazon Organizations console to create and attach declarative policies. You can also use the Amazon CLI or Amazon CloudFormation templates to configure these policies. Declarative policies today support Amazon EC2, Amazon EBS and Amazon VPC configurations, with support for other services coming soon. To learn more, see the documentation and blog post.
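As an added example (not code from this announcement or from Amazon), the following shell script authors an EC2 declarative policy covering the three controls described above (allowed AMI providers, VPC block public access, and a custom error message pointing at an internal wiki) and shows the Organizations CLI calls that enable the policy type, create the policy and attach it. The attribute names in the policy document follow the documented declarative-policy syntax as I understand it and should be checked against the current reference; `ROOT_ID`, `TARGET_ID` and the wiki URL are placeholders; the `aws` CLI is assumed to be configured with management-account credentials when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the announcement or AWS): author an EC2 declarative
# policy and apply it with the Organizations CLI.
# Assumptions: attribute names follow the documented declarative-policy syntax
# as I understand it (verify against the reference); ROOT_ID / TARGET_ID are
# placeholders; `aws` has management-account credentials when DRY_RUN=0.

ROOT_ID="${ROOT_ID:-r-PLACEHOLDER}"        # organization root id (placeholder)
TARGET_ID="${TARGET_ID:-ou-PLACEHOLDER}"   # OU or account to attach to (placeholder)
POLICY_FILE="${POLICY_FILE:-./ec2-baseline-policy.json}"

# Print the policy document. Each block maps to one statement in the
# announcement: allowed AMI providers, VPC block public access, and the custom
# error message. "@@assign" sets a value that child OUs/accounts cannot override.
declarative_policy_json() {
  cat <<'EOF'
{
  "ec2_attributes": {
    "exception_message": {
      "@@assign": "Blocked by the EC2 baseline policy. See https://wiki.example.internal/ec2-baseline"
    },
    "allowed_images_settings": {
      "state": { "@@assign": "enabled" },
      "image_criteria": {
        "criteria_1": {
          "allowed_image_providers": { "@@assign": [ "amazon" ] }
        }
      }
    },
    "vpc_block_public_access": {
      "internet_gateway_block": {
        "mode": { "@@assign": "block_ingress" },
        "exclusions_allowed": { "@@assign": "enabled" }
      }
    }
  }
}
EOF
}

# Pre-flight check without jq: does the document set a given attribute?
policy_has_key() {
  declarative_policy_json | grep -q "\"$1\""
}

# Count "@@assign" statements so a reviewer can confirm every intended control
# is present before the policy is attached.
count_assignments() {
  declarative_policy_json | grep -c '"@@assign"'
}

# Enable the policy type on the root (one-time), create the policy, attach it.
apply_policy() {
  declarative_policy_json > "$POLICY_FILE"
  # Enabling an already-enabled policy type fails; that is fine here.
  aws organizations enable-policy-type \
    --root-id "$ROOT_ID" --policy-type DECLARATIVE_POLICY_EC2 || true
  policy_id=$(aws organizations create-policy \
    --name ec2-baseline \
    --description "EC2 baseline: Amazon-provided AMIs only, block VPC public ingress" \
    --type DECLARATIVE_POLICY_EC2 \
    --content "file://$POLICY_FILE" \
    --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$TARGET_ID"
  echo "attached $policy_id to $TARGET_ID"
}

# Only touch the organization when explicitly asked; the default is a dry run
# that prints the document for review.
if [ "${DRY_RUN:-1}" = "0" ]; then
  apply_policy
else
  echo "dry run: $(count_assignments) assignments in policy document"
  declarative_policy_json
fi
```

Review the printed document, then run with `DRY_RUN=0 ROOT_ID=r-... TARGET_ID=ou-...` from the management account. Attaching to a small test OU first and reading the account status report for that OU is the sensible way to confirm the baseline before widening the target.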