ResourcePolicy
The ResourcePolicy resource lets you manage AWS Organizations resource policies, which define permissions for your AWS accounts and organizational units.
Minimal Example
Create a basic resource policy with necessary content and tags.
import AWS from "alchemy/aws/control";

const resourcePolicy = await AWS.Organizations.ResourcePolicy("basicResourcePolicy", {
  Content: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*", // matches any principal
        Action: "organizations:DescribeAccounts",
        Resource: "*"
      }
    ]
  },
  Tags: [
    { Key: "Environment", Value: "Development" }
  ]
});
Advanced Configuration
Define a more complex resource policy with multiple statements and additional properties.
const advancedResourcePolicy = await AWS.Organizations.ResourcePolicy("advancedResourcePolicy", {
  Content: {
    Version: "2012-10-17",
    Statement: [
      {
        // Let the CloudFormation service principal list accounts
        Effect: "Allow",
        Principal: { Service: "cloudformation.amazonaws.com" },
        Action: "organizations:ListAccounts",
        Resource: "*"
      },
      {
        // Explicitly deny organization deletion to account 123456789012
        Effect: "Deny",
        Principal: { AWS: "arn:aws:iam::123456789012:root" },
        Action: "organizations:DeleteOrganization",
        Resource: "*"
      }
    ]
  },
  Tags: [
    { Key: "Project", Value: "ResourceManagement" }
  ],
  adopt: true // adopt an existing resource instead of failing if one already exists
});
Use Case: Restricting Access
Implement a resource policy to restrict access to a specific account.
const restrictedAccessPolicy = await AWS.Organizations.ResourcePolicy("restrictedAccessPolicy", {
  Content: {
    Version: "2012-10-17",
    Statement: [
      {
        // Grant read-only actions to a single named IAM user
        Effect: "Allow",
        Principal: { AWS: "arn:aws:iam::098765432109:user/SpecificUser" },
        Action: [
          "organizations:DescribeOrganizationalUnits",
          "organizations:ListAccounts"
        ],
        Resource: "*"
      },
      {
        // Deny describing this one organizational unit to every principal
        Effect: "Deny",
        Principal: "*",
        Action: "organizations:DescribeOrganizationalUnits",
        Resource: "arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-exampleouid"
      }
    ]
  }
});
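A pre-deployment check for the `Content` documents above, as an added example that is not part of alchemy or the original page: `auditPolicy` and its types are hypothetical names, and the two sample policies are constructed to mirror the Minimal Example and the Restricting Access example. It flags `Allow` statements whose principal or action is a wildcard, since those grant access more broadly than a named principal does.

```typescript
// Added example: all names here (auditPolicy, Finding, ...) are hypothetical, not alchemy APIs.
type OneOrMany = string | string[];
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS?: OneOrMany; Service?: OneOrMany };
  Action: OneOrMany;
  Resource: OneOrMany;
  Condition?: Record<string, unknown>;
}
interface PolicyDocument { Version: string; Statement: Statement[] }
interface Finding { index: number; issue: string }

// Policy fields accept a single string or an array; normalize to an array.
const toList = (v?: OneOrMany): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];
// True when the principal is "*" or { AWS: "*" }, i.e. not a named principal.
function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  if (typeof p === "string") return p === "*";
  return toList(p.AWS).some((arn) => arn === "*");
}

function auditPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  doc.Statement.forEach((s, index) => {
    if (s.Effect !== "Allow") return; // Deny statements do not grant access
    if (isWildcardPrincipal(s.Principal) && !s.Condition) {
      findings.push({ index, issue: "Allow to wildcard principal without Condition" });
    }
    if (toList(s.Action).some((a) => a.indexOf("*") !== -1)) {
      findings.push({ index, issue: "Allow with wildcard action" });
    }
  });
  return findings;
}

// Constructed samples mirroring the Minimal Example and Restricting Access policies.
const minimalContent: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "organizations:DescribeAccounts", Resource: "*" }],
};
const restrictedContent: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::098765432109:user/SpecificUser" },
      Action: ["organizations:DescribeOrganizationalUnits", "organizations:ListAccounts"], Resource: "*" },
    { Effect: "Deny", Principal: "*", Action: "organizations:DescribeOrganizationalUnits", Resource: "*" },
  ],
};
console.log(auditPolicy(minimalContent), auditPolicy(restrictedContent));
```

Run the check on a `Content` object before passing it to `AWS.Organizations.ResourcePolicy`; an empty result means no `Allow` statement in the document uses a wildcard principal or action.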