本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 获取有关组织策略的信息
本主题介绍了各种可用来获取您组织中策略的详细信息的方法。这些过程适用于*所有* 策略类型。您必须先在组织根中启用一个策略类型,然后才能将该类型的策略附加到组织根中的任何实体。
**Topics**
+ [列出所有策略](#list-all-pols-in-org)
+ [列出附加的策略](#list-all-pols-in-entity)
+ [列出所有附件](#list-all-entities-attached-to-pol)
+ [获取有关策略的详细信息](#get-details-about-pol)
## 列出所有策略
**最小权限**
要列出组织中的策略,您必须拥有以下权限:
`organizations:ListPolicies`
您可以使用 AWS Command Line Interface (AWS CLI) 命令 AWS 管理控制台 或 AWS SDK 操作在或中查看组织中的政策。
### AWS 管理控制台
**列出组织中的所有策略**
1. 登录 [AWS Organizations 控制台](https://console.aws.amazon.com/organizations/v2)。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录([不推荐](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials))。
1. 在 **[Policies (策略)](https://console.aws.amazon.com/organizations/v2/home/policies)** 页面上,选择要列出的策略。
如果启用了指定的策略类型,则控制台将显示组织中当前可用的该类型所有策略的列表。
1. 返回到 **[Policies (策略)](https://console.aws.amazon.com/organizations/v2/home/policies)** 页面,然后对每种策略类型重复此操作。
### AWS CLI & AWS SDKs
以下代码示例演示如何使用 `ListPolicies`。
------
#### [ .NET ]
**适用于 .NET 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Organizations#code-examples)中查找完整示例,了解如何进行设置和运行。
```
using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;
///
/// Shows how to list the AWS Organizations policies associated with an
/// organization.
///
public class ListPolicies
{
///
/// Initializes an Organizations client object, and then calls its
/// ListPoliciesAsync method.
///
public static async Task Main()
{
// Create the client object using the default account.
IAmazonOrganizations client = new AmazonOrganizationsClient();
// The value for the Filter parameter is required and must must be
// one of the following:
// AISERVICES_OPT_OUT_POLICY
// BACKUP_POLICY
// SERVICE_CONTROL_POLICY
// TAG_POLICY
var request = new ListPoliciesRequest
{
Filter = "SERVICE_CONTROL_POLICY",
MaxResults = 5,
};
var response = new ListPoliciesResponse();
try
{
do
{
response = await client.ListPoliciesAsync(request);
response.Policies.ForEach(p => DisplayPolicies(p));
if (response.NextToken is not null)
{
request.NextToken = response.NextToken;
}
}
while (response.NextToken is not null);
}
catch (AWSOrganizationsNotInUseException ex)
{
Console.WriteLine(ex.Message);
}
}
///
/// Displays information about the Organizations policies associated
/// with an organization.
///
/// An Organizations policy summary to display
/// information on the console.
private static void DisplayPolicies(PolicySummary policy)
{
string policyInfo = $"{policy.Id} {policy.Name}\t{policy.Description}";
Console.WriteLine(policyInfo);
}
}
```
+ 有关 API 的详细信息,请参阅 *适用于 .NET 的 AWS SDK API 参考[ListPolicies](https://docs.aws.amazon.com/goto/DotNetSDKV3/organizations-2016-11-28/ListPolicies)*中的。
------
#### [ CLI ]
**AWS CLI**
**检索特定类型组织中所有策略的列表**
以下示例向您展示了如何获取 filter 参数所指定的列表: SCPs
```
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
```
输出包括含摘要信息的策略列表:
```
{
"Policies": [
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllS3Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid111",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid111",
"Description": "Enables account admins to delegate permissions for any S3 actions to users and roles in their accounts."
},
{
"Type": "SERVICE_CONTROL_POLICY",
"Name": "AllowAllEC2Actions",
"AwsManaged": false,
"Id": "p-examplepolicyid222",
"Arn": "arn:aws:organizations::111111111111:policy/service_control_policy/p-examplepolicyid222",
"Description": "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts."
},
{
"AwsManaged": true,
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess"
}
]
}
```
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/list-policies.html)*中的。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/organizations#code-examples)中查找完整示例,了解如何进行设置和运行。
```
def list_policies(policy_filter, orgs_client):
"""
Lists the policies for the account, limited to the specified filter.
:param policy_filter: The kind of policies to return.
:param orgs_client: The Boto3 Organizations client.
:return: The list of policies found.
"""
try:
response = orgs_client.list_policies(Filter=policy_filter)
policies = response["Policies"]
logger.info("Found %s %s policies.", len(policies), policy_filter)
except ClientError:
logger.exception("Couldn't get %s policies.", policy_filter)
raise
else:
return policies
```
+ 有关 API 的详细信息,请参阅适用[ListPolicies](https://docs.aws.amazon.com/goto/boto3/organizations-2016-11-28/ListPolicies)于 *Python 的AWS SDK (Boto3) API 参考*。
------
#### [ SAP ABAP ]
**适用于 SAP ABAP 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/org#code-examples)中查找完整示例,了解如何进行设置和运行。
```
TRY.
oo_result = lo_org->listpolicies( " oo_result is returned for testing purposes. "
iv_filter = iv_filter ).
DATA(lt_policies) = oo_result->get_policies( ).
MESSAGE 'Retrieved list of policies.' TYPE 'I'.
CATCH /aws1/cx_orgaccessdeniedex.
MESSAGE 'You do not have permission to list policies.' TYPE 'E'.
CATCH /aws1/cx_orgawsorgsnotinuseex.
MESSAGE 'Your account is not a member of an organization.' TYPE 'E'.
ENDTRY.
```
+ 有关 API 的详细信息,请参阅适用[ListPolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。
------
## 列出附加到根、OU 或账户的策略
**最小权限**
要列出附加到您组织中的根、组织部门(OU)或账户的策略,您必须拥有以下权限:
`organizations:ListPoliciesForTarget`,且同一条策略语句中有一个 `Resource` 元素包含所指定目标的 Amazon Resource Name(ARN)(或“\$1”)。
------
#### [ AWS 管理控制台 ]
**列出直接附加到所指定根、OU 或账户的所有策略**
1. 登录 [AWS Organizations 控制台](https://console.aws.amazon.com/organizations/v2)。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录([不推荐](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials))。
1. 在**[AWS 账户](https://console.aws.amazon.com/organizations/v2/home/accounts)**页面上,选择要查看其策略的根、OU 或账户的名称。您可能需要展开 OUs (选择![\[Gray cloud icon representing cloud computing or storage services.\]](http://docs.aws.amazon.com/zh_cn/organizations/latest/userguide/images/console-expand.png))才能找到所需的 OU。
1. 在根、OU 或账户页面上,选择 **Policies (策略)** 选项卡。
**Policies (策略)** 选项卡显示附加到该根、OU 或账户的所有策略,并按策略类型分组。
------
#### [ AWS CLI & AWS SDKs ]
**列出直接附加到所指定根、OU 或账户的所有策略**
可以使用以下命令之一列出附加到实体的策略:
+ AWS CLI: [list-policies-for-target](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-policies-for-target.html)
以下示例列出了附加到指定 OU 的所有服务控制策略。您必须同时指定根、OU 或账户的 ID,以及要列出的策略类型。
```
$ aws organizations list-policies-for-target \
--target-id ou-a1b2-f6g7h222 \
--filter SERVICE_CONTROL_POLICY
{
"Policies": [
{
"Id": "p-FullAWSAccess",
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"Name": "FullAWSAccess",
"Description": "Allows access to every operation",
"Type": "SERVICE_CONTROL_POLICY",
"AwsManaged": true
}
]
}
```
+ AWS SDKs: [ListPoliciesForTarget](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListPoliciesForTarget.html)
------
## 列出策略所关联的所有根和账户 OUs
**最小权限**
要列出策略附加到的实体,您必须拥有以下权限:
`organizations:ListTargetsForPolicy`,且同一条策略语句中有一个 `Resource` 元素包含所指定策略的 ARN(或“\$1”)。
------
#### [ AWS 管理控制台 ]
**列出所有关联了指定策略的根和账户 OUs**
1. 登录 [AWS Organizations 控制台](https://console.aws.amazon.com/organizations/v2)。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录([不推荐](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials))。
1. 在 **[Policies (策略)](https://console.aws.amazon.com/organizations/v2/home/policies)** 页面上,选择策略类型,然后选择要检查其附件的策略的名称。
1. 选择 **Targets (目标)** 选项卡,以显示所选策略附加到的每个根、OU 和账户的表。
------
#### [ AWS CLI & AWS SDKs ]
**列出所有关联了指定策略的根和账户 OUs**
可以使用以下命令之一列出具有策略的实体:
+ AWS CLI: [list-targets-for-policy](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-targets-for-policy.html)
以下示例显示了指定策略的 root OUs、和账户的所有附件。
```
$ aws organizations list-targets-for-policy \
--policy-id p-FullAWSAccess
{
"Targets": [
{
"TargetId": "ou-a1b2-f6g7h111",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
"Name": "testou2",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "ou-a1b2-f6g7h222",
"Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h222",
"Name": "testou1",
"Type": "ORGANIZATIONAL_UNIT"
},
{
"TargetId": "123456789012",
"Arn": "arn:aws:organizations::123456789012:account/o-aa111bb222/123456789012",
"Name": "My Management Account (bisdavid)",
"Type": "ACCOUNT"
},
{
"TargetId": "r-a1b2",
"Arn": "arn:aws:organizations::123456789012:root/o-aa111bb222/r-a1b2",
"Name": "Root",
"Type": "ROOT"
}
]
}
```
+ AWS SDKs: [ListTargetsForPolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListTargetsForPolicy.html)
------
## 获取有关策略的详细信息
**最小权限**
要显示策略的详细信息,您必须拥有以下权限:
`organizations:DescribePolicy`,且同一条策略语句中有一个 `Resource` 元素包含所指定策略的 ARN(或“\$1”)。
### AWS 管理控制台
**获取有关策略的详细信息**
1. 登录 [AWS Organizations 控制台](https://console.aws.amazon.com/organizations/v2)。您必须以 IAM 用户的身份登录,担任 IAM 角色;或在组织的管理账户中以根用户的身份登录([不推荐](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials))。
1. 在 **[Policies (策略)](https://console.aws.amazon.com/organizations/v2/home/policies)** 页面上,选择要检查的策略类型,然后选择策略的名称。
策略页面显示有关策略的可用信息,包括 ARN、描述和附加项。
+ **Content (内容)** 选项卡以 JSON 格式显示策略的当前内容。
+ “**目标**” 选项卡显示策略所关联的根和账户的列表。 OUs
+ **Tags (标签)** 选项卡显示附加到策略的标签。注意:Tags (标签) 选项卡不可用于 AWS 托管式策略。
要编辑策略,请选择 **Edit policy (编辑策略)**。由于每种策略类型都有不同的编辑要求,因此请参阅有关指定策略类型的创建和更新策略相关说明。
### AWS CLI & AWS SDKs
以下代码示例演示如何使用 `DescribePolicy`。
------
#### [ CLI ]
**AWS CLI**
**获取有关策略的信息**
以下示例演示如何请求有关策略的信息:
```
aws organizations describe-policy --policy-id p-examplepolicyid111
```
输出包括一个策略对象,其中包含有关策略的详细信息:
```
{
"Policy": {
"Content": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"PolicySummary": {
"Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
"Type": "SERVICE_CONTROL_POLICY",
"Id": "p-examplepolicyid111",
"AwsManaged": false,
"Name": "AllowAllS3Actions",
"Description": "Enables admins to delegate S3 permissions"
}
}
}
```
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[DescribePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/describe-policy.html)*中的。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/organizations#code-examples)中查找完整示例,了解如何进行设置和运行。
```
def describe_policy(policy_id, orgs_client):
"""
Describes a policy.
:param policy_id: The ID of the policy to describe.
:param orgs_client: The Boto3 Organizations client.
:return: The description of the policy.
"""
try:
response = orgs_client.describe_policy(PolicyId=policy_id)
policy = response["Policy"]
logger.info("Got policy %s.", policy_id)
except ClientError:
logger.exception("Couldn't get policy %s.", policy_id)
raise
else:
return policy
```
+ 有关 API 的详细信息,请参阅适用[DescribePolicy](https://docs.aws.amazon.com/goto/boto3/organizations-2016-11-28/DescribePolicy)于 *Python 的AWS SDK (Boto3) API 参考*。
------
#### [ SAP ABAP ]
**适用于 SAP ABAP 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/org#code-examples)中查找完整示例,了解如何进行设置和运行。
```
TRY.
oo_result = lo_org->describepolicy( " oo_result is returned for testing purposes. "
iv_policyid = iv_policy_id ).
DATA(lo_policy) = oo_result->get_policy( ).
MESSAGE 'Retrieved policy details.' TYPE 'I'.
CATCH /aws1/cx_orgaccessdeniedex.
MESSAGE 'You do not have permission to describe the policy.' TYPE 'E'.
CATCH /aws1/cx_orgpolicynotfoundex.
MESSAGE 'The specified policy does not exist.' TYPE 'E'.
ENDTRY.
```
+ 有关 API 的详细信息,请参阅适用[DescribePolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)于 S *AP 的AWS SDK ABAP API 参考*。
------