Organization Policies
© 2026 Sonrai Security. All rights reserved.
Overview

Organization Policies lets you bring your own AWS organization-level policies — Service Control Policies (SCPs) and Resource Control Policies (RCPs) — into Cloud Permissions Firewall (CPF) and manage them from one place. Instead of editing policies by hand in the AWS console or maintaining custom automation, you use CPF as the single deployment and governance engine for your organization's policies.
With Organization Policies you can:
- See every policy in your organization: CPF shows all SCPs and RCPs deployed across your AWS Organization, including policies it did not create, along with where each one is attached.
- Import existing policies: convert policies that were deployed outside Sonrai into CPF-managed policies, so you can edit, attach, and deploy them through CPF.
- Deploy at scale: CPF deploys policies with full awareness of your AWS Organizations structure, hierarchy, and inheritance rules.
- Optimize policy space: CPF helps you stay within AWS quota limits by managing how policy content is consolidated and split.
Managed vs. Unmanaged Policies
Every organization policy CPF displays is either managed or unmanaged. The distinction determines what you can do with it.
- Unmanaged: a policy that exists in your cloud but was not created by CPF. You can view it and see where it is attached, but you cannot edit it from CPF. CPF cannot directly attach or detach an unmanaged policy.
- Managed: a policy that CPF creates and controls. You can edit it, attach and detach it at the appropriate scope, and deploy changes through CPF's standard deployment process.
CPF hides its own internally-managed policies and the AWS FullAWSAccess policy from this view, so you see only the policies that are meaningful to manage.
To move a policy from unmanaged to managed, you import it — see Import an Existing Policy below.
The Organization Policies Screen
Open Organization Policies from the left navigation (grouped under Controls). It lists every SCP and RCP in your AWS Organization. Use Quick Search to filter the list, toggle Show Unattached Policies to include policies that aren't currently attached anywhere, and select to create a new managed policy.
Each row describes one policy:
| Column | Description |
|---|---|
| Name | The policy name. A Has Conflicts badge appears here when both a CPF-managed policy and its original unmanaged copy are attached at the same scope — see Resolve a Policy Conflict. |
| Type | The policy type — SCP or RCP. |
| Description | The policy's description. |
| Modified | When the policy was last changed. |
| Managed By | Whether the policy is Managed by CPF or Unmanaged (see Managed vs. Unmanaged Policies). |
| Status | Where the policy is attached relative to the scope you are viewing (see Status). |
| Action | The action available at the current scope — for example Manage (import an unmanaged policy), Attach, or Detach. |
![[AI GENERATED] The Organization Policies screen in Cloud Permissions Firewall, listing the organization's SCPs and RCPs with their type, management status, and attachment scope.](/cpf-public/img/cpf-interface/controls/organization-policies/cpf-organization-policies-overview-light.png)
Policy Types
CPF displays the policy type using a friendly name rather than the raw AWS identifier. The most common types you manage today are:
| Friendly name | Purpose |
|---|---|
| Service Control Policy (SCP) | Enforces the maximum permission boundary for IAM users and roles. |
| Resource Control Policy (RCP) | Limits cross-account access to specific AWS resources. |
AWS supports additional organization policy types (for example, Tag, Backup, and Declarative policies). Organization Policies focuses on the SCP and RCP types that govern access in your environment.
Status
The Status column shows where a policy is attached relative to the scope you are currently viewing:
| Status | Meaning |
|---|---|
| Attached | The policy is attached directly at the selected scope. |
| Attached Below | The policy is attached at a scope beneath the one you are viewing. |
| Inherited Attached | The policy applies to the current scope because it is attached at a higher scope and inherited down. |
| Pending | A change to the policy has been staged and is waiting to be deployed from the Pending Changes screen. |
Whether a policy is Managed or Unmanaged is shown separately in the Managed By column.
Because organization policies follow AWS inheritance rules, a single policy can show different statuses depending on the scope you are viewing.
Attachment Detail
Selecting a policy opens a side panel showing its attachment status for each scope at and below your current scope. Each row lists the Scope, its Scope Type (Org, OU, or Account), the attachment Status, and an available Action. Use Quick Search to find a specific scope, or toggle Show Unattached Scopes to include scopes where the policy isn't attached.
![[AI GENERATED] The Organization Policies attachment detail panel in Cloud Permissions Firewall, listing each scope at and below the current scope with its scope type, attachment status, and available action.](/cpf-public/img/cpf-interface/controls/organization-policies/cpf-organization-policies-flyout-light.png)
Import an Existing Policy
Importing converts an unmanaged policy into a CPF-managed policy. Once managed, you can edit the policy and attach or detach it through CPF.
Because CPF cannot directly attach or detach a policy that was applied outside CPF, the original unmanaged policy must be detached and the new managed policy re-deployed in its place. CPF tracks this for you and tells you exactly what to do.
How importing works:
- Select an unmanaged policy and choose to manage (import) it. CPF stages the change.
- On the Pending Changes screen, a warning banner notifies you that the original unmanaged policy must be detached and gives explicit detachment instructions — for example, "Detach policy X from scope Y."
- Deploy the new managed policy from the Pending Changes screen.
- Detach the original unmanaged policy as instructed.
If you do not detach the original policy and there is not enough policy space at the scope, deployment fails — the same way it does for any other control that exceeds available SCP or RCP space.
Resolve a Policy Conflict
A Has Conflicts badge means both a CPF-managed policy and the original unmanaged copy of that policy are attached at the same scope. This happens when you import and attach a policy through CPF but don't detach the original policy you created outside CPF — leaving two duplicate policies attached and wasting attachment space.
To clear the conflict, detach the original unmanaged policy from the scope. The CPF-managed copy stays in place.
Example:
You write your own SCP, BlockRootUsers, and attach it at the organization root. In CPF you then manage that policy, attach the managed copy at the root, and deploy. After the deploy, both the original and the managed copy are attached at the root, so CPF shows a Has Conflicts badge. Detach the original BlockRootUsers policy to clear the conflict and reclaim the attachment space.
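The Status values above, the Has Conflicts condition, and the "Detach policy X from scope Y" instruction all follow from the same two facts: the organization tree and where each policy is attached. The following Python is an added example, not CPF's code, that models them on a constructed org hierarchy and a constructed policy set mirroring the BlockRootUsers scenario; the `Policy` dataclass, the `imported_from` link between a managed copy and its original, and the scope identifiers are assumptions made for the example. It generalizes slightly beyond the page by also deciding what happens when a policy is attached both above and below the viewed scope (the inherited status wins, since the policy does apply at that scope).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample hierarchy: scope -> parent scope (None for the root).
PARENT = {
    "r-root": None,
    "ou-prod": "r-root",
    "ou-dev": "r-root",
    "111111111111": "ou-prod",
    "222222222222": "ou-prod",
    "333333333333": "ou-dev",
}


@dataclass
class Policy:
    policy_id: str
    name: str
    policy_type: str                     # "SCP" or "RCP"
    managed: bool                        # True = CPF-managed, False = unmanaged
    imported_from: Optional[str] = None  # id of the unmanaged original (assumed link)
    attached_to: set = field(default_factory=set)


# Constructed sample: an unmanaged SCP, its imported managed copy (both still
# attached at the root, i.e. the conflict case), and a managed SCP on one OU.
POLICIES = [
    Policy("p-orig", "BlockRootUsers", "SCP", managed=False, attached_to={"r-root"}),
    Policy("p-mgd", "BlockRootUsers", "SCP", managed=True, imported_from="p-orig",
           attached_to={"r-root"}),
    Policy("p-region", "DenyUnapprovedRegions", "SCP", managed=True,
           attached_to={"ou-prod"}),
]


def ancestors(scope):
    """Yield parent, grandparent, ... up to and including the root."""
    cur = PARENT[scope]
    while cur is not None:
        yield cur
        cur = PARENT[cur]


def descendants(scope):
    """All scopes strictly beneath `scope`."""
    return {s for s in PARENT if scope in ancestors(s)}


def status(policy, scope):
    """Attachment status of `policy` relative to the viewed `scope`.

    Follows AWS inheritance: a direct attachment wins, then an attachment at a
    higher scope (inherited down), then one somewhere beneath. None means the
    policy is not attached anywhere relevant to this scope.
    """
    if scope in policy.attached_to:
        return "Attached"
    if any(a in policy.attached_to for a in ancestors(scope)):
        return "Inherited Attached"
    if policy.attached_to & descendants(scope):
        return "Attached Below"
    return None


def conflict_scopes(policies):
    """Scopes where a managed policy and its unmanaged original are both
    attached: the condition behind the Has Conflicts badge."""
    by_id = {p.policy_id: p for p in policies}
    out = {}
    for p in policies:
        orig = by_id.get(p.imported_from) if p.managed else None
        if orig is not None:
            shared = p.attached_to & orig.attached_to
            if shared:
                out[p.policy_id] = sorted(shared)
    return out


def detach_instructions(policies):
    """The explicit instructions the Pending Changes banner gives the operator."""
    by_id = {p.policy_id: p for p in policies}
    lines = []
    for managed_id, scopes in conflict_scopes(policies).items():
        orig_id = by_id[managed_id].imported_from
        for s in scopes:
            lines.append(f"Detach policy {by_id[orig_id].name} ({orig_id}) from scope {s}")
    return lines


def rows(policies, scope, show_unattached=False):
    """One row per policy as the screen lists them for the viewed scope;
    `show_unattached` mirrors the Show Unattached Policies toggle."""
    conflicts = conflict_scopes(policies)
    out = []
    for p in policies:
        st = status(p, scope)
        if st is None and not show_unattached:
            continue
        out.append({
            "Name": p.name,
            "Type": p.policy_type,
            "Managed By": "Managed by CPF" if p.managed else "Unmanaged",
            "Status": st,
            "Has Conflicts": bool(conflicts.get(p.policy_id)),
        })
    return out


if __name__ == "__main__":
    for r in rows(POLICIES, "111111111111"):
        print(r)
    for line in detach_instructions(POLICIES):
        print("WARNING:", line)
```

Running it for account 111111111111 shows all three policies as Inherited Attached, with the Has Conflicts flag set on both BlockRootUsers rows and a single banner line telling you to detach the original from r-root; removing "r-root" from the original's `attached_to` (what the manual detach does) clears both.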
Edit a Managed Policy
Once a policy is managed, you can edit its content directly in CPF. CPF accepts customer-supplied SCPs and RCPs in JSON or YAML, and validates the policy as you edit so you can catch problems before deploying.
After you save a change, CPF stages it as a pending change. Deploy it from the Pending Changes screen to apply it to your AWS Organization.
Unmanaged policies cannot be edited. Import a policy first to make it managed, then edit it.
Attach and Detach Policies
Organization Policies follows AWS's native attach/detach model. You navigate to the scope — organization root, organizational unit (OU), or account — where you want a policy to apply, and attach or detach it there. This mirrors how AWS Organizations works, so the behavior matches what you already expect from the AWS console.
When you attach or detach a managed policy, CPF stages the change and applies it on deployment, respecting your organization's hierarchy and inheritance rules.
Deploy Changes
All managed-policy changes — imports, edits, attachments, and detachments — are staged as pending changes and applied through CPF's standard deployment process.
On the Pending Changes screen, organization policy changes appear alongside your other staged controls, each labeled with its Policy Type and target Scope. When a change requires you to detach an existing unmanaged policy first, a warning banner at the top of the screen lists each policy you must manually detach — and the scope to detach it from — before deploying.
![[AI GENERATED] The Pending Changes screen in Cloud Permissions Firewall showing staged organization policy changes and a warning banner listing the unmanaged policies to detach before deploying.](/cpf-public/img/cpf-interface/controls/organization-policies/cpf-organization-policies-pending-changes-light.png)
Reference: See Deploying Changes in AWS for how CPF deploys staged changes through CloudFormation.
Manage Policy Space
AWS enforces limits on how many policies you can attach at each scope and how large each policy can be. Organization Policies helps you stay within those limits by consolidating and intelligently splitting policy content, freeing up scarce SCP and RCP slots and avoiding quota exhaustion.
Before importing several large policies, review your available policy space. Consolidating overlapping policies and removing unused ones gives CPF more room to deploy and manage your organization's policies.
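To make the quota arithmetic concrete, here is an added Python example (not CPF's code) that measures SCP documents the way a size limit applies to the serialized JSON, reports how many attachment slots remain at a scope, and consolidates the statements of several small policies into as few documents as the size limit allows, which is the kind of consolidation that frees slots. The quota constants are assumptions taken from the AWS Organizations documentation at the time of writing (5 policies of a type per root, OU, or account; 5,120 characters per document) and should be checked against the current AWS quotas page; the three sample SCPs are constructed for the example.

```python
import json

# Assumed AWS Organizations quotas (verify against the current AWS quotas page).
MAX_POLICIES_PER_TARGET = 5
MAX_POLICY_BYTES = 5120
POLICY_VERSION = "2012-10-17"

# Constructed sample: three one-statement SCPs that each occupy a slot.
SAMPLE_SCPS = [
    {"Version": POLICY_VERSION, "Statement": [
        {"Sid": "DenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
    {"Version": POLICY_VERSION, "Statement": [
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
    {"Version": POLICY_VERSION, "Statement": [
        {"Sid": "DenyDisableGuardDuty", "Effect": "Deny",
         "Action": ["guardduty:DeleteDetector",
                    "guardduty:DisassociateFromMasterAccount"],
         "Resource": "*"}]},
]


def policy_size(doc):
    """Character count of the minified JSON document; whitespace you submit
    counts against the limit, so minify before measuring or deploying."""
    return len(json.dumps(doc, separators=(",", ":")))


def slots_remaining(attached_count):
    """Attachment slots left for a policy type at one root, OU, or account."""
    return MAX_POLICIES_PER_TARGET - attached_count


def consolidate(policies, max_bytes=MAX_POLICY_BYTES):
    """First-fit packing of every statement into documents <= max_bytes.

    Statement order within the input is preserved. Raises ValueError if a
    single statement cannot fit in a document by itself, since no split
    of the policy content could satisfy the limit.
    """
    docs = []
    for pol in policies:
        for stmt in pol["Statement"]:
            for doc in docs:
                candidate = {"Version": POLICY_VERSION,
                             "Statement": doc["Statement"] + [stmt]}
                if policy_size(candidate) <= max_bytes:
                    doc["Statement"].append(stmt)
                    break
            else:
                fresh = {"Version": POLICY_VERSION, "Statement": [stmt]}
                if policy_size(fresh) > max_bytes:
                    raise ValueError(f"statement {stmt.get('Sid')} exceeds {max_bytes} bytes alone")
                docs.append(fresh)
    return docs


def freed_slots(policies, docs):
    """Slots reclaimed at a scope by replacing `policies` with `docs`."""
    return len(policies) - len(docs)


if __name__ == "__main__":
    merged = consolidate(SAMPLE_SCPS)
    print(f"{len(SAMPLE_SCPS)} policies -> {len(merged)} document(s), "
          f"{freed_slots(SAMPLE_SCPS, merged)} slot(s) freed")
    print("slots left after attaching merged docs:", slots_remaining(len(merged)))
```

With the default limit the three sample SCPs fit in one document and two slots come back; shrinking `max_bytes` demonstrates the split case, where the packer falls back to one statement per document rather than exceeding the limit. Deploying a consolidated document replaces several attachments with one, so the detach of the originals still has to happen, exactly as with an import.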
Reference: Learn how CPF uses Service Control Policies (SCPs) and Resource Control Policies (RCPs), including how to optimize your SCP space.