
Organization Policies




© 2026 Sonrai Security. All rights reserved.

Overview

This feature is currently available for AWS

Organization Policies lets you bring your own AWS organization-level policies — Service Control Policies (SCPs) and Resource Control Policies (RCPs) — into Cloud Permissions Firewall (CPF) and manage them from one place. Instead of editing policies by hand in the AWS console or maintaining custom automation, you use CPF as the single deployment and governance engine for your organization's policies.

With Organization Policies you can:

See every policy in your organization

CPF shows all SCPs and RCPs deployed across your AWS Organization — including policies it did not create — along with where each one is attached.

Import existing policies

Convert policies that were deployed outside Sonrai into CPF-managed policies, so you can edit, attach, and deploy them through CPF.

Deploy at scale

CPF deploys policies with full awareness of your AWS Organizations structure, hierarchy, and inheritance rules.

Optimize policy space

CPF helps you stay within AWS quota limits by managing how policy content is consolidated and split.


Managed vs. Unmanaged Policies

Every organization policy CPF displays is either managed or unmanaged. The distinction determines what you can do with it.

Unmanaged

A policy that exists in your cloud but was not created by CPF. You can view it and see where it is attached, but you cannot edit it from CPF. CPF cannot directly attach or detach an unmanaged policy.

Managed

A policy that CPF creates and controls. You can edit it, attach and detach it at the appropriate scope, and deploy changes through CPF's standard deployment process.


info

CPF hides its own internally-managed policies and the AWS FullAWSAccess policy from this view, so you see only the policies that are meaningful to manage.

To move a policy from unmanaged to managed, you import it — see Import an Existing Policy below.


The Organization Policies Screen

Open Organization Policies from the left navigation (grouped under Controls). It lists every SCP and RCP in your AWS Organization. Use Quick Search to filter the list, toggle Show Unattached Policies to include policies that are not currently attached anywhere, or create a new managed policy from the same screen.

Each row describes one policy:

| Column | Description |
|---|---|
| Name | The policy name. A Has Conflicts badge appears here when both a CPF-managed policy and its original unmanaged copy are attached at the same scope (see Resolve a Policy Conflict). |
| Type | The policy type: SCP or RCP. |
| Description | The policy's description. |
| Modified | When the policy was last changed. |
| Managed By | Whether the policy is Managed by CPF or Unmanaged (see Managed vs. Unmanaged Policies). |
| Status | Where the policy is attached relative to the scope you are viewing (see Status). |
| Action | The action available at the current scope, for example Manage (import an unmanaged policy), Attach, or Detach. |
[AI GENERATED] The Organization Policies screen in Cloud Permissions Firewall, listing the organization's SCPs and RCPs with their type, management status, and attachment scope.

Policy Types

CPF displays the policy type using a friendly name rather than the raw AWS identifier. The two types Organization Policies manages are:

| Friendly name | AWS policy type | What it governs |
|---|---|---|
| Service Control Policy (SCP) | SERVICE_CONTROL_POLICY | Sets the maximum permissions available to IAM users and roles (including the root user) in member accounts. An SCP never grants permissions by itself. |
| Resource Control Policy (RCP) | RESOURCE_CONTROL_POLICY | Sets the maximum permissions available on resources in your accounts, whichever principal calls them; typically used to limit cross-account access to those resources. |
info

AWS supports additional organization policy types (for example, Tag, Backup, and Declarative policies). Organization Policies focuses on the SCP and RCP types that govern access in your environment.

Status

The Status column shows where a policy is attached relative to the scope you are currently viewing:

| Status | Meaning |
|---|---|
| Attached | The policy is attached directly at the selected scope. |
| Attached Below | The policy is attached at a scope beneath the one you are viewing. |
| Inherited Attached | The policy applies to the current scope because it is attached at a higher scope and inherited down. |
| Pending | A change to the policy has been staged and is waiting to be deployed from the Pending Changes screen. |

Whether a policy is Managed or Unmanaged is shown separately in the Managed By column.

info

Because organization policies follow AWS inheritance rules, a single policy can show different statuses depending on the scope you are viewing.

Attachment Detail

Selecting a policy opens a side panel showing its attachment status for each scope at and below your current scope. Each row lists the Scope, its Scope Type (Org, OU, or Account), the attachment Status, and an available Action. Use Quick Search to find a specific scope, or toggle Show Unattached Scopes to include scopes where the policy isn't attached.

[AI GENERATED] The Organization Policies attachment detail panel in Cloud Permissions Firewall, listing each scope at and below the current scope with its scope type, attachment status, and available action.
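The Status values and the attachment detail panel described above follow directly from AWS Organizations inheritance, so they can be computed from two things: the parent of each scope and the direct targets of each policy. The script below is an added example, not Sonrai or AWS code. Its hierarchy, account IDs and policy IDs are constructed; in practice you would fill PARENT and ATTACHMENTS from the Organizations API (list_roots, list_organizational_units_for_parent, list_accounts_for_parent, list_policies, list_targets_for_policy). The precedence it applies when a policy is attached both above and below the viewed scope is an assumption, not something the page states.

```python
"""Effective attachment status of an organization policy relative to a viewed scope.

Added example, not Sonrai or AWS code. Hierarchy, account IDs and policy IDs are
constructed (hypothetical).
"""
from __future__ import annotations

# Constructed hierarchy: child scope -> parent scope. The root has no parent.
PARENT = {
    "ou-prod": "r-root",
    "ou-dev": "r-root",
    "111111111111": "ou-prod",
    "222222222222": "ou-prod",
    "333333333333": "ou-dev",
}
SCOPE_TYPE = {
    "r-root": "Org", "ou-prod": "OU", "ou-dev": "OU",
    "111111111111": "Account", "222222222222": "Account", "333333333333": "Account",
}

# Constructed direct attachments: policy id -> scopes it is attached to
# (what list_targets_for_policy returns, reduced to target ids).
ATTACHMENTS = {
    "p-denyroot":   {"r-root"},        # attached at the root: inherited by every OU and account
    "p-regionlock": {"ou-prod"},       # attached at one OU
    "p-sandbox":    {"333333333333"},  # attached directly to one account
}


def ancestors(scope: str) -> list[str]:
    """Scopes above `scope`, nearest first, ending at the root."""
    chain = []
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def descendants(scope: str) -> set[str]:
    """Every scope strictly beneath `scope`."""
    return {s for s in PARENT if scope in ancestors(s)}


def status(policy_id: str, scope: str) -> str:
    """Status of one policy as seen from `scope`.

    Precedence when several apply (an assumption, not stated on the page):
    a direct attachment wins, then an inherited one, then one attached below.
    """
    targets = ATTACHMENTS.get(policy_id, set())
    if scope in targets:
        return "Attached"
    if targets & set(ancestors(scope)):
        return "Inherited Attached"
    if targets & descendants(scope):
        return "Attached Below"
    return "Not Attached"


def effective_policies(scope: str) -> set[str]:
    """Policies AWS evaluates for `scope`: those attached at it or at any ancestor.

    An action must be allowed at every level on the path and denied at none,
    so this is the set whose combined effect governs principals in `scope`.
    """
    levels = set([scope, *ancestors(scope)])
    return {p for p, targets in ATTACHMENTS.items() if targets & levels}


def attachment_detail(policy_id: str, scope: str, show_unattached: bool = False) -> list[tuple[str, str, str]]:
    """Rows like the side panel: (scope, scope type, status) for `scope` and everything below it."""
    rows = []
    for s in [scope, *sorted(descendants(scope))]:
        st = status(policy_id, s)
        if show_unattached or st != "Not Attached":
            rows.append((s, SCOPE_TYPE[s], st))
    return rows


if __name__ == "__main__":
    for row in attachment_detail("p-regionlock", "r-root", show_unattached=True):
        print(*row)
```

Viewed from the root, p-regionlock reports Attached Below; viewed from ou-prod it is Attached; viewed from the two accounts under ou-prod it is Inherited Attached, which is why one policy shows different statuses depending on the scope you select.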

Import an Existing Policy

Importing converts an unmanaged policy into a CPF-managed policy. Once managed, you can edit the policy and attach or detach it through CPF.

Because CPF cannot directly attach or detach a policy that was applied outside CPF, the original unmanaged policy must be detached and the new managed policy re-deployed in its place. CPF tracks this for you and tells you exactly what to do.

How importing works:

  1. Select an unmanaged policy and choose to manage (import) it. CPF stages the change.
  2. On the Pending Changes screen, a warning banner notifies you that the original unmanaged policy must be detached and gives explicit detachment instructions — for example, "Detach policy X from scope Y."
  3. Deploy the new managed policy from the Pending Changes screen.
  4. Detach the original unmanaged policy as instructed.

warning

If you do not detach the original policy and the scope has no free SCP or RCP slot, the deployment fails, just as it does for any other control that exceeds the available policy space at that scope. When the scope is already at its attachment limit, you must detach the original before you deploy; that briefly leaves the control unenforced until the managed copy is in place, so deploy first whenever a slot is free.

Resolve a Policy Conflict

A Has Conflicts badge means both a CPF-managed policy and the original unmanaged copy of that policy are attached at the same scope. This happens when you import and attach a policy through CPF but don't detach the original policy you created outside CPF — leaving two duplicate policies attached and wasting attachment space.

To clear the conflict, detach the original unmanaged policy from the scope. The CPF-managed copy stays in place.

Example:

You write your own SCP, BlockRootUsers, and attach it at the organization root. In CPF you then manage that policy, attach the managed copy at the root, and deploy. After the deploy, both the original and the managed copy are attached at the root, so CPF shows a Has Conflicts badge. Detach the original BlockRootUsers policy to clear the conflict and reclaim the attachment space.
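The conflict above is detectable without the badge: two documents with the same content attached to the same target of the same type. The script below is an added example, not Sonrai code, and it also covers step 4 of the import procedure by producing the detach calls. The snapshot is constructed; the policy IDs, the Managed flag and the managed copy's name are hypothetical, as is the way CPF marks its own policies. The BlockRootUsers document is written out as a standard deny-root-user SCP.

```python
"""Find duplicate SCP/RCP attachments at one scope (the Has Conflicts case) and
plan the detachments that clear them.

Added example, not Sonrai code. Snapshot is constructed; policy IDs and the
Managed flag are hypothetical.
"""
import hashlib
import json
from collections import defaultdict

# The page's BlockRootUsers example, written out as a deny-root-user SCP.
BLOCK_ROOT_USERS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

# The same document as a managed copy might store it: keys reordered, which a
# byte-for-byte comparison would miss.
BLOCK_ROOT_USERS_MANAGED = {
    "Statement": [{
        "Effect": "Deny",
        "Resource": "*",
        "Action": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        "Sid": "DenyRootUser",
    }],
    "Version": "2012-10-17",
}

DENY_LEAVE_ORG = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyLeave", "Effect": "Deny",
                   "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}

# Constructed snapshot: policy id -> type, whether CPF manages it, document, direct targets.
SNAPSHOT = {
    "p-aaaa1111": {"Name": "BlockRootUsers", "Type": "SCP", "Managed": False,
                   "Content": BLOCK_ROOT_USERS, "Targets": {"r-root"}},
    "p-bbbb2222": {"Name": "BlockRootUsers", "Type": "SCP", "Managed": True,
                   "Content": BLOCK_ROOT_USERS_MANAGED, "Targets": {"r-root", "ou-dev"}},
    "p-cccc3333": {"Name": "DenyLeaveOrg", "Type": "SCP", "Managed": False,
                   "Content": DENY_LEAVE_ORG, "Targets": {"r-root"}},
}


def canonical_hash(content: dict) -> str:
    """Hash the document with sorted keys and no whitespace so formatting does not
    matter. Semantic equivalences such as "*" versus ["*"] are not normalised."""
    blob = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def find_conflicts(snapshot: dict) -> list[dict]:
    """Groups of policies with identical content attached at the same scope."""
    groups = defaultdict(list)
    for pid, p in snapshot.items():
        for target in p["Targets"]:
            groups[(target, p["Type"], canonical_hash(p["Content"]))].append(pid)
    return [{"target": t, "type": ty, "policies": sorted(pids)}
            for (t, ty, _), pids in groups.items() if len(pids) > 1]


def detach_plan(snapshot: dict, conflicts: list[dict]) -> list[tuple[str, str]]:
    """(policy id, target id) pairs to detach: the unmanaged copies in every group
    that also holds a managed copy. Groups with no managed copy are left alone."""
    plan = []
    for c in conflicts:
        if any(snapshot[p]["Managed"] for p in c["policies"]):
            plan += [(p, c["target"]) for p in c["policies"] if not snapshot[p]["Managed"]]
    return sorted(plan)


def apply_plan(plan: list[tuple[str, str]], client=None) -> None:
    """Detach each pair through the Organizations API; with no client, only describe the calls."""
    for pid, target in plan:
        if client is None:
            print(f"dry run: detach_policy(PolicyId={pid!r}, TargetId={target!r})")
        else:
            client.detach_policy(PolicyId=pid, TargetId=target)


if __name__ == "__main__":
    apply_plan(detach_plan(SNAPSHOT, find_conflicts(SNAPSHOT)))
```

Only the root shows a conflict: the managed copy is also attached at ou-dev, but nothing duplicates it there, so that attachment is left in place. Pass a boto3 Organizations client to apply_plan to actually detach; the dry run is the default so the plan can be reviewed against the Pending Changes banner first.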


Edit a Managed Policy

Once a policy is managed, you can edit its content directly in CPF. CPF accepts customer-supplied SCPs and RCPs in JSON or YAML, and validates the policy as you edit so you can catch problems before deploying.

After you save a change, CPF stages it as a pending change. Deploy it from the Pending Changes screen to apply it to your AWS Organization.

info

Unmanaged policies cannot be edited. Import a policy first to make it managed, then edit it.


Attach and Detach Policies

Organization Policies follows AWS's native attach/detach model. You navigate to the scope — organization root, organizational unit (OU), or account — where you want a policy to apply, and attach or detach it there. This mirrors how AWS Organizations works, so the behavior matches what you already expect from the AWS console.

When you attach or detach a managed policy, CPF stages the change and applies it on deployment, respecting your organization's hierarchy and inheritance rules.


Deploy Changes

All managed-policy changes — imports, edits, attachments, and detachments — are staged as pending changes and applied through CPF's standard deployment process.

On the Pending Changes screen, organization policy changes appear alongside your other staged controls, each labeled with its Policy Type and target Scope. When a change requires you to detach an existing unmanaged policy first, a warning banner at the top of the screen lists each policy you must manually detach — and the scope to detach it from — before deploying.

[AI GENERATED] The Pending Changes screen in Cloud Permissions Firewall showing staged organization policy changes and a warning banner listing the unmanaged policies to detach before deploying.

Reference: See Deploying Changes in AWS for how CPF deploys staged changes through CloudFormation.


Manage Policy Space

AWS enforces limits on how many policies of each type you can attach at each scope and on how large each policy document can be. Organization Policies helps you stay within those limits by merging policy content into fewer documents where it is attached at the same scope and by splitting documents that would exceed the size limit, which frees scarce SCP and RCP attachment slots and avoids quota exhaustion.

tip

Before importing several large policies, review your available policy space. Consolidating overlapping policies and removing unused ones gives CPF more room to deploy and manage your organization's policies.

Reference: Learn how CPF uses Service Control Policies (SCPs) and Resource Control Policies (RCPs), including how to optimize your SCP space.