Amazon Web Services announces declarative policies

Posted on: Dec 1, 2024

Today, AWS announces the general availability of declarative policies, a new management policy type within AWS Organizations. These policies simplify the way customers enforce durable intent, such as baseline configuration for AWS services within their organization. For example, customers can configure EC2 to allow instance launches using AMIs vended by specific providers and block public access in their VPC with a few simple clicks or commands for their entire organization using declarative policies.

Declarative policies are designed to prevent actions that are non-compliant with the policy. The configuration defined in the declarative policy is maintained even when services add new APIs or features, or when customers add new principals or accounts to their organization. With declarative policies, governance teams have access to the account status report which provides insight into the current configuration for an AWS service across their organization. This helps them access readiness to enforce configuration at scale. Administrators can provide additional transparency to end users by configuring custom error messages to redirect them to internal wikis or ticketing systems through declarative policies.

To get started, navigate to the AWS Organizations console to create and attach declarative policies. You can also use AWS Control Tower, AWS CLI or CloudFormation templates to configure these policies. Declarative policies today support EC2, EBS and VPC configurations with support for other services coming soon. To learn more see documentation and blog post.