Puppet Task: organizations_aws_detach_policy

Defined in:: tasks/organizations_aws_detach_policy.json,
tasks/organizations_aws_detach_policy.rb

Overview

Detaches a policy from a target root, organizational unit (OU), or account. If the policy being detached is a service control policy (SCP), the changes to permissions for IAM users and roles in affected accounts are immediate. Note: Every root, OU, and account must have at least one SCP attached. If you want to replace the default FullAWSAccess policy with one that limits the permissions that can be delegated, then you must attach the replacement policy before you can remove the default one. This is the authorization strategy of whitelisting. If you instead attach a second SCP and leave the FullAWSAccess SCP still attached, and specify 'Effect': 'Deny' in the second SCP to override the 'Effect': 'Allow' in the FullAWSAccess policy (or any other attached SCP), then you are using the authorization strategy of blacklisting. This operation can be called only from the organization's master account.

Supports noop? false

Parameters

policy_id (Optional[String[1]]) —
target_id (Optional[String[1]]) —