Declarative policies are a new feature of AWS Organizations that lets you express and enforce the desired configuration for a specific AWS service at scale across your organization.
Customers frequently establish organization-wide requirements for how cloud resources are configured. For instance, they may need to block public access to Amazon EBS snapshots. They want such guidelines to be defined once, in a central place, and applied to all of their accounts, including accounts that join the organization later. They also want a cloud operator who tries to set up a resource in a way that does not meet the standard to receive a helpful, actionable error message that explains how to correct the configuration.
Declarative policies address these difficulties by letting you specify and enforce the desired configuration for AWS services with a few clicks or commands. Once you attach a policy, AWS automatically ensures that the intended state is enforced throughout your multi-account environment (or the portion of it you target).
For example, you can choose to “block public access for VPCs.” This approach simplifies reaching the intended configuration, and once it has been set, the configuration stays in force even as new features or APIs are added.
Declarative policies also give administrators visibility into the current state of service attributes across their environment. Unlike access control policies, which by design reveal nothing to unauthorized users, declarative policies let end users see customized error messages configured by their organization's administrators, directing them to internal resources or support channels.
The ABSA Group operates in a highly regulated environment and, as it adopts new services, uses AWS Config rules to detect violations and service control policy (SCP) exclusions to restrict actions. However, every new feature or API requires them to add another exception.
Declarative policies currently support the following services: Amazon Elastic Block Store (Amazon EBS), Amazon Virtual Private Cloud (Amazon VPC), and Amazon Elastic Compute Cloud (Amazon EC2). The available service attributes include enforcing IMDSv2, allowing troubleshooting through the serial console, allowed Amazon Machine Image (AMI) settings, and blocking public access to Amazon EBS snapshots, Amazon EC2 AMIs, and VPCs. A declarative policy attached at the organization, organizational unit (OU), or account level is inherited by accounts added later.
You can manage declarative policies with AWS Control Tower, AWS CloudFormation, the AWS Command Line Interface (AWS CLI), or the AWS Organizations console. Policies can be attached at the account, OU, or organization level. Once attached, declarative policies block non-compliant actions whether they are initiated by an AWS service using a service-linked role or by an AWS Identity and Access Management (IAM) role you created.
How to begin using declarative policies
Select Policies in the navigation pane of the AWS Organizations console. In the list of supported policy types, select Declarative policies for EC2.

To activate the feature, select Enable declarative policies for EC2.

Once declarative policies are enabled, you can specify and apply the required EC2 configuration to every account in your AWS organization.
As the organization's administrator, you can use the account status report, a feature of declarative policies, to learn the current state of your AWS environment before you create any declarative policies. The report covers all accounts and AWS Regions within the chosen organizational scope and is available both as a summary view and as a detailed CSV file. It helps you assess readiness before attaching a policy.
On the next page, select Generate status report. Under Report S3 URI, choose an Amazon Simple Storage Service (Amazon S3) bucket, then select the accounts and OUs to include in the report's scope.
Note that for the S3 bucket to receive the status report, the following bucket policy must be applied to it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeclarativePoliciesReportBucket",
      "Effect": "Allow",
      "Principal": {
        "Service": ["report.declarative-policies-ec2.amazonaws.com"]
      },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<bucketName>/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:<partition>:declarative-policies-ec2:<region>:<accountId>:*"
        }
      }
    }
  ]
}
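As an added example (not code from the original post), the following Python checks that a report bucket policy contains the statement above with its scoping intact: the report service principal, only s3:PutObject, the bucket's own ARN, and the aws:SourceArn condition that prevents the service from being used as a confused deputy by another account. The bucket name, partition, Region and account ID are constructed placeholders.

```python
REPORT_SERVICE = "report.declarative-policies-ec2.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def page_bucket_policy(bucket, partition, region, account_id):
    """The bucket policy shown above with its <placeholders> filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DeclarativePoliciesReportBucket",
        "Effect": "Allow",
        "Principal": {"Service": [REPORT_SERVICE]},
        "Action": ["s3:PutObject"],
        "Resource": f"arn:{partition}:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "aws:SourceArn": f"arn:{partition}:declarative-policies-ec2:{region}:{account_id}:*"}},
    }]}


def check_report_bucket_policy(policy, bucket, partition, region, account_id):
    """Return findings for the report bucket policy; [] means it is correctly scoped.
    The aws:SourceArn condition ties the grant to reports generated in your own
    account, so nobody else can point the report service at this bucket."""
    expected_resource = f"arn:{partition}:s3:::{bucket}/*"
    expected_source = f"arn:{partition}:declarative-policies-ec2:{region}:{account_id}:*"
    findings, found = [], False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: wildcard principal grants every AWS identity access")
            continue
        if not isinstance(principal, dict) or REPORT_SERVICE not in _as_list(principal.get("Service")):
            continue  # some other statement; not what this check is about
        found = True
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect must be Allow")
        extra = set(_as_list(stmt.get("Action"))) - {"s3:PutObject"}
        if extra:
            findings.append(f"{sid}: actions beyond s3:PutObject granted: {sorted(extra)}")
        if _as_list(stmt.get("Resource")) != [expected_resource]:
            findings.append(f"{sid}: Resource should be exactly {expected_resource}")
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
        if _as_list(source) != [expected_source]:
            findings.append(f"{sid}: missing or wrong aws:SourceArn condition, expected {expected_source}")
    if not found:
        findings.append(f"no statement grants {REPORT_SERVICE} access to the bucket")
    return findings
```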
When the report is finished, it is saved to the S3 bucket you designated. On the View account status report page, the Reports menu lets you choose among several reports to see the current state of the different attributes.

You can examine the detailed readiness report in the CSV file in the S3 bucket you supplied and review the current state across the accounts in your organizational unit.
After evaluating the account status, proceed to create a policy. On the Declarative policies for EC2 page, select Create policy.
To control which AMIs may be used, select Allowed Image Settings as a second attribute. This is useful because it lets you ensure that every instance launch uses a golden AMI produced by an account or group of accounts in your organization, or one supplied by a provider such as Ubuntu or Amazon. Under Allowed Image Settings, select Enabled.
Declarative policies reduce end-user frustration by providing transparency and customizable error messages. When members of the organization are unable to carry out a restricted action, you can choose to show them a custom error message. Select Create policy to finish creating the policy.
Now you have to attach the policy to your organization or to particular OUs. Under Actions, select Attach policy.
Select the organization or the particular OUs, then choose Attach policy.
When an account joins an organization or an OU, the attached declarative policy takes effect immediately: all subsequent non-compliant operations fail, and in the case of VPC Block Public Access, public access is restricted right away. The account's existing resources are not removed.
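As an added example, not code from the original post, the following Python builds the policy document for the two settings configured in the steps above (Allowed Image Settings with a provider list, and a custom error message) and then creates and attaches it with boto3. The attribute key names are assumed to follow the declarative policy syntax for EC2 and should be checked against the AWS Organizations documentation; the provider list, message and target IDs are constructed placeholders.

```python
import json
import re


def build_ec2_declarative_policy(image_providers, exception_message):
    """Build the policy document for Allowed Image Settings plus a custom error message.

    Assumption: key names follow the EC2 declarative policy syntax as I recall it.
    Providers are the keyword "amazon" or a 12-digit account ID (a golden-AMI
    account in your organization or a third-party publisher's account)."""
    if not exception_message.strip():
        raise ValueError("exception_message must tell users where to get help")
    for p in image_providers:
        if p != "amazon" and not re.fullmatch(r"\d{12}", p):
            raise ValueError(f"unsupported image provider: {p!r}")
    return {
        "ec2_attributes": {
            "exception_message": {"@@assign": exception_message},
            "allowed_images_settings": {
                "state": {"@@assign": "enabled"},
                "image_criteria": {
                    "criteria_1": {
                        "allowed_image_providers": {"@@assign": list(image_providers)}
                    }
                },
            },
        }
    }


def create_and_attach(policy_doc, name, target_ids):
    """Create the policy and attach it to each target (root, OU or account ID).

    Not executed by the tests; needs credentials in the management account with
    organizations:CreatePolicy and organizations:AttachPolicy."""
    import boto3  # imported lazily so the module loads without boto3 installed
    org = boto3.client("organizations")
    resp = org.create_policy(
        Name=name,
        Description="Golden-AMI-only launches with a custom error message",
        Type="DECLARATIVE_POLICY_EC2",
        Content=json.dumps(policy_doc),
    )
    policy_id = resp["Policy"]["PolicySummary"]["Id"]
    for target in target_ids:
        org.attach_policy(PolicyId=policy_id, TargetId=target)
    return policy_id
```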
Now available
By reducing the complexity of policy administration, ensuring uniform enforcement across accounts, and giving administrators and end users transparency, declarative policies simplify governance for AWS customers.
Declarative policies are now available in the AWS commercial Regions, AWS GovCloud (US), and the China Regions.