config:PutOrganizationConfigRule

Write

config:PutOrganizationConfigRule is a Write access-level action in the config service. Grants permission to add or update organization config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations

Resource types

ARNs that config:PutOrganizationConfigRule can be scoped to in an IAM policy.

arn:${Partition}:config:${Region}:${Account}:organization-config-rule/${OrganizationConfigRuleId}
OrganizationConfigRule

Condition keys

Keys you can use in the Condition block of a policy that grants config:PutOrganizationConfigRule.

aws:ResourceTag/${TagKey} String

Filters access by tag-value associated with the resource

Dependent actions

To use config:PutOrganizationConfigRule you may also need to grant:

Example IAM policy

A minimal policy that allows config:PutOrganizationConfigRule. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConfigPutOrganizationConfigRule",
      "Effect": "Allow",
      "Action": "config:PutOrganizationConfigRule",
      "Resource": "*"
    }
  ]
}

Related actions in config

View all config actions →