# How can I attach an AWS Organization policy to a child account or Organizational Unit (OU)?

Scenario:-  
To attach a policy to a child account or an Organizational Unit (OU) in AWS Organizations, follow these steps:

* **Log In to AWS Management Console:**
    
    * Use the **management account** or a delegated administrator account for AWS Organizations.
        
* **Navigate to AWS Organizations:**
    
    * Open the [AWS Organizations Console](https://console.aws.amazon.com/organizations/).
        
* **Access Policies:**
    
    * In the left-hand menu, click on **Policies** and choose the type of policy (e.g., Service Control Policies, Tag Policies, etc.).
        
* **Select and Attach Policy:**
    
    * Find the policy you want to attach and click on it.
        
    * Click **Attach Policy**, then select the target (OU or child account) from the list.
        
    * Confirm the action by clicking **Attach** again.
        
* **Review Effective Policies:**
    
    * Navigate to the **Accounts** section in AWS Organizations.
        
    * Select the account or OU and click **Effective Policies** to verify the applied policies.
        

### Scenario:

When you log in with a child account and attempt to add an organization-level policy, you receive the error:

## *"****You don't have permission to see this page because the management account has not granted you permission to view policies.****"*

### Resolution:

This error occurs because organization-level policies can only be managed by the **management account** or delegated administrator accounts. Child accounts do not have default permissions to view or add these policies.

#### Steps to Resolve:

1. **Verify Account Roles and Permissions:**
    
    * Ensure you are logged in with a child account.
        
    * Check if there are Service Control Policies (SCPs) applied to the child account that restrict access.
        
2. **Contact the Management Account Administrator:**
    
    * Request the management account administrator to grant permissions to your child account for viewing policies.
        
    
    Example SCP to allow policy viewing:
    
    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:DescribePolicy",
                    "organizations:ListPolicies",
                    "organizations:AttachPolicy"
                ],
                "Resource": "*"
            }
        ]
    }
    ```
    
3. **Use the Management Account for Policy Management:**
    
    * If permissions cannot be granted, ask the management account administrator to log in and perform the required actions.
        
4. **Delegate Access with IAM Roles:**
    
    * The management account can create a role with necessary permissions and allow the child account to assume the role.
        
    * Example Role Policy for Delegation:
        
    * ```json
          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Action": [
                          "organizations:DescribePolicy",
                          "organizations:ListPolicies",
                          "organizations:AttachPolicy"
                      ],
                      "Resource": "*"
                  }
              ]
          }
        ```
        
5. **Attach Policies Through Delegated Access:**
    
    * Once access is delegated, the child account can assume the role and attach policies to specific OUs or accounts.
        

### Important Notes:

* Policies must be attached from the **management account** unless permissions are explicitly delegated.
    
* SCPs applied at the root or OU level might restrict child account permissions.
