Attaches a policy to a root, an organizational unit (OU), or an individual
account. How the policy affects accounts depends on the type of policy.
Refer to the AWS Organizations User Guide for information about
each policy type:
Creates an AWS account that is automatically a member of the organization
whose credentials made the request. This is an asynchronous request that
AWS performs in the background. Because CreateAccount
operates asynchronously, it can return a successful completion message
even though account initialization might still be in progress. You might
need to wait a few minutes before you can successfully access the account.
To check the status of the request, do one of the following:
Creates an AWS organization. The account whose user is calling the
CreateOrganization operation automatically becomes the management
account of the new organization.
Creates an organizational unit (OU) within a root or parent OU. An OU is a
container for accounts that enables you to organize your accounts to apply
policies according to your business requirements. How deeply you can nest
OUs depends on the policy types enabled for that root. For service control
policies, the limit is five.
Deletes the organization. You can delete an organization only by using
credentials from the management account. The organization must be empty of
member accounts.
Deletes the specified policy from your organization. Before you perform
this operation, you must first detach the policy from all organizational
units (OUs), roots, and accounts.
Removes the specified member AWS account as a delegated administrator for
the specified AWS service.
You can run this action only for AWS services that support this feature.
For a current list of services that support it, see the column Supports
Delegated Administrator in the table at AWS
Services that you can use with AWS Organizations in the AWS
Organizations User Guide.
Returns the contents of the effective policy for the specified policy type
and account. The effective policy is the aggregation of any policies of the
specified type that the account inherits, plus any policy of that type
that is directly attached to the account.
Retrieves information about a previously requested handshake. The
handshake ID comes from the response to the original
InviteAccountToOrganization operation that generated the handshake.
Detaches a policy from a target root, organizational unit (OU), or
account.
Every root, OU, and account must have at least one SCP attached. If you
want to replace the default FullAWSAccess policy with an SCP that limits
the permissions that can be delegated, you must attach the replacement SCP
before you can remove the default SCP. This is the authorization strategy
of an "allow list". If you instead attach a second SCP and leave the
FullAWSAccess SCP still attached, and specify "Effect": "Deny" in the
second SCP to override the "Effect": "Allow" in the FullAWSAccess policy
(or any other attached SCP), you're using the authorization strategy of a
"deny list".
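As an added example that is not part of the AWS documentation, the following Python models how SCPs attached at the root, an OU and an account combine, and walks through both strategies above: the allow-list replacement (attach the narrow SCP, then detach FullAWSAccess) and the deny-list approach (keep FullAWSAccess and add an explicit Deny). The hierarchy IDs and the flattened policy format are assumptions for illustration; p-FullAWSAccess is the ID of the default SCP.

```python
# Added example, not from the AWS Organizations docs: a local model of how SCPs
# attached at the root, an OU and an account combine, contrasting the allow-list
# and deny-list strategies. Policies are flat sets of action names (real SCPs are
# IAM JSON with wildcards and conditions); tree IDs below are constructed placeholders.
FULL_AWS_ACCESS = {"id": "p-FullAWSAccess", "allow": {"*"}, "deny": set()}

class Target:
    """A root, OU, or account together with the SCPs directly attached to it."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.scps = [FULL_AWS_ACCESS]  # every target starts with the default SCP

    def attach(self, scp):
        self.scps.append(scp)

    def detach(self, policy_id):
        # Mirrors the API rule that a target must always keep at least one SCP.
        if len(self.scps) == 1:
            raise ValueError(f"{self.name}: attach a replacement before detaching the last SCP")
        self.scps = [p for p in self.scps if p["id"] != policy_id]

def level_allows(scps, action):
    """One level: some SCP must allow the action and no SCP there may deny it."""
    allowed = any(action in p["allow"] or "*" in p["allow"] for p in scps)
    denied = any(action in p["deny"] or "*" in p["deny"] for p in scps)
    return allowed and not denied

def effective_allow(account, action):
    """All levels: the action must pass at the account and at every ancestor."""
    node = account
    while node is not None:
        if not level_allows(node.scps, action):
            return False
        node = node.parent
    return True

def build_tree():
    root = Target("r-root")
    ou = Target("ou-prod", parent=root)
    return ou, Target("111122223333", parent=ou)

def effective_under(strategy, action):
    """Apply one strategy to the OU, then evaluate the account's effective access."""
    ou, acct = build_tree()
    if strategy == "allow-list":
        ou.attach({"id": "p-allowlist", "allow": {"s3:GetObject"}, "deny": set()})
        ou.detach("p-FullAWSAccess")  # permitted only now that the replacement is attached
    else:  # deny list: FullAWSAccess stays and an explicit Deny sits beside it
        ou.attach({"id": "p-denylist", "allow": set(), "deny": {"iam:CreateUser"}})
    return effective_allow(acct, action)
```

Both strategies leave the account able to call s3:GetObject and unable to call iam:CreateUser; the allow list does so by listing what is permitted, the deny list by carving exceptions out of FullAWSAccess.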
Disables the integration of an AWS service (the service that is specified
by ServicePrincipal) with AWS Organizations. When you disable
integration, the specified service can no longer create a service-linked
role in new accounts in your organization. This means the
service can't perform operations on your behalf on any new accounts in
your organization. The service can still perform operations in older
accounts until the service completes its clean-up from AWS Organizations.
Disables an organizational policy type in a root. A policy of a certain
type can be attached to entities in a root only if that type is enabled in
the root. After you perform this operation, you can no longer attach
policies of the specified type to that root or to any organizational unit
(OU) or account in that root. You can undo this by using the
EnablePolicyType operation.
Enables all features in an organization. This enables the use of
organization policies that can restrict the services and actions that can
be called in each account. Until you enable all features, you have access
only to consolidated billing, and you can't use any of the advanced
account administration features that AWS Organizations supports. For more
information, see Enabling
All Features in Your Organization in the AWS Organizations User
Guide.
After you enable all features, you can separately enable or disable
individual policy types in a root using EnablePolicyType and
DisablePolicyType. To see the status of policy types in a root, use
ListRoots.
Enables the integration of an AWS service (the service that is specified
by ServicePrincipal) with AWS Organizations. When you enable
integration, you allow the specified service to create a service-linked
role in all the accounts in your organization. This allows the service
to perform operations on your behalf in your organization and its
accounts.
For more information about enabling services to integrate with AWS
Organizations, see Integrating
AWS Organizations with Other AWS Services in the AWS Organizations
User Guide.
Enables a policy type in a root. After you enable a policy type in a root,
you can attach policies of that type to the root, any organizational unit
(OU), or account in that root. You can undo this by using the
DisablePolicyType operation.
Sends an invitation to another account to join your organization as a
member account. AWS Organizations sends email on your behalf to the email
address that is associated with the other account's owner. The invitation
is implemented as a Handshake whose details are in the response.
Removes a member account from its parent organization. This version of the
operation is performed by the account that wants to leave. To remove a
member account as a user in the management account, use
RemoveAccountFromOrganization instead.
Lists all the accounts in the organization. To request only the accounts
in a specified root or organizational unit (OU), use the
ListAccountsForParent operation instead.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the accounts in an organization that are contained by the specified
target root or organizational unit (OU). If you specify the root, you get
a list of all the accounts that aren't in any OU. If you specify an OU,
you get a list of all the accounts in only that OU and not in any child
OUs. To get a list of all accounts in the organization, use the
ListAccounts operation.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Returns a list of the AWS services that you enabled to integrate with your
organization. After a service on this list creates the resources that it
requires for the integration, it can perform operations on your
organization and its accounts.
Lists all of the organizational units (OUs) or accounts that are contained
in the specified parent OU or root. This operation, along with
ListParents, enables you to traverse the tree structure that makes
up this root.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the account creation requests with the specified status that are
currently being tracked for the organization.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the handshakes that are associated with the organization that the
requesting user is part of. The ListHandshakesForOrganization
operation returns a list of handshake structures. Each structure contains
details and status about a handshake.
Lists the organizational units (OUs) in a parent organizational unit or
root.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the root or organizational units (OUs) that serve as the immediate
parent of the specified child OU or account. This operation, along with
ListChildren, enables you to traverse the tree structure that makes
up this root.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Retrieves the list of all policies of a specified type in an organization.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the policies that are directly attached to the specified target
root, organizational unit (OU), or account. You must specify the policy
type that you want included in the returned list.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists the roots that are defined in the current organization.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Lists all the roots, organizational units (OUs), and accounts that the
specified policy is attached to.
This operation can be called only from the organization's management
account or by a member account that is a delegated administrator for an
AWS service.
Enables the specified member account to administer the Organizations
features of the specified AWS service. It grants read-only access to AWS
Organizations service data. The account still requires IAM permissions to
access and administer the AWS service.
Renames the specified organizational unit (OU). The ID and ARN don't
change. The child OUs and accounts remain in place, and any attached
policies of the OU remain attached.
Updates an existing policy with a new name, description, or content. If
you don't supply any parameter, that value remains unchanged. You can't
change a policy's type.