AWS Organizations

2025/09/09 - AWS Organizations - 4 updated api methods

Changes: Documentation updates for AWS Organizations APIs.

DescribeAccount (updated)
Changes (response)
{'Account': {'State': 'PENDING_ACTIVATION | ACTIVE | SUSPENDED | '
                      'PENDING_CLOSURE | CLOSED'}}

Retrieves Organizations-related information about the specified account.

This operation can be called only from the organization's management account or by a member account that is a delegated administrator.

See also: AWS API Documentation

Request Syntax

client.describe_account(
    AccountId='string'
)
type AccountId:

string

param AccountId:

[REQUIRED]

The unique identifier (ID) of the Amazon Web Services account that you want information about. You can get the ID from the ListAccounts or ListAccountsForParent operations.

The regex pattern for an account ID string requires exactly 12 digits.

rtype:

dict

returns:

Response Syntax

{
    'Account': {
        'Id': 'string',
        'Arn': 'string',
        'Email': 'string',
        'Name': 'string',
        'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
        'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
        'JoinedMethod': 'INVITED'|'CREATED',
        'JoinedTimestamp': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • Account (dict) --

      A structure that contains information about the requested account.

      • Id (string) --

        The unique identifier (ID) of the account.

        The regex pattern for an account ID string requires exactly 12 digits.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the account.

        For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

      • Email (string) --

        The email address associated with the Amazon Web Services account.

        The regex pattern for this parameter is a string of characters that represents a standard internet email address.

      • Name (string) --

        The friendly name of the account.

        The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

      • Status (string) --

        The status of the account in the organization.

      • State (string) --

        Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

        For more information about account states and their implications, see Monitor the state of your Amazon Web Services accounts in the Organizations User Guide.

      • JoinedMethod (string) --

        The method by which the account joined the organization.

      • JoinedTimestamp (datetime) --

        The date the account became a part of the organization.

ListAccounts (updated)
Changes (response)
{'Accounts': {'State': 'PENDING_ACTIVATION | ACTIVE | SUSPENDED | '
                       'PENDING_CLOSURE | CLOSED'}}

Lists all the accounts in the organization. To request only the accounts in a specified root or organizational unit (OU), use the ListAccountsForParent operation instead.

This operation can be called only from the organization's management account or by a member account that is a delegated administrator.

See also: AWS API Documentation

Request Syntax

client.list_accounts(
    NextToken='string',
    MaxResults=123
)
type NextToken:

string

param NextToken:

The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call's NextToken response to indicate where the output should continue from.

type MaxResults:

integer

param MaxResults:

The total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

rtype:

dict

returns:

Response Syntax

{
    'Accounts': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Email': 'string',
            'Name': 'string',
            'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
            'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
            'JoinedMethod': 'INVITED'|'CREATED',
            'JoinedTimestamp': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Accounts (list) --

      A list of objects in the organization.

      • (dict) --

        Contains information about an Amazon Web Services account that is a member of an organization.

        • Id (string) --

          The unique identifier (ID) of the account.

          The regex pattern for an account ID string requires exactly 12 digits.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the account.

          For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

        • Email (string) --

          The email address associated with the Amazon Web Services account.

          The regex pattern for this parameter is a string of characters that represents a standard internet email address.

        • Name (string) --

          The friendly name of the account.

          The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

        • Status (string) --

          The status of the account in the organization.

        • State (string) --

          Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

          For more information about account states and their implications, see Monitor the state of your Amazon Web Services accounts in the Organizations User Guide.

        • JoinedMethod (string) --

          The method by which the account joined the organization.

        • JoinedTimestamp (datetime) --

          The date the account became a part of the organization.

    • NextToken (string) --

      If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.
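
An added example (not part of the AWS documentation) that walks every ListAccounts page by NextToken and groups account IDs by the State field described above, placing any value outside the five listed states under UNKNOWN so it gets reviewed rather than silently treated as active. The names iter_accounts, accounts_by_state and StubOrganizations, the tokens and the account IDs are constructed for illustration; with boto3 installed, a real Organizations client can be passed in place of the stub.

```python
from collections import defaultdict

# State values listed in the response syntax above.
KNOWN_STATES = {"PENDING_ACTIVATION", "ACTIVE", "SUSPENDED",
                "PENDING_CLOSURE", "CLOSED"}


def iter_accounts(client):
    """Yield every account, following NextToken until it is absent."""
    kwargs = {}
    while True:
        page = client.list_accounts(**kwargs)
        # A page may hold fewer items than expected (even none) while
        # NextToken is still set, so only NextToken decides when to stop.
        yield from page.get("Accounts", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def accounts_by_state(client):
    """Group account IDs by State; unrecognised values go under UNKNOWN."""
    groups = defaultdict(list)
    for acct in iter_accounts(client):
        state = acct.get("State")
        key = state if state in KNOWN_STATES else "UNKNOWN"
        groups[key].append(acct["Id"])
    return dict(groups)


class StubOrganizations:
    """Constructed stand-in for the client; serves fixed pages offline."""
    PAGES = {
        None: {"Accounts": [{"Id": "111111111111", "State": "ACTIVE"}],
               "NextToken": "t1"},
        "t1": {"Accounts": [], "NextToken": "t2"},  # short page, more to come
        "t2": {"Accounts": [{"Id": "222222222222", "State": "SUSPENDED"},
                            {"Id": "333333333333", "State": "CLOSED"},
                            {"Id": "444444444444", "State": "FUTURE_STATE"}]},
    }

    def list_accounts(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    for state, ids in sorted(accounts_by_state(StubOrganizations()).items()):
        print(state, ids)
```
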

ListAccountsForParent (updated)
Changes (response)
{'Accounts': {'State': 'PENDING_ACTIVATION | ACTIVE | SUSPENDED | '
                       'PENDING_CLOSURE | CLOSED'}}

Lists the accounts in an organization that are contained by the specified target root or organizational unit (OU). If you specify the root, you get a list of all the accounts that aren't in any OU. If you specify an OU, you get a list of all the accounts in only that OU and not in any child OUs. To get a list of all accounts in the organization, use the ListAccounts operation.

This operation can be called only from the organization's management account or by a member account that is a delegated administrator.

See also: AWS API Documentation

Request Syntax

client.list_accounts_for_parent(
    ParentId='string',
    NextToken='string',
    MaxResults=123
)
type ParentId:

string

param ParentId:

[REQUIRED]

The unique identifier (ID) for the parent root or organizational unit (OU) whose accounts you want to list.

type NextToken:

string

param NextToken:

The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call's NextToken response to indicate where the output should continue from.

type MaxResults:

integer

param MaxResults:

The total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

rtype:

dict

returns:

Response Syntax

{
    'Accounts': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Email': 'string',
            'Name': 'string',
            'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
            'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
            'JoinedMethod': 'INVITED'|'CREATED',
            'JoinedTimestamp': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Accounts (list) --

      A list of the accounts in the specified root or OU.

      • (dict) --

        Contains information about an Amazon Web Services account that is a member of an organization.

        • Id (string) --

          The unique identifier (ID) of the account.

          The regex pattern for an account ID string requires exactly 12 digits.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the account.

          For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

        • Email (string) --

          The email address associated with the Amazon Web Services account.

          The regex pattern for this parameter is a string of characters that represents a standard internet email address.

        • Name (string) --

          The friendly name of the account.

          The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

        • Status (string) --

          The status of the account in the organization.

        • State (string) --

          Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

          For more information about account states and their implications, see Monitor the state of your Amazon Web Services accounts in the Organizations User Guide.

        • JoinedMethod (string) --

          The method by which the account joined the organization.

        • JoinedTimestamp (datetime) --

          The date the account became a part of the organization.

    • NextToken (string) --

      If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.

ListAccountsWithInvalidEffectivePolicy (updated)
Changes (response)
{'Accounts': {'State': 'PENDING_ACTIVATION | ACTIVE | SUSPENDED | '
                       'PENDING_CLOSURE | CLOSED'}}

Lists all the accounts in an organization that have invalid effective policies. An invalid effective policy is an effective policy that fails validation checks, resulting in the effective policy not being fully enforced on all the intended accounts within an organization.

This operation can be called only from the organization's management account or by a member account that is a delegated administrator.

See also: AWS API Documentation

Request Syntax

client.list_accounts_with_invalid_effective_policy(
    PolicyType='TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    NextToken='string',
    MaxResults=123
)
type PolicyType:

string

param PolicyType:

[REQUIRED]

The type of policy that you want information about. You can specify one of the following values:

type NextToken:

string

param NextToken:

The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call's NextToken response to indicate where the output should continue from.

type MaxResults:

integer

param MaxResults:

The total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

rtype:

dict

returns:

Response Syntax

{
    'Accounts': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Email': 'string',
            'Name': 'string',
            'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
            'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
            'JoinedMethod': 'INVITED'|'CREATED',
            'JoinedTimestamp': datetime(2015, 1, 1)
        },
    ],
    'PolicyType': 'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Accounts (list) --

      The accounts in the organization which have an invalid effective policy for the specified policy type.

      • (dict) --

        Contains information about an Amazon Web Services account that is a member of an organization.

        • Id (string) --

          The unique identifier (ID) of the account.

          The regex pattern for an account ID string requires exactly 12 digits.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the account.

          For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

        • Email (string) --

          The email address associated with the Amazon Web Services account.

          The regex pattern for this parameter is a string of characters that represents a standard internet email address.

        • Name (string) --

          The friendly name of the account.

          The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

        • Status (string) --

          The status of the account in the organization.

        • State (string) --

          Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

          For more information about account states and their implications, see Monitor the state of your Amazon Web Services accounts in the Organizations User Guide.

        • JoinedMethod (string) --

          The method by which the account joined the organization.

        • JoinedTimestamp (datetime) --

          The date the account became a part of the organization.

    • PolicyType (string) --

      The specified policy type. One of the following values:

    • NextToken (string) --

      If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.