2025/08/12 - AWS Organizations - 2 new api methods
Changes

This release introduces 2 new APIs in Organizations:
1. ListAccountsWithInvalidEffectivePolicy
2. ListEffectivePolicyValidationErrors

list_accounts_with_invalid_effective_policy

Lists all the accounts in an organization that have invalid effective policies. An invalid effective policy is an effective policy that fails validation checks, so the policy is not fully enforced on all the accounts it was meant to cover. For security-relevant policy types (for example SECURITYHUB_POLICY or DECLARATIVE_POLICY_EC2) an account returned here is one where the control you believe is applied is not actually in effect, so treat each result as a compliance gap to remediate rather than a cosmetic warning.
This operation can be called only from the organization's management account or by a member account that is a delegated administrator.
See also: AWS API Documentation
Request Syntax
client.list_accounts_with_invalid_effective_policy(
    PolicyType='TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    NextToken='string',
    MaxResults=123
)
Parameters
PolicyType (string) --
[REQUIRED]
The type of policy that you want information about. You can specify one of the following values: TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, SECURITYHUB_POLICY.
NextToken (string) --
The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call's NextToken response to indicate where the output should continue from.
MaxResults (integer) --
The total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when more results are available, so a short page is not a signal that you have everything. Check NextToken after every call to ensure that you receive all of the results.
Return type: dict
Response Syntax
{
    'Accounts': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Email': 'string',
            'Name': 'string',
            'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
            'JoinedMethod': 'INVITED'|'CREATED',
            'JoinedTimestamp': datetime(2015, 1, 1)
        },
    ],
    'PolicyType': 'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    'NextToken': 'string'
}
Response Structure
(dict) --
Accounts (list) --
The accounts in the organization which have an invalid effective policy for the specified policy type.
(dict) --
Contains information about an Amazon Web Services account that is a member of an organization.
Id (string) --
The unique identifier (ID) of the account.
The regex pattern for an account ID string requires exactly 12 digits.
Arn (string) --
The Amazon Resource Name (ARN) of the account.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.
Email (string) --
The email address associated with the Amazon Web Services account.
The regex pattern for this parameter is a string of characters that represents a standard internet email address.
Name (string) --
The friendly name of the account.
The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.
Status (string) --
The status of the account in the organization.
JoinedMethod (string) --
The method by which the account joined the organization.
JoinedTimestamp (datetime) --
The date the account became a part of the organization.
PolicyType (string) --
The specified policy type. One of the following values: TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, SECURITYHUB_POLICY.
NextToken (string) --
If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.
list_effective_policy_validation_errors

Lists all the validation errors on the effective policy for a specified account and policy type. Use it to find out which attached or inherited policies caused an account to appear in ListAccountsWithInvalidEffectivePolicy and where in the merged policy the failure occurred.
This operation can be called only from the organization's management account or by a member account that is a delegated administrator.
See also: AWS API Documentation
Request Syntax
client.list_effective_policy_validation_errors(
    AccountId='string',
    PolicyType='TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    NextToken='string',
    MaxResults=123
)
Parameters
AccountId (string) --
[REQUIRED]
The ID of the account that you want details about. Specifying an organization root or organizational unit (OU) as the target is not supported; the operation evaluates the effective policy of a single account.
PolicyType (string) --
[REQUIRED]
The type of policy that you want information about. You can specify one of the following values: TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, SECURITYHUB_POLICY.
NextToken (string) --
The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call's NextToken response to indicate where the output should continue from.
MaxResults (integer) --
The total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (is not null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Organizations might return fewer results than the maximum even when more results are available, so a short page is not a signal that you have everything. Check NextToken after every call to ensure that you receive all of the results.
Return type: dict
Response Syntax
{
    'AccountId': 'string',
    'PolicyType': 'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY',
    'Path': 'string',
    'EvaluationTimestamp': datetime(2015, 1, 1),
    'NextToken': 'string',
    'EffectivePolicyValidationErrors': [
        {
            'ErrorCode': 'string',
            'ErrorMessage': 'string',
            'PathToError': 'string',
            'ContributingPolicies': [
                'string',
            ]
        },
    ]
}
Response Structure
(dict) --
AccountId (string) --
The ID of the specified account.
PolicyType (string) --
The specified policy type. One of the following values: TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, SECURITYHUB_POLICY.
Path (string) --
The path in the organization where the specified account exists.
EvaluationTimestamp (datetime) --
The time when the latest effective policy was generated for the specified account.
NextToken (string) --
If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.
EffectivePolicyValidationErrors (list) --
A list of EffectivePolicyValidationError objects. Each one describes a validation error that occurred when generating or enforcing the effective policy, including which policies contributed to the error and where in the policy it occurred.
(dict) --
Contains details about one validation error that occurred when generating or enforcing an effective policy, such as which policies contributed to the error and the location of the error.
ErrorCode (string) --
The error code for the validation error. For example, ELEMENTS_TOO_MANY.
ErrorMessage (string) --
The error message for the validation error.
PathToError (string) --
The path within the effective policy where the validation error occurred.
ContributingPolicies (list) --
The individual policies, both inherited and directly attached to the account, that contributed to the validation error. Because a policy attached to a root or OU is inherited by every account beneath it, the same policy ID will typically appear for many accounts; fixing that one policy is usually the fastest way to clear the invalid state across the organization.
(string) --
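The two operations are meant to be used together: the first one finds the accounts whose effective policy is not being enforced, the second explains why for each of them. The following is an added example of that sweep, not code from AWS or from boto3. It implements the hand-rolled NextToken loop both parameter descriptions call for (stopping only when NextToken is absent, never on a short page), joins the two calls into one report, and ranks the contributing policy IDs so that an inherited policy breaking many accounts surfaces first. To run offline it drives a constructed FakeOrganizationsClient that mimics only these two methods and their documented response shapes; the account IDs, policy IDs (p-inher001 and so on), OU path, email addresses and error paths are all constructed sample data. For real use, pass boto3.client("organizations") obtained from the management account or a delegated administrator in place of the fake.

```python
"""Sweep an organization for accounts whose effective policy failed validation.

Added example, not AWS or boto3 code. It drives the two new operations through
a constructed fake client so it runs offline; pass boto3.client("organizations")
from the management or delegated-administrator account for real use.
"""
from collections import Counter
from datetime import datetime, timezone

# Policy types accepted by both operations (from the request syntax above).
POLICY_TYPES = frozenset({"TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY",
                          "CHATBOT_POLICY", "DECLARATIVE_POLICY_EC2", "SECURITYHUB_POLICY"})


def _paginate(operation, item_key, **params):
    """Yield items under item_key across pages. Only an absent NextToken ends the
    loop: a page shorter than MaxResults is explicitly not a stop signal."""
    token = None
    while True:
        response = operation(**dict(params, NextToken=token)) if token else operation(**params)
        yield from response.get(item_key, [])
        token = response.get("NextToken")
        if not token:
            return


def audit_effective_policies(client, policy_type, max_results=20):
    """Map each account with an invalid effective policy to its validation errors."""
    if policy_type not in POLICY_TYPES:
        raise ValueError(f"unsupported PolicyType: {policy_type}")
    report = {}
    for account in _paginate(client.list_accounts_with_invalid_effective_policy, "Accounts",
                             PolicyType=policy_type, MaxResults=max_results):
        errors = _paginate(client.list_effective_policy_validation_errors,
                           "EffectivePolicyValidationErrors", AccountId=account["Id"],
                           PolicyType=policy_type, MaxResults=max_results)
        report[account["Id"]] = [{"ErrorCode": e["ErrorCode"], "PathToError": e["PathToError"],
                                  "ContributingPolicies": sorted(e.get("ContributingPolicies", []))}
                                 for e in errors]
    return report


def policies_to_fix(report):
    """Count how many validation errors each policy ID contributed to. A policy
    attached high in the OU tree is inherited by many accounts, so the most
    frequent ID is usually the one fix that clears the most accounts."""
    counts = Counter()
    for errors in report.values():
        for err in errors:
            counts.update(err["ContributingPolicies"])
    return counts


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client("organizations") exposing only the two
    new operations with the documented response shapes. Each page holds at most one
    item whatever MaxResults says, to exercise the documented short-page case."""

    def __init__(self, invalid_accounts, errors_by_account):
        self._accounts, self._errors = invalid_accounts, errors_by_account
        self.calls = []  # operation names, to check how pagination behaved

    @staticmethod
    def _page(items, next_token):
        start = int(next_token) if next_token else 0
        token = str(start + 1) if start + 1 < len(items) else None
        return items[start:start + 1], token

    def list_accounts_with_invalid_effective_policy(self, PolicyType, NextToken=None, MaxResults=None):
        self.calls.append("list_accounts_with_invalid_effective_policy")
        page, token = self._page(self._accounts, NextToken)
        response = {"Accounts": page, "PolicyType": PolicyType}
        return dict(response, NextToken=token) if token else response

    def list_effective_policy_validation_errors(self, AccountId, PolicyType, NextToken=None, MaxResults=None):
        self.calls.append("list_effective_policy_validation_errors")
        page, token = self._page(self._errors.get(AccountId, []), NextToken)
        response = {"AccountId": AccountId, "PolicyType": PolicyType,
                    "Path": "/root/ou-workloads/",  # constructed OU path
                    "EvaluationTimestamp": datetime(2025, 8, 12, tzinfo=timezone.utc),
                    "EffectivePolicyValidationErrors": page}
        return dict(response, NextToken=token) if token else response


def build_sample_client():
    """Constructed data: three accounts, the first two inheriting tag policy p-inher001."""
    def account(acct_id, name):
        return {"Id": acct_id, "Name": name, "Email": f"{name}@example.com", "Status": "ACTIVE",
                "Arn": f"arn:aws:organizations::999999999999:account/o-exampleorg/{acct_id}",
                "JoinedMethod": "CREATED", "JoinedTimestamp": datetime(2024, 1, 1, tzinfo=timezone.utc)}

    def error(path, *policies):  # ELEMENTS_TOO_MANY is the error code the docs cite
        return {"ErrorCode": "ELEMENTS_TOO_MANY", "ErrorMessage": "Too many elements in effective policy",
                "PathToError": path, "ContributingPolicies": list(policies)}

    accounts = [account("111111111111", "prod"), account("222222222222", "staging"),
                account("333333333333", "sandbox")]
    errors = {"111111111111": [error("/tags/CostCenter/enforced_for", "p-inher001", "p-local001")],
              "222222222222": [error("/tags/CostCenter/enforced_for", "p-inher001", "p-local002"),
                               error("/tags/Owner/tag_value", "p-inher001")],
              "333333333333": [error("/tags/Team/tag_value", "p-local003")]}
    return FakeOrganizationsClient(accounts, errors)
```

With the sample data, audit_effective_policies(build_sample_client(), "TAG_POLICY") makes three calls to the account listing (one per single-item page) and four to the error listing, and policies_to_fix ranks p-inher001 first because it contributed to three of the four errors. The ValueError on an unsupported PolicyType is deliberate: SERVICE_CONTROL_POLICY is a valid Organizations policy type elsewhere but is not in the enum these two operations accept, and catching that locally is cheaper than a rejected API call.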