Organizations / Client / list_accounts_with_invalid_effective_policy

list_accounts_with_invalid_effective_policy

Organizations.Client.list_accounts_with_invalid_effective_policy(**kwargs)

Lists all the accounts in an organization that have invalid effective policies. An invalid effective policy is an effective policy that fails validation checks, resulting in the effective policy not being fully enforced on all the intended accounts within an organization.

You can only call this operation from the management account or a member account that is a delegated administrator.

See also: AWS API Documentation

Request Syntax

response = client.list_accounts_with_invalid_effective_policy(
    PolicyType='TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY'|'INSPECTOR_POLICY'|'UPGRADE_ROLLOUT_POLICY'|'BEDROCK_POLICY'|'S3_POLICY'|'NETWORK_SECURITY_DIRECTOR_POLICY',
    NextToken='string',
    MaxResults=123
)

Parameters:

• PolicyType (string) –

  [REQUIRED]

  The type of policy that you want information about. You can specify one of the following values:

  • DECLARATIVE_POLICY_EC2

  • BACKUP_POLICY

  • TAG_POLICY

  • CHATBOT_POLICY

  • AISERVICES_OPT_OUT_POLICY

  • SECURITYHUB_POLICY

  • UPGRADE_ROLLOUT_POLICY

  • INSPECTOR_POLICY

  • BEDROCK_POLICY

  • S3_POLICY

  • NETWORK_SECURITY_DIRECTOR_POLICY

• NextToken (string) – The parameter for receiving additional results if you receive a NextToken response in a previous request. A NextToken response indicates that more output is available. Set this parameter to the value of the previous call’s NextToken response to indicate where the output should continue from.

• MaxResults (integer) – The maximum number of items to return in the response. If more results exist than the specified MaxResults value, a token is included in the response so that you can retrieve the remaining results.

Return type:

dict

Returns:

Response Syntax

{
    'Accounts': [
        {
            'Id': 'string',
            'Arn': 'string',
            'Email': 'string',
            'Name': 'string',
            'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
            'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
            'JoinedMethod': 'INVITED'|'CREATED',
            'JoinedTimestamp': datetime(2015, 1, 1)
        },
    ],
    'PolicyType': 'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY'|'INSPECTOR_POLICY'|'UPGRADE_ROLLOUT_POLICY'|'BEDROCK_POLICY'|'S3_POLICY'|'NETWORK_SECURITY_DIRECTOR_POLICY',
    'NextToken': 'string'
}

Response Structure

• (dict) –

  • Accounts (list) –

    The accounts in the organization which have an invalid effective policy for the specified policy type.

    • (dict) –

      Contains information about an Amazon Web Services account that is a member of an organization.

      • Id (string) –

        The unique identifier (ID) of the account.

        The regex pattern for an account ID string requires exactly 12 digits.

      • Arn (string) –

        The Amazon Resource Name (ARN) of the account.

        For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.

      • Email (string) –

        The email address associated with the Amazon Web Services account.

        The regex pattern for this parameter is a string of characters that represents a standard internet email address.

      • Name (string) –

        The friendly name of the account.

        The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

      • Status (string) –

        The status of the account in the organization.

        Warning

        The Status parameter in the Account object will be retired on September 9, 2026. Although both the account State and account Status parameters are currently available in the Organizations APIs ( DescribeAccount, ListAccounts, ListAccountsForParent), we recommend that you update your scripts or other code to use the State parameter instead of Status before September 9, 2026.

      • State (string) –

        Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

        For more information about account states and their implications, see Monitor the state of your Amazon Web Services accounts in the Organizations User Guide.

      • JoinedMethod (string) –

        The method by which the account joined the organization.

      • JoinedTimestamp (datetime) –

        The date the account became a part of the organization.

  • PolicyType (string) –

    The specified policy type. One of the following values:

    • DECLARATIVE_POLICY_EC2

    • BACKUP_POLICY

    • TAG_POLICY

    • CHATBOT_POLICY

    • AISERVICES_OPT_OUT_POLICY

    • SECURITYHUB_POLICY

    • UPGRADE_ROLLOUT_POLICY

    • INSPECTOR_POLICY

    • BEDROCK_POLICY

    • S3_POLICY

    • NETWORK_SECURITY_DIRECTOR_POLICY

  • NextToken (string) –

    If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null.

Exceptions

• Organizations.Client.exceptions.AccessDeniedException

• Organizations.Client.exceptions.AWSOrganizationsNotInUseException

• Organizations.Client.exceptions.ConstraintViolationException

• Organizations.Client.exceptions.EffectivePolicyNotFoundException

• Organizations.Client.exceptions.ServiceException

• Organizations.Client.exceptions.TooManyRequestsException

• Organizations.Client.exceptions.InvalidInputException

• Organizations.Client.exceptions.UnsupportedAPIEndpointException