Skip to main content

AWS - Organizations

This Integration is part of the AWS Organizations Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Manage Amazon Web Services accounts and their resources. For AWS Organizations quotas, guidelines and restrictions, see the AWS Organizations Quotas page.

Configure AWS - Organizations in Cortex#

ParameterDescriptionRequired
Role ArnThe Amazon Resource Name (ARN) of the role to assume.False
Role Session NameAn identifier for the assumed role session.False
Role Session DurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.False
Access KeyFalse
Secret KeyFalse
TimeoutThe time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used.False
RetriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.False
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-org-root-list#


List the roots that are defined in the current organization.

Base Command#

aws-org-root-list

Input#

Argument NameDescriptionRequired
limitThe number of roots to return. Default is 50.Optional
page_sizeThe number of roots to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of roots, as given by the response of the previous run of this command under the context key "AWS.Organizations.RootNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Root.IdStringThe unique identifier (ID) of the root.
AWS.Organizations.Root.ArnStringThe Amazon Resource Name (ARN) of the root.
AWS.Organizations.Root.NameStringThe friendly name of the root.
AWS.Organizations.Root.PolicyTypes.TypeStringThe name of the policy type.
AWS.Organizations.Root.PolicyTypes.StatusStringThe status of the policy type as it relates to the associated root.
AWS.Organizations.RootNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-root-list

Context Example#

{
"AWS": {
"Organizations": {
"Root": {
"Arn": "arn:aws:organizations::111222333444:root/o-abcde12345/r-ab12",
"Id": "r-ab12",
"Name": "Root",
"PolicyTypes": [
{
"Status": "ENABLED",
"Type": "BACKUP_POLICY"
},
{
"Status": "ENABLED",
"Type": "SERVICE_CONTROL_POLICY"
}
]
},
"RootNextToken": null
}
}
}

Human Readable Output#

AWS Organization Roots#

IdArnName
r-ab12arn:aws:organizations::111222333444:root/o-abcde12345/r-ab12Root

aws-org-children-list#


List all of the organizational units (OUs) or accounts that are contained in the specified parent OU or root.

Base Command#

aws-org-children-list

Input#

Argument NameDescriptionRequired
parent_idThe unique identifier (ID) for the parent root or organizational unit whose children are to be listed.Required
child_typeFilters the output to include only the specified child type. Possible values are: Account, OrganizationalUnit.Required
limitThe number of children to return. Default is 50.Optional
page_sizeThe number of children to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of children as given by the response of the previous run of this command under the context key "AWS.Organizations.ChildrenNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Children.IdStringThe unique identifier (ID) of the child entity.
AWS.Organizations.Children.TypeStringThe type of the child entity.
AWS.Organizations.Children.ParentIdStringThe unique identifier (ID) for the parent root or organizational unit of the child entity.
AWS.Organizations.ChildrenNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-children-list parent_id="r-ab12" child_type="OrganizationalUnit"

Context Example#

{
"AWS": {
"Organizations": {
"Children": {
"Id": "ou-ab12-abcd1234",
"ParentId": "r-ab12",
"Type": "ORGANIZATIONAL_UNIT"
},
"ChildrenNextToken": null
}
}
}

Human Readable Output#

AWS Account r-ab12 Children#

IdType
ou-ab12-abcd1234ORGANIZATIONAL_UNIT

aws-org-parent-list#


Lists all of the organizational units (OUs) or accounts that are a parent OU or root of the specified child. This command returns only the immediate parents in the hierarchy.

Base Command#

aws-org-parent-list

Input#

Argument NameDescriptionRequired
child_idThe unique identifier (ID) of the organizational unit or account whose parent containers you want to list. Don't specify a root.
This value can be retrieved by running the command "aws-org-account-list".
Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Parent.IdStringThe unique identifier (ID) of the parent entity.
AWS.Organizations.Parent.TypeStringThe type of the parent entity.
AWS.Organizations.Parent.ChildIdStringThe unique identifier (ID) of the organizational unit or account of the child of the parent entity.

Command example#

!aws-org-parent-list child_id="ou-ab12-abcd1234"

Context Example#

{
"AWS": {
"Organizations": {
"Parent": {
"ChildId": "ou-ab12-abcd1234",
"Id": "r-ab12",
"Type": "ROOT"
}
}
}
}

Human Readable Output#

AWS Account ou-ab12-abcd1234 Parent#

IdType
r-ab12ROOT

aws-org-organization-unit-get#


Retrieve information about an organizational unit (OU). This command can be called only from the organization's management account or by a member account that is a delegated administrator for an Amazon Web Services service.

Base Command#

aws-org-organization-unit-get

Input#

Argument NameDescriptionRequired
organization_unit_idThe unique identifier (ID) of the organizational unit to retrieve details about.Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.OrganizationUnit.IdStringThe unique identifier (ID) associated with the organizational unit.
AWS.Organizations.OrganizationUnit.ArnStringThe Amazon Resource Name (ARN) of the organizational unit.
AWS.Organizations.OrganizationUnit.NameStringThe friendly name of the organizational unit.

Command example#

!aws-org-organization-unit-get organization_unit_id=ou-ab12-abcd1234

Context Example#

{
"AWS": {
"Organizations": {
"OrganizationUnit": {
"Arn": "arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234",
"Id": "ou-ab12-abcd1234",
"Name": "Name OU"
}
}
}
}

Human Readable Output#

AWS Organization Unit#

IdArnName
ou-ab12-abcd1234arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234Name OU

aws-org-account-list#


Lists all the accounts in the organization or a specific account by ID.

Base Command#

aws-org-account-list

Input#

Argument NameDescriptionRequired
account_idGet a specific account by ID.Optional
limitThe number of accounts to return. Default is 50.Optional
page_sizeThe number of accounts to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of accounts, as given by the response of the previous run of this command under the context key "AWS.Organizations.AccountNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Account.IdStringThe unique identifier (ID) of the account.
AWS.Organizations.Account.ArnStringThe Amazon Resource Name (ARN) of the account.
AWS.Organizations.Account.EmailStringThe email address associated with the Amazon Web Services account.
AWS.Organizations.Account.NameStringThe friendly name of the account.
AWS.Organizations.Account.StatusStringThe status of the account in the organization.
AWS.Organizations.Account.JoinedMethodStringThe method by which the account joined the organization.
AWS.Organizations.Account.JoinedTimestampDateThe date the account became a part of the organization.
AWS.Organizations.AccountNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-account-list account_id=111222333444

Context Example#

{
"AWS": {
"Organizations": {
"Account": {
"Arn": "arn:aws:organizations::111222333444:account/o-abcde12345/111222333444",
"Email": "user@xsoar.com",
"Id": "111222333444",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2023-09-04 09:17:14.299000+00:00",
"Name": "Name",
"Status": "ACTIVE"
}
}
}
}

Human Readable Output#

AWS Organization Accounts#

IdArnNameEmailJoinedMethodJoinedTimestampStatus
111222333444arn:aws:organizations::111222333444:account/o-abcde12345/111222333444Nameuser@xsoar.comCREATED2023-09-04 09:17:14.299000+00:00ACTIVE

Command example#

!aws-org-account-list

Context Example#

{
"AWS": {
"Organizations": {
"Account": [
{
"Arn": "arn:aws:organizations::111222333444:account/o-abcde12345/111222333444",
"Email": "user@xsoar.com",
"Id": "111222333444",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2023-09-04 09:17:14.299000+00:00",
"Name": "Name",
"Status": "ACTIVE"
},
{
"Arn": "arn:aws:organizations::111222333444:account/o-abcde12345/111222333444",
"Email": "user@xsoar.com",
"Id": "111222333444",
"JoinedMethod": "INVITED",
"JoinedTimestamp": "2022-07-25 09:11:23.528000+00:00",
"Name": "ferrum-techs",
"Status": "SUSPENDED"
}
],
"AccountNextToken": null
}
}
}

Human Readable Output#

AWS Organization Accounts#

IdArnNameEmailJoinedMethodJoinedTimestampStatus
111222333444arn:aws:organizations::111222333444:account/o-abcde12345/111222333444Nameuser@xsoar.comCREATED2023-09-04 09:17:14.299000+00:00ACTIVE
111222333444arn:aws:organizations::111222333444:account/o-abcde12345/111222333444ferrum-techsuser@xsoar.comINVITED2022-07-25 09:11:23.528000+00:00SUSPENDED

aws-org-organization-get#


Retrieves information about the organization that the user's account belongs to.

Base Command#

aws-org-organization-get

Input#

Argument NameDescriptionRequired
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Organization.IdStringThe unique identifier (ID) of the organization.
AWS.Organizations.Organization.ArnStringThe Amazon Resource Name (ARN) of the organization.
AWS.Organizations.Organization.FeatureSetStringSpecifies the functionality that currently is available to the organization. If set to “ALL”, then all features are enabled and policies can be applied to accounts in the organization. If set to “CONSOLIDATED_BILLING”, then only consolidated billing functionality is available.
AWS.Organizations.Organization.MasterAccountArnStringThe Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.
AWS.Organizations.Organization.MasterAccountIdStringThe unique identifier (ID) of the management account of the organization.
AWS.Organizations.Organization.MasterAccountEmailStringThe email address that is associated with the Amazon Web Services account that is designated as the management account for the organization.

Command example#

!aws-org-organization-get

Context Example#

{
"AWS": {
"Organizations": {
"Organization": {
"Arn": "arn:aws:organizations::111222333444:organization/o-abcde12345",
"AvailablePolicyTypes": [
{
"Status": "ENABLED",
"Type": "SERVICE_CONTROL_POLICY"
}
],
"FeatureSet": "ALL",
"Id": "o-abcde12345",
"MasterAccountArn": "arn:aws:organizations::111222333444:account/o-abcde12345/111222333444",
"MasterAccountEmail": "user@xsoar.com",
"MasterAccountId": "111222333444"
}
}
}
}

Human Readable Output#

AWS Organization#

IdArnFeatureSetMasterAccountArnMasterAccountIdMasterAccountEmail
o-abcde12345arn:aws:organizations::111222333444:organization/o-abcde12345ALLarn:aws:organizations::111222333444:account/o-abcde12345/111222333444111222333444user@xsoar.com

aws-org-organization-unit-create#


Creates an organizational unit (OU) within a root or parent OU. An OU is a container for accounts that enables the organization of accounts to apply policies according to business requirements. The number of levels deep that OUs can be nested is dependent upon the policy types enabled for that root. For service control policies, the limit is five.

Base Command#

aws-org-organization-unit-create

Input#

Argument NameDescriptionRequired
nameThe friendly name to assign to the new organizational unit.Required
parent_idThe unique identifier (ID) of the parent root or organizational unit to create the new organizational unit in. This value can be retrieved by running the command "aws-org-root-list".Required
tagsA comma-separated list of tags to attach to the newly created organizational unit. Each tag should be in the format: "key=value".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.OrganizationUnit.IdStringThe unique identifier (ID) associated with this organizational unit.
AWS.Organizations.OrganizationUnit.ArnStringThe Amazon Resource Name (ARN) of this organizational unit.
AWS.Organizations.OrganizationUnit.NameStringThe friendly name of this organizational unit.

Command example#

!aws-org-organization-unit-create name=test parent_id=r-12ab tags="new=true,key=value"

Context Example#

{
"AWS": {
"Organizations": {
"OrganizationUnit": {
"Arn": "arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234",
"Id": "ou-ab12-abcd1234",
"Name": "test"
}
}
}
}

Human Readable Output#

AWS Organization Unit#

IdNameArn
ou-ab12-abcd1234testarn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234

aws-org-organization-unit-rename#


Renames the specified organizational unit (OU). The ID and ARN don’t change. The child OUs and accounts remain in place, and any attached policies of the OU remain attached.

Base Command#

aws-org-organization-unit-rename

Input#

Argument NameDescriptionRequired
organizational_unit_idThe unique identifier (ID) of the OU to rename. This value can be retrieved by running the command "aws-org-parent-list".Required
nameThe new name to assign to the organizational unit.Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-organization-unit-rename name=new_name organizational_unit_id=ou-ab12-abcd1234

Human Readable Output#

AWS organization unit ou-ab12-abcd1234 successfully renamed to new_name.

aws-org-organization-unit-delete#


Deletes an organizational unit (OU) from a root or another OU. All accounts and child OUs must first be removed.

Base Command#

aws-org-organization-unit-delete

Input#

Argument NameDescriptionRequired
organizational_unit_idThe unique identifier (ID) of the organizational unit that you want to delete.Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-organization-unit-delete organizational_unit_id=ou-ab12-abcd1234

Human Readable Output#

AWS organizational unit ou-ab12-abcd1234 deleted successfully.

aws-org-policy-list#


Retrieves the list of all policies in an organization of a specified type.

Base Command#

aws-org-policy-list

Input#

Argument NameDescriptionRequired
policy_typeSpecifies the type of policy to include in the response. Possible values are: Service Control Policy, Tag Policy, Backup Policy, AI Services Opt Out Policy.Required
limitThe number of policies to return. Default is 50.Optional
page_sizeThe number of policies to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Policy.IdStringThe unique identifier (ID) of the policy.
AWS.Organizations.Policy.ArnStringThe Amazon Resource Name (ARN) of the policy.
AWS.Organizations.Policy.NameStringThe friendly name of the policy.
AWS.Organizations.Policy.DescriptionStringThe description of the policy.
AWS.Organizations.Policy.TypeStringThe type of policy.
AWS.Organizations.Policy.AwsManagedBooleanIndicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited.
AWS.Organizations.PolicyNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-policy-list policy_type="Service Control Policy"

Context Example#

{
"AWS": {
"Organizations": {
"Policy": [
{
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"AwsManaged": true,
"Description": "Allows access to every operation",
"Id": "p-FullAWSAccess",
"Name": "FullAWSAccess",
"Type": "SERVICE_CONTROL_POLICY"
},
{
"Arn": "arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd",
"AwsManaged": false,
"Description": "Used for test purposes",
"Id": "p-1234abcd",
"Name": "Test",
"Type": "SERVICE_CONTROL_POLICY"
}
],
"PolicyNextToken": null
}
}
}

Human Readable Output#

AWS Organization Policies#

IdArnNameDescriptionTypeAwsManaged
p-FullAWSAccessarn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccessFullAWSAccessAllows access to every operationSERVICE_CONTROL_POLICYtrue
p-1234abcdarn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcdTestUsed for test purposesSERVICE_CONTROL_POLICYfalse

aws-org-policy-get#


Retrieves information about a policy.

Base Command#

aws-org-policy-get

Input#

Argument NameDescriptionRequired
policy_idThe unique identifier (ID) of the policy that you want details about. This value can be retrieved by running the command "aws-org-policy-list".Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Policy.IdStringThe unique identifier (ID) of the policy.
AWS.Organizations.Policy.ArnStringThe Amazon Resource Name (ARN) of the policy.
AWS.Organizations.Policy.NameStringThe friendly name of the policy.
AWS.Organizations.Policy.DescriptionStringThe description of the policy.
AWS.Organizations.Policy.TypeStringThe type of policy.
AWS.Organizations.Policy.AwsManagedBooleanIndicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited.

Command example#

!aws-org-policy-get policy_id=p-1234abcd

Context Example#

{
"AWS": {
"Organizations": {
"Policy": {
"Arn": "arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd",
"AwsManaged": false,
"Description": "Used for test purposes",
"Id": "p-1234abcd",
"Name": "Test",
"Type": "SERVICE_CONTROL_POLICY"
}
}
}
}

Human Readable Output#

AWS Organization Policies#

IdArnNameDescriptionTypeAwsManaged
p-1234abcdarn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcdTestUsed for test purposesSERVICE_CONTROL_POLICYfalse

aws-org-policy-attach#


Attaches a policy to a root, an organizational unit (OU), or an individual account.

Base Command#

aws-org-policy-attach

Input#

Argument NameDescriptionRequired
policy_idThe unique identifier (ID) of the policy to attach to the target. This value can be retrieved by running the command "aws-org-policy-list".Required
target_idThe unique identifier (ID) of the root, organizational unit, or account to attach the policy to. This value can be retrieved by running the command "aws-org-root-list" or "aws-org-account-list".Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-policy-attach policy_id=p-1234abcd target_id=ou-ab12-abcd1234

Human Readable Output#

AWS Organizations policy p-1234abcd successfully attached.

aws-org-policy-target-list#


Lists all the roots, organizational units (OUs), and accounts that the specified policy is attached to.

Base Command#

aws-org-policy-target-list

Input#

Argument NameDescriptionRequired
policy_idThe unique identifier (ID) of the policy whose attachments are to be listed.Required
limitThe number of policies to return. Default is 50.Optional
page_sizeThe number of policies to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyTargetNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.PolicyTarget.TargetIdStringThe unique identifier (ID) of the policy target.
AWS.Organizations.PolicyTarget.ArnStringThe Amazon Resource Name (ARN) of the policy target.
AWS.Organizations.PolicyTarget.NameStringThe friendly name of the policy target.
AWS.Organizations.PolicyTarget.TypeStringThe type of the policy target.
AWS.Organizations.PolicyTarget.PolicyIdStringThe unique identifier (ID) of the policy.
AWS.Organizations.PolicyTargetNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-policy-target-list policy_id=p-1234abcd

Context Example#

{
"AWS": {
"Organizations": {
"PolicyTarget": {
"Arn": "arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234",
"Name": "to_add_policy",
"PolicyId": "p-1234abcd",
"TargetId": "ou-ab12-abcd1234",
"Type": "ORGANIZATIONAL_UNIT"
},
"PolicyTargetNextToken": null
}
}
}

Human Readable Output#

AWS Organization p-1234abcd Targets#

TargetIdArnNameType
ou-ab12-abcd1234arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234to_add_policyORGANIZATIONAL_UNIT

aws-org-target-policy-list#


Lists the policies that are directly attached to the specified target root, organizational unit (OU), or account.

Base Command#

aws-org-target-policy-list

Input#

Argument NameDescriptionRequired
policy_typeThe type of policy to include in the returned list. Possible values are: Service Control Policy, Tag Policy, Backup Policy, AI Services Opt Out Policy.Required
target_idThe unique identifier (ID) of the root, organizational unit, or account whose policies are to be listed.Required
limitThe number of policies to return. Default is 50.Optional
page_sizeThe number of policies to return per page. The maximum is 1000.Optional
next_tokenThe token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.TargetPolicy.IdStringThe unique identifier (ID) of the policy.
AWS.Organizations.TargetPolicy.ArnStringThe Amazon Resource Name (ARN) of the policy.
AWS.Organizations.TargetPolicy.NameStringThe friendly name of the policy.
AWS.Organizations.TargetPolicy.DescriptionStringThe description of the policy.
AWS.Organizations.TargetPolicy.TypeStringThe type of policy.
AWS.Organizations.TargetPolicy.AwsManagedBooleanIndicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited.
AWS.Organizations.TargetIdStringThe unique identifier (ID) of the target.
AWS.Organizations.TargetPolicyNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-target-policy-list target_id=ou-ab12-abcd1234 policy_type="Service Control Policy"

Context Example#

{
"AWS": {
"Organizations": {
"TargetPolicy": [
{
"Arn": "arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd",
"AwsManaged": false,
"Description": "Used for test purposes",
"Id": "p-1234abcd",
"Name": "Test",
"TargetId": "ou-ab12-abcd1234",
"Type": "SERVICE_CONTROL_POLICY"
},
{
"Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
"AwsManaged": true,
"Description": "Allows access to every operation",
"Id": "p-FullAWSAccess",
"Name": "FullAWSAccess",
"TargetId": "ou-ab12-abcd1234",
"Type": "SERVICE_CONTROL_POLICY"
}
],
"TargetPolicyNextToken": null
}
}
}

Human Readable Output#

AWS Organization ou-ab12-abcd1234 Policies#

IdArnNameDescriptionTypeAwsManaged
p-1234abcdarn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcdTestUsed for test purposesSERVICE_CONTROL_POLICYfalse
p-FullAWSAccessarn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccessFullAWSAccessAllows access to every operationSERVICE_CONTROL_POLICYtrue

aws-org-policy-delete#


Deletes the specified policy from the organization. Before performing this operation, the policy must be detached from all organizational units (OUs), roots, and accounts.

Base Command#

aws-org-policy-delete

Input#

Argument NameDescriptionRequired
policy_idThe unique identifier (ID) of the policy that you want to delete. This value can be retrieved by running the command "aws-org-policy-list".Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-policy-delete policy_id=p-1234abcd

Human Readable Output#

AWS Organizations policy p-1234abcd successfully deleted.

aws-org-resource-tag-add#


Adds one or more tags to the specified resource.

Base Command#

aws-org-resource-tag-add

Input#

Argument NameDescriptionRequired
resource_idThe ID of the resource to add a tag to. This value can be retrieved by running the command "aws-org-root-list", "aws-org-account-list", "aws-org-root-list", or "aws-org-policy-list".Required
tagsA comma-separated list of tags to attach to the resource. Each tag should be in the format: "key=value".Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-resource-tag-add resource_id=ou-ab12-abcd1234 tags="test=true,key=value"

Human Readable Output#

AWS Organizations resource ou-ab12-abcd1234 successfully tagged.

aws-org-resource-tag-list#


Lists tags that are attached to the specified resource.

Base Command#

aws-org-resource-tag-list

Input#

Argument NameDescriptionRequired
resource_idThe ID of the resource with the tags to list. This value can be retrieved by running the command "aws-org-root-list", "aws-org-account-list", "aws-org-root-list", or "aws-org-policy-list".Required
next_tokenThe token denoting the next page of tags, as given by the response of the previous run of this command under the context key "AWS.Organizations.TagNextToken".Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Tag.KeyStringThe key identifier, or name, of the tag.
AWS.Organizations.Tag.ValueStringThe string value that's associated with the key of the tag.
AWS.Organizations.Tag.ResourceIdStringThe unique identifier (ID) of the resource.
AWS.Organizations.TagNextTokenStringIf not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output.

Command example#

!aws-org-resource-tag-list resource_id=ou-ab12-abcd1234

Context Example#

{
"AWS": {
"Organizations": {
"Tag": [
{
"Key": "test",
"ResourceId": "ou-ab12-abcd1234",
"Value": "true"
},
{
"Key": "new",
"ResourceId": "ou-ab12-abcd1234",
"Value": "true"
},
{
"Key": "key",
"ResourceId": "ou-ab12-abcd1234",
"Value": "value"
}
],
"TagNextToken": null
}
}
}

Human Readable Output#

AWS Organization ou-ab12-abcd1234 Tags#

KeyValue
testtrue
newtrue
keyvalue

aws-org-account-create#


Creates an AWS Account that is automatically a member of the organization.

Base Command#

aws-org-account-create

Input#

Argument NameDescriptionRequired
account_nameThe friendly name of the member account.Required
emailThe email address of the owner to assign to the new member account. This email address must not already be associated with another Amazon Web Services account. Use a valid email address to complete account creation.Required
iam_user_access_to_billingIf set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, only the root user of the new account can access account billing information. Possible values are: Allow, Deny. Default is Allow.Optional
role_nameThe name of an IAM role that AWS Organizations automatically pre-configures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. Default is OrganizationAccountAccessRole.Optional
tagsA comma-separated list of tags to attach to the newly created account. Each tag should be in the format: "key=value".Optional
request_idThe ID of the create request that is used for polling.Optional
interval_in_secondsIndicates how long to wait between command executions (in seconds) when the 'polling' argument is true. Minimum value is 10 seconds. Default is 30.Optional
timeoutIndicates the time in seconds until the polling sequence times out. Default is 600.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.Organizations.Account.IdStringThe unique identifier (ID) of the account.
AWS.Organizations.Account.ArnStringThe Amazon Resource Name (ARN) of the account.
AWS.Organizations.Account.EmailStringThe email address associated with the Amazon Web Services account.
AWS.Organizations.Account.NameStringThe friendly name of the account.
AWS.Organizations.Account.StatusStringThe status of the account in the organization.
AWS.Organizations.Account.JoinedMethodStringThe method by which the account joined the organization.
AWS.Organizations.Account.JoinedTimestampDateThe date the account became a part of the organization.

Command example#

!aws-org-account-create account_name="New" email="user@xsoar.com" tags="new=true,test=yes" iam_user_access_to_billing=Deny

Context Example#

{
"AWS": {
"Organizations": {
"Account": {
"Arn": "arn:aws:organizations::111222333444:account/o-abcde12345/111222333444",
"Email": "user@xsoar.com",
"Id": "111222333444",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2023-09-04 09:17:14.299000+00:00",
"Name": "New",
"Status": "ACTIVE"
}
}
}
}

Human Readable Output#

Creating account:

AWS Organization Accounts#

IdArnNameEmailJoinedMethodJoinedTimestampStatus
111222333444arn:aws:organizations::111222333444:account/o-abcde12345/111222333444Newuser@xsoar.comCREATED2023-09-04 09:17:14.299000+00:00ACTIVE

aws-org-account-move#


Moves an account from one parent to another.

Base Command#

aws-org-account-move

Input#

Argument NameDescriptionRequired
account_idThe unique identifier (ID) of the member account move. This value can be retrieved by running the command "aws-org-account-list".Required
destination_parent_idThe unique identifier (ID) of the root or organizational unit to move the account to.
This value can be retrieved by running the command "aws-org-root-list".
.
Required
source_parent_idThe unique identifier (ID) of the root or organizational unit to move the account from.
This value can be retrieved by running the command "aws-org-parent-list" with the child_id set to the account_id.
.
Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-account-move source_parent_id=r-12ab account_id=111222333444 destination_parent_id=ou-ab12-abcd1234

Human Readable Output#

AWS account 111222333444 moved successfully.

aws-org-account-remove#


Removes an account from the organization. For more information on this action: https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html

Base Command#

aws-org-account-remove

Input#

Argument NameDescriptionRequired
account_idThe unique identifier (ID) of the member account to be removed from the organization. This can be obtained with the command "aws-organizations-account-list".Required
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-account-remove account_id=111222333444

Human Readable Output#

AWS account 111222333444 removed successfully.

aws-org-account-close#


Closes an AWS member account within an organization.

Base Command#

aws-org-account-close

Input#

Argument NameDescriptionRequired
account_idThe unique identifier (ID) of the member account to close. This can be obtained with the command "aws-organizations-account-list".Required
interval_in_secondsIndicates how long to wait between command executions (in seconds) when the 'polling' argument is true. Minimum value is 10 seconds. Default is 30.Optional
timeoutIndicates the time in seconds until the polling sequence times out. Default is 600.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-org-account-close account_id=111222333444

Human Readable Output#

Closing account:

AWS account 111222333444 closed successfully.