AWS - Organizations
AWS Organizations Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
Manage Amazon Web Services accounts and their resources. For AWS Organizations quotas, guidelines and restrictions, see the AWS Organizations Quotas page.
#
Configure AWS - Organizations in CortexParameter | Description | Required |
---|---|---|
Role Arn | The Amazon Resource Name (ARN) of the role to assume. | False |
Role Session Name | An identifier for the assumed role session. | False |
Role Session Duration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | False |
Access Key | False | |
Secret Key | False | |
Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used. | False |
Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False |
Trust any certificate (not secure) | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
aws-org-root-listList the roots that are defined in the current organization.
#
Base Commandaws-org-root-list
#
InputArgument Name | Description | Required |
---|---|---|
limit | The number of roots to return. Default is 50. | Optional |
page_size | The number of roots to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of roots, as given by the response of the previous run of this command under the context key "AWS.Organizations.RootNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Root.Id | String | The unique identifier (ID) of the root. |
AWS.Organizations.Root.Arn | String | The Amazon Resource Name (ARN) of the root. |
AWS.Organizations.Root.Name | String | The friendly name of the root. |
AWS.Organizations.Root.PolicyTypes.Type | String | The name of the policy type. |
AWS.Organizations.Root.PolicyTypes.Status | String | The status of the policy type as it relates to the associated root. |
AWS.Organizations.RootNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-root-list
#
Context Example#
Human Readable Output#
AWS Organization Roots
Id Arn Name r-ab12 arn:aws:organizations::111222333444:root/o-abcde12345/r-ab12 Root
#
aws-org-children-listList all of the organizational units (OUs) or accounts that are contained in the specified parent OU or root.
#
Base Commandaws-org-children-list
#
InputArgument Name | Description | Required |
---|---|---|
parent_id | The unique identifier (ID) for the parent root or organizational unit whose children are to be listed. | Required |
child_type | Filters the output to include only the specified child type. Possible values are: Account, OrganizationalUnit. | Required |
limit | The number of children to return. Default is 50. | Optional |
page_size | The number of children to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of children as given by the response of the previous run of this command under the context key "AWS.Organizations.ChildrenNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Children.Id | String | The unique identifier (ID) of the child entity. |
AWS.Organizations.Children.Type | String | The type of the child entity. |
AWS.Organizations.Children.ParentId | String | The unique identifier (ID) for the parent root or organizational unit of the child entity. |
AWS.Organizations.ChildrenNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-children-list parent_id="r-ab12" child_type="OrganizationalUnit"
#
Context Example#
Human Readable Output#
AWS Account r-ab12 Children
Id Type ou-ab12-abcd1234 ORGANIZATIONAL_UNIT
#
aws-org-parent-listLists all of the organizational units (OUs) or accounts that are a parent OU or root of the specified child. This command returns only the immediate parents in the hierarchy.
#
Base Commandaws-org-parent-list
#
InputArgument Name | Description | Required |
---|---|---|
child_id | The unique identifier (ID) of the organizational unit or account whose parent containers you want to list. Don't specify a root. This value can be retrieved by running the command "aws-org-account-list". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Parent.Id | String | The unique identifier (ID) of the parent entity. |
AWS.Organizations.Parent.Type | String | The type of the parent entity. |
AWS.Organizations.Parent.ChildId | String | The unique identifier (ID) of the organizational unit or account of the child of the parent entity. |
#
Command example!aws-org-parent-list child_id="ou-ab12-abcd1234"
#
Context Example#
Human Readable Output#
AWS Account ou-ab12-abcd1234 Parent
Id Type r-ab12 ROOT
#
aws-org-organization-unit-getRetrieve information about an organizational unit (OU). This command can be called only from the organization's management account or by a member account that is a delegated administrator for an Amazon Web Services service.
#
Base Commandaws-org-organization-unit-get
#
InputArgument Name | Description | Required |
---|---|---|
organization_unit_id | The unique identifier (ID) of the organizational unit to retrieve details about. | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.OrganizationUnit.Id | String | The unique identifier (ID) associated with the organizational unit. |
AWS.Organizations.OrganizationUnit.Arn | String | The Amazon Resource Name (ARN) of the organizational unit. |
AWS.Organizations.OrganizationUnit.Name | String | The friendly name of the organizational unit. |
#
Command example!aws-org-organization-unit-get organization_unit_id=ou-ab12-abcd1234
#
Context Example#
Human Readable Output#
AWS Organization Unit
Id Arn Name ou-ab12-abcd1234 arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234 Name OU
#
aws-org-account-listLists all the accounts in the organization or a specific account by ID.
#
Base Commandaws-org-account-list
#
InputArgument Name | Description | Required |
---|---|---|
account_id | Get a specific account by ID. | Optional |
limit | The number of accounts to return. Default is 50. | Optional |
page_size | The number of accounts to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of accounts, as given by the response of the previous run of this command under the context key "AWS.Organizations.AccountNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Account.Id | String | The unique identifier (ID) of the account. |
AWS.Organizations.Account.Arn | String | The Amazon Resource Name (ARN) of the account. |
AWS.Organizations.Account.Email | String | The email address associated with the Amazon Web Services account. |
AWS.Organizations.Account.Name | String | The friendly name of the account. |
AWS.Organizations.Account.Status | String | The status of the account in the organization. |
AWS.Organizations.Account.JoinedMethod | String | The method by which the account joined the organization. |
AWS.Organizations.Account.JoinedTimestamp | Date | The date the account became a part of the organization. |
AWS.Organizations.AccountNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value in the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-account-list account_id=111222333444
#
Context Example#
Human Readable Output#
AWS Organization Accounts
Id Arn Name JoinedMethod JoinedTimestamp Status 111222333444 arn:aws:organizations::111222333444:account/o-abcde12345/111222333444 Name user@xsoar.com CREATED 2023-09-04 09:17:14.299000+00:00 ACTIVE
#
Command example!aws-org-account-list
#
Context Example#
Human Readable Output#
AWS Organization Accounts
Id Arn Name JoinedMethod JoinedTimestamp Status 111222333444 arn:aws:organizations::111222333444:account/o-abcde12345/111222333444 Name user@xsoar.com CREATED 2023-09-04 09:17:14.299000+00:00 ACTIVE 111222333444 arn:aws:organizations::111222333444:account/o-abcde12345/111222333444 ferrum-techs user@xsoar.com INVITED 2022-07-25 09:11:23.528000+00:00 SUSPENDED
#
aws-org-organization-getRetrieves information about the organization that the user's account belongs to.
#
Base Commandaws-org-organization-get
#
InputArgument Name | Description | Required |
---|---|---|
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Organization.Id | String | The unique identifier (ID) of the organization. |
AWS.Organizations.Organization.Arn | String | The Amazon Resource Name (ARN) of the organization. |
AWS.Organizations.Organization.FeatureSet | String | Specifies the functionality that currently is available to the organization. If set to “ALL”, then all features are enabled and policies can be applied to accounts in the organization. If set to “CONSOLIDATED_BILLING”, then only consolidated billing functionality is available. |
AWS.Organizations.Organization.MasterAccountArn | String | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |
AWS.Organizations.Organization.MasterAccountId | String | The unique identifier (ID) of the management account of the organization. |
AWS.Organizations.Organization.MasterAccountEmail | String | The email address that is associated with the Amazon Web Services account that is designated as the management account for the organization. |
#
Command example!aws-org-organization-get
#
Context Example#
Human Readable Output#
AWS Organization
Id Arn FeatureSet MasterAccountArn MasterAccountId MasterAccountEmail o-abcde12345 arn:aws:organizations::111222333444:organization/o-abcde12345 ALL arn:aws:organizations::111222333444:account/o-abcde12345/111222333444 111222333444 user@xsoar.com
#
aws-org-organization-unit-createCreates an organizational unit (OU) within a root or parent OU. An OU is a container for accounts that enables the organization of accounts to apply policies according to business requirements. The number of levels deep that OUs can be nested is dependent upon the policy types enabled for that root. For service control policies, the limit is five.
#
Base Commandaws-org-organization-unit-create
#
InputArgument Name | Description | Required |
---|---|---|
name | The friendly name to assign to the new organizational unit. | Required |
parent_id | The unique identifier (ID) of the parent root or organizational unit to create the new organizational unit in. This value can be retrieved by running the command "aws-org-root-list". | Required |
tags | A comma-separated list of tags to attach to the newly created organizational unit. Each tag should be in the format: "key=value". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.OrganizationUnit.Id | String | The unique identifier (ID) associated with this organizational unit. |
AWS.Organizations.OrganizationUnit.Arn | String | The Amazon Resource Name (ARN) of this organizational unit. |
AWS.Organizations.OrganizationUnit.Name | String | The friendly name of this organizational unit. |
#
Command example!aws-org-organization-unit-create name=test parent_id=r-12ab tags="new=true,key=value"
#
Context Example#
Human Readable Output#
AWS Organization Unit
Id Name Arn ou-ab12-abcd1234 test arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234
#
aws-org-organization-unit-renameRenames the specified organizational unit (OU). The ID and ARN don’t change. The child OUs and accounts remain in place, and any attached policies of the OU remain attached.
#
Base Commandaws-org-organization-unit-rename
#
InputArgument Name | Description | Required |
---|---|---|
organizational_unit_id | The unique identifier (ID) of the OU to rename. This value can be retrieved by running the command "aws-org-parent-list". | Required |
name | The new name to assign to the organizational unit. | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-organization-unit-rename name=new_name organizational_unit_id=ou-ab12-abcd1234
#
Human Readable OutputAWS organization unit ou-ab12-abcd1234 successfully renamed to new_name.
#
aws-org-organization-unit-deleteDeletes an organizational unit (OU) from a root or another OU. All accounts and child OUs must first be removed.
#
Base Commandaws-org-organization-unit-delete
#
InputArgument Name | Description | Required |
---|---|---|
organizational_unit_id | The unique identifier (ID) of the organizational unit that you want to delete. | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-organization-unit-delete organizational_unit_id=ou-ab12-abcd1234
#
Human Readable OutputAWS organizational unit ou-ab12-abcd1234 deleted successfully.
#
aws-org-policy-listRetrieves the list of all policies in an organization of a specified type.
#
Base Commandaws-org-policy-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_type | Specifies the type of policy to include in the response. Possible values are: Service Control Policy, Tag Policy, Backup Policy, AI Services Opt Out Policy. | Required |
limit | The number of policies to return. Default is 50. | Optional |
page_size | The number of policies to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Policy.Id | String | The unique identifier (ID) of the policy. |
AWS.Organizations.Policy.Arn | String | The Amazon Resource Name (ARN) of the policy. |
AWS.Organizations.Policy.Name | String | The friendly name of the policy. |
AWS.Organizations.Policy.Description | String | The description of the policy. |
AWS.Organizations.Policy.Type | String | The type of policy. |
AWS.Organizations.Policy.AwsManaged | Boolean | Indicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited. |
AWS.Organizations.PolicyNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-policy-list policy_type="Service Control Policy"
#
Context Example#
Human Readable Output#
AWS Organization Policies
Id Arn Name Description Type AwsManaged p-FullAWSAccess arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess FullAWSAccess Allows access to every operation SERVICE_CONTROL_POLICY true p-1234abcd arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd Test Used for test purposes SERVICE_CONTROL_POLICY false
#
aws-org-policy-getRetrieves information about a policy.
#
Base Commandaws-org-policy-get
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | The unique identifier (ID) of the policy that you want details about. This value can be retrieved by running the command "aws-org-policy-list". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Policy.Id | String | The unique identifier (ID) of the policy. |
AWS.Organizations.Policy.Arn | String | The Amazon Resource Name (ARN) of the policy. |
AWS.Organizations.Policy.Name | String | The friendly name of the policy. |
AWS.Organizations.Policy.Description | String | The description of the policy. |
AWS.Organizations.Policy.Type | String | The type of policy. |
AWS.Organizations.Policy.AwsManaged | Boolean | Indicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited. |
#
Command example!aws-org-policy-get policy_id=p-1234abcd
#
Context Example#
Human Readable Output#
AWS Organization Policies
Id Arn Name Description Type AwsManaged p-1234abcd arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd Test Used for test purposes SERVICE_CONTROL_POLICY false
#
aws-org-policy-attachAttaches a policy to a root, an organizational unit (OU), or an individual account.
#
Base Commandaws-org-policy-attach
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | The unique identifier (ID) of the policy to attach to the target. This value can be retrieved by running the command "aws-org-policy-list". | Required |
target_id | The unique identifier (ID) of the root, organizational unit, or account to attach the policy to. This value can be retrieved by running the command "aws-org-root-list" or "aws-org-account-list". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-policy-attach policy_id=p-1234abcd target_id=ou-ab12-abcd1234
#
Human Readable OutputAWS Organizations policy p-1234abcd successfully attached.
#
aws-org-policy-target-listLists all the roots, organizational units (OUs), and accounts that the specified policy is attached to.
#
Base Commandaws-org-policy-target-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | The unique identifier (ID) of the policy whose attachments are to be listed. | Required |
limit | The number of policies to return. Default is 50. | Optional |
page_size | The number of policies to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyTargetNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.PolicyTarget.TargetId | String | The unique identifier (ID) of the policy target. |
AWS.Organizations.PolicyTarget.Arn | String | The Amazon Resource Name (ARN) of the policy target. |
AWS.Organizations.PolicyTarget.Name | String | The friendly name of the policy target. |
AWS.Organizations.PolicyTarget.Type | String | The type of the policy target. |
AWS.Organizations.PolicyTarget.PolicyId | String | The unique identifier (ID) of the policy. |
AWS.Organizations.PolicyTargetNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-policy-target-list policy_id=p-1234abcd
#
Context Example#
Human Readable Output#
AWS Organization p-1234abcd Targets
TargetId Arn Name Type ou-ab12-abcd1234 arn:aws:organizations::111222333444:ou/o-abcde12345/ou-ab12-abcd1234 to_add_policy ORGANIZATIONAL_UNIT
#
aws-org-target-policy-listLists the policies that are directly attached to the specified target root, organizational unit (OU), or account.
#
Base Commandaws-org-target-policy-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_type | The type of policy to include in the returned list. Possible values are: Service Control Policy, Tag Policy, Backup Policy, AI Services Opt Out Policy. | Required |
target_id | The unique identifier (ID) of the root, organizational unit, or account whose policies are to be listed. | Required |
limit | The number of policies to return. Default is 50. | Optional |
page_size | The number of policies to return per page. The maximum is 1000. | Optional |
next_token | The token denoting the next page of policies, as given by the response of the previous run of this command under the context key "AWS.Organizations.PolicyNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.TargetPolicy.Id | String | The unique identifier (ID) of the policy. |
AWS.Organizations.TargetPolicy.Arn | String | The Amazon Resource Name (ARN) of the policy. |
AWS.Organizations.TargetPolicy.Name | String | The friendly name of the policy. |
AWS.Organizations.TargetPolicy.Description | String | The description of the policy. |
AWS.Organizations.TargetPolicy.Type | String | The type of policy. |
AWS.Organizations.TargetPolicy.AwsManaged | Boolean | Indicates whether the specified policy is an Amazon Web Services managed policy. If true, the policy can be attached to roots, organizational units, or accounts, but cannot be edited. |
AWS.Organizations.TargetId | String | The unique identifier (ID) of the target. |
AWS.Organizations.TargetPolicyNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-target-policy-list target_id=ou-ab12-abcd1234 policy_type="Service Control Policy"
#
Context Example#
Human Readable Output#
AWS Organization ou-ab12-abcd1234 Policies
Id Arn Name Description Type AwsManaged p-1234abcd arn:aws:organizations::111222333444:policy/o-abcde12345/service_control_policy/p-1234abcd Test Used for test purposes SERVICE_CONTROL_POLICY false p-FullAWSAccess arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess FullAWSAccess Allows access to every operation SERVICE_CONTROL_POLICY true
#
aws-org-policy-deleteDeletes the specified policy from the organization. Before performing this operation, the policy must be detached from all organizational units (OUs), roots, and accounts.
#
Base Commandaws-org-policy-delete
#
InputArgument Name | Description | Required |
---|---|---|
policy_id | The unique identifier (ID) of the policy that you want to delete. This value can be retrieved by running the command "aws-org-policy-list". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-policy-delete policy_id=p-1234abcd
#
Human Readable OutputAWS Organizations policy p-1234abcd successfully deleted.
#
aws-org-resource-tag-addAdds one or more tags to the specified resource.
#
Base Commandaws-org-resource-tag-add
#
InputArgument Name | Description | Required |
---|---|---|
resource_id | The ID of the resource to add a tag to. This value can be retrieved by running the command "aws-org-root-list", "aws-org-account-list", "aws-org-root-list", or "aws-org-policy-list". | Required |
tags | A comma-separated list of tags to attach to the resource. Each tag should be in the format: "key=value". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-resource-tag-add resource_id=ou-ab12-abcd1234 tags="test=true,key=value"
#
Human Readable OutputAWS Organizations resource ou-ab12-abcd1234 successfully tagged.
#
aws-org-resource-tag-listLists tags that are attached to the specified resource.
#
Base Commandaws-org-resource-tag-list
#
InputArgument Name | Description | Required |
---|---|---|
resource_id | The ID of the resource with the tags to list. This value can be retrieved by running the command "aws-org-root-list", "aws-org-account-list", "aws-org-root-list", or "aws-org-policy-list". | Required |
next_token | The token denoting the next page of tags, as given by the response of the previous run of this command under the context key "AWS.Organizations.TagNextToken". | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Tag.Key | String | The key identifier, or name, of the tag. |
AWS.Organizations.Tag.Value | String | The string value that's associated with the key of the tag. |
AWS.Organizations.Tag.ResourceId | String | The unique identifier (ID) of the resource. |
AWS.Organizations.TagNextToken | String | If not null, indicates that more output is available than is included in the current response. Use this value as the next_token argument in a subsequent call of the command to get the next part of the output. |
#
Command example!aws-org-resource-tag-list resource_id=ou-ab12-abcd1234
#
Context Example#
Human Readable Output#
AWS Organization ou-ab12-abcd1234 Tags
Key Value test true new true key value
#
aws-org-account-createCreates an AWS Account that is automatically a member of the organization.
#
Base Commandaws-org-account-create
#
InputArgument Name | Description | Required |
---|---|---|
account_name | The friendly name of the member account. | Required |
The email address of the owner to assign to the new member account. This email address must not already be associated with another Amazon Web Services account. Use a valid email address to complete account creation. | Required | |
iam_user_access_to_billing | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, only the root user of the new account can access account billing information. Possible values are: Allow, Deny. Default is Allow. | Optional |
role_name | The name of an IAM role that AWS Organizations automatically pre-configures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. Default is OrganizationAccountAccessRole. | Optional |
tags | A comma-separated list of tags to attach to the newly created account. Each tag should be in the format: "key=value". | Optional |
request_id | The ID of the create request that is used for polling. | Optional |
interval_in_seconds | Indicates how long to wait between command executions (in seconds) when the 'polling' argument is true. Minimum value is 10 seconds. Default is 30. | Optional |
timeout | Indicates the time in seconds until the polling sequence times out. Default is 600. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AWS.Organizations.Account.Id | String | The unique identifier (ID) of the account. |
AWS.Organizations.Account.Arn | String | The Amazon Resource Name (ARN) of the account. |
AWS.Organizations.Account.Email | String | The email address associated with the Amazon Web Services account. |
AWS.Organizations.Account.Name | String | The friendly name of the account. |
AWS.Organizations.Account.Status | String | The status of the account in the organization. |
AWS.Organizations.Account.JoinedMethod | String | The method by which the account joined the organization. |
AWS.Organizations.Account.JoinedTimestamp | Date | The date the account became a part of the organization. |
#
Command example!aws-org-account-create account_name="New" email="user@xsoar.com" tags="new=true,test=yes" iam_user_access_to_billing=Deny
#
Context Example#
Human Readable OutputCreating account:
#
AWS Organization Accounts
Id Arn Name JoinedMethod JoinedTimestamp Status 111222333444 arn:aws:organizations::111222333444:account/o-abcde12345/111222333444 New user@xsoar.com CREATED 2023-09-04 09:17:14.299000+00:00 ACTIVE
#
aws-org-account-moveMoves an account from one parent to another.
#
Base Commandaws-org-account-move
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique identifier (ID) of the member account move. This value can be retrieved by running the command "aws-org-account-list". | Required |
destination_parent_id | The unique identifier (ID) of the root or organizational unit to move the account to. This value can be retrieved by running the command "aws-org-root-list". . | Required |
source_parent_id | The unique identifier (ID) of the root or organizational unit to move the account from. This value can be retrieved by running the command "aws-org-parent-list" with the child_id set to the account_id. . | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-account-move source_parent_id=r-12ab account_id=111222333444 destination_parent_id=ou-ab12-abcd1234
#
Human Readable OutputAWS account 111222333444 moved successfully.
#
aws-org-account-removeRemoves an account from the organization. For more information on this action: https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html
#
Base Commandaws-org-account-remove
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique identifier (ID) of the member account to be removed from the organization. This can be obtained with the command "aws-organizations-account-list". | Required |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-account-remove account_id=111222333444
#
Human Readable OutputAWS account 111222333444 removed successfully.
#
aws-org-account-closeCloses an AWS member account within an organization.
#
Base Commandaws-org-account-close
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique identifier (ID) of the member account to close. This can be obtained with the command "aws-organizations-account-list". | Required |
interval_in_seconds | Indicates how long to wait between command executions (in seconds) when the 'polling' argument is true. Minimum value is 10 seconds. Default is 30. | Optional |
timeout | Indicates the time in seconds until the polling sequence times out. Default is 600. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!aws-org-account-close account_id=111222333444
#
Human Readable OutputClosing account:
AWS account 111222333444 closed successfully.