Modifies the parameters for a capacity provider.
", "UpdateCluster": "Updates the cluster.
", "UpdateClusterSettings": "Modifies the settings to use for a cluster.
", - "UpdateContainerAgent": "Updates the Amazon ECS container agent on a specified container instance. Updating the Amazon ECS container agent does not interrupt running tasks or services on the container instance. The process for updating the agent differs depending on whether your container instance was launched with the Amazon ECS-optimized AMI or another operating system.
UpdateContainerAgent requires the Amazon ECS-optimized AMI or Amazon Linux with the ecs-init service installed and running. For help updating the Amazon ECS container agent on other operating systems, see Manually Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide.
Updates the Amazon ECS container agent on a specified container instance. Updating the Amazon ECS container agent does not interrupt running tasks or services on the container instance. The process for updating the agent differs depending on whether your container instance was launched with the Amazon ECS-optimized AMI or another operating system.
The UpdateContainerAgent API isn't supported for container instances using the Amazon ECS-optimized Amazon Linux 2 (arm64) AMI. To update the container agent, you can update the ecs-init package which will update the agent. For more information, see Updating the Amazon ECS container agent in the Amazon Elastic Container Service Developer Guide.
The UpdateContainerAgent API requires an Amazon ECS-optimized AMI or Amazon Linux AMI with the ecs-init service installed and running. For help updating the Amazon ECS container agent on other operating systems, see Manually updating the Amazon ECS container agent in the Amazon Elastic Container Service Developer Guide.
Modifies the status of an Amazon ECS container instance.
Once a container instance has reached an ACTIVE state, you can change the status of a container instance to DRAINING to manually remove an instance from a cluster, for example to perform system updates, update the Docker daemon, or scale down the cluster size.
A container instance cannot be changed to DRAINING until it has reached an ACTIVE status. If the instance is in any other status, an error will be received.
When you set a container instance to DRAINING, Amazon ECS prevents new tasks from being scheduled for placement on the container instance and replacement service tasks are started on other container instances in the cluster if the resources are available. Service tasks on the container instance that are in the PENDING state are stopped immediately.
Service tasks on the container instance that are in the RUNNING state are stopped and replaced according to the service's deployment configuration parameters, minimumHealthyPercent and maximumPercent. You can change the deployment configuration of your service using UpdateService.
If minimumHealthyPercent is below 100%, the scheduler can ignore desiredCount temporarily during task replacement. For example, desiredCount is four tasks, a minimum of 50% allows the scheduler to stop two existing tasks before starting two new tasks. If the minimum is 100%, the service scheduler can't remove existing tasks until the replacement tasks are considered healthy. Tasks for services that do not use a load balancer are considered healthy if they are in the RUNNING state. Tasks for services that use a load balancer are considered healthy if they are in the RUNNING state and the container instance they are hosted on is reported as healthy by the load balancer.
The maximumPercent parameter represents an upper limit on the number of running tasks during task replacement, which enables you to define the replacement batch size. For example, if desiredCount is four tasks, a maximum of 200% starts four new tasks before stopping the four tasks to be drained, provided that the cluster resources required to do this are available. If the maximum is 100%, then replacement tasks can't start until the draining tasks have stopped.
Any PENDING or RUNNING tasks that do not belong to a service are not affected. You must wait for them to finish or stop them manually.
A container instance has completed draining when it has no more RUNNING tasks. You can verify this using ListTasks.
When a container instance has been drained, you can set a container instance to ACTIVE status and once it has reached that status the Amazon ECS scheduler can begin scheduling tasks on the instance again.
Updating the task placement strategies and constraints on an Amazon ECS service remains in preview and is a Beta Service as defined by and subject to the Beta Service Participation Service Terms located at https://aws.amazon.com/service-terms (\"Beta Terms\"). These Beta Terms apply to your participation in this preview.
Modifies the parameters of a service.
For services using the rolling update (ECS) deployment controller, the desired count, deployment configuration, network configuration, task placement constraints and strategies, or task definition used can be updated.
For services using the blue/green (CODE_DEPLOY) deployment controller, only the desired count, deployment configuration, task placement constraints and strategies, and health check grace period can be updated using this API. If the network configuration, platform version, or task definition need to be updated, a new AWS CodeDeploy deployment should be created. For more information, see CreateDeployment in the AWS CodeDeploy API Reference.
For services using an external deployment controller, you can update only the desired count, task placement constraints and strategies, and health check grace period using this API. If the launch type, load balancer, network configuration, platform version, or task definition need to be updated, you should create a new task set. For more information, see CreateTaskSet.
You can add to or subtract from the number of instantiations of a task definition in a service by specifying the cluster that the service is running in and a new desiredCount parameter.
If you have updated the Docker image of your application, you can create a new task definition with that image and deploy it to your service. The service scheduler uses the minimum healthy percent and maximum percent parameters (in the service's deployment configuration) to determine the deployment strategy.
If your updated Docker image uses the same tag as what is in the existing task definition for your service (for example, my_image:latest), you do not need to create a new revision of your task definition. You can update the service using the forceNewDeployment option. The new tasks launched by the deployment pull the current image/tag combination from your repository when they start.
You can also update the deployment configuration of a service. When a deployment is triggered by updating the task definition of a service, the service scheduler uses the deployment configuration parameters, minimumHealthyPercent and maximumPercent, to determine the deployment strategy.
If minimumHealthyPercent is below 100%, the scheduler can ignore desiredCount temporarily during a deployment. For example, if desiredCount is four tasks, a minimum of 50% allows the scheduler to stop two existing tasks before starting two new tasks. Tasks for services that do not use a load balancer are considered healthy if they are in the RUNNING state. Tasks for services that use a load balancer are considered healthy if they are in the RUNNING state and the container instance they are hosted on is reported as healthy by the load balancer.
The maximumPercent parameter represents an upper limit on the number of running tasks during a deployment, which enables you to define the deployment batch size. For example, if desiredCount is four tasks, a maximum of 200% starts four new tasks before stopping the four older tasks (provided that the cluster resources required to do this are available).
When UpdateService stops a task during a deployment, the equivalent of docker stop is issued to the containers running in the task. This results in a SIGTERM and a 30-second timeout, after which SIGKILL is sent and the containers are forcibly stopped. If the container handles the SIGTERM gracefully and exits within 30 seconds from receiving it, no SIGKILL is sent.
When the service scheduler launches new tasks, it determines task placement in your cluster with the following logic:
Determine which of the container instances in your cluster can support your service's task definition (for example, they have the required CPU, memory, ports, and container instance attributes).
By default, the service scheduler attempts to balance tasks across Availability Zones in this manner (although you can choose a different placement strategy):
Sort the valid container instances by the fewest number of running tasks for this service in the same Availability Zone as the instance. For example, if zone A has one running service task and zones B and C each have zero, valid container instances in either zone B or C are considered optimal for placement.
Place the new service task on a valid container instance in an optimal Availability Zone (based on the previous steps), favoring container instances with the fewest number of running tasks for this service.
When the service scheduler stops running tasks, it attempts to maintain balance across the Availability Zones in your cluster using the following logic:
Sort the container instances by the largest number of running tasks for this service in the same Availability Zone as the instance. For example, if zone A has one running service task and zones B and C each have two, container instances in either zone B or C are considered optimal for termination.
Stop the task on a container instance in an optimal Availability Zone (based on the previous steps), favoring container instances with the largest number of running tasks for this service.
Modifies which task set in a service is the primary task set. Any parameters that are updated on the primary task set in a service will transition to the service. This is used when a service uses the EXTERNAL deployment controller type. For more information, see Amazon ECS Deployment Types in the Amazon Elastic Container Service Developer Guide.
If the essential parameter of a container is marked as true, and that container fails or stops for any reason, all other containers that are part of the task are stopped. If the essential parameter of a container is marked as false, then its failure does not affect the rest of the containers in a task. If this parameter is omitted, a container is assumed to be essential.
All tasks must have at least one essential container. If you have an application that is composed of multiple containers, you should group containers that are used for a common purpose into components, and separate the different components into multiple task definitions. For more information, see Application Architecture in the Amazon Elastic Container Service Developer Guide.
", - "ContainerDefinition$disableNetworking": "When this parameter is true, networking is disabled within the container. This parameter maps to NetworkDisabled in the Create a container section of the Docker Remote API.
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
When this parameter is true, networking is disabled within the container. This parameter maps to NetworkDisabled in the Create a container section of the Docker Remote API.
This parameter is not supported for Windows containers.
When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter maps to Privileged in the Create a container section of the Docker Remote API and the --privileged option to docker run.
This parameter is not supported for Windows containers or tasks run on AWS Fargate.
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.
This parameter is not supported for Windows containers.
When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. This parameter maps to OpenStdin in the Create a container section of the Docker Remote API and the --interactive option to docker run.
When this parameter is true, a TTY is allocated. This parameter maps to Tty in the Create a container section of the Docker Remote API and the --tty option to docker run.
If true, allows you to delete a service even if it has not been scaled down to zero tasks. It is only necessary to use this if the service is using the REPLICA scheduling strategy.
The full description of the new capacity provider.
", - "DeleteCapacityProviderResponse$capacityProvider": null, - "UpdateCapacityProviderResponse$capacityProvider": null + "DeleteCapacityProviderResponse$capacityProvider": "The details of the capacity provider.
", + "UpdateCapacityProviderResponse$capacityProvider": "Details about the capacity provider.
" } }, "CapacityProviderField": { @@ -326,9 +326,9 @@ "Clusters$member": null, "CreateClusterResponse$cluster": "The full description of your new cluster.
", "DeleteClusterResponse$cluster": "The full description of the deleted cluster.
", - "PutClusterCapacityProvidersResponse$cluster": null, - "UpdateClusterResponse$cluster": null, - "UpdateClusterSettingsResponse$cluster": null + "PutClusterCapacityProvidersResponse$cluster": "Details about the cluster.
", + "UpdateClusterResponse$cluster": "Details about the cluster.
", + "UpdateClusterSettingsResponse$cluster": "Details about the cluster
" } }, "ClusterConfiguration": { @@ -643,7 +643,7 @@ "DeploymentController": { "base": "The deployment controller to use for the service. For more information, see Amazon ECS Deployment Types in the Amazon Elastic Container Service Developer Guide.
", "refs": { - "CreateServiceRequest$deploymentController": "The deployment controller to use for the service.
", + "CreateServiceRequest$deploymentController": "The deployment controller to use for the service. If no deployment controller is specified, the default value of ECS is used.
The deployment controller type the service is using. When using the DescribeServices API, this field is omitted if the service is using the ECS deployment controller type.
The environment variables to send to the container. You can add new environment variables, which are added to the container at launch, or you can override the existing environment variables from the Docker image or the task definition. You must also specify a container name.
" } }, + "EphemeralStorage": { + "base": "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for AWS Fargate.
This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later.
The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for AWS Fargate.
This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later.
The ephemeral storage settings for the task.
", + "TaskDefinition$ephemeralStorage": "The ephemeral storage settings to use for tasks run with the task definition.
", + "TaskOverride$ephemeralStorage": "The ephemeral storage setting override for the task.
This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later.
The details of the execute command configuration.
", "refs": { @@ -1019,6 +1028,7 @@ "Deployment$pendingCount": "The number of tasks in the deployment that are in the PENDING status.
The number of tasks in the deployment that are in the RUNNING status.
The number of consecutively failed tasks in the deployment. A task is considered a failure if the service scheduler can't launch the task, the task doesn't transition to a RUNNING state, or if it fails any of its defined health checks and is stopped.
Once a service deployment has one or more successfully running tasks, the failed task count resets to zero and stops being evaluated.
The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB.
The maximum number of account setting results returned by ListAccountSettings in paginated output. When this parameter is used, ListAccountSettings only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another ListAccountSettings request with the returned nextToken value. This value can be between 1 and 10. If this parameter is not used, then ListAccountSettings returns up to 10 results and a nextToken value if applicable.
When the integerValue type is set, the value of the resource must be an integer.
The desired number of instantiations of the task definition to keep running on the service. This value is specified when the service is created with CreateService, and it can be modified with UpdateService.
", @@ -1251,7 +1261,7 @@ "base": "The managed scaling settings for the Auto Scaling group capacity provider.
When managed scaling is enabled, Amazon ECS manages the scale-in and scale-out actions of the Auto Scaling group. Amazon ECS manages a target tracking scaling policy using an Amazon ECS-managed CloudWatch metric with the specified targetCapacity value as the target value for the metric. For more information, see Using Managed Scaling in the Amazon Elastic Container Service Developer Guide.
If managed scaling is disabled, the user must manage the scaling of the Auto Scaling group.
", "refs": { "AutoScalingGroupProvider$managedScaling": "The managed scaling settings for the Auto Scaling group capacity provider.
", - "AutoScalingGroupProviderUpdate$managedScaling": null + "AutoScalingGroupProviderUpdate$managedScaling": "The managed scaling settings for the Auto Scaling group capacity provider.
" } }, "ManagedScalingInstanceWarmupPeriod": { @@ -1321,13 +1331,13 @@ "base": "An object representing the network configuration for a task or service.
", "refs": { "CreateServiceRequest$networkConfiguration": "The network configuration for the service. This parameter is required for task definitions that use the awsvpc network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see Task networking in the Amazon Elastic Container Service Developer Guide.
An object representing the network configuration for a task set.
", "Deployment$networkConfiguration": "The VPC subnet and security group configuration for tasks that receive their own elastic network interface by using the awsvpc networking mode.
The network configuration for the task. This parameter is required for task definitions that use the awsvpc network mode to receive their own elastic network interface, and it is not supported for other network modes. For more information, see Task Networking in the Amazon Elastic Container Service Developer Guide.
The VPC subnet and security group configuration for tasks that receive their own elastic network interface by using the awsvpc networking mode.
The VPC subnet and security group configuration for tasks that receive their own elastic network interface by using the awsvpc networking mode.
The network configuration for the task set.
", - "UpdateServiceRequest$networkConfiguration": null + "UpdateServiceRequest$networkConfiguration": "An object representing the network configuration for the service.
" } }, "NetworkInterface": { @@ -1432,7 +1442,7 @@ } }, "PortMapping": { - "base": "Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. The hostPort can be left blank or it must be the same value as the containerPort.
After a task reaches the RUNNING status, manual and automatic host and container port assignments are visible in the networkBindings section of DescribeTasks API responses.
Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.
If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. The hostPort can be left blank or it must be the same value as the containerPort.
You cannot expose the same container port for multiple protocols. An error will be returned if this is attempted
After a task reaches the RUNNING status, manual and automatic host and container port assignments are visible in the networkBindings section of DescribeTasks API responses.
The configuration details for the App Mesh proxy.
For tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent and at least version 1.26.0-1 of the ecs-init package to enable a proxy configuration. If your container instances are launched from the Amazon ECS-optimized AMI version 20190301 or later, then they contain the required versions of the container agent and ecs-init. For more information, see Amazon ECS-optimized Linux AMI
The configuration details for the App Mesh proxy.
For tasks hosted on Amazon EC2 instances, the container instances require at least version 1.26.0 of the container agent and at least version 1.26.0-1 of the ecs-init package to enable a proxy configuration. If your container instances are launched from the Amazon ECS-optimized AMI version 20190301 or later, then they contain the required versions of the container agent and ecs-init. For more information, see Amazon ECS-optimized AMI versions in the Amazon Elastic Container Service Developer Guide.
The configuration details for the App Mesh proxy.
Your Amazon ECS container instances require at least version 1.26.0 of the container agent and at least version 1.26.0-1 of the ecs-init package to enable a proxy configuration. If your container instances are launched from the Amazon ECS-optimized AMI version 20190301 or later, then they contain the required versions of the container agent and ecs-init. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
A floating-point percentage of the desired number of tasks to place and keep running in the task set.
", "refs": { - "CreateTaskSetRequest$scale": null, + "CreateTaskSetRequest$scale": "A floating-point percentage of the desired number of tasks to place and keep running in the task set.
", "TaskSet$scale": "A floating-point percentage of the desired number of tasks to place and keep running in the task set.
", - "UpdateTaskSetRequest$scale": null + "UpdateTaskSetRequest$scale": "A floating-point percentage of the desired number of tasks to place and keep running in the task set.
" } }, "ScaleUnit": { @@ -1694,7 +1704,7 @@ "ServiceRegistries": { "base": null, "refs": { - "CreateServiceRequest$serviceRegistries": "The details of the service discovery registries to assign to this service. For more information, see Service discovery.
Service discovery is supported for Fargate tasks if you are using platform version v1.1.0 or later. For more information, see AWS Fargate platform versions.
The details of the service discovery registry to associate with this service. For more information, see Service discovery.
Each service may be associated with one service registry. Multiple service registries per service isn't supported.
The details of the service discovery registries to assign to this task set. For more information, see Service Discovery.
", "Service$serviceRegistries": "The details of the service discovery registries to assign to this service. For more information, see Service Discovery.
", "TaskSet$serviceRegistries": "The details of the service discovery registries to assign to this task set. For more information, see Service discovery.
" @@ -1722,7 +1732,7 @@ "base": "The current account setting for a resource.
", "refs": { "DeleteAccountSettingResponse$setting": "The account setting for the specified principal ARN.
", - "PutAccountSettingDefaultResponse$setting": null, + "PutAccountSettingDefaultResponse$setting": "The current setting for a resource.
", "PutAccountSettingResponse$setting": "The current account setting for a resource.
", "Settings$member": null } @@ -1817,7 +1827,7 @@ "ContainerDefinition$name": "The name of a container. If you are linking multiple containers together in a task definition, the name of one container can be entered in the links of another container to connect the containers. Up to 255 letters (uppercase and lowercase), numbers, and hyphens are allowed. This parameter maps to name in the Create a container section of the Docker Remote API and the --name option to docker run.
The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with either repository-url/image:tag or repository-url/image@digest . Up to 255 letters (uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps to Image in the Create a container section of the Docker Remote API and the IMAGE parameter of docker run.
When a new task starts, the Amazon ECS container agent pulls the latest version of the specified image and tag for the container to use. However, subsequent updates to a repository image are not propagated to already running tasks.
Images in Amazon ECR repositories can be specified by either using the full registry/repository:tag or registry/repository@digest. For example, 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>:latest or 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>@sha256:94afd1f2e64d908bc90dbca0035a5b567EXAMPLE.
Images in official repositories on Docker Hub use a single name (for example, ubuntu or mongo).
Images in other repositories on Docker Hub are qualified with an organization name (for example, amazon/amazon-ecs-agent).
Images in other online repositories are qualified further by a domain name (for example, quay.io/assemblyline/ubuntu).
The hostname to use for your container. This parameter maps to Hostname in the Create a container section of the Docker Remote API and the --hostname option to docker run.
The hostname parameter is not supported if you are using the awsvpc network mode.
The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run.
When running tasks using the host network mode, you should not run containers using the root user (UID 0). It is considered best practice to use a non-root user.
You can specify the user using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
user
user:group
uid
uid:gid
user:gid
uid:group
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run.
When running tasks using the host network mode, you should not run containers using the root user (UID 0). It is considered best practice to use a non-root user.
You can specify the user using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
user
user:group
uid
uid:gid
user:gid
uid:group
This parameter is not supported for Windows containers.
The working directory in which to run commands inside the container. This parameter maps to WorkingDir in the Create a container section of the Docker Remote API and the --workdir option to docker run.
The name of a container.
", "ContainerInstance$containerInstanceArn": "The Amazon Resource Name (ARN) of the container instance. The ARN contains the arn:aws:ecs namespace, followed by the Region of the container instance, the AWS account ID of the container instance owner, the container-instance namespace, and then the container instance ID. For example, arn:aws:ecs:region:aws_account_id:container-instance/container_instance_ID.
The name of the key-value pair. For environment variables, this is the name of the environment variable.
", "KeyValuePair$value": "The value of the key-value pair. For environment variables, this is the value of the environment variable.
", "ListAccountSettingsRequest$value": "The value of the account settings with which to filter results. You must also specify an account setting name to use this parameter.
", - "ListAccountSettingsRequest$principalArn": "The ARN of the principal, which can be an IAM user, IAM role, or the root user. If this field is omitted, the account settings are listed only for the authenticated user.
", + "ListAccountSettingsRequest$principalArn": "The ARN of the principal, which can be an IAM user, IAM role, or the root user. If this field is omitted, the account settings are listed only for the authenticated user.
Federated users assume the account setting of the root user and can't have explicit account settings set for them.
The nextToken value returned from a ListAccountSettings request indicating that more results are available to fulfill the request and further calls will be needed. If maxResults was provided, it is possible the number of results to be fewer than maxResults.
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value to include in a future ListAccountSettings request. When the results of a ListAccountSettings request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
The short name or full Amazon Resource Name (ARN) of the cluster to list attributes. If you do not specify a cluster, the default cluster is assumed.
", @@ -1968,7 +1978,7 @@ "ProxyConfiguration$containerName": "The name of the container that will serve as the App Mesh proxy.
", "PutAccountSettingDefaultRequest$value": "The account setting value for the specified principal ARN. Accepted values are enabled and disabled.
The account setting value for the specified principal ARN. Accepted values are enabled and disabled.
The ARN of the principal, which can be an IAM user, IAM role, or the root user. If you specify the root user, it modifies the account setting for all IAM users, IAM roles, and the root user of the account unless an IAM user or role explicitly overrides these settings. If this field is omitted, the setting is changed only for the authenticated user.
", + "PutAccountSettingRequest$principalArn": "The ARN of the principal, which can be an IAM user, IAM role, or the root user. If you specify the root user, it modifies the account setting for all IAM users, IAM roles, and the root user of the account unless an IAM user or role explicitly overrides these settings. If this field is omitted, the setting is changed only for the authenticated user.
Federated users assume the account setting of the root user and can't have explicit account settings set for them.
The short name or full Amazon Resource Name (ARN) of the cluster that contains the resource to apply attributes. If you do not specify a cluster, the default cluster is assumed.
", "PutClusterCapacityProvidersRequest$cluster": "The short name or full Amazon Resource Name (ARN) of the cluster to modify the capacity provider settings for. If you do not specify a cluster, the default cluster is assumed.
", "RegisterContainerInstanceRequest$cluster": "The short name or full Amazon Resource Name (ARN) of the cluster with which to register your container instance. If you do not specify a cluster, the default cluster is assumed.
", @@ -2103,11 +2113,11 @@ "AwsVpcConfiguration$subnets": "The IDs of the subnets associated with the task or service. There is a limit of 16 subnets that can be specified per AwsVpcConfiguration.
All specified subnets must be from the same VPC.
The IDs of the security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used. There is a limit of 5 security groups that can be specified per AwsVpcConfiguration.
All specified security groups must be from the same VPC.
The capacity providers associated with the cluster.
", - "ContainerDefinition$links": "The links parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge. The name:internalName construct is analogous to name:alias in Docker links. Up to 255 letters (uppercase and lowercase), numbers, and hyphens are allowed. For more information about linking Docker containers, go to Legacy container links in the Docker documentation. This parameter maps to Links in the Create a container section of the Docker Remote API and the --link option to docker run.
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
Containers that are collocated on a single container instance may be able to communicate with each other without requiring links or host port mappings. Network isolation is achieved on the container instance using security groups and VPC settings.
The links parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge. The name:internalName construct is analogous to name:alias in Docker links. Up to 255 letters (uppercase and lowercase), numbers, and hyphens are allowed. For more information about linking Docker containers, go to Legacy container links in the Docker documentation. This parameter maps to Links in the Create a container section of the Docker Remote API and the --link option to docker run.
This parameter is not supported for Windows containers.
Containers that are collocated on a single container instance may be able to communicate with each other without requiring links or host port mappings. Network isolation is achieved on the container instance using security groups and VPC settings.
Early versions of the Amazon ECS container agent do not properly handle entryPoint parameters. If you have problems using entryPoint, update your container agent or enter your commands and arguments as command array items instead.
The entry point that is passed to the container. This parameter maps to Entrypoint in the Create a container section of the Docker Remote API and the --entrypoint option to docker run. For more information, see https://docs.docker.com/engine/reference/builder/#entrypoint.
The command that is passed to the container. This parameter maps to Cmd in the Create a container section of the Docker Remote API and the COMMAND parameter to docker run. For more information, see https://docs.docker.com/engine/reference/builder/#cmd. If there are multiple arguments, each argument should be a separated string in the array.
A list of DNS servers that are presented to the container. This parameter maps to Dns in the Create a container section of the Docker Remote API and the --dns option to docker run.
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
A list of DNS search domains that are presented to the container. This parameter maps to DnsSearch in the Create a container section of the Docker Remote API and the --dns-search option to docker run.
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
A list of DNS servers that are presented to the container. This parameter maps to Dns in the Create a container section of the Docker Remote API and the --dns option to docker run.
This parameter is not supported for Windows containers.
A list of DNS search domains that are presented to the container. This parameter maps to DnsSearch in the Create a container section of the Docker Remote API and the --dns-search option to docker run.
This parameter is not supported for Windows containers.
A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field is not valid for containers in tasks using the Fargate launch type.
With Windows containers, this parameter can be used to reference a credential spec file when configuring a container for Active Directory authentication. For more information, see Using gMSAs for Windows Containers in the Amazon Elastic Container Service Developer Guide.
This parameter maps to SecurityOpt in the Create a container section of the Docker Remote API and the --security-opt option to docker run.
The Amazon ECS container agent running on a container instance must register with the ECS_SELINUX_CAPABLE=true or ECS_APPARMOR_CAPABLE=true environment variables before containers placed on that instance can use these security options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
For more information about valid values, see Docker Run Security Configuration.
Valid values: \"no-new-privileges\" | \"apparmor:PROFILE\" | \"label:value\" | \"credentialspec:CredentialSpecFilePath\"
", "ContainerOverride$command": "The command to send to the container that overrides the default command from the Docker image or the task definition. You must also specify a container name.
", "CreateClusterRequest$capacityProviders": "The short name of one or more capacity providers to associate with the cluster. A capacity provider must be associated with a cluster before it can be included as part of the default capacity provider strategy of the cluster or used in a capacity provider strategy when calling the CreateService or RunTask actions.
If specifying a capacity provider that uses an Auto Scaling group, the capacity provider must already be created and not already associated with another cluster. New Auto Scaling group capacity providers can be created with the CreateCapacityProvider API operation.
To use a AWS Fargate capacity provider, specify either the FARGATE or FARGATE_SPOT capacity providers. The AWS Fargate capacity providers are available to all accounts and only need to be associated with a cluster to be used.
The PutClusterCapacityProviders API operation is used to update the list of available capacity providers for a cluster after the cluster is created.
", @@ -2339,11 +2349,11 @@ "TaskSet": { "base": "Information about a set of Amazon ECS tasks in either an AWS CodeDeploy or an EXTERNAL deployment. An Amazon ECS task set includes details such as the desired number of tasks, how many tasks are running, and whether the task set serves production traffic.
Information about a set of Amazon ECS tasks in either an AWS CodeDeploy or an EXTERNAL deployment. A task set includes details such as the desired number of tasks, how many tasks are running, and whether the task set serves production traffic.
Details about the task set.
", "TaskSets$member": null, - "UpdateServicePrimaryTaskSetResponse$taskSet": null, - "UpdateTaskSetResponse$taskSet": null + "UpdateServicePrimaryTaskSetResponse$taskSet": "Details about the task set.
", + "UpdateTaskSetResponse$taskSet": "Details about the task set.
" } }, "TaskSetField": { @@ -2431,7 +2441,7 @@ } }, "Ulimit": { - "base": "The ulimit settings to pass to the container.
The ulimit settings to pass to the container.
Amazon ECS tasks hosted on Fargate use the default resource limit values set by the operating system with the exception of the nofile resource limit parameter which Fargate overrides. The nofile resource limit sets a restriction on the number of open files that a container can use. The default nofile soft limit is 1024 and hard limit is 4096.
A list of ulimits to set in the container. If a ulimit value is specified in a task definition, it will override the default values set by Docker. This parameter maps to Ulimits in the Create a container section of the Docker Remote API and the --ulimit option to docker run. Valid naming values are displayed in the Ulimit data type. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
This parameter is not supported for Windows containers or tasks that use the awsvpc network mode.
A list of ulimits to set in the container. If a ulimit value is specified in a task definition, it will override the default values set by Docker. This parameter maps to Ulimits in the Create a container section of the Docker Remote API and the --ulimit option to docker run. Valid naming values are displayed in the Ulimit data type.
Amazon ECS tasks hosted on Fargate use the default resource limit values set by the operating system with the exception of the nofile resource limit parameter which Fargate overrides. The nofile resource limit sets a restriction on the number of open files that a container can use. The default nofile soft limit is 1024 and hard limit is 4096.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
This parameter is not supported for Windows containers.
The current status of the account as the delegated administrator of Amazon Macie for the organization.
" } }, + "AllowsUnencryptedObjectUploads" : { + "base" : null, + "refs" : { + "BucketMetadata$AllowsUnencryptedObjectUploads" : "Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include the x-amz-server-side-encryption header and the value for that header must be AES256 or aws:kms.
TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include the x-amz-server-side-encryption header and it doesn't require the value for that header to be AES256 or aws:kms.
UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include the x-amz-server-side-encryption header and the value for that header must be AES256 or aws:kms.
TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include the x-amz-server-side-encryption header and it doesn't require the value for that header to be AES256 or aws:kms.
UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of objects.
Provides information about an API operation that an entity invoked for an affected resource.
", "refs" : { @@ -149,15 +156,21 @@ } }, "BucketCountByEncryptionType" : { - "base" : "Provides information about the number of S3 buckets that use certain types of server-side encryption by default or don't encrypt new objects by default.
", + "base" : "Provides information about the number of S3 buckets that use certain types of server-side encryption by default or don't encrypt new objects by default. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.
", "refs" : { - "GetBucketStatisticsResponse$BucketCountByEncryptionType" : "The total number of buckets, grouped by default server-side encryption type. This object also reports the total number of buckets that don't encrypt new objects by default.
" + "GetBucketStatisticsResponse$BucketCountByEncryptionType" : "The total number of buckets that use certain types of server-side encryption to encrypt new objects by default. This object also reports the total number of buckets that don't encrypt new objects by default.
" } }, "BucketCountBySharedAccessType" : { - "base" : "Provides information about the number of S3 buckets that are shared with other AWS accounts.
", + "base" : "Provides information about the number of S3 buckets that are and aren't shared with other AWS accounts.
", + "refs" : { + "GetBucketStatisticsResponse$BucketCountBySharedAccessType" : "The total number of buckets that are and aren't shared with another AWS account.
" + } + }, + "BucketCountPolicyAllowsUnencryptedObjectUploads" : { + "base" : "Provides information about the number of S3 buckets whose bucket policies do and don't require server-side encryption of objects when objects are uploaded to the buckets.
", "refs" : { - "GetBucketStatisticsResponse$BucketCountBySharedAccessType" : "The total number of buckets that are shared with another AWS account.
" + "GetBucketStatisticsResponse$BucketCountByObjectEncryptionRequirement" : "The total number of buckets whose bucket policies do and don't require server-side encryption of objects when objects are uploaded to the buckets.
" } }, "BucketCriteria" : { @@ -187,11 +200,11 @@ "BucketPermissionConfiguration" : { "base" : "Provides information about the account-level and bucket-level permissions settings for an S3 bucket.
", "refs" : { - "BucketPublicAccess$PermissionConfiguration" : "The account-level and bucket-level permissions for the bucket.
" + "BucketPublicAccess$PermissionConfiguration" : "The account-level and bucket-level permissions settings for the bucket.
" } }, "BucketPolicy" : { - "base" : "Provides information about the permissions settings of a bucket policy for an S3 bucket.
", + "base" : "Provides information about the permissions settings of the bucket policy for an S3 bucket.
", "refs" : { "BucketLevelPermissions$BucketPolicy" : "The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.
" } @@ -974,7 +987,7 @@ "S3BucketOwner" : { "base" : "Provides information about the user who owns an S3 bucket.
", "refs" : { - "S3Bucket$Owner" : "The display name and account identifier for the user who owns the bucket.
" + "S3Bucket$Owner" : "The display name and AWS account ID for the user who owns the bucket.
" } }, "S3Destination" : { @@ -1512,7 +1525,7 @@ "BucketCriteriaAdditionalProperties$Neq" : "The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
", "CreateClassificationJobRequest$CustomDataIdentifierIds" : "The custom data identifiers to use for data analysis and classification.
", "CreateCustomDataIdentifierRequest$IgnoreWords" : "An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive.
", - "CreateCustomDataIdentifierRequest$Keywords" : "An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 4 - 90 characters. Keywords aren't case sensitive.
", + "CreateCustomDataIdentifierRequest$Keywords" : "An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive.
", "CreateInvitationsRequest$AccountIds" : "An array that lists AWS account IDs, one for each account to send the invitation to.
", "CriterionAdditionalProperties$Eq" : "The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
", "CriterionAdditionalProperties$EqExactMatch" : "The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
", @@ -1529,7 +1542,7 @@ "S3BucketDefinitionForJob$Buckets" : "An array that lists the names of the buckets.
", "SimpleScopeTerm$Values" : "An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses an OR operator to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
OBJECT_EXTENSION - A string that represents the file name extension of an object. For example: docx or pdf
OBJECT_KEY - A string that represents the key prefix (folder name or path) of an object. For example: logs or awslogs/eventlogs. This value applies a condition to objects whose keys (names) begin with the specified value.
OBJECT_LAST_MODIFIED_DATE - The date and time (in UTC and extended ISO 8601 format) when an object was created or last changed, whichever is latest. For example: 2020-09-28T14:31:13Z
OBJECT_SIZE - An integer that represents the storage size (in bytes) of an object.
TAG - A string that represents a tag key for an object. For advanced options, use a TagScopeTerm object, instead of a SimpleScopeTerm object, to define a tag-based condition for the job.
Macie doesn't support use of wildcard characters in values. Also, string values are case sensitive.
", "TestCustomDataIdentifierRequest$IgnoreWords" : "An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive.
", - "TestCustomDataIdentifierRequest$Keywords" : "An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 4 - 90 characters. Keywords aren't case sensitive.
", + "TestCustomDataIdentifierRequest$Keywords" : "An array that lists specific character sequences (keywords), one of which must be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive.
", "UsageStatisticsFilter$Values" : "An array that lists values to use in the condition, based on the value for the field specified by the key property. If the value for the key property is accountId, this array can specify multiple values. Otherwise, this array can specify only one value.
Valid values for each supported field are:
accountId - The unique identifier for an AWS account.
freeTrialStartDate - The date and time, in UTC and extended ISO 8601 format, when the free trial started for an account.
serviceLimit - A Boolean (true or false) value that indicates whether an account has reached its monthly quota.
total - A string that represents the current estimated cost for an account.
The total number of buckets that allow the general public to have read access to the bucket.
", "BucketCountByEffectivePermission$PubliclyWritable" : "The total number of buckets that allow the general public to have write access to the bucket.
", "BucketCountByEffectivePermission$Unknown" : "The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.
", - "BucketCountByEncryptionType$KmsManaged" : "The total number of buckets that use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt new objects by default. These buckets use AWS managed AWS KMS encryption (AWS-KMS) or customer managed AWS KMS encryption (SSE-KMS).
", - "BucketCountByEncryptionType$S3Managed" : "The total number of buckets that use an Amazon S3 managed key to encrypt new objects by default. These buckets use Amazon S3 managed encryption (SSE-S3).
", + "BucketCountByEncryptionType$KmsManaged" : "The total number of buckets that use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt new objects by default. These buckets use AWS managed AWS KMS encryption (AWS-KMS) or customer managed AWS KMS encryption (SSE-KMS) by default.
", + "BucketCountByEncryptionType$S3Managed" : "The total number of buckets that use an Amazon S3 managed key to encrypt new objects by default. These buckets use Amazon S3 managed encryption (SSE-S3) by default.
", "BucketCountByEncryptionType$Unencrypted" : "The total number of buckets that don't encrypt new objects by default. Default encryption is disabled for these buckets.
", + "BucketCountByEncryptionType$Unknown" : "The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.
", "BucketCountBySharedAccessType$External" : "The total number of buckets that are shared with an AWS account that isn't part of the same Amazon Macie organization.
", "BucketCountBySharedAccessType$Internal" : "The total number of buckets that are shared with an AWS account that's part of the same Amazon Macie organization.
", "BucketCountBySharedAccessType$NotShared" : "The total number of buckets that aren't shared with other AWS accounts.
", "BucketCountBySharedAccessType$Unknown" : "The total number of buckets that Amazon Macie wasn't able to evaluate shared access settings for. Macie can't determine whether these buckets are shared with other AWS accounts.
", + "BucketCountPolicyAllowsUnencryptedObjectUploads$AllowsUnencryptedObjectUploads" : "The total number of buckets that don't have a bucket policy or have a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, the policy doesn't require PutObject requests to include the x-amz-server-side-encryption header and it doesn't require the value for that header to be AES256 or aws:kms.
", + "BucketCountPolicyAllowsUnencryptedObjectUploads$DeniesUnencryptedObjectUploads" : "The total number of buckets whose bucket policies require server-side encryption of new objects. PutObject requests for these buckets must include the x-amz-server-side-encryption header and the value for that header must be AES256 or aws:kms.
", + "BucketCountPolicyAllowsUnencryptedObjectUploads$Unknown" : "The total number of buckets that Amazon Macie wasn't able to evaluate server-side encryption requirements for. Macie can't determine whether the bucket policies for these buckets require server-side encryption of new objects.
", "BucketCriteriaAdditionalProperties$Gt" : "The value for the property is greater than the specified value.
", "BucketCriteriaAdditionalProperties$Gte" : "The value for the property is greater than or equal to the specified value.
", "BucketCriteriaAdditionalProperties$Lt" : "The value for the property is less than the specified value.
", @@ -1579,6 +1596,7 @@ "ObjectCountByEncryptionType$KmsManaged" : "The total number of objects that are encrypted using an AWS Key Management Service (AWS KMS) customer master key (CMK). The objects use AWS managed AWS KMS encryption (AWS-KMS) or customer managed AWS KMS encryption (SSE-KMS).
", "ObjectCountByEncryptionType$S3Managed" : "The total number of objects that are encrypted using an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
", "ObjectCountByEncryptionType$Unencrypted" : "The total number of objects that aren't encrypted or use client-side encryption.
", + "ObjectCountByEncryptionType$Unknown" : "The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
", "ObjectLevelStatistics$FileType" : "The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
", "ObjectLevelStatistics$StorageClass" : "The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
", "ObjectLevelStatistics$Total" : "The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
", diff --git a/models/apis/organizations/2016-11-28/docs-2.json b/models/apis/organizations/2016-11-28/docs-2.json index b8cb2aa4130..808ed76b2eb 100644 --- a/models/apis/organizations/2016-11-28/docs-2.json +++ b/models/apis/organizations/2016-11-28/docs-2.json @@ -1,11 +1,11 @@ { "version": "2.0", - "service": "AWS Organizations is a web service that enables you to consolidate your multiple AWS accounts into an organization and centrally manage your accounts and their resources.
This guide provides descriptions of the Organizations operations. For more information about using this service, see the AWS Organizations User Guide.
Support and feedback for AWS Organizations
We welcome your feedback. Send your comments to feedback-awsorganizations@amazon.com or post your feedback and questions in the AWS Organizations support forum. For more information about the AWS support forums, see Forums Help.
Endpoint to call When using the AWS CLI or the AWS SDK
For the current release of Organizations, specify the us-east-1 region for all AWS API and AWS CLI calls made from the commercial AWS Regions outside of China. If calling from one of the AWS Regions in China, then specify cn-northwest-1. You can do this in the AWS CLI by using these parameters and commands:
Use the following parameter with each command to specify both the endpoint and its region:
--endpoint-url https://organizations.us-east-1.amazonaws.com (from commercial AWS Regions outside of China)
or
--endpoint-url https://organizations.cn-northwest-1.amazonaws.com.cn (from AWS Regions in China)
Use the default endpoint, but configure your default region with this command:
aws configure set default.region us-east-1 (from commercial AWS Regions outside of China)
or
aws configure set default.region cn-northwest-1 (from AWS Regions in China)
Use the following parameter with each command to specify the endpoint:
--region us-east-1 (from commercial AWS Regions outside of China)
or
--region cn-northwest-1 (from AWS Regions in China)
Recording API Requests
AWS Organizations supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by AWS CloudTrail, you can determine which requests the Organizations service received, who made the request and when, and so on. For more about AWS Organizations and its support for AWS CloudTrail, see Logging AWS Organizations Events with AWS CloudTrail in the AWS Organizations User Guide. To learn more about AWS CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
", "operations": { "AcceptHandshake": "Sends a response to the originator of a handshake agreeing to the action proposed by the handshake request.
This operation can be called only by the following principals when they also have the relevant IAM permissions:
Invitation to join or Approve all features request handshakes: only a principal from the member account.
The user who calls the API for an invitation to join must have the organizations:AcceptHandshake permission. If you enabled all features in the organization, the user must also have the iam:CreateServiceLinkedRole permission so that AWS Organizations can create the required service-linked role named AWSServiceRoleForOrganizations. For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide.
Enable all features final confirmation handshake: only a principal from the management account.
For more information about invitations, see Inviting an AWS Account to Join Your Organization in the AWS Organizations User Guide. For more information about requests to enable all features in the organization, see Enabling All Features in Your Organization in the AWS Organizations User Guide.
After you accept a handshake, it continues to appear in the results of relevant APIs for only 30 days. After that, it's deleted.
", "AttachPolicy": "Attaches a policy to a root, an organizational unit (OU), or an individual account. How the policy affects accounts depends on the type of policy. Refer to the AWS Organizations User Guide for information about each policy type:
This operation can be called only from the organization's management account.
", "CancelHandshake": "Cancels a handshake. Canceling a handshake sets the handshake state to CANCELED.
This operation can be called only from the account that originated the handshake. The recipient of the handshake can't cancel it, but can use DeclineHandshake instead. After a handshake is canceled, the recipient can no longer respond to that handshake.
After you cancel a handshake, it continues to appear in the results of relevant APIs for only 30 days. After that, it's deleted.
", - "CreateAccount": "Creates an AWS account that is automatically a member of the organization whose credentials made the request. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
Use the Id member of the CreateAccountStatus response element from this operation to provide as a parameter to the DescribeCreateAccountStatus operation.
Check the AWS CloudTrail log for the CreateAccountResult event. For information on using AWS CloudTrail with AWS Organizations, see Monitoring the Activity in Your Organization in the AWS Organizations User Guide.
The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations. For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide.
If the request includes tags, then the requester must have the organizations:TagResource permission.
AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
This operation can be called only from the organization's management account.
For more information about creating accounts, see Creating an AWS Account in Your Organization in the AWS Organizations User Guide.
When you create an account in an organization using the AWS Organizations console, API, or CLI commands, the information required for the account to operate as a standalone account, such as a payment method and signing the end user license agreement (EULA) is not automatically collected. If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide.
If you get an exception that indicates that you exceeded your account limits for the organization, contact AWS Support.
If you get an exception that indicates that the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support.
Using CreateAccount to create multiple temporary accounts isn't recommended. You can only close an account from the Billing and Cost Management Console, and you must be signed in as the root user. For information on the requirements and process for closing an account, see Closing an AWS Account in the AWS Organizations User Guide.
When you create a member account with this operation, you can choose whether to create the account with the IAM User and Role Access to Billing Information switch enabled. If you enable it, IAM users and roles that have appropriate permissions can view billing information for the account. If you disable it, only the account root user can access billing information. For information about how to disable this switch for an account, see Granting Access to Your Billing Information and Tools.
Creates an AWS account that is automatically a member of the organization whose credentials made the request. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
Use the Id member of the CreateAccountStatus response element from this operation to provide as a parameter to the DescribeCreateAccountStatus operation.
Check the AWS CloudTrail log for the CreateAccountResult event. For information on using AWS CloudTrail with AWS Organizations, see Logging and monitoring in AWS Organizations in the AWS Organizations User Guide.
The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations. For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide.
If the request includes tags, then the requester must have the organizations:TagResource permission.
AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
This operation can be called only from the organization's management account.
For more information about creating accounts, see Creating an AWS Account in Your Organization in the AWS Organizations User Guide.
When you create an account in an organization using the AWS Organizations console, API, or CLI commands, the information required for the account to operate as a standalone account, such as a payment method and signing the end user license agreement (EULA) is not automatically collected. If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide.
If you get an exception that indicates that you exceeded your account limits for the organization, contact AWS Support.
If you get an exception that indicates that the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support.
Using CreateAccount to create multiple temporary accounts isn't recommended. You can only close an account from the Billing and Cost Management Console, and you must be signed in as the root user. For information on the requirements and process for closing an account, see Closing an AWS Account in the AWS Organizations User Guide.
When you create a member account with this operation, you can choose whether to create the account with the IAM User and Role Access to Billing Information switch enabled. If you enable it, IAM users and roles that have appropriate permissions can view billing information for the account. If you disable it, only the account root user can access billing information. For information about how to disable this switch for an account, see Granting Access to Your Billing Information and Tools.
This action is available if all of the following are true:
You're authorized to create accounts in the AWS GovCloud (US) Region. For more information on the AWS GovCloud (US) Region, see the AWS GovCloud User Guide.
You already have an account in the AWS GovCloud (US) Region that is paired with a management account of an organization in the commercial Region.
You call this action from the management account of your organization in the commercial Region.
You have the organizations:CreateGovCloudAccount permission.
AWS Organizations automatically creates the required service-linked role named AWSServiceRoleForOrganizations. For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide.
AWS automatically enables AWS CloudTrail for AWS GovCloud (US) accounts, but you should also do the following:
Verify that AWS CloudTrail is enabled to store logs.
Create an S3 bucket for AWS CloudTrail log storage.
For more information, see Verifying AWS CloudTrail Is Enabled in the AWS GovCloud User Guide.
If the request includes tags, then the requester must have the organizations:TagResource permission. The tags are attached to the commercial account associated with the GovCloud account, rather than the GovCloud account itself. To add tags to the GovCloud account, call the TagResource operation in the GovCloud Region after the new GovCloud account exists.
You call this action from the management account of your organization in the commercial Region to create a standalone AWS account in the AWS GovCloud (US) Region. After the account is created, the management account of an organization in the AWS GovCloud (US) Region can invite it to that organization. For more information on inviting standalone accounts in the AWS GovCloud (US) to join an organization, see AWS Organizations in the AWS GovCloud User Guide.
Calling CreateGovCloudAccount is an asynchronous request that AWS performs in the background. Because CreateGovCloudAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
Use the OperationId response element from this operation to provide as a parameter to the DescribeCreateAccountStatus operation.
Check the AWS CloudTrail log for the CreateAccountResult event. For information on using AWS CloudTrail with Organizations, see Monitoring the Activity in Your Organization in the AWS Organizations User Guide.
When you call the CreateGovCloudAccount action, you create two accounts: a standalone account in the AWS GovCloud (US) Region and an associated account in the commercial Region for billing and support purposes. The account in the commercial Region is automatically a member of the organization whose credentials made the request. Both accounts are associated with the same email address.
A role is created in the new account in the commercial Region that allows the management account in the organization in the commercial Region to assume it. An AWS GovCloud (US) account is then created and associated with the commercial account that you just created. A role is also created in the new AWS GovCloud (US) account that can be assumed by the AWS GovCloud (US) account that is associated with the management account of the commercial organization. For more information and to view a diagram that explains how account access works, see AWS Organizations in the AWS GovCloud User Guide.
For more information about creating accounts, see Creating an AWS Account in Your Organization in the AWS Organizations User Guide.
When you create an account in an organization using the AWS Organizations console, API, or CLI commands, the information required for the account to operate as a standalone account is not automatically collected. This includes a payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide.
If you get an exception that indicates that you exceeded your account limits for the organization, contact AWS Support.
If you get an exception that indicates that the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support.
Using CreateGovCloudAccount to create multiple temporary accounts isn't recommended. You can only close an account from the AWS Billing and Cost Management console, and you must be signed in as the root user. For information on the requirements and process for closing an account, see Closing an AWS Account in the AWS Organizations User Guide.
When you create a member account with this operation, you can choose whether to create the account with the IAM User and Role Access to Billing Information switch enabled. If you enable it, IAM users and roles that have appropriate permissions can view billing information for the account. If you disable it, only the account root user can access billing information. For information about how to disable this switch for an account, see Granting Access to Your Billing Information and Tools.
Creates an AWS organization. The account whose user is calling the CreateOrganization operation automatically becomes the management account of the new organization.
This operation must be called using credentials from the account that is to become the new organization's management account. The principal must also have the relevant IAM permissions.
By default (or if you set the FeatureSet parameter to ALL), the new organization is created with all features enabled and service control policies automatically enabled in the root. If you instead choose to create the organization supporting only the consolidated billing features by setting the FeatureSet parameter to CONSOLIDATED_BILLING\", no policy types are enabled by default, and you can't use organization policies
Creates an organizational unit (OU) within a root or parent OU. An OU is a container for accounts that enables you to organize your accounts to apply policies according to your business requirements. The number of levels deep that you can nest OUs is dependent upon the policy types enabled for that root. For service control policies, the limit is five.
For more information about OUs, see Managing Organizational Units in the AWS Organizations User Guide.
If the request includes tags, then the requester must have the organizations:TagResource permission.
This operation can be called only from the organization's management account.
", @@ -29,7 +29,7 @@ "EnableAllFeatures": "Enables all features in an organization. This enables the use of organization policies that can restrict the services and actions that can be called in each account. Until you enable all features, you have access only to consolidated billing, and you can't use any of the advanced account administration features that AWS Organizations supports. For more information, see Enabling All Features in Your Organization in the AWS Organizations User Guide.
This operation is required only for organizations that were created explicitly with only the consolidated billing features enabled. Calling this operation sends a handshake to every invited account in the organization. The feature set change can be finalized and the additional features enabled only after all administrators in the invited accounts approve the change by accepting the handshake.
After you enable all features, you can separately enable or disable individual policy types in a root using EnablePolicyType and DisablePolicyType. To see the status of policy types in a root, use ListRoots.
After all invited member accounts accept the handshake, you finalize the feature set change by accepting the handshake that contains \"Action\": \"ENABLE_ALL_FEATURES\". This completes the change.
After you enable all features in your organization, the management account in the organization can apply policies on all member accounts. These policies can restrict what users and even administrators in those accounts can do. The management account can apply policies that prevent accounts from leaving the organization. Ensure that your account administrators are aware of this.
This operation can be called only from the organization's management account.
", "EnablePolicyType": "Enables a policy type in a root. After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root. You can undo this by using the DisablePolicyType operation.
This is an asynchronous request that AWS performs in the background. AWS recommends that you first use ListRoots to see the status of policy types for a specified root, and then use this operation.
This operation can be called only from the organization's management account.
You can enable a policy type in a root only if that policy type is available in the organization. To view the status of available policy types in the organization, use DescribeOrganization.
", "InviteAccountToOrganization": "Sends an invitation to another account to join your organization as a member account. AWS Organizations sends email on your behalf to the email address that is associated with the other account's owner. The invitation is implemented as a Handshake whose details are in the response.
You can invite AWS accounts only from the same seller as the management account. For example, if your organization's management account was created by Amazon Internet Services Pvt. Ltd (AISPL), an AWS seller in India, you can invite only other AISPL accounts to your organization. You can't combine accounts from AISPL and AWS or from any other AWS seller. For more information, see Consolidated Billing in India.
If you receive an exception that indicates that you exceeded your account limits for the organization or that the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists after an hour, contact AWS Support.
If the request includes tags, then the requester must have the organizations:TagResource permission.
This operation can be called only from the organization's management account.
", - "LeaveOrganization": "Removes a member account from its parent organization. This version of the operation is performed by the account that wants to leave. To remove a member account as a user in the management account, use RemoveAccountFromOrganization instead.
This operation can be called only from a member account in the organization.
The management account in an organization with all features enabled can set service control policies (SCPs) that can restrict what administrators of member accounts can do. This includes preventing them from successfully calling LeaveOrganization and leaving the organization.
You can leave an organization as a member account only if the account is configured with the information required to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or CLI commands, the information required of standalone accounts is not automatically collected. For each account that you want to make standalone, you must perform the following steps. If any of the steps are already completed for this account, that step doesn't appear.
Choose a support plan
Provide and verify the required contact information
Provide a current payment method
AWS uses the payment method to charge for any billable (not free tier) AWS activity that occurs while the account isn't attached to an organization. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
The account that you want to leave must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization.
You can leave an organization only after you enable IAM user access to billing in your account. For more information, see Activating Access to the Billing and Cost Management Console in the AWS Billing and Cost Management User Guide.
After the account leaves the organization, all tags that were attached to the account object in the organization are deleted. AWS accounts outside of an organization do not support tags.
Removes a member account from its parent organization. This version of the operation is performed by the account that wants to leave. To remove a member account as a user in the management account, use RemoveAccountFromOrganization instead.
This operation can be called only from a member account in the organization.
The management account in an organization with all features enabled can set service control policies (SCPs) that can restrict what administrators of member accounts can do. This includes preventing them from successfully calling LeaveOrganization and leaving the organization.
You can leave an organization as a member account only if the account is configured with the information required to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or CLI commands, the information required of standalone accounts is not automatically collected. For each account that you want to make standalone, you must perform the following steps. If any of the steps are already completed for this account, that step doesn't appear.
Choose a support plan
Provide and verify the required contact information
Provide a current payment method
AWS uses the payment method to charge for any billable (not free tier) AWS activity that occurs while the account isn't attached to an organization. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
The account that you want to leave must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization.
You can leave an organization only after you enable IAM user access to billing in your account. For more information, see Activating Access to the Billing and Cost Management Console in the AWS Billing and Cost Management User Guide.
After the account leaves the organization, all tags that were attached to the account object in the organization are deleted. AWS accounts outside of an organization do not support tags.
A newly created account has a waiting period before it can be removed from its organization. If you get an error that indicates that a wait period is required, then try again in a few days.
Returns a list of the AWS services that you enabled to integrate with your organization. After a service on this list creates the resources that it requires for the integration, it can perform operations on your organization and its accounts.
For more information about integrating other services with AWS Organizations, including the list of services that currently work with Organizations, see Integrating AWS Organizations with Other AWS Services in the AWS Organizations User Guide.
This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an AWS service.
", "ListAccounts": "Lists all the accounts in the organization. To request only the accounts in a specified root or organizational unit (OU), use the ListAccountsForParent operation instead.
Always check the NextToken response parameter for a null value when calling a List* operation. These operations can occasionally return an empty set of results even when there are more results available. The NextToken response parameter value is null only when there are no more results to display.
This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an AWS service.
", "ListAccountsForParent": "Lists the accounts in an organization that are contained by the specified target root or organizational unit (OU). If you specify the root, you get a list of all the accounts that aren't in any OU. If you specify an OU, you get a list of all the accounts in only that OU and not in any child OUs. To get a list of all accounts in the organization, use the ListAccounts operation.
Always check the NextToken response parameter for a null value when calling a List* operation. These operations can occasionally return an empty set of results even when there are more results available. The NextToken response parameter value is null only when there are no more results to display.
This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an AWS service.
", @@ -238,7 +238,7 @@ } }, "ConstraintViolationException": { - "base": "Performing this operation violates a minimum or maximum value limit. For example, attempting to remove the last service control policy (SCP) from an OU or root, inviting or creating too many accounts to the organization, or attaching too many policies to an account, OU, or root. This exception includes a reason that contains additional information about the violated limit:
Some of the reasons in the following list might not be applicable to this specific API or operation.
ACCOUNT_CANNOT_LEAVE_ORGANIZAION: You attempted to remove the management account from the organization. You can't remove the management account. Instead, after you remove all member accounts, delete the organization itself.
ACCOUNT_CANNOT_LEAVE_WITHOUT_EULA: You attempted to remove an account from the organization that doesn't yet have enough information to exist as a standalone account. This account requires you to first agree to the AWS Customer Agreement. Follow the steps at Removing a member account from your organizationin the AWS Organizations User Guide.
ACCOUNT_CANNOT_LEAVE_WITHOUT_PHONE_VERIFICATION: You attempted to remove an account from the organization that doesn't yet have enough information to exist as a standalone account. This account requires you to first complete phone verification. Follow the steps at Removing a member account from your organization in the AWS Organizations User Guide.
ACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts that you can create in one day.
ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of accounts in an organization. If you need more accounts, contact AWS Support to request an increase in your limit.
Or the number of invitations that you tried to send would cause you to exceed the limit of accounts in your organization. Send fewer invitations or contact AWS Support to request an increase in the number of accounts.
Deleted and closed accounts still count toward your limit.
If you get this exception when running a command immediately after creating the organization, wait one hour and try again. After an hour, if the command continues to fail with this error, contact AWS Support.
CANNOT_REGISTER_MASTER_AS_DELEGATED_ADMINISTRATOR: You attempted to register the management account of the organization as a delegated administrator for an AWS service integrated with Organizations. You can designate only a member account as a delegated administrator.
CANNOT_REMOVE_DELEGATED_ADMINISTRATOR_FROM_ORG: You attempted to remove an account that is registered as a delegated administrator for a service integrated with your organization. To complete this operation, you must first deregister this account as a delegated administrator.
CREATE_ORGANIZATION_IN_BILLING_MODE_UNSUPPORTED_REGION: To create an organization in the specified region, you must enable all features mode.
DELEGATED_ADMINISTRATOR_EXISTS_FOR_THIS_SERVICE: You attempted to register an AWS account as a delegated administrator for an AWS service that already has a delegated administrator. To complete this operation, you must first deregister any existing delegated administrators for this service.
EMAIL_VERIFICATION_CODE_EXPIRED: The email verification code is only valid for a limited period of time. You must resubmit the request and generate a new verfication code.
HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes that you can send in one day.
MASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in this organization, you first must migrate the organization's management account to the marketplace that corresponds to the management account's address. For example, accounts with India addresses must be associated with the AISPL marketplace. All accounts in an organization must be associated with the same marketplace.
MASTER_ACCOUNT_MISSING_BUSINESS_LICENSE: Applies only to the AWS Regions in China. To create an organization, the master must have an valid business license. For more information, contact customer support.
MASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first provide a valid contact address and phone number for the management account. Then try the operation again.
MASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED: To complete this operation, the management account must have an associated account in the AWS GovCloud (US-West) Region. For more information, see AWS Organizations in the AWS GovCloud User Guide.
MASTER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To create an organization with this management account, you first must associate a valid payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
MAX_DELEGATED_ADMINISTRATORS_FOR_SERVICE_LIMIT_EXCEEDED: You attempted to register more delegated administrators than allowed for the service principal.
MAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of policies of a certain type that can be attached to an entity at one time.
MAX_TAG_LIMIT_EXCEEDED: You have exceeded the number of tags allowed on this resource.
MEMBER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To complete this operation with this member account, you first must associate a valid payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an entity that would cause the entity to have fewer than the minimum number of policies of a certain type required.
ORGANIZATION_NOT_IN_ALL_FEATURES_MODE: You attempted to perform an operation that requires the organization to be configured to support all features. An organization that supports only consolidated billing features can't perform this operation.
OU_DEPTH_LIMIT_EXCEEDED: You attempted to create an OU tree that is too many levels deep.
OU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of OUs that you can have in an organization.
POLICY_CONTENT_LIMIT_EXCEEDED: You attempted to create a policy that is larger than the maximum size.
POLICY_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of policies that you can have in an organization.
TAG_POLICY_VIOLATION: You attempted to create or update a resource with tags that are not compliant with the tag policy requirements for this account.
Performing this operation violates a minimum or maximum value limit. For example, attempting to remove the last service control policy (SCP) from an OU or root, inviting or creating too many accounts to the organization, or attaching too many policies to an account, OU, or root. This exception includes a reason that contains additional information about the violated limit:
Some of the reasons in the following list might not be applicable to this specific API or operation.
ACCOUNT_CANNOT_LEAVE_ORGANIZATION: You attempted to remove the management account from the organization. You can't remove the management account. Instead, after you remove all member accounts, delete the organization itself.
ACCOUNT_CANNOT_LEAVE_WITHOUT_EULA: You attempted to remove an account from the organization that doesn't yet have enough information to exist as a standalone account. This account requires you to first agree to the AWS Customer Agreement. Follow the steps at Removing a member account from your organizationin the AWS Organizations User Guide.
ACCOUNT_CANNOT_LEAVE_WITHOUT_PHONE_VERIFICATION: You attempted to remove an account from the organization that doesn't yet have enough information to exist as a standalone account. This account requires you to first complete phone verification. Follow the steps at Removing a member account from your organization in the AWS Organizations User Guide.
ACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts that you can create in one day.
ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of accounts in an organization. If you need more accounts, contact AWS Support to request an increase in your limit.
Or the number of invitations that you tried to send would cause you to exceed the limit of accounts in your organization. Send fewer invitations or contact AWS Support to request an increase in the number of accounts.
Deleted and closed accounts still count toward your limit.
If you get this exception when running a command immediately after creating the organization, wait one hour and try again. After an hour, if the command continues to fail with this error, contact AWS Support.
CANNOT_REGISTER_MASTER_AS_DELEGATED_ADMINISTRATOR: You attempted to register the management account of the organization as a delegated administrator for an AWS service integrated with Organizations. You can designate only a member account as a delegated administrator.
CANNOT_REMOVE_DELEGATED_ADMINISTRATOR_FROM_ORG: You attempted to remove an account that is registered as a delegated administrator for a service integrated with your organization. To complete this operation, you must first deregister this account as a delegated administrator.
CREATE_ORGANIZATION_IN_BILLING_MODE_UNSUPPORTED_REGION: To create an organization in the specified region, you must enable all features mode.
DELEGATED_ADMINISTRATOR_EXISTS_FOR_THIS_SERVICE: You attempted to register an AWS account as a delegated administrator for an AWS service that already has a delegated administrator. To complete this operation, you must first deregister any existing delegated administrators for this service.
EMAIL_VERIFICATION_CODE_EXPIRED: The email verification code is only valid for a limited period of time. You must resubmit the request and generate a new verfication code.
HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes that you can send in one day.
MASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in this organization, you first must migrate the organization's management account to the marketplace that corresponds to the management account's address. For example, accounts with India addresses must be associated with the AISPL marketplace. All accounts in an organization must be associated with the same marketplace.
MASTER_ACCOUNT_MISSING_BUSINESS_LICENSE: Applies only to the AWS Regions in China. To create an organization, the master must have a valid business license. For more information, contact customer support.
MASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first provide a valid contact address and phone number for the management account. Then try the operation again.
MASTER_ACCOUNT_NOT_GOVCLOUD_ENABLED: To complete this operation, the management account must have an associated account in the AWS GovCloud (US-West) Region. For more information, see AWS Organizations in the AWS GovCloud User Guide.
MASTER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To create an organization with this management account, you first must associate a valid payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
MAX_DELEGATED_ADMINISTRATORS_FOR_SERVICE_LIMIT_EXCEEDED: You attempted to register more delegated administrators than allowed for the service principal.
MAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of policies of a certain type that can be attached to an entity at one time.
MAX_TAG_LIMIT_EXCEEDED: You have exceeded the number of tags allowed on this resource.
MEMBER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To complete this operation with this member account, you first must associate a valid payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.
MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an entity that would cause the entity to have fewer than the minimum number of policies of a certain type required.
ORGANIZATION_NOT_IN_ALL_FEATURES_MODE: You attempted to perform an operation that requires the organization to be configured to support all features. An organization that supports only consolidated billing features can't perform this operation.
OU_DEPTH_LIMIT_EXCEEDED: You attempted to create an OU tree that is too many levels deep.
OU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of OUs that you can have in an organization.
POLICY_CONTENT_LIMIT_EXCEEDED: You attempted to create a policy that is larger than the maximum size.
POLICY_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of policies that you can have in an organization.
TAG_POLICY_VIOLATION: You attempted to create or update a resource with tags that are not compliant with the tag policy requirements for this account.
If the request failed, a description of the reason for the failure.
ACCOUNT_LIMIT_EXCEEDED: The account could not be created because you have reached the limit on the number of accounts in your organization.
CONCURRENT_ACCOUNT_MODIFICATION: You already submitted a request with the same information.
EMAIL_ALREADY_EXISTS: The account could not be created because another AWS account with that email address already exists.
FAILED_BUSINESS_VALIDATION: The AWS account that owns your organization failed to receive business license validation.
GOVCLOUD_ACCOUNT_ALREADY_EXISTS: The account in the AWS GovCloud (US) Region could not be created because this Region already includes an account with that email address.
IDENTITY_INVALID_BUSINESS_VALIDATION: The AWS account that owns your organization can't complete business license validation because it doesn't have valid identity data.
INVALID_ADDRESS: The account could not be created because the address you provided is not valid.
INVALID_EMAIL: The account could not be created because the email address you provided is not valid.
INTERNAL_FAILURE: The account could not be created because of an internal failure. Try again later. If the problem persists, contact Customer Support.
MISSING_BUSINESS_VALIDATION: The AWS account that owns your organization has not received Business Validation.
MISSING_PAYMENT_INSTRUMENT: You must configure the management account with a valid payment method, such as a credit card.
PENDING_BUSINESS_VALIDATION: The AWS account that owns your organization is still in the process of completing business license validation.
UNKNOWN_BUSINESS_VALIDATION: The AWS account that owns your organization has an unknown issue with business license validation.
If the request failed, a description of the reason for the failure.
ACCOUNT_LIMIT_EXCEEDED: The account couldn't be created because you reached the limit on the number of accounts in your organization.
CONCURRENT_ACCOUNT_MODIFICATION: You already submitted a request with the same information.
EMAIL_ALREADY_EXISTS: The account could not be created because another AWS account with that email address already exists.
FAILED_BUSINESS_VALIDATION: The AWS account that owns your organization failed to receive business license validation.
GOVCLOUD_ACCOUNT_ALREADY_EXISTS: The account in the AWS GovCloud (US) Region could not be created because this Region already includes an account with that email address.
IDENTITY_INVALID_BUSINESS_VALIDATION: The AWS account that owns your organization can't complete business license validation because it doesn't have valid identity data.
INVALID_ADDRESS: The account could not be created because the address you provided is not valid.
INVALID_EMAIL: The account could not be created because the email address you provided is not valid.
INTERNAL_FAILURE: The account could not be created because of an internal failure. Try again later. If the problem persists, contact AWS Customer Support.
MISSING_BUSINESS_VALIDATION: The AWS account that owns your organization has not received Business Validation.
MISSING_PAYMENT_INSTRUMENT: You must configure the management account with a valid payment method, such as a credit card.
PENDING_BUSINESS_VALIDATION: The AWS account that owns your organization is still in the process of completing business license validation.
UNKNOWN_BUSINESS_VALIDATION: The AWS account that owns your organization has an unknown issue with business license validation.
The status of the request.
" + "CreateAccountStatus$State": "The status of the asynchronous request to create an AWS account.
" } }, "CreateAccountStates": { @@ -640,7 +640,7 @@ } }, "Handshake": { - "base": "Contains information that must be exchanged to securely establish a relationship between two accounts (an originator and a recipient). For example, when a management account (the originator) invites another account (the recipient) to join its organization, the two accounts exchange information as a series of handshake requests and responses.
Note: Handshakes that are CANCELED, ACCEPTED, or DECLINED show up in lists for only 30 days after entering that state After that they are deleted.
", + "base": "Contains information that must be exchanged to securely establish a relationship between two accounts (an originator and a recipient). For example, when a management account (the originator) invites another account (the recipient) to join its organization, the two accounts exchange information as a series of handshake requests and responses.
Note: Handshakes that are CANCELED, ACCEPTED, or DECLINED show up in lists for only 30 days after entering that state After that they are deleted.
A structure that contains details about the accepted handshake.
", "CancelHandshakeResponse$Handshake": "A structure that contains details about the handshake that you canceled.
", @@ -1362,7 +1362,7 @@ "ServicePrincipal": { "base": null, "refs": { - "DelegatedService$ServicePrincipal": "The name of a service that can request an operation for the specified service. This is typically in the form of a URL, such as: servicename.amazonaws.com.
The name of an AWS service that can request an operation for the specified service. This is typically in the form of a URL, such as: servicename.amazonaws.com.
The service principal name of an AWS service for which the account is a delegated administrator.
Delegated administrator privileges are revoked for only the specified AWS service from the member account. If the specified service is the only service for which the member account is a delegated administrator, the operation also revokes Organizations read action permissions.
", "DisableAWSServiceAccessRequest$ServicePrincipal": "The service principal name of the AWS service for which you want to disable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com.
The service principal name of the AWS service for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com.