Menu
AWS Organizations API Reference
API Reference (API Version 2016-11-28)

UpdatePolicy

Updates an existing policy with a new name, description, or content. If any parameter is not supplied, that value remains unchanged. Note that you cannot change a policy's type.

This operation can be called only from the organization's master account.

Request Syntax

{
   "Content": "string",
   "Description": "string",
   "Name": "string",
   "PolicyId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Content

If provided, the new content for the policy. The text must be correctly formatted JSON that complies with the syntax for the policy's type. For more information, see Service Control Policy Syntax in the AWS Organizations User Guide.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1000000.

Required: No

Description

If provided, the new description for the policy.

Type: String

Length Constraints: Maximum length of 512.

Required: No

Name

If provided, the new name for the policy.

The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: No

PolicyId

The unique identifier (ID) of the policy that you want to update.

The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lower-case letters or digits.

Type: String

Pattern: ^p-[0-9a-zA-Z_]{8,128}$

Required: Yes

Response Syntax

{
   "Policy": { 
      "Content": "string",
      "PolicySummary": { 
         "Arn": "string",
         "AwsManaged": boolean,
         "Description": "string",
         "Id": "string",
         "Name": "string",
         "Type": "string"
      }
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Policy

A structure that contains details about the updated policy, showing the requested changes.

Type: Policy object

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You don't have permissions to perform the requested operation. The user or role that is making the request must have at least one IAM permissions policy attached that grants the required permissions. For more information, see Access Management in the IAM User Guide.

HTTP Status Code: 400

AWSOrganizationsNotInUseException

Your account is not a member of an organization. To make this request, you must use the credentials of an account that belongs to an organization.

HTTP Status Code: 400

ConcurrentModificationException

The target of the operation is currently being modified by a different request. Try again later.

HTTP Status Code: 400

ConstraintViolationException

Performing this operation violates a minimum or maximum value limit. For example, attempting to removing the last SCP from an OU or root, inviting or creating too many accounts to the organization, or attaching too many policies to an account, OU, or root. This exception includes a reason that contains additional information about the violated limit:

Note

Some of the reasons in the following list might not be applicable to this specific API or operation:

  • ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of accounts in an organization. If you need more accounts, contact AWS Support to request an increase in your limit.

    Or, The number of invitations that you tried to send would cause you to exceed the limit of accounts in your organization. Send fewer invitations, or contact AWS Support to request an increase in the number of accounts.

    Note: deleted and closed accounts still count toward your limit.

    Important

    If you get an exception that indicates that you exceeded your account limits for the organization or that you can"t add an account because your organization is still initializing, please contact AWS Customer Support.

  • HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes you can send in one day.

  • OU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of organizational units you can have in an organization.

  • OU_DEPTH_LIMIT_EXCEEDED: You attempted to create an organizational unit tree that is too many levels deep.

  • POLICY_NUMBER_LIMIT_EXCEEDED. You attempted to exceed the number of policies that you can have in an organization.

  • MAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of policies of a certain type that can be attached to an entity at one time.

  • MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an entity that would cause the entity to have fewer than the minimum number of policies of a certain type required.

  • ACCOUNT_CANNOT_LEAVE_WITHOUT_EULA: You attempted to remove an account from the organization that does not yet have enough information to exist as a stand-alone account. This account requires you to first agree to the AWS Customer Agreement. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • ACCOUNT_CANNOT_LEAVE_WITHOUT_PHONE_VERIFICATION: You attempted to remove an account from the organization that does not yet have enough information to exist as a stand-alone account. This account requires you to first complete phone verification. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • MASTER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To create an organization with this account, you first must associate a payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • MEMBER_ACCOUNT_PAYMENT_INSTRUMENT_REQUIRED: To complete this operation with this member account, you first must associate a payment instrument, such as a credit card, with the account. Follow the steps at To leave an organization when all required account information has not yet been provided in the AWS Organizations User Guide.

  • ACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts that you can create in one day.

  • MASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in this organization, you first must migrate the organization's master account to the marketplace that corresponds to the master account's address. For example, accounts with India addresses must be associated with the AISPL marketplace. All accounts in an organization must be associated with the same marketplace.

  • MASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first provide contact a valid address and phone number for the master account. Then try the operation again.

HTTP Status Code: 400

DuplicatePolicyException

A policy with the same name already exists.

HTTP Status Code: 400

InvalidInputException

The requested operation failed because you provided invalid values for one or more of the request parameters. This exception includes a reason that contains additional information about the violated limit:

Note

Some of the reasons in the following list might not be applicable to this specific API or operation:

  • INVALID_PARTY_TYPE_TARGET: You specified the wrong type of entity (account, organization, or email) as a party.

  • INVALID_SYNTAX_ORGANIZATION_ARN: You specified an invalid ARN for the organization.

  • INVALID_SYNTAX_POLICY_ID: You specified an invalid policy ID.

  • INVALID_ENUM: You specified a value that is not valid for that parameter.

  • INVALID_FULL_NAME_TARGET: You specified a full name that contains invalid characters.

  • INVALID_LIST_MEMBER: You provided a list to a parameter that contains at least one invalid value.

  • MAX_LENGTH_EXCEEDED: You provided a string parameter that is longer than allowed.

  • MAX_VALUE_EXCEEDED: You provided a numeric parameter that has a larger value than allowed.

  • MIN_LENGTH_EXCEEDED: You provided a string parameter that is shorter than allowed.

  • MIN_VALUE_EXCEEDED: You provided a numeric parameter that has a smaller value than allowed.

  • IMMUTABLE_POLICY: You specified a policy that is managed by AWS and cannot be modified.

  • INVALID_PATTERN: You provided a value that doesn't match the required pattern.

  • INVALID_PATTERN_TARGET_ID: You specified a policy target ID that doesn't match the required pattern.

  • INPUT_REQUIRED: You must include a value for all required parameters.

  • INVALID_PAGINATION_TOKEN: Get the value for the NextToken parameter from the response to a previous call of the operation.

  • MAX_FILTER_LIMIT_EXCEEDED: You can specify only one filter parameter for the operation.

  • MOVING_ACCOUNT_BETWEEN_DIFFERENT_ROOTS: You can move an account only between entities in the same root.

HTTP Status Code: 400

MalformedPolicyDocumentException

The provided policy document does not meet the requirements of the specified policy type. For example, the syntax might be incorrect. For details about service control policy syntax, see Service Control Policy Syntax in the AWS Organizations User Guide.

HTTP Status Code: 400

PolicyNotFoundException

We can't find a policy with the PolicyId that you specified.

HTTP Status Code: 400

ServiceException

AWS Organizations can't complete your request because of an internal service error. Try again later.

HTTP Status Code: 400

TooManyRequestsException

You've sent too many requests in too short a period of time. The limit helps protect against denial-of-service attacks. Try again later.

HTTP Status Code: 400

Examples

Example

The following example shows how to rename a policy and give it a new description. The output confirms the new name and description text:

Sample Request

POST / HTTP/1.1
Host: organizations.us-east-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 182
X-Amz-Target: AWSOrganizationsV20161128.UpdatePolicy
X-Amz-Date: 20160815T205727Z
User-Agent: aws-cli/1.10.18 Python/2.7.8 Linux/2.6.18-164.el5 botocore/1.4.9
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 
  Credential=AKIAIOSFODNN7EXAMPLE/20160815/us-east-1/organizations/aws4_request,
  SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, 
  Signature=EXAMPLESIGabcdef1234567890abcdef1234567890abcdef123456EXAMPLESIG

{ "PolicyId": "p-examplepolicyid111", "Name": "Renamed-Policy", "Description": "This description replaces the original." }

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE
Content-Type: application/x-amz-json-1.1
Content-Length: 394
Date: Mon, 15 Aug 2016 20:57:28 GMT

{
  "Policy": {
    "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"ec2:*\", \"Resource\": \"*\" } }",
    "PolicySummary": {
      "Id": "p-examplepolicyid111",
      "AwsManaged": false,
      "Arn":"arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
      "Description": "This description replaces the original.",
      "Name": "Renamed-Policy",
      "Type": "SERVICE_CONTROL_POLICY"
    }
  }
}

Example

The following example shows how to replace the JSON text of the SCP in the preceding example with a new JSON policy text string that allows S3 actions instead of EC2 actions:

Sample Request

POST / HTTP/1.1
Host: organizations.us-east-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 254
X-Amz-Target: AWSOrganizationsV20161128.UpdatePolicy
X-Amz-Date: 20160815T210437Z
User-Agent: aws-cli/1.10.18 Python/2.7.8 Linux/2.6.18-164.el5 botocore/1.4.9
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256 
  Credential=AKIAIOSFODNN7EXAMPLE/20160815/us-east-1/organizations/aws4_request, 
  SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, 
  Signature=EXAMPLESIGabcdef1234567890abcdef1234567890abcdef123456EXAMPLESIG

{ "PolicyId": "p-examplepolicyid111",
  "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\" } }" }

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE
Content-Type: application/x-amz-json-1.1
Content-Length: 336
Date: Mon, 15 Aug 2016 21:04:38 GMT

{
  "Policy": {
    "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\" } }",
    "PolicySummary": {    
      "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111",
      "AwsManaged": false;
      "Description": "This description replaces the original.",
      "Id": "p-examplepolicyid111",
      "Name": "Renamed-Policy",
      "Type": "SERVICE_CONTROL_POLICY"
    }
  }
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: