Viewing details about your organization - AWS Organizations

Viewing details about your organization

You can perform the following tasks to view details about elements of your organization.

Viewing the details of an organization from the management account

When you sign in to the organization's management account in the AWS Organizations console, you can view details of the organization.

Minimum permissions

To view the details of an organization, you must have the following permission:

  • organizations:DescribeOrganization

AWS Management Console

To view the details for your organization

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Settings page. This page displays details about the organization, including the organization ID and the account name and email address assigned to the organization's management account.

AWS CLI & AWS SDKs

To view the details for your organization

You can use one of the following commands to view details of an organization:

  • AWS CLI: describe-organization

    The following example shows the information included in the output of this command.

    $ aws organizations describe-organization
    {
        "Organization": {
            "Id": "o-aa111bb222",
            "Arn": "arn:aws:organizations::123456789012:organization/o-aa111bb222",
            "FeatureSet": "ALL",
            "MasterAccountArn": "arn:aws:organizations::128716708097:account/o-aa111bb222/123456789012",
            "MasterAccountId": "123456789012",
            "MasterAccountEmail": "admin@example.com",
            "AvailablePolicyTypes": [ ...DEPRECATED - DO NOT USE... ]
        }
    }

    Important

    The AvailablePolicyTypes field is deprecated and doesn't contain accurate information about the policies enabled in your organization. To see the accurate and complete list of policy types that are actually enabled for the organization, use the ListRoots command, as described in the AWS CLI portion of the following section.

  • AWS SDKs: DescribeOrganization

Viewing the details of the root

When you sign in to the organization's management account in the AWS Organizations console, you can view details of the root.

Minimum permissions

To view the details of the root, you must have the following permissions:

  • organizations:DescribeOrganization (console only)

  • organizations:ListRoots

The root is the topmost container in the hierarchy of organizational units (OUs) and generally behaves as an OU. However, as the container at the very top of the hierarchy, changes to the root affect every other OU and every AWS account in the organization.

AWS Management Console

To view the details of the root

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the AWS accounts page, and choose the Root OU (its name, not the radio button).

  3. The Root details page appears and displays the details of the root.

AWS CLI & AWS SDKs

To view the details of the root

You can use one of the following commands to view details of a root:

  • AWS CLI: list-roots

    The following example shows how to retrieve the details of the root, including which policy types are currently enabled in the organization:

    $ aws organizations list-roots
    {
        "Roots": [
            {
                "Id": "r-a1b2",
                "Arn": "arn:aws:organizations::123456789012:root/o-aa111bb222/r-a1b2",
                "Name": "Root",
                "PolicyTypes": [
                    {
                        "Type": "BACKUP_POLICY",
                        "Status": "ENABLED"
                    }
                ]
            }
        ]
    }

  • AWS SDKs: ListRoots

Viewing the details of an OU

When you sign in to the organization's management account in the AWS Organizations console, you can view details of the OUs in your organization.

Minimum permissions

To view the details of an organizational unit (OU), you must have the following permissions:

  • organizations:DescribeOrganizationalUnit

  • organizations:DescribeOrganization – required only when using the Organizations console

  • organizations:ListOrganizationalUnitsForParent – required only when using the Organizations console

  • organizations:ListRoots – required only when using the Organizations console

AWS Management Console

To view details of an OU

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AWS accounts page, choose the name of the OU (not its radio button) that you want to examine. If the OU that you want is a child of another OU, choose the triangle icon next to its parent OU to expand it and see those in the next level of the hierarchy. Repeat until you find the OU that you want.

    The Organizational unit details box shows the information about the OU.

AWS CLI & AWS SDKs

To view details of an OU

You can use the following commands to view details of an OU:

  • AWS CLI, AWS SDKs:

    The following example shows how to find the ID of an OU using the AWS CLI. You find the OU ID by traversing the hierarchy, starting with the list-roots command and then performing list-children on the root and iteratively on each of its children until you find the one you want.

    $ aws organizations list-roots
    {
        "Roots": [
            {
                "Id": "r-a1b2",
                "Arn": "arn:aws:organizations::123456789012:root/o-aa111bb222/r-a1b2",
                "Name": "Root",
                "PolicyTypes": []
            }
        ]
    }

    $ aws organizations list-children --parent-id r-a1b2 --child-type ORGANIZATIONAL_UNIT
    {
        "Children": [
            {
                "Id": "ou-a1b2-f6g7h111",
                "Type": "ORGANIZATIONAL_UNIT"
            }
        ]
    }

    After you have the OU's ID, the following example shows how to retrieve the details about the OU.

    $ aws organizations describe-organizational-unit --organizational-unit-id ou-a1b2-f6g7h111
    {
        "OrganizationalUnit": {
            "Id": "ou-a1b2-f6g7h111",
            "Arn": "arn:aws:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
            "Name": "Production-Apps"
        }
    }

  • AWS SDKs:
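The traversal described above (list-roots, then list-children repeated down the hierarchy) can be scripted. The following is an added example, not code from AWS or from this page; it goes slightly beyond the page by searching for an OU by name and by following NextToken pagination. It assumes a client exposing the boto3 Organizations methods list_roots, list_children and describe_organizational_unit; FakeOrgClient and every OU other than ou-a1b2-f6g7h111 are constructed sample data so the block runs offline.

```python
from collections import deque

def _pages(call, key, **kwargs):
    """Yield every item under `key`, following NextToken until the last page."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]

def find_ou(client, name):
    """Breadth-first walk from the root; OU names repeat across parents, so return all matches."""
    queue = deque(r["Id"] for r in _pages(client.list_roots, "Roots"))
    matches = []
    while queue:
        parent = queue.popleft()
        for child in _pages(client.list_children, "Children",
                            ParentId=parent, ChildType="ORGANIZATIONAL_UNIT"):
            ou = client.describe_organizational_unit(
                OrganizationalUnitId=child["Id"])["OrganizationalUnit"]
            if ou["Name"] == name:
                matches.append(ou)
            queue.append(child["Id"])  # descend into nested OUs on a later pass
    return matches

class FakeOrgClient:
    """Constructed offline stand-in for boto3.client("organizations")."""
    TREE = {"r-a1b2": ["ou-a1b2-f6g7h111", "ou-a1b2-f6g7h222"],
            "ou-a1b2-f6g7h222": ["ou-a1b2-f6g7h333"]}
    NAMES = {"ou-a1b2-f6g7h111": "Production-Apps",
             "ou-a1b2-f6g7h222": "Sandbox", "ou-a1b2-f6g7h333": "Production-Apps"}

    def list_roots(self, **kw):
        return {"Roots": [{"Id": "r-a1b2", "Name": "Root"}]}

    def list_children(self, ParentId, ChildType, NextToken=None):
        kids = self.TREE.get(ParentId, [])
        start = int(NextToken or 0)  # one child per page, to exercise pagination
        resp = {"Children": [{"Id": k, "Type": ChildType} for k in kids[start:start + 1]]}
        if start + 1 < len(kids):
            resp["NextToken"] = str(start + 1)
        return resp

    def describe_organizational_unit(self, OrganizationalUnitId):
        return {"OrganizationalUnit": {"Id": OrganizationalUnitId,
                                       "Name": self.NAMES[OrganizationalUnitId]}}

# Real use (assumption: boto3 installed, credentials for the management account):
#   import boto3; find_ou(boto3.client("organizations"), "Production-Apps")
```

The caller needs organizations:ListRoots, organizations:ListChildren and organizations:DescribeOrganizationalUnit; a result with more than one entry means the name alone does not identify the OU, so select by ID.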

Viewing details of an account

When you sign in to the organization's management account in the AWS Organizations console, you can view details about your accounts.

Minimum permissions

To view the details of an AWS account, you must have the following permissions:

  • organizations:DescribeAccount

  • organizations:DescribeOrganization – required only when using the Organizations console

  • organizations:ListAccounts – required only when using the Organizations console

AWS Management Console

To view details of an AWS account

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the AWS accounts page and choose the name of the account (not the radio button) that you want to examine. If the account that you want is a child of an OU, you might have to choose the triangle icon next to an OU to expand it and see its children. Repeat until you find the account.

    The Account details box shows the information about the account.

AWS CLI & AWS SDKs

To view details of an AWS account

You can use the following commands to view details of an account:

  • AWS CLI:

    Both commands return the same details for each account included in the response.

    The following example shows how to retrieve the details about a specified account.

    $ aws organizations describe-account --account-id 123456789012
    {
        "Account": {
            "Id": "123456789012",
            "Arn": "arn:aws:organizations::123456789012:account/o-aa111bb222/123456789012",
            "Email": "admin@example.com",
            "Name": "Example.com Organization's Management Account",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2020-11-20T09:04:20.346000-08:00"
        }
    }

  • AWS SDKs:

Viewing details of a policy

When you sign in to the organization's management account in the AWS Organizations console, you can view details about your policies.

Minimum permissions

To view the details of a policy, you must have the following permissions:

  • organizations:DescribePolicy

  • organizations:ListPolicies

AWS Management Console

To view the details of a policy

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Perform one of the following:

    • Navigate to the Policies page, and then choose the policy type for the policy that you want to examine.

    • Navigate to the AWS accounts page, then navigate to an OU or account to which the policy is attached. Finally, choose the Policies tab to see the list of attached policies.

  3. Choose the name of the policy (not the radio button).

    On the Details page for the policy, you can view all of the information about the policy, including the JSON policy text, and the list of OUs and accounts that the policy is attached to.

AWS CLI & AWS SDKs

To view the details of a policy

You can use one of the following commands to view details of a policy:

  • AWS CLI:

    The following example shows how to find the policy ID of the policy that you want to examine. You must specify a policy type, and the command returns all policies of only that type.

    $ aws organizations list-policies --filter BACKUP_POLICY
    {
        "Policies": [
            {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
                "Name": "test-backup-policy",
                "Description": "test-policy-description",
                "Type": "BACKUP_POLICY",
                "AwsManaged": false
            }
        ]
    }

    The response includes all of the details except the JSON policy document.

    The following example shows how to retrieve the details of only the specified policy, including the JSON policy document.

    $ aws organizations describe-policy --policy-id p-i9j8k7l6m5
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
                "Name": "test-backup-policy",
                "Description": "test-policy-description",
                "Type": "BACKUP_POLICY",
                "AwsManaged": false
            },
            "Content": "{\"plans\":{\"My-Backup-Plan\":{\"regions\":{\"@@assign\":[\"us-west-2\"]},\"rules\":{\"My-Backup-Rule\":{\"target_backup_vault_name\":{\"@@assign\":\"My-Primary-Backup-Vault\"}}},\"selections\":{\"tags\":{\"My-Backup-Plan-Resource-Assignment\":{\"iam_role_arn\":{\"@@assign\":\"arn:aws:iam::$account:role/My-Backup-Role\"},\"tag_key\":{\"@@assign\":\"Stage\"},\"tag_value\":{\"@@assign\":[\"Production\"]}}}}}}}"
        }
    }

  • AWS SDKs: