

# PutOrganizationConformancePack
<a name="API_PutOrganizationConformancePack"></a>

Deploys conformance packs across member accounts in an Amazon Organization. For information on how many organization conformance packs and how many Amazon Config rules you can have per account, see [https://docs.amazonaws.cn/config/latest/developerguide/configlimits.html](https://docs.amazonaws.cn/config/latest/developerguide/configlimits.html) in the *Amazon Config Developer Guide*.

Only a management account and a delegated administrator can call this API. When calling this API with a delegated administrator, you must ensure Amazon Organizations `ListDelegatedAdministrators` permissions are added. An organization can have up to 3 delegated administrators.

**Important**  
When you use `PutOrganizationConformancePack` to deploy conformance packs across member accounts, the operation can create Amazon Config rules and remediation actions without requiring `config:PutConfigRule` or `config:PutRemediationConfigurations` permissions in member account IAM policies.  
This API uses the `AWSServiceRoleForConfigConforms` service-linked role in each member account to create conformance pack resources. This service-linked role includes the permissions to create Amazon Config rules and remediation configurations, even if member account IAM policies explicitly deny these actions.

This API enables organization service access for `config-multiaccountsetup.amazonaws.com` through the `EnableAWSServiceAccess` action and creates a service-linked role `AWSServiceRoleForConfigMultiAccountSetup` in the management or delegated administrator account of your organization. The service-linked role is created only when the role does not exist in the caller account. To use this API with delegated administrator, register a delegated administrator by calling Amazon Organization `register-delegate-admin` for `config-multiaccountsetup.amazonaws.com`.

**Note**  
Prerequisite: Ensure you call `EnableAllFeatures` API to enable all features in an organization.  
You must specify either the `TemplateS3Uri` or the `TemplateBody` parameter, but not both. If you provide both, Amazon Config uses the `TemplateS3Uri` parameter and ignores the `TemplateBody` parameter.  
Amazon Config sets the state of a conformance pack to `CREATE_IN_PROGRESS` and `UPDATE_IN_PROGRESS` until the conformance pack is created or updated. You cannot update a conformance pack while it is in this state.

## Request Syntax
<a name="API_PutOrganizationConformancePack_RequestSyntax"></a>

```
{
   "ConformancePackInputParameters": [ 
      { 
         "ParameterName": "string",
         "ParameterValue": "string"
      }
   ],
   "DeliveryS3Bucket": "string",
   "DeliveryS3KeyPrefix": "string",
   "ExcludedAccounts": [ "string" ],
   "OrganizationConformancePackName": "string",
   "TemplateBody": "string",
   "TemplateS3Uri": "string"
}
```

## Request Parameters
<a name="API_PutOrganizationConformancePack_RequestParameters"></a>

For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ConformancePackInputParameters](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-ConformancePackInputParameters"></a>
A list of `ConformancePackInputParameter` objects.  
Type: Array of [ConformancePackInputParameter](API_ConformancePackInputParameter.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 60 items.  
Required: No

 ** [DeliveryS3Bucket](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-DeliveryS3Bucket"></a>
The name of the Amazon S3 bucket where Amazon Config stores conformance pack templates.  
This field is optional. If used, it must be prefixed with `awsconfigconforms`.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 63.  
Required: No

 ** [DeliveryS3KeyPrefix](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-DeliveryS3KeyPrefix"></a>
The prefix for the Amazon S3 bucket.  
This field is optional.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 1024.  
Required: No

 ** [ExcludedAccounts](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-ExcludedAccounts"></a>
A list of Amazon Web Services accounts to be excluded from an organization conformance pack while deploying a conformance pack.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 1000 items.  
Pattern: `\d{12}`   
Required: No

 ** [OrganizationConformancePackName](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-OrganizationConformancePackName"></a>
Name of the organization conformance pack you want to create.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[a-zA-Z][-a-zA-Z0-9]*`   
Required: Yes

 ** [TemplateBody](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-TemplateBody"></a>
A string that contains the full conformance pack template body. Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 51200.  
Required: No

 ** [TemplateS3Uri](#API_PutOrganizationConformancePack_RequestSyntax) **   <a name="config-PutOrganizationConformancePack-request-TemplateS3Uri"></a>
Location of the file containing the template body. The URI must point to the conformance pack template (max size: 300 KB).  
You must have read access to the Amazon S3 bucket. In addition, to ensure a successful deployment, the template object must not be in an [archived storage class](https://docs.amazonaws.cn/AmazonS3/latest/userguide/storage-class-intro.html) if this parameter is passed.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `s3://.*`   
Required: No
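
A client-side pre-flight check for the constraints listed above, as an added example (not code from the Amazon Config documentation or SDK). `check_request` and both sample requests are hypothetical and constructed; the documented patterns are assumed to apply to the whole value.

```python
import re

# Patterns from the parameter list, assumed to match the whole value.
NAME_RE = re.compile(r"[a-zA-Z][-a-zA-Z0-9]*")
ACCOUNT_RE = re.compile(r"\d{12}", re.ASCII)  # ASCII digits only, not Unicode digits


def check_request(req):
    """Return (errors, warnings) for a PutOrganizationConformancePack request dict."""
    errors, warnings = [], []
    name = req.get("OrganizationConformancePackName")
    if not isinstance(name, str) or len(name) > 128 or not NAME_RE.fullmatch(name):
        errors.append("OrganizationConformancePackName: required, 1-128 chars, [a-zA-Z][-a-zA-Z0-9]*")

    body, uri = req.get("TemplateBody"), req.get("TemplateS3Uri")
    if body is None and uri is None:
        errors.append("one of TemplateS3Uri or TemplateBody is required")
    if body is not None and uri is not None:
        warnings.append("both given: TemplateS3Uri is used, TemplateBody is ignored")
    # The limit is stated in bytes, so measure the encoded body, not characters.
    if body is not None and not 1 <= len(body.encode("utf-8")) <= 51200:
        errors.append("TemplateBody: 1 to 51,200 bytes")
    if uri is not None and not (uri.startswith("s3://") and len(uri) <= 1024):
        errors.append("TemplateS3Uri: must match s3://.*, at most 1024 chars")

    bucket = req.get("DeliveryS3Bucket")
    if bucket and (len(bucket) > 63 or not bucket.startswith("awsconfigconforms")):
        errors.append("DeliveryS3Bucket: at most 63 chars, prefixed with awsconfigconforms")
    if len(req.get("DeliveryS3KeyPrefix") or "") > 1024:
        errors.append("DeliveryS3KeyPrefix: at most 1024 chars")

    excluded = req.get("ExcludedAccounts") or []
    if len(excluded) > 1000:
        errors.append("ExcludedAccounts: at most 1000 items")
    bad = [a for a in excluded if not (isinstance(a, str) and ACCOUNT_RE.fullmatch(a))]
    if bad:
        errors.append(f"ExcludedAccounts: not 12-digit account IDs: {bad}")
    if len(req.get("ConformancePackInputParameters") or []) > 60:
        errors.append("ConformancePackInputParameters: at most 60 items")
    return errors, warnings


# Constructed sample requests; bucket names and account IDs are made up.
GOOD = {"OrganizationConformancePackName": "org-baseline", "ExcludedAccounts": ["111122223333"],
        "TemplateS3Uri": "s3://awsconfigconforms-example/pack.yaml"}
BAD = {"OrganizationConformancePackName": "1-baseline", "TemplateBody": "Resources: {}",
       "TemplateS3Uri": "s3://awsconfigconforms-example/pack.yaml",
       "DeliveryS3Bucket": "team-artifacts", "ExcludedAccounts": ["111122223333", "12345"]}
```

The warning for a request carrying both template parameters matters in review: the pack that gets deployed is the one at `TemplateS3Uri`, not the inline body a reviewer may have read.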

## Response Syntax
<a name="API_PutOrganizationConformancePack_ResponseSyntax"></a>

```
{
   "OrganizationConformancePackArn": "string"
}
```

## Response Elements
<a name="API_PutOrganizationConformancePack_ResponseElements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [OrganizationConformancePackArn](#API_PutOrganizationConformancePack_ResponseSyntax) **   <a name="config-PutOrganizationConformancePack-response-OrganizationConformancePackArn"></a>
ARN of the organization conformance pack.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.

## Errors
<a name="API_PutOrganizationConformancePack_Errors"></a>

For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InsufficientPermissionsException **   
Indicates one of the following errors:  
+ For [PutConfigRule](https://docs.amazonaws.cn/config/latest/APIReference/API_PutConfigRule.html), the rule cannot be created because the IAM role assigned to Amazon Config lacks permissions to perform the `config:Put*` action.
+ For [PutConfigRule](https://docs.amazonaws.cn/config/latest/APIReference/API_PutConfigRule.html), the Amazon Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
+ For [PutOrganizationConfigRule](https://docs.amazonaws.cn/config/latest/APIReference/API_PutOrganizationConfigRule.html), organization Amazon Config rule cannot be created because you do not have permissions to call IAM `GetRole` action or create a service-linked role.
+ For [PutConformancePack](https://docs.amazonaws.cn/config/latest/APIReference/API_PutConformancePack.html) and [PutOrganizationConformancePack](https://docs.amazonaws.cn/config/latest/APIReference/API_PutOrganizationConformancePack.html), a conformance pack cannot be created because you do not have the following permissions: 
  + You do not have permission to call IAM `GetRole` action or create a service-linked role.
  + You do not have permission to read Amazon S3 bucket or call SSM:GetDocument.
+ For [PutServiceLinkedConfigurationRecorder](https://docs.amazonaws.cn/config/latest/APIReference/API_PutServiceLinkedConfigurationRecorder.html), a service-linked configuration recorder cannot be created because you do not have the following permissions: IAM `CreateServiceLinkedRole`.

HTTP Status Code: 400

 ** MaxNumberOfOrganizationConformancePacksExceededException **   
You have reached the limit of the number of organization conformance packs you can create in an account. For more information, see [https://docs.amazonaws.cn/config/latest/developerguide/configlimits.html](https://docs.amazonaws.cn/config/latest/developerguide/configlimits.html) in the *Amazon Config Developer Guide*.  
HTTP Status Code: 400

 ** NoAvailableOrganizationException **   
Organization is no longer available.  
HTTP Status Code: 400

 ** OrganizationAccessDeniedException **   
For `PutConfigurationAggregator` API, you can see this exception for the following reasons:  
+ No permission to call `EnableAWSServiceAccess` API
+ The configuration aggregator cannot be updated because your Amazon Organization management account or the delegated administrator role changed. Delete this aggregator and create a new one with the current Amazon Organization.
+ The configuration aggregator is associated with a previous Amazon Organization and Amazon Config cannot aggregate data with current Amazon Organization. Delete this aggregator and create a new one with the current Amazon Organization.
+ You are not a registered delegated administrator for Amazon Config with permissions to call `ListDelegatedAdministrators` API. Ensure that the management account registers delegated administrator for Amazon Config service principal name before the delegated administrator creates an aggregator.

For all `OrganizationConfigRule` and `OrganizationConformancePack` APIs, Amazon Config throws an exception if APIs are called from member accounts. All APIs must be called from organization management account.  
HTTP Status Code: 400

 ** OrganizationAllFeaturesNotEnabledException **   
 Amazon Config resource cannot be created because your organization does not have all features enabled.  
HTTP Status Code: 400

 ** OrganizationConformancePackTemplateValidationException **   
You have specified a template that is not valid or supported.  
HTTP Status Code: 400

 ** ResourceInUseException **   
You see this exception in the following cases:   
+ For DeleteConfigRule, Amazon Config is deleting this rule. Try your request again later.
+ For DeleteConfigRule, the rule is deleting your evaluation results. Try your request again later.
+ For DeleteConfigRule, a remediation action is associated with the rule and Amazon Config cannot delete this rule. Delete the remediation action associated with the rule before deleting the rule and try your request again later.
+ For PutConfigOrganizationRule, organization Amazon Config rule deletion is in progress. Try your request again later.
+ For DeleteOrganizationConfigRule, organization Amazon Config rule creation is in progress. Try your request again later.
+ For PutConformancePack and PutOrganizationConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.
+ For DeleteConformancePack, a conformance pack creation, update, and deletion is in progress. Try your request again later.

HTTP Status Code: 400

 ** ValidationException **   
The requested operation is not valid. You will see this exception if there are missing required fields or if the input value fails the validation.  
For [PutStoredQuery](https://docs.amazonaws.cn/config/latest/APIReference/API_PutStoredQuery.html), one of the following errors:  
+ There are missing required fields.
+ The input value fails the validation.
+ You are trying to create more than 300 queries.

For [DescribeConfigurationRecorders](https://docs.amazonaws.cn/config/latest/APIReference/API_DescribeConfigurationRecorders.html) and [DescribeConfigurationRecorderStatus](https://docs.amazonaws.cn/config/latest/APIReference/API_DescribeConfigurationRecorderStatus.html), one of the following errors:  
+ You have specified more than one configuration recorder.
+ You have provided a service principal for service-linked configuration recorder that is not valid.

For [AssociateResourceTypes](https://docs.amazonaws.cn/config/latest/APIReference/API_AssociateResourceTypes.html) and [DisassociateResourceTypes](https://docs.amazonaws.cn/config/latest/APIReference/API_DisassociateResourceTypes.html), one of the following errors:  
+ Your configuration recorder has a recording strategy that does not allow the association or disassociation of resource types.
+ One or more of the specified resource types are already associated or disassociated with the configuration recorder.
+ For service-linked configuration recorders, the configuration recorder does not record one or more of the specified resource types.

HTTP Status Code: 400

## See Also
<a name="API_PutOrganizationConformancePack_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon Command Line Interface V2](https://docs.amazonaws.cn/goto/cli2/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for .NET V4](https://docs.amazonaws.cn/goto/DotNetSDKV4/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for Go v2](https://docs.amazonaws.cn/goto/SdkForGoV2/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for JavaScript V3](https://docs.amazonaws.cn/goto/SdkForJavaScriptV3/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for Kotlin](https://docs.amazonaws.cn/goto/SdkForKotlin/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for PHP V3](https://docs.amazonaws.cn/goto/SdkForPHPV3/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for Python](https://docs.amazonaws.cn/goto/boto3/config-2014-11-12/PutOrganizationConformancePack) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/config-2014-11-12/PutOrganizationConformancePack) 