Viewing details about your organization - Amazon Organizations
Viewing the details of an organization from the management accountViewing the details of the root containerViewing the details of an OUViewing details of an accountViewing details of a policy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing details about your organization

You can perform the following tasks to view details about elements of your organization.

Viewing the details of an organization from the management account

When you sign in to the organization's management account in the Amazon Organizations console, you can view details of the organization.

Minimum permissions

To view the details of an organization, you must have the following permission:

  • organizations:DescribeOrganization

Amazon Web Services Management Console
To view the details for your organization

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Settings page. This page displays details about the organization, including the organization ID and the account name and email address assigned to the organization's management account.

Amazon CLI & Amazon SDKs
To view the details for your organization

You can use one of the following commands to view details of an organization:

  • Amazon CLI: describe-organization

    The following example shows the information included in the output of this command.

    $ aws organizations describe-organization
{
    "Organization": {
        "Id": "o-aa111bb222",
        "Arn": "arn:aws-cn:organizations::123456789012:organization/o-aa111bb222",
        "FeatureSet": "ALL",
        "MasterAccountArn": "arn:aws-cn:organizations::128716708097:account/o-aa111bb222/123456789012",
        "MasterAccountId": "123456789012",
        "MasterAccountEmail": "admin@example.com",
        "AvailablePolicyTypes": [ ...DEPRECATED - DO NOT USE... ]
    }
}
    Important

    The AvailablePolicyTypes field is deprecated and doesn't contain accurate information about the policies enabled in your organization. To see the accurate and complete list of policy types that are actually enabled for the organization, use the ListRoots command, as described in the Amazon CLI portion of the following section.

  • Amazon SDKs: DescribeOrganization

Viewing the details of the root container

When you sign in to the organization's management account in the Amazon Organizations console, you can view details of the root container.

Minimum permissions

To view the details of root, you must have the following permissions:

  • organizations:DescribeOrganization (console only)

  • organizations:ListRoots

The root is the topmost container in the hierarchy of organizational units (OUs) and generally behaves as an OU. However, as the container at the very top of the hierarchy, changes to the root affect every other OU and every Amazon Web Services account in the organization.

Amazon Web Services Management Console
To view the details of the root

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Amazon Web Services accounts page, and choose the Root OU (its name, not the radio button).

  3. The Root details page appears and displays the details of the root.

Amazon CLI & Amazon SDKs
To view the details of the root

You can use one of the following commands to view details of a root:

  • Amazon CLI: list-roots

    The following example shows how to retrieve the details of the root, including which policy types are currently enabled in the organization:

    $ aws organizations list-roots
{
    "Roots": [
        {
            "Id": "r-a1b2",
            "Arn": "arn:aws-cn:organizations::123456789012:root/o-aa111bb222/r-a1b2",
            "Name": "Root",
            "PolicyTypes": [
                {
                    "Type": "BACKUP_POLICY",
                    "Status": "ENABLED"
                }
            ]
        }
    ]
}

  • Amazon SDKs: ListRoots

Viewing the details of an OU

When you sign in to the organization's management account in the Amazon Organizations console, you can view details of the OUs in your organization.

Minimum permissions

To view the details of an organizational unit (OU), you must have the following permissions:

  • organizations:DescribeOrganizationalUnit

  • organizations:DescribeOrganization – required only when using the Organizations console

  • organizations:ListOrganizationsUnitsForParent– required only when using the Organizations console

  • organizations:ListRoots – required only when using the Organizations console

Amazon Web Services Management Console
To view details of an OU

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Amazon Web Services accounts page, choose the name of the OU (not its radio button) that you want to examine. If the OU that you want is a child of another OU, choose the triangle icon next to its parent OU to expand it and see those in the next level of the hierarchy. Repeat until you find the OU that you want.

    The Organizational unit details box shows the information about the OU.

Amazon CLI & Amazon SDKs
To view details of an OU

You can use the following commands to view details of an OU:

  • Amazon CLI, Amazon SDKs:

    The following example shows how to find the ID of on OU using the Amazon CLI. You find the OU ID by traversing the hierarchy starting with the list-roots command and then performing list-children on the root and iteratively on each of its children until you find the one you want.

    $ aws organizations list-roots
{
    "Roots": [
        {
            "Id": "r-a1b2",
            "Arn": "arn:aws-cn:organizations::123456789012:root/o-aa111bb222/r-a1b2",
            "Name": "Root",
            "PolicyTypes": []
        }
    ]
}
$ aws organizations list-children --parent-id r-a1b2 --child-type ORGANIZATIONAL_UNIT
{
    "Children": [
        {
            "Id": "ou-a1b2-f6g7h111",
            "Type": "ORGANIZATIONAL_UNIT"
        }
    ]
}

    After you have the OU's ID, the following example shows how to retrieve the details about the OU.

    $ aws organizations describe-organizational-unit --organizational-unit-id ou-a1b2-f6g7h111
{
    "OrganizationalUnit": {
        "Id": "ou-a1b2-f6g7h111",
        "Arn": "arn:aws-cn:organizations::123456789012:ou/o-aa111bb222/ou-a1b2-f6g7h111",
        "Name": "Production-Apps"
    }
}

  • Amazon SDKs:

Viewing details of an account

When you sign in to the organization's management account in the Amazon Organizations console, you can view details about your accounts.

Minimum permissions

To view the details of an Amazon Web Services account, you must have the following permissions:

  • organizations:DescribeAccount

  • organizations:DescribeOrganization – required only when using the Organizations console

  • organizations:ListAccounts – required only when using the Organizations console

Amazon Web Services Management Console
To view details of an Amazon Web Services account

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Amazon Web Services accounts page and choose the name of the name of the account (not the radio button) that you want to examine. If the account that you want is a child of an OU, you might have to choose the triangle icon next to an OU to expand it and see its children. Repeat until you find the account.

    The Account details box shows the information about the account.

Amazon CLI & Amazon SDKs
To view details of an Amazon Web Services account

You can use the following commands to view details of an account:

  • Amazon CLI:

    Both commands return the same details for each account included in the response.

    The following example shows how to retrieve the details about a specified account.

    $ aws organizations describe-account --account-id 123456789012

{
    "Account": {
        "Id": "123456789012",
        "Arn": "arn:aws-cn:organizations::123456789012:account/o-aa111bb222/123456789012",
        "Email": "admin@example.com",
        "Name": "Example.com Organization's Management Account",
        "Status": "ACTIVE",
        "JoinedMethod": "INVITED",
        "JoinedTimestamp": "2020-11-20T09:04:20.346000-08:00"
    }
}

  • Amazon SDKs:

Viewing details of a policy

When you sign in to the organization's management account in the Amazon Organizations console, you can view details about your policies.

Minimum permissions

To view the details of a policy, you must have the following permissions:

  • organizations:DescribePolicy

  • organizations:ListPolicies

Amazon Web Services Management Console
To view the details of a policy

  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Perform one of the following:

    • Navigate to the Policies page, and then choose the policy type for the policy that you want to examine.

    • Navigate to the Amazon Web Services accounts page, then navigate to an OU or account to which the policy is attached. Finally, choose the Policies tab to see the list of attached policies.

  3. Choose the name of the policy (not the radio button).

    On the Details page for the policy, you can view all of the information about the policy, including the JSON policy text, and the list of OUs and accounts that the policy is attached to.

Amazon CLI & Amazon SDKs
To view the details of a policy

You can use one of the following commands to view details of a policy:

  • Amazon CLI:

    The following example shows how to find the policy ID of the policy that you want to examine. You must specify a policy type, and the command returns all policies of only that type.

    $ aws organizations list-policies --filter BACKUP_POLICY
{
    "Policies": [
        {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
            "Name": "test-backup-policy",
            "Description": "test-policy-description",
            "Type": "BACKUP_POLICY",
            "AwsManaged": false
        }
    ]
}

    The response includes all of the details except the JSON policy document.

    The following example shows how to retrieve the details of only the specified policy, including the JSON policy document.

    $ aws organizations describe-policy --policy-id p-i9j8k7l6m5
{
    "Policies": [
        {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/backup_policy/p-i9j8k7l6m5",
            "Name": "test-backup-policy",
            "Description": "test-policy-description",
            "Type": "BACKUP_POLICY",
            "AwsManaged": false
        },
        "Content": "{\"plans\":{\"My-Backup-Plan\":{\"regions\":{\"@@assign\":[\"us-west-2\"]},\"rules\":{\"My-Backup-Rule\"
                   :{\"target_backup_vault_name\":{\"@@assign\":\"My-Primary-Backup-Vault\"}}},\"selections\":{\"tags\":{
                   \"My-Backup-Plan-Resource-Assignment\":{\"iam_role_arn\":{\"@@assign\":\"arn:aws-cn:iam::$account:role/
                   My-Backup-Role\"},\"tag_key\":{\"@@assign\":\"Stage\"},\"tag_value\":{\"@@assign\":[\"Production\"]}}}}}}}"
    ]
}

  • Amazon SDKs: