update_policy

Organizations.Client.update_policy(**kwargs)

Updates an existing policy with a new name, description, or content. If you don't supply any parameter, that value remains unchanged. You can't change a policy's type.

This operation can be called only from the organization's management account.

See also: AWS API Documentation

Request Syntax

response = client.update_policy(
    PolicyId='string',
    Name='string',
    Description='string',
    Content='string'
)
Parameters
  • PolicyId (string) --

    [REQUIRED]

    The unique identifier (ID) of the policy that you want to update.

    The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

  • Name (string) --

    If provided, the new name for the policy.

    The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

  • Description (string) -- If provided, the new description for the policy.
  • Content (string) -- If provided, the new content for the policy. The text must be correctly formatted JSON that complies with the syntax for the policy's type. For more information, see Service Control Policy Syntax in the Organizations User Guide.
Return type

dict

Returns

Response Syntax

{
    'Policy': {
        'PolicySummary': {
            'Id': 'string',
            'Arn': 'string',
            'Name': 'string',
            'Description': 'string',
            'Type': 'SERVICE_CONTROL_POLICY'|'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY',
            'AwsManaged': True|False
        },
        'Content': 'string'
    }
}

Response Structure

  • (dict) --

    • Policy (dict) --

      A structure that contains details about the updated policy, showing the requested changes.

      • PolicySummary (dict) --

        A structure that contains additional details about the policy.

        • Id (string) --

          The unique identifier (ID) of the policy.

          The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

        • Arn (string) --

          The Amazon Resource Name (ARN) of the policy.

          For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference .

        • Name (string) --

          The friendly name of the policy.

          The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.

        • Description (string) --

          The description of the policy.

        • Type (string) --

          The type of policy.

        • AwsManaged (boolean) --

          A boolean value that indicates whether the specified policy is an Amazon Web Services managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it.

      • Content (string) --

        The text content of the policy.

Exceptions

  • Organizations.Client.exceptions.AccessDeniedException
  • Organizations.Client.exceptions.AWSOrganizationsNotInUseException
  • Organizations.Client.exceptions.ConcurrentModificationException
  • Organizations.Client.exceptions.ConstraintViolationException
  • Organizations.Client.exceptions.DuplicatePolicyException
  • Organizations.Client.exceptions.InvalidInputException
  • Organizations.Client.exceptions.MalformedPolicyDocumentException
  • Organizations.Client.exceptions.PolicyNotFoundException
  • Organizations.Client.exceptions.ServiceException
  • Organizations.Client.exceptions.TooManyRequestsException
  • Organizations.Client.exceptions.UnsupportedAPIEndpointException
  • Organizations.Client.exceptions.PolicyChangesInProgressException

Examples

The following example shows how to rename a policy and give it a new description and new content. The output confirms the new name and description text:/n/n

response = client.update_policy(
    Description='This description replaces the original.',
    Name='Renamed-Policy',
    PolicyId='p-examplepolicyid111',
)

print(response)

Expected Output:

{
    'Policy': {
        'Content': '{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } }',
        'PolicySummary': {
            'Arn': 'arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111',
            'AwsManaged': False,
            'Description': 'This description replaces the original.',
            'Id': 'p-examplepolicyid111',
            'Name': 'Renamed-Policy',
            'Type': 'SERVICE_CONTROL_POLICY',
        },
    },
    'ResponseMetadata': {
        '...': '...',
    },
}

The following example shows how to replace the JSON text of the SCP from the preceding example with a new JSON policy text string that allows S3 actions instead of EC2 actions:/n/n

response = client.update_policy(
    Content='{ \"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\" } }',
    PolicyId='p-examplepolicyid111',
)

print(response)

Expected Output:

{
    'Policy': {
        'Content': '{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": \"*\" } }',
        'PolicySummary': {
            'Arn': 'arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111',
            'AwsManaged': False,
            'Description': 'This description replaces the original.',
            'Id': 'p-examplepolicyid111',
            'Name': 'Renamed-Policy',
            'Type': 'SERVICE_CONTROL_POLICY',
        },
    },
    'ResponseMetadata': {
        '...': '...',
    },
}