
*******************************************
list_accounts_with_invalid_effective_policy
*******************************************



.. py:method:: Organizations.Client.list_accounts_with_invalid_effective_policy(**kwargs)

  

  Lists all the accounts in an organization that have invalid effective policies. An *invalid effective policy* is an `effective policy <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_effective.html>`__ that fails validation checks, resulting in the effective policy not being fully enforced on all the intended accounts within an organization.

   

  You can only call this operation from the management account or a member account that is a delegated administrator.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListAccountsWithInvalidEffectivePolicy>`_  


  **Request Syntax**
  ::

    response = client.list_accounts_with_invalid_effective_policy(
        PolicyType='TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY'|'INSPECTOR_POLICY'|'UPGRADE_ROLLOUT_POLICY'|'BEDROCK_POLICY'|'S3_POLICY'|'NETWORK_SECURITY_DIRECTOR_POLICY',
        NextToken='string',
        MaxResults=123
    )
    
  :type PolicyType: string
  :param PolicyType: **[REQUIRED]** 

    The type of policy that you want information about. You can specify one of the following values:

     

    
    * `DECLARATIVE_POLICY_EC2 <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html>`__
     
    * `BACKUP_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html>`__
     
    * `TAG_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html>`__
     
    * `CHATBOT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_chatbot.html>`__
     
    * `AISERVICES_OPT_OUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html>`__
     
    * `SECURITYHUB_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_security_hub.html>`__
     
    * `UPGRADE_ROLLOUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_upgrade_rollout.html>`__
     
    * `INSPECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inspector.html>`__
     
    * `BEDROCK_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_bedrock.html>`__
     
    * `S3_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html>`__
     
    * `NETWORK_SECURITY_DIRECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_network_security_director.html>`__
    

    

  
  :type NextToken: string
  :param NextToken: 

    The parameter for receiving additional results if you receive a ``NextToken`` response in a previous request. A ``NextToken`` response indicates that more output is available. Set this parameter to the value of the previous call's ``NextToken`` response to indicate where the output should continue from.

    

  
  :type MaxResults: integer
  :param MaxResults: 

    The maximum number of items to return in the response. If more results exist than the specified ``MaxResults`` value, a token is included in the response so that you can retrieve the remaining results.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'Accounts': [
              {
                  'Id': 'string',
                  'Arn': 'string',
                  'Email': 'string',
                  'Name': 'string',
                  'Status': 'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE',
                  'State': 'PENDING_ACTIVATION'|'ACTIVE'|'SUSPENDED'|'PENDING_CLOSURE'|'CLOSED',
                  'JoinedMethod': 'INVITED'|'CREATED',
                  'JoinedTimestamp': datetime(2015, 1, 1)
              },
          ],
          'PolicyType': 'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY'|'CHATBOT_POLICY'|'DECLARATIVE_POLICY_EC2'|'SECURITYHUB_POLICY'|'INSPECTOR_POLICY'|'UPGRADE_ROLLOUT_POLICY'|'BEDROCK_POLICY'|'S3_POLICY'|'NETWORK_SECURITY_DIRECTOR_POLICY',
          'NextToken': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **Accounts** *(list) --* 

        The accounts in the organization which have an invalid effective policy for the specified policy type.

        
        

        - *(dict) --* 

          Contains information about an Amazon Web Services account that is a member of an organization.

          
          

          - **Id** *(string) --* 

            The unique identifier (ID) of the account.

             

            The `regex pattern <http://wikipedia.org/wiki/regex>`__ for an account ID string requires exactly 12 digits.

            
          

          - **Arn** *(string) --* 

            The Amazon Resource Name (ARN) of the account.

             

            For more information about ARNs in Organizations, see `ARN Formats Supported by Organizations <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-resources-for-iam-policies>`__ in the *Amazon Web Services Service Authorization Reference*.

            
          

          - **Email** *(string) --* 

            The email address associated with the Amazon Web Services account.

             

            The `regex pattern <http://wikipedia.org/wiki/regex>`__ for this parameter is a string of characters that represents a standard internet email address.

            
          

          - **Name** *(string) --* 

            The friendly name of the account.

             

            The `regex pattern <http://wikipedia.org/wiki/regex>`__ that is used to validate this parameter is a string of any of the characters in the ASCII character range.

            
          

          - **Status** *(string) --* 

            The status of the account in the organization.

             

            .. warning::

               

              The ``Status`` parameter in the ``Account`` object will be retired on September 9, 2026. Although both the account ``State`` and account ``Status`` parameters are currently available in the Organizations APIs ( ``DescribeAccount``, ``ListAccounts``, ``ListAccountsForParent``), we recommend that you update your scripts or other code to use the ``State`` parameter instead of ``Status`` before September 9, 2026.

              

            
          

          - **State** *(string) --* 

            Each state represents a specific phase in the account lifecycle. Use this information to manage account access, automate workflows, or trigger actions based on account state changes.

             

            For more information about account states and their implications, see `Monitor the state of your Amazon Web Services accounts <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_account_state.html>`__ in the *Organizations User Guide*.

            
          

          - **JoinedMethod** *(string) --* 

            The method by which the account joined the organization.

            
          

          - **JoinedTimestamp** *(datetime) --* 

            The date the account became a part of the organization.

            
      
    
      

      - **PolicyType** *(string) --* 

        The specified policy type. One of the following values:

         

        
        * `DECLARATIVE_POLICY_EC2 <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html>`__
         
        * `BACKUP_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html>`__
         
        * `TAG_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html>`__
         
        * `CHATBOT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_chatbot.html>`__
         
        * `AISERVICES_OPT_OUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html>`__
         
        * `SECURITYHUB_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_security_hub.html>`__
         
        * `UPGRADE_ROLLOUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_upgrade_rollout.html>`__
         
        * `INSPECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inspector.html>`__
         
        * `BEDROCK_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_bedrock.html>`__
         
        * `S3_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html>`__
         
        * `NETWORK_SECURITY_DIRECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_network_security_director.html>`__
        

        
      

      - **NextToken** *(string) --* 

        If present, indicates that more output is available than is included in the current response. Use this value in the ``NextToken`` request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the ``NextToken`` response element comes back as ``null``.

        
  
  **Exceptions**
  
  *   :py:class:`Organizations.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`Organizations.Client.exceptions.AWSOrganizationsNotInUseException`

  
  *   :py:class:`Organizations.Client.exceptions.ConstraintViolationException`

  
  *   :py:class:`Organizations.Client.exceptions.EffectivePolicyNotFoundException`

  
  *   :py:class:`Organizations.Client.exceptions.ServiceException`

  
  *   :py:class:`Organizations.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`Organizations.Client.exceptions.InvalidInputException`

  
  *   :py:class:`Organizations.Client.exceptions.UnsupportedAPIEndpointException`
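The ``NextToken`` loop described above, applied across every ``PolicyType`` to find accounts where an organization policy is not fully enforced. This is an added example, not part of the boto3 documentation; ``invalid_accounts``, ``sweep``, ``StubClient`` and ``SAMPLE_PAGES`` are hypothetical names, and the stub stands in for ``boto3.client("organizations")`` so the block runs offline.

```python
# Policy types copied from the Request Syntax on this page.
POLICY_TYPES = (
    "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY", "CHATBOT_POLICY",
    "DECLARATIVE_POLICY_EC2", "SECURITYHUB_POLICY", "INSPECTOR_POLICY",
    "UPGRADE_ROLLOUT_POLICY", "BEDROCK_POLICY", "S3_POLICY",
    "NETWORK_SECURITY_DIRECTOR_POLICY",
)

def invalid_accounts(client, policy_type, max_results=None):
    """Yield every account for one policy type, following NextToken to the end."""
    kwargs = {"PolicyType": policy_type}
    if max_results is not None:
        kwargs["MaxResults"] = max_results
    while True:
        page = client.list_accounts_with_invalid_effective_policy(**kwargs)
        yield from page.get("Accounts", [])
        token = page.get("NextToken")
        if not token:  # absent or null: this was the last page
            return
        kwargs["NextToken"] = token

def sweep(client, policy_types=POLICY_TYPES):
    """Map each policy type that has findings to [(account id, State), ...]."""
    findings = {}
    for ptype in policy_types:
        # Read State, not Status: Status is retired on September 9, 2026.
        rows = [(a["Id"], a.get("State")) for a in invalid_accounts(client, ptype)]
        if rows:
            findings[ptype] = rows
    return findings

class StubClient:
    """Hypothetical offline stand-in for boto3.client("organizations")."""
    def __init__(self, pages):
        self.pages, self.calls = pages, []
    def list_accounts_with_invalid_effective_policy(self, **kwargs):
        self.calls.append(dict(kwargs))
        pages = self.pages.get(kwargs["PolicyType"], [[]])
        index = int(kwargs.get("NextToken", 0))  # stub tokens are page indexes
        response = {"Accounts": pages[index], "PolicyType": kwargs["PolicyType"]}
        if index + 1 < len(pages):
            response["NextToken"] = str(index + 1)
        return response

# Constructed sample data: two pages of TAG_POLICY findings, nothing elsewhere.
SAMPLE_PAGES = {"TAG_POLICY": [
    [{"Id": "111111111111", "State": "ACTIVE"}],
    [{"Id": "222222222222", "State": "SUSPENDED"}],
]}
```

Against a real organization, pass a boto3 Organizations client created in the management account or a delegated administrator account in place of ``StubClient(SAMPLE_PAGES)``.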

  