Tags: python, python-3.x, amazon-web-services, boto3, aws-organizations

AWS Organisations list_accounts returns accounts from non-org management account


I am not sure this is by design.

I've found that the command below works fine for calling list_accounts() from an AWS Organizations root account or from its client account.

import boto3

# Uses the default credential chain and region of the current environment
orgClient = boto3.client('organizations')

# Returns a dict with an 'Accounts' list (and 'NextToken' if paginated)
print(orgClient.list_accounts())

My understanding is that list_accounts should only work on the organization management account.

Why do I still get the same result from the client account as well?


Solution

  • As per Boto3 docs for list_accounts:

    This operation can be called only from the organization's management account or by a member account that is a delegated administrator for an Amazon Web Services service.

    Are you calling the operation from a delegated administrator account?
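One way to check which case you are in before calling list_accounts, as an added example that is not part of the original question or answer: compare the caller's account ID (from STS get_caller_identity) with the organization's MasterAccountId (from describe_organization, which any member account may call), and then with the list of delegated administrators. The decision logic is a pure function tested against constructed sample responses; the live_classify helper wires it to boto3 and assumes boto3 is installed and credentials are configured. Account IDs, e-mail and names below are made up.

```python
"""Decide whether the calling AWS account may call Organizations list_accounts.

Added example, not code from the original post. It encodes the rule quoted
in the answer: list_accounts succeeds from the management account or from a
member account that is a delegated administrator for some AWS service.
"""
from typing import Any, Dict, Iterable, List, Tuple

MANAGEMENT = "management"
DELEGATED_ADMIN = "delegated-admin"
MEMBER = "member"


def classify_caller(caller_account_id: str,
                    describe_organization_response: Dict[str, Any],
                    delegated_administrators: Iterable[Dict[str, Any]]) -> str:
    """Pure decision logic; takes the raw API responses as dicts."""
    org = describe_organization_response["Organization"]
    if caller_account_id == org["MasterAccountId"]:
        return MANAGEMENT
    if any(acct["Id"] == caller_account_id for acct in delegated_administrators):
        return DELEGATED_ADMIN
    return MEMBER


def may_list_accounts(role: str) -> bool:
    """True for the two roles the docs say may call list_accounts."""
    return role in (MANAGEMENT, DELEGATED_ADMIN)


# Constructed sample responses, shaped like the real API output (fake IDs).
SAMPLE_ORG = {
    "Organization": {
        "Id": "o-exampleorgid",
        "MasterAccountId": "111111111111",
        "MasterAccountEmail": "root@example.com",
        "FeatureSet": "ALL",
    }
}
SAMPLE_DELEGATED_ADMINS = [
    {"Id": "222222222222", "Name": "security-tooling", "Status": "ACTIVE"},
]


def live_classify(session=None) -> Tuple[str, List[Dict[str, Any]]]:
    """Run the same check against real AWS (assumes boto3 + credentials).

    Imports are deferred so the pure logic above stays importable offline.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = session or boto3.session.Session()
    caller = session.client("sts").get_caller_identity()["Account"]
    org = session.client("organizations")
    desc = org.describe_organization()  # callable from any member account

    admins: List[Dict[str, Any]] = []
    try:
        kwargs: Dict[str, Any] = {}
        while True:  # manual NextToken loop
            page = org.list_delegated_administrators(**kwargs)
            admins.extend(page.get("DelegatedAdministrators", []))
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    except ClientError as exc:
        # A plain member account is refused here; that is itself evidence
        # it is neither the management account nor a delegated admin.
        if exc.response["Error"]["Code"] != "AccessDeniedException":
            raise

    role = classify_caller(caller, desc, admins)
    accounts: List[Dict[str, Any]] = []
    if may_list_accounts(role):
        for page in org.get_paginator("list_accounts").paginate():
            accounts.extend(page["Accounts"])
    return role, accounts


if __name__ == "__main__":
    for acct in ("111111111111", "222222222222", "333333333333"):
        role = classify_caller(acct, SAMPLE_ORG, SAMPLE_DELEGATED_ADMINS)
        print(acct, role, "may list accounts:", may_list_accounts(role))
```

If live_classify reports "delegated-admin" for the account you thought was an ordinary member, that explains why list_accounts works there: delegation registered for any service (for example through register_delegated_administrator) is enough for the Organizations read APIs to be granted.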