AWS Usage Log 11 -- Impact of the Organizations API Updating the Status Field

Background

Today I received an event notification from AWS.

Its title was "Organizations planned lifecycle event".

The content is as follows:
AWS Organizations is transitioning from the account status (Status field) to the new account state (State field) to provide more detailed account lifecycle information. The new State field offers enhanced granularity with values including PENDING_ACTIVATION, ACTIVE, SUSPENDED, PENDING_CLOSURE, and CLOSED, available through both the AWS Organizations console and APIs (DescribeAccount, ListAccounts, ListAccountsForParent, and ListDelegatedAdministrators).

Starting September 9, 2025, we have begun a one-year transition period where both Status and State fields will be available in the API responses. After September 9, 2026, the Status field will be permanently removed. If you use automated processes for account management, we recommend updating your systems to use the State field before the deprecation date. For more information, see Updates to account status information in AWS Organizations [1] or visit our documentation [2].

If you have any questions, concerns, or require assistance, please do not hesitate to contact AWS Support [3].

[1] https://aws.amazon.com/blogs/mt/updates-to-account-status-information-in-aws-organizations/
[2] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_account_state.html
[3] https://console.aws.amazon.com/support

Description

What it is

This is an official change notice from AWS Organizations: AWS is deprecating the Status field and replacing it with a new, finer-grained State field to represent the lifecycle state of an AWS account.

It is an API change announcement / deprecation notice, and it affects every automation, script, monitoring job, IAM permission management process, and account lifecycle management system that uses the Organizations API.

What it does

  1. New field: State
     AWS Organizations introduces a new field, State, which is finer-grained than the old Status field.
     The new State values are:
     • PENDING_ACTIVATION: the account has been created but not yet activated
     • ACTIVE: in normal use
     • SUSPENDED: suspended
     • PENDING_CLOSURE: closure has been requested and the closure process is underway
     • CLOSED: the account is fully closed

  2. Old field: Status will be deprecated
     Status only has:
     • ACTIVE
     • SUSPENDED
     Its granularity is too coarse, so it is being retired.

Impact and solution

Here we need to check whether any part of our project uses this field; if it does, the field must be changed.
Fortunately, AWS has listed every API that can return this field:

  • DescribeAccount
  • ListAccounts
  • ListAccountsForParent
  • ListDelegatedAdministrators

We only need to check CloudTrail for the corresponding events.
So go to CloudTrail -> Event history and search with the filter event name = one of the four names above.
If no results come back, or the Event source of the results is sso.amazonaws.com, there is nothing further to check: it means there were no human-initiated calls.
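As an added example (not part of the original post or of any AWS code), a Python helper covering both halves of this: reading an account's lifecycle state from the new State field with the legacy Status field as a fallback, and filtering CloudTrail Event history records down to the four APIs while dropping sso.amazonaws.com sources as the post suggests. The event and account records are constructed samples in the shape of LookupEvents and ListAccounts output; real records would come from boto3's cloudtrail lookup_events (which accepts one event-name filter per call) and organizations list_accounts.

```python
# The four APIs the notice names as returning the Status/State fields.
ORG_ACCOUNT_APIS = {"DescribeAccount", "ListAccounts",
                    "ListAccountsForParent", "ListDelegatedAdministrators"}
STATE_VALUES = {"PENDING_ACTIVATION", "ACTIVE", "SUSPENDED",
                "PENDING_CLOSURE", "CLOSED"}
LEGACY_STATUS_VALUES = {"ACTIVE", "SUSPENDED"}


def account_state(account: dict) -> str:
    """Lifecycle state of one account record.

    Prefer the new State field; fall back to the legacy Status field only
    for records that still lack State (it disappears after 2026-09-09)."""
    state = account.get("State")
    if state in STATE_VALUES:
        return state
    status = account.get("Status")
    if status in LEGACY_STATUS_VALUES:
        return status
    raise ValueError(f"no usable State/Status in account record: {account}")


def human_org_api_calls(events: list) -> list:
    """Keep only CloudTrail event-history records for the four account APIs
    whose Event source is not sso.amazonaws.com (the post treats those as
    service-internal rather than human or project-initiated calls)."""
    return [e for e in events
            if e.get("EventName") in ORG_ACCOUNT_APIS
            and e.get("EventSource") != "sso.amazonaws.com"]


# Constructed sample data, not real CloudTrail or Organizations output.
SAMPLE_EVENTS = [
    {"EventName": "ListAccounts", "EventSource": "organizations.amazonaws.com",
     "Username": "account-sync-lambda"},
    {"EventName": "DescribeAccount", "EventSource": "sso.amazonaws.com",
     "Username": "AWSServiceRoleForSSO"},
    {"EventName": "ListRoots", "EventSource": "organizations.amazonaws.com",
     "Username": "admin"},
]
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE", "State": "PENDING_CLOSURE"},
    {"Id": "222222222222", "Status": "SUSPENDED"},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["Id"], account_state(acct))
    for ev in human_org_api_calls(SAMPLE_EVENTS):
        print("review caller:", ev["Username"], ev["EventName"])
```

Any caller that survives the filter is a place in your own automation that still reads Status and needs to move to State before the removal date.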