aws-sdk-organizations 1.49.0 → 1.54.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1bb1c329c5291e69f556396db6806a924bc7be6b8ff1fdd30ac6f7d42e2996c1
-  data.tar.gz: a95e9058cc53ef2697ca62d11ab338dab128d9ad0811d1cd32b2a3c32e6046ed
+  metadata.gz: 12d5b32001c2e000c0e68f125e340547a8d1ed5aec990699d591ee15753adf5a
+  data.tar.gz: b870e7a4de0aec2c3322a6866fdcfa8c606fc20ba1cfc553f7a3ece322cdf147
 SHA512:
-  metadata.gz: 304117942c15126a7338b04f0f2f77370aad9dc4435b9ff05328cb54d28bf15361bc2e9241aae55535fa4fac2b4d6ae7eb43db151199753f9aed8e1d206b06ad
-  data.tar.gz: 29b94cf3826435459539d4859d1f46e108f9ecc6019deef588f803f477cd7b9bbbb283c82cae9c939073028bae1e75a24768ca5d0c691ff936b8ca4b16e6aaa4
+  metadata.gz: 3fa43a08728fe583f45a3dd6ad6ac859caf06e47f6bf1237a69aee01100812f5983d4dd26f133c8a16a7263033e32ba61c9d5c58558d2d8f60d20febf034190f
+  data.tar.gz: 37f0dc9aa70395aa4b9f515288f73127e12596a48efd6f7cff7597eeaf92393423fab6b118255610ea4b48ee1ad311695ecd9fdf249ba01b117833a09c0e4f25

data/lib/aws-sdk-organizations.rb

@@ -7,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -44,9 +45,9 @@ require_relative 'aws-sdk-organizations/customizations'
 #
 # See {Errors} for more information.
 #
-# @service
+# @!group service
 module Aws::Organizations
 
-  GEM_VERSION = '1.49.0'
+  GEM_VERSION = '1.54.0'
 
 end

data/lib/aws-sdk-organizations/client.rb

@@ -85,13 +85,28 @@ module Aws::Organizations
     #     * `Aws::Credentials` - Used for configuring static, non-refreshing
     #       credentials.
     #
+    #     * `Aws::SharedCredentials` - Used for loading static credentials from a
+    #       shared file, such as `~/.aws/config`.
+    #
+    #     * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+    #
+    #     * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+    #       assume a role after providing credentials via the web.
+    #
+    #     * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+    #       access token generated from `aws login`.
+    #
+    #     * `Aws::ProcessCredentials` - Used for loading credentials from a
+    #       process that outputs to stdout.
+    #
     #     * `Aws::InstanceProfileCredentials` - Used for loading credentials
     #       from an EC2 IMDS on an EC2 instance.
     #
-    #     * `Aws::SharedCredentials` - Used for loading credentials from a
-    #       shared file, such as `~/.aws/config`.
+    #     * `Aws::ECSCredentials` - Used for loading credentials from
+    #       instances running in ECS.
     #
-    #     * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+    #     * `Aws::CognitoIdentityCredentials` - Used for loading credentials
+    #       from the Cognito Identity service.
     #
     #     When `:credentials` are not configured directly, the following
     #     locations will be searched for credentials:
@@ -101,10 +116,10 @@ module Aws::Organizations
     #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
     #     * `~/.aws/credentials`
     #     * `~/.aws/config`
-    #     * EC2 IMDS instance profile - When used by default, the timeouts are
-    #       very aggressive. Construct and pass an instance of
-    #       `Aws::InstanceProfileCredentails` to enable retries and extended
-    #       timeouts.
+    #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
+    #       are very aggressive. Construct and pass an instance of
+    #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
+    #       enable retries and extended timeouts.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -341,7 +356,7 @@ module Aws::Organizations
     #   User Guide*.
     #
     # * **Enable all features final confirmation** handshake: only a
-    #   principal from the master account.
+    #   principal from the management account.
     #
     #   For more information about invitations, see [Inviting an AWS Account
     #   to Join Your Organization][2] in the *AWS Organizations User Guide.*
@@ -472,15 +487,15 @@ module Aws::Organizations
     #
     # * [TAG\_POLICY][4]
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    # [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    # [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    # [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @option params [required, String] :policy_id
     #   The unique identifier (ID) of the policy that you want to attach to
@@ -680,16 +695,15 @@ module Aws::Organizations
     # successfully access the account. To check the status of the request,
     # do one of the following:
     #
-    # * Use the `OperationId` response element from this operation to
-    #   provide as a parameter to the DescribeCreateAccountStatus operation.
+    # * Use the `Id` member of the `CreateAccountStatus` response element
+    #   from this operation to provide as a parameter to the
+    #   DescribeCreateAccountStatus operation.
     #
     # * Check the AWS CloudTrail log for the `CreateAccountResult` event.
     #   For information on using AWS CloudTrail with AWS Organizations, see
     #   [Monitoring the Activity in Your Organization][1] in the *AWS
     #   Organizations User Guide.*
     #
-    #
-    #
     # The user who calls the API to create an account must have the
     # `organizations:CreateAccount` permission. If you enabled all features
     # in the organization, AWS Organizations creates the required
@@ -697,14 +711,17 @@ module Aws::Organizations
     # information, see [AWS Organizations and Service-Linked Roles][2] in
     # the *AWS Organizations User Guide*.
     #
+    # If the request includes tags, then the requester must have the
+    # `organizations:TagResource` permission.
+    #
     # AWS Organizations preconfigures the new member account with a role
     # (named `OrganizationAccountAccessRole` by default) that grants users
-    # in the master account administrator permissions in the new member
-    # account. Principals in the master account can assume the role. AWS
+    # in the management account administrator permissions in the new member
+    # account. Principals in the management account can assume the role. AWS
     # Organizations clones the company name and address information for the
-    # new account from the organization's master account.
+    # new account from the organization's management account.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # For more information about creating accounts, see [Creating an AWS
@@ -769,10 +786,10 @@ module Aws::Organizations
     #   (Optional)
     #
     #   The name of an IAM role that AWS Organizations automatically
-    #   preconfigures in the new member account. This role trusts the master
-    #   account, allowing users in the master account to assume the role, as
-    #   permitted by the master account administrator. The role has
-    #   administrator permissions in the new member account.
+    #   preconfigures in the new member account. This role trusts the
+    #   management account, allowing users in the management account to assume
+    #   the role, as permitted by the management account administrator. The
+    #   role has administrator permissions in the new member account.
     #
     #   If you don't specify this parameter, the role name defaults to
     #   `OrganizationAccountAccessRole`.
@@ -812,6 +829,23 @@ module Aws::Organizations
     #
     #   [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the newly created account.
+    #   For each tag in the list, you must specify both a tag key and a value.
+    #   You can set the value to an empty string, but you can't set it to
+    #   `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for an account, then the entire request fails and the account
+    #   is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #
     # @return [Types::CreateAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateAccountResponse#create_account_status #create_account_status} => Types::CreateAccountStatus
@@ -844,6 +878,12 @@ module Aws::Organizations
     #     account_name: "AccountName", # required
     #     role_name: "RoleName",
     #     iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY
+    #     tags: [
+    #       {
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -873,16 +913,18 @@ module Aws::Organizations
     #   the [ *AWS GovCloud User Guide*.][1]
     #
     # * You already have an account in the AWS GovCloud (US) Region that is
-    #   associated with your master account in the commercial Region.
+    #   paired with a management account of an organization in the
+    #   commercial Region.
     #
-    # * You call this action from the master account of your organization in
-    #   the commercial Region.
+    # * You call this action from the management account of your
+    #   organization in the commercial Region.
     #
-    # * You have the `organizations:CreateGovCloudAccount` permission. AWS
-    #   Organizations creates the required service-linked role named
-    #   `AWSServiceRoleForOrganizations`. For more information, see [AWS
-    #   Organizations and Service-Linked Roles][2] in the *AWS Organizations
-    #   User Guide.*
+    # * You have the `organizations:CreateGovCloudAccount` permission.
+    #
+    # AWS Organizations automatically creates the required service-linked
+    # role named `AWSServiceRoleForOrganizations`. For more information, see
+    # [AWS Organizations and Service-Linked Roles][2] in the *AWS
+    # Organizations User Guide.*
     #
     # AWS automatically enables AWS CloudTrail for AWS GovCloud (US)
     # accounts, but you should also do the following:
@@ -894,11 +936,18 @@ module Aws::Organizations
     #   For more information, see [Verifying AWS CloudTrail Is Enabled][3]
     #   in the *AWS GovCloud User Guide*.
     #
-    # You call this action from the master account of your organization in
-    # the commercial Region to create a standalone AWS account in the AWS
-    # GovCloud (US) Region. After the account is created, the master account
-    # of an organization in the AWS GovCloud (US) Region can invite it to
-    # that organization. For more information on inviting standalone
+    # If the request includes tags, then the requester must have the
+    # `organizations:TagResource` permission. The tags are attached to the
+    # commercial account associated with the GovCloud account, rather than
+    # the GovCloud account itself. To add tags to the GovCloud account, call
+    # the TagResource operation in the GovCloud Region after the new
+    # GovCloud account exists.
+    #
+    # You call this action from the management account of your organization
+    # in the commercial Region to create a standalone AWS account in the AWS
+    # GovCloud (US) Region. After the account is created, the management
+    # account of an organization in the AWS GovCloud (US) Region can invite
+    # it to that organization. For more information on inviting standalone
     # accounts in the AWS GovCloud (US) to join an organization, see [AWS
     # Organizations][4] in the *AWS GovCloud User Guide.*
     #
@@ -927,14 +976,14 @@ module Aws::Organizations
     # accounts are associated with the same email address.
     #
     # A role is created in the new account in the commercial Region that
-    # allows the master account in the organization in the commercial Region
-    # to assume it. An AWS GovCloud (US) account is then created and
+    # allows the management account in the organization in the commercial
+    # Region to assume it. An AWS GovCloud (US) account is then created and
     # associated with the commercial account that you just created. A role
-    # is created in the new AWS GovCloud (US) account that can be assumed by
-    # the AWS GovCloud (US) account that is associated with the master
-    # account of the commercial organization. For more information and to
-    # view a diagram that explains how account access works, see [AWS
-    # Organizations][4] in the *AWS GovCloud User Guide.*
+    # is also created in the new AWS GovCloud (US) account that can be
+    # assumed by the AWS GovCloud (US) account that is associated with the
+    # management account of the commercial organization. For more
+    # information and to view a diagram that explains how account access
+    # works, see [AWS Organizations][4] in the *AWS GovCloud User Guide.*
     #
     # For more information about creating accounts, see [Creating an AWS
     # Account in Your Organization][6] in the *AWS Organizations User
@@ -1007,9 +1056,9 @@ module Aws::Organizations
     #
     #   The name of an IAM role that AWS Organizations automatically
     #   preconfigures in the new member accounts in both the AWS GovCloud (US)
-    #   Region and in the commercial Region. This role trusts the master
-    #   account, allowing users in the master account to assume the role, as
-    #   permitted by the master account administrator. The role has
+    #   Region and in the commercial Region. This role trusts the management
+    #   account, allowing users in the management account to assume the role,
+    #   as permitted by the management account administrator. The role has
     #   administrator permissions in the new member account.
     #
     #   If you don't specify this parameter, the role name defaults to
@@ -1047,6 +1096,28 @@ module Aws::Organizations
     #
     #   [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the newly created account.
+    #   These tags are attached to the commercial account associated with the
+    #   GovCloud account, and not to the GovCloud account itself. To add tags
+    #   to the actual GovCloud account, call the TagResource operation in the
+    #   GovCloud region after the new GovCloud account exists.
+    #
+    #   For each tag in the list, you must specify both a tag key and a value.
+    #   You can set the value to an empty string, but you can't set it to
+    #   `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for an account, then the entire request fails and the account
+    #   is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #
     # @return [Types::CreateGovCloudAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateGovCloudAccountResponse#create_account_status #create_account_status} => Types::CreateAccountStatus
@@ -1058,6 +1129,12 @@ module Aws::Organizations
     #     account_name: "AccountName", # required
     #     role_name: "RoleName",
     #     iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY
+    #     tags: [
+    #       {
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1081,11 +1158,11 @@ module Aws::Organizations
     end
 
     # Creates an AWS organization. The account whose user is calling the
-    # `CreateOrganization` operation automatically becomes the [master
+    # `CreateOrganization` operation automatically becomes the [management
     # account][1] of the new organization.
     #
     # This operation must be called using credentials from the account that
-    # is to become the new organization's master account. The principal
+    # is to become the new organization's management account. The principal
     # must also have the relevant IAM permissions.
     #
     # By default (or if you set the `FeatureSet` parameter to `ALL`), the
@@ -1098,14 +1175,14 @@ module Aws::Organizations
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/orgs_getting-started_concepts.html#account
+    # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account
     #
     # @option params [String] :feature_set
     #   Specifies the feature set supported by the new organization. Each
     #   feature set supports different levels of functionality.
     #
     #   * `CONSOLIDATED_BILLING`\: All member accounts have their bills
-    #     consolidated to and paid by the master account. For more
+    #     consolidated to and paid by the management account. For more
     #     information, see [Consolidated billing][1] in the *AWS Organizations
     #     User Guide.*
     #
@@ -1113,10 +1190,10 @@ module Aws::Organizations
     #     organizations in the AWS GovCloud (US) Region.
     #
     #   * `ALL`\: In addition to all the features supported by the
-    #     consolidated billing feature set, the master account can also apply
-    #     any policy type to any member account in the organization. For more
-    #     information, see [All features][2] in the *AWS Organizations User
-    #     Guide.*
+    #     consolidated billing feature set, the management account can also
+    #     apply any policy type to any member account in the organization. For
+    #     more information, see [All features][2] in the *AWS Organizations
+    #     User Guide.*
     #
     #
     #
@@ -1215,7 +1292,10 @@ module Aws::Organizations
     # For more information about OUs, see [Managing Organizational Units][1]
     # in the *AWS Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # If the request includes tags, then the requester must have the
+    # `organizations:TagResource` permission.
+    #
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -1244,6 +1324,23 @@ module Aws::Organizations
     # @option params [required, String] :name
     #   The friendly name to assign to the new OU.
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the newly created OU. For
+    #   each tag in the list, you must specify both a tag key and a value. You
+    #   can set the value to an empty string, but you can't set it to `null`.
+    #   For more information about tagging, see [Tagging AWS Organizations
+    #   resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for an OU, then the entire request fails and the OU is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #
     # @return [Types::CreateOrganizationalUnitResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateOrganizationalUnitResponse#organizational_unit #organizational_unit} => Types::OrganizationalUnit
@@ -1272,6 +1369,12 @@ module Aws::Organizations
     #   resp = client.create_organizational_unit({
     #     parent_id: "ParentId", # required
     #     name: "OrganizationalUnitName", # required
+    #     tags: [
+    #       {
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1295,7 +1398,10 @@ module Aws::Organizations
     # For more information about policies and their use, see [Managing
     # Organization Policies][1].
     #
-    # This operation can be called only from the organization's master
+    # If the request includes tags, then the requester must have the
+    # `organizations:TagResource` permission.
+    #
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -1334,10 +1440,27 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the newly created policy.
+    #   For each tag in the list, you must specify both a tag key and a value.
+    #   You can set the value to an empty string, but you can't set it to
+    #   `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for a policy, then the entire request fails and the policy is
+    #   not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
     #
     # @return [Types::CreatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1378,6 +1501,12 @@ module Aws::Organizations
     #     description: "PolicyDescription", # required
     #     name: "PolicyName", # required
     #     type: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY
+    #     tags: [
+    #       {
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1513,8 +1642,8 @@ module Aws::Organizations
     end
 
     # Deletes the organization. You can delete an organization only by using
-    # credentials from the master account. The organization must be empty of
-    # member accounts.
+    # credentials from the management account. The organization must be
+    # empty of member accounts.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1531,7 +1660,7 @@ module Aws::Organizations
     # must first remove all accounts and child OUs from the OU that you want
     # to delete.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :organizational_unit_id
@@ -1579,7 +1708,7 @@ module Aws::Organizations
     # perform this operation, you must first detach the policy from all
     # organizational units (OUs), roots, and accounts.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :policy_id
@@ -1636,7 +1765,7 @@ module Aws::Organizations
     # Services that you can use with AWS Organizations][1] in the *AWS
     # Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -1678,7 +1807,7 @@ module Aws::Organizations
     # Retrieves AWS Organizations-related information about the specified
     # account.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -1745,14 +1874,15 @@ module Aws::Organizations
     # Retrieves the current status of an asynchronous request to create an
     # account.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
     # @option params [required, String] :create_account_request_id
-    #   Specifies the `operationId` that uniquely identifies the request. You
-    #   can get the ID from the response to an earlier CreateAccount request,
-    #   or from the ListCreateAccountStatus operation.
+    #   Specifies the `Id` value that uniquely identifies the `CreateAccount`
+    #   request. You can get the value from the `CreateAccountStatus.Id`
+    #   response in an earlier CreateAccount request, or from the
+    #   ListCreateAccountStatus operation.
     #
     #   The [regex pattern][1] for a create account request ID string requires
     #   "car-" followed by from 8 to 32 lowercase letters or digits.
@@ -1822,7 +1952,7 @@ module Aws::Organizations
     # For more information about policy inheritance, see [How Policy
     # Inheritance Works][1] in the *AWS Organizations User Guide*.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -1842,14 +1972,14 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @option params [String] :target_id
-    #   When you're signed in as the master account, specify the ID of the
-    #   account that you want details about. Specifying an organization root
-    #   or organizational unit (OU) as the target is not supported.
+    #   When you're signed in as the management account, specify the ID of
+    #   the account that you want details about. Specifying an organization
+    #   root or organizational unit (OU) as the target is not supported.
     #
     # @return [Types::DescribeEffectivePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2052,7 +2182,7 @@ module Aws::Organizations
 
     # Retrieves information about an organizational unit (OU).
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -2115,7 +2245,7 @@ module Aws::Organizations
 
     # Retrieves information about a policy.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -2203,7 +2333,7 @@ module Aws::Organizations
     # attached SCP), you're using the authorization strategy of a "[deny
     # list][2]".
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -2302,7 +2432,7 @@ module Aws::Organizations
     # Organizations, see [Integrating AWS Organizations with Other AWS
     # Services][2] in the *AWS Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -2346,7 +2476,7 @@ module Aws::Organizations
     # status of policy types for a specified root, and then use this
     # operation.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # To view the status of available policy types in the organization, use
@@ -2381,10 +2511,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @return [Types::DisablePolicyTypeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2456,7 +2586,7 @@ module Aws::Organizations
     # Organizations, see [Integrating AWS Organizations with Other AWS
     # Services][2] in the *AWS Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account and only if the organization has [enabled all features][3].
     #
     #
@@ -2511,14 +2641,14 @@ module Aws::Organizations
     # the feature set change by accepting the handshake that contains
     # `"Action": "ENABLE_ALL_FEATURES"`. This completes the change.
     #
-    # After you enable all features in your organization, the master account
-    # in the organization can apply policies on all member accounts. These
-    # policies can restrict what users and even administrators in those
-    # accounts can do. The master account can apply policies that prevent
-    # accounts from leaving the organization. Ensure that your account
-    # administrators are aware of this.
+    # After you enable all features in your organization, the management
+    # account in the organization can apply policies on all member accounts.
+    # These policies can restrict what users and even administrators in
+    # those accounts can do. The management account can apply policies that
+    # prevent accounts from leaving the organization. Ensure that your
+    # account administrators are aware of this.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -2599,7 +2729,7 @@ module Aws::Organizations
     # AWS recommends that you first use ListRoots to see the status of
     # policy types for a specified root, and then use this operation.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # You can enable a policy type in a root only if that policy type is
@@ -2631,10 +2761,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @return [Types::EnablePolicyTypeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2697,12 +2827,12 @@ module Aws::Organizations
     # invitation is implemented as a Handshake whose details are in the
     # response.
     #
-    # * You can invite AWS accounts only from the same seller as the master
-    #   account. For example, if your organization's master account was
-    #   created by Amazon Internet Services Pvt. Ltd (AISPL), an AWS seller
-    #   in India, you can invite only other AISPL accounts to your
-    #   organization. You can't combine accounts from AISPL and AWS or from
-    #   any other AWS seller. For more information, see [Consolidated
+    # * You can invite AWS accounts only from the same seller as the
+    #   management account. For example, if your organization's management
+    #   account was created by Amazon Internet Services Pvt. Ltd (AISPL), an
+    #   AWS seller in India, you can invite only other AISPL accounts to
+    #   your organization. You can't combine accounts from AISPL and AWS or
+    #   from any other AWS seller. For more information, see [Consolidated
     #   Billing in India][1].
     #
     # * If you receive an exception that indicates that you exceeded your
@@ -2711,7 +2841,10 @@ module Aws::Organizations
     #   then try again. If the error persists after an hour, contact [AWS
     #   Support][2].
     #
-    # This operation can be called only from the organization's master
+    # If the request includes tags, then the requester must have the
+    # `organizations:TagResource` permission.
+    #
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -2741,6 +2874,33 @@ module Aws::Organizations
     #   Additional information that you want to include in the generated email
     #   to the recipient account owner.
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the account when it becomes
+    #   a member of the organization. For each tag in the list, you must
+    #   specify both a tag key and a value. You can set the value to an empty
+    #   string, but you can't set it to `null`. For more information about
+    #   tagging, see [Tagging AWS Organizations resources][1] in the AWS
+    #   Organizations User Guide.
+    #
+    #   Any tags in the request are checked for compliance with any applicable
+    #   tag policies when the request is made. The request is rejected if the
+    #   tags in the request don't match the requirements of the policy at
+    #   that time. Tag policy compliance is <i> <b>not</b> </i> checked again
+    #   when the invitation is accepted and the tags are actually attached to
+    #   the account. That means that if the tag policy changes between the
+    #   invitation and the acceptance, then that tags could potentially be
+    #   non-compliant.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for an account, then the entire request fails and invitations
+    #   are not sent.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #
     # @return [Types::InviteAccountToOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::InviteAccountToOrganizationResponse#handshake #handshake} => Types::Handshake
@@ -2813,6 +2973,12 @@ module Aws::Organizations
     #       type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION, EMAIL
     #     },
     #     notes: "HandshakeNotes",
+    #     tags: [
+    #       {
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -2842,14 +3008,14 @@ module Aws::Organizations
 
     # Removes a member account from its parent organization. This version of
     # the operation is performed by the account that wants to leave. To
-    # remove a member account as a user in the master account, use
+    # remove a member account as a user in the management account, use
     # RemoveAccountFromOrganization instead.
     #
     # This operation can be called only from a member account in the
     # organization.
     #
-    # * The master account in an organization with all features enabled can
-    #   set service control policies (SCPs) that can restrict what
+    # * The management account in an organization with all features enabled
+    #   can set service control policies (SCPs) that can restrict what
     #   administrators of member accounts can do. This includes preventing
     #   them from successfully calling `LeaveOrganization` and leaving the
     #   organization.
@@ -2880,6 +3046,10 @@ module Aws::Organizations
     #   Access to the Billing and Cost Management Console][2] in the *AWS
     #   Billing and Cost Management User Guide.*
     #
+    # * After the account leaves the organization, all tags that were
+    #   attached to the account object in the organization are deleted. AWS
+    #   accounts outside of an organization do not support tags.
+    #
     #
     #
     # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info
@@ -2914,7 +3084,7 @@ module Aws::Organizations
     # Organizations, see [Integrating AWS Organizations with Other AWS
     # Services][1] in the *AWS Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -2983,7 +3153,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3106,7 +3276,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3215,7 +3385,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3327,7 +3497,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3444,7 +3614,7 @@ module Aws::Organizations
     # Lists the AWS accounts that are designated as delegated administrators
     # in this organization.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3514,7 +3684,7 @@ module Aws::Organizations
     # List the AWS services for which the specified account is a delegated
     # administrator.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3736,7 +3906,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -3922,7 +4092,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4034,7 +4204,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4140,7 +4310,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4158,10 +4328,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @option params [String] :next_token
     #   The parameter for receiving additional results if you receive a
@@ -4268,7 +4438,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4307,10 +4477,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #
     # @option params [String] :next_token
     #   The parameter for receiving additional results if you receive a
@@ -4403,7 +4573,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4494,16 +4664,37 @@ module Aws::Organizations
       req.send_request(options)
     end
 
-    # Lists tags for the specified resource.
+    # Lists tags that are attached to the specified resource.
     #
-    # Currently, you can list tags on an account in AWS Organizations.
+    # You can attach tags to the following resources in AWS Organizations.
     #
-    # This operation can be called only from the organization's master
+    # * AWS account
+    #
+    # * Organization root
+    #
+    # * Organizational unit (OU)
+    #
+    # * Policy (any type)
+    #
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
     # @option params [required, String] :resource_id
-    #   The ID of the resource that you want to retrieve tags for.
+    #   The ID of the resource with the tags to list.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
     #
     # @option params [String] :next_token
     #   The parameter for receiving additional results if you receive a
@@ -4553,7 +4744,7 @@ module Aws::Organizations
     #
     #  </note>
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account or by a member account that is a delegated administrator for
     # an AWS service.
     #
@@ -4658,7 +4849,7 @@ module Aws::Organizations
     # Moves an account from its current source parent root or organizational
     # unit (OU) to the specified destination parent root or OU.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :account_id
@@ -4750,7 +4941,7 @@ module Aws::Organizations
     # Services that you can use with AWS Organizations][1] in the *AWS
     # Organizations User Guide.*
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     #
@@ -4787,28 +4978,33 @@ module Aws::Organizations
     #
     # The removed account becomes a standalone account that isn't a member
     # of any organization. It's no longer subject to any policies and is
-    # responsible for its own bill payments. The organization's master
+    # responsible for its own bill payments. The organization's management
     # account is no longer charged for any expenses accrued by the member
     # account after it's removed from the organization.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account. Member accounts can remove themselves with LeaveOrganization
     # instead.
     #
-    # You can remove an account from your organization only if the account
-    # is configured with the information required to operate as a standalone
-    # account. When you create an account in an organization using the AWS
-    # Organizations console, API, or CLI commands, the information required
-    # of standalone accounts is *not* automatically collected. For an
-    # account that you want to make standalone, you must choose a support
-    # plan, provide and verify the required contact information, and provide
-    # a current payment method. AWS uses the payment method to charge for
-    # any billable (not free tier) AWS activity that occurs while the
-    # account isn't attached to an organization. To remove an account that
-    # doesn't yet have this information, you must sign in as the member
-    # account and follow the steps at [ To leave an organization when all
-    # required account information has not yet been provided][1] in the *AWS
-    # Organizations User Guide.*
+    # * You can remove an account from your organization only if the account
+    #   is configured with the information required to operate as a
+    #   standalone account. When you create an account in an organization
+    #   using the AWS Organizations console, API, or CLI commands, the
+    #   information required of standalone accounts is *not* automatically
+    #   collected. For an account that you want to make standalone, you must
+    #   choose a support plan, provide and verify the required contact
+    #   information, and provide a current payment method. AWS uses the
+    #   payment method to charge for any billable (not free tier) AWS
+    #   activity that occurs while the account isn't attached to an
+    #   organization. To remove an account that doesn't yet have this
+    #   information, you must sign in as the member account and follow the
+    #   steps at [ To leave an organization when all required account
+    #   information has not yet been provided][1] in the *AWS Organizations
+    #   User Guide.*
+    #
+    # * After the account leaves the organization, all tags that were
+    #   attached to the account object in the organization are deleted. AWS
+    #   accounts outside of an organization do not support tags.
     #
     #
     #
@@ -4853,18 +5049,48 @@ module Aws::Organizations
 
     # Adds one or more tags to the specified resource.
     #
-    # Currently, you can tag and untag accounts in AWS Organizations.
+    # Currently, you can attach tags to the following resources in AWS
+    # Organizations.
     #
-    # This operation can be called only from the organization's master
+    # * AWS account
+    #
+    # * Organization root
+    #
+    # * Organizational unit (OU)
+    #
+    # * Policy (any type)
+    #
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :resource_id
     #   The ID of the resource to add a tag to.
     #
     # @option params [required, Array<Types::Tag>] :tags
-    #   The tag to add to the specified resource. You must specify both a tag
-    #   key and value. You can set the value of a tag to an empty string, but
-    #   you can't set it to null.
+    #   A list of tags to add to the specified resource.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
+    #
+    #   For each tag in the list, you must specify both a tag key and a value.
+    #   You can set the value to an empty string, but you can't set it to
+    #   `null`.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
+    #   of tags for an account user, then the entire request fails and the
+    #   account is not created.
+    #
+    #    </note>
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -4889,18 +5115,39 @@ module Aws::Organizations
       req.send_request(options)
     end
 
-    # Removes a tag from the specified resource.
+    # Removes any tags with the specified keys from the specified resource.
+    #
+    # You can attach tags to the following resources in AWS Organizations.
+    #
+    # * AWS account
     #
-    # Currently, you can tag and untag accounts in AWS Organizations.
+    # * Organization root
     #
-    # This operation can be called only from the organization's master
+    # * Organizational unit (OU)
+    #
+    # * Policy (any type)
+    #
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :resource_id
-    #   The ID of the resource to remove the tag from.
+    #   The ID of the resource to remove a tag from.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
     #
     # @option params [required, Array<String>] :tag_keys
-    #   The tag to remove from the specified resource.
+    #   The list of keys for tags to remove from the specified resource.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -4924,7 +5171,7 @@ module Aws::Organizations
     # change. The child OUs and accounts remain in place, and any attached
     # policies of the OU remain attached.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :organizational_unit_id
@@ -4999,7 +5246,7 @@ module Aws::Organizations
     # If you don't supply any parameter, that value remains unchanged. You
     # can't change a policy's type.
     #
-    # This operation can be called only from the organization's master
+    # This operation can be called only from the organization's management
     # account.
     #
     # @option params [required, String] :policy_id
@@ -5133,7 +5380,7 @@ module Aws::Organizations
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-organizations'
-      context[:gem_version] = '1.49.0'
+      context[:gem_version] = '1.54.0'
       Seahorse::Client::Request.new(handlers, context)
     end