AWS Cloud Operations Blog
Simplified multi-account governance with AWS Organizations all features
AWS Organizations simplifies multi-account governance for customers with tools to centrally manage their AWS accounts and offers two feature modes: all features and consolidated billing. With all features enabled, the default and preferred approach, customers can centrally manage other AWS services that are integrated with AWS Organizations and apply organization-wide controls with the management policies.
In this blog post, we will cover the all features mode along with guidance on migrating from consolidated billing to all features to simplify the governance of multi-account environments.
Overview
AWS Organizations provides customers the capability to centrally manage and govern their cloud environment and is available in two feature modes:
1. All features: Customers can set central policies and configuration requirements for the entire organization, create custom permissions or capabilities within the organization, manage and organize their accounts under a single bill, and delegate responsibilities to other accounts on behalf of the organization. Customers can leverage the AWS Organizations integration with other AWS services to define central configurations, security mechanisms, audit requirements, and resource sharing across all member accounts in their organization. When customers create a new organization, it is created in all features by default, as all features is the preferred way to work with Organizations. Read AWS services integrated with AWS Organizations for more information. All features mode provides all the capabilities of consolidated billing along with the administrative capabilities.
2. Consolidated billing: Customers can generate a single, consolidated bill across all accounts in an organization. AWS Organizations launched with consolidated billing feature mode in 2017.
Customers may be using their organization in consolidated billing if they: (1) created an organization when consolidated billing launched and haven’t yet migrated to all features; (2) chose not to employ the governance controls all features offers in their environment; (3) are unsure whether migration to all features is feasible when they have accounts created through the organization as well as accounts invited to join the organization; (4) are unsure whether they need to accept an invitation to all features as the root user for all the member accounts in their organization.
Multi-account governance with all features
No guardrails or policies automatically applied
Organizations in all features provide customers the functionality to set up governance controls based on their needs. No guardrails or policies are automatically applied after this migration; the administrator defines the guardrails and applies policies to the appropriate targets for the guardrails to take effect.
No changes to the consolidated bill
Turning on all features doesn’t change the behavior of consolidated billing, so customers will continue to get a consolidated bill with no changes. Customers who migrate to all features cannot revert this action. As customers adopt multi-account services and features, they are still only charged for the services based on their usage within accounts in their organization. There are no additional charges to enable the multi-account functionality. Customers are charged only for the AWS resources that users and roles in their member accounts use, such as the standard fees for Amazon EC2 instances. For information about the pricing of other AWS services, see AWS Pricing.
Enabling all features with added and invited member accounts
To migrate to all features, the member accounts in an organization may need to take additional steps. The organization sends a request to every invited account in the organization asking for approval to enable all features, since invited accounts may have been created independently or by different owners. Accounts that customers create in their organization will not receive an approval request.
Invited member accounts have 90 days to sign in as the root user and approve the request. If the request expires, all requests related to this migration are canceled. If an invited member account declines the request for migration to all features, customers must either remove the account from their organization or resend the request. The migration will not move forward until all invited accounts approve the migration, or until they are removed from the organization. If the process to enable all features is cancelled before the account accepts the invitation, that invitation is canceled.
Let’s look at an example to understand this. Say an organization Org1 has 4 member accounts. Account1 and Account2 were created in the organization, and Account3 and Account4 are invited accounts. When you kick off the migration to all features, Account3 and Account4 will receive a notification to approve or decline the migration. The migration will complete successfully only if both invited accounts, Account3 and Account4, approve this request.
Adding new accounts during the all features migration
If customers have migrated to all features or the migration is in progress, they are free to continue adding new accounts and inviting other accounts to their organization. When customers invite accounts from outside the organization, the account owners receive an invitation stating whether the organization is in consolidated billing or all features mode. This email lets accounts choose whether to join the organization and doesn’t relate to an organization migrating to all features.
Procedures
The two approaches for migration to all features are standard migration, available to all AWS Organizations customers, and assisted migration, available to Enterprise Support plan customers.
Standard Migration Process
Customers can initiate the standard migration to enable all features through the management account. To kick-off the standard migration, follow the steps below:
- Navigate to the AWS Organizations console (select the new console version) and select the Organizations Settings page.
- Select Enable all features and then select the Standard migration option.
- Read the How it works section and click Begin process to enable all features.
- Follow the steps Enabling all features in an organization to enable all features for your organization.
- To learn how an invited member account needs to approve the migration to all features, read Approving the request to enable all features.
- The Enable all features page shows the current request status for each account in the organization as ACCEPTED, OPEN, or DECLINED.
- If you don’t have invited member accounts or all the invited member accounts have accepted the migration to all features, you can finalize the process and enable all features. Read Finalizing the process to enable all features.
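The status check in the steps above can also be scripted against the Organizations API. The following is an added example, not code from the post: it takes the account list and the handshake list (the shapes returned by ListAccounts and ListHandshakesForOrganization) and reports which invited accounts still block finalization. The account IDs, organization ID and handshake IDs are constructed sample values mirroring the Org1 example, and the handshake list is assumed to be already filtered to the current request via the ParentHandshakeId filter.

```python
# Constructed sample data in the shape of the ListAccounts and
# ListHandshakesForOrganization responses (IDs are made up).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "Account1", "JoinedMethod": "CREATED"},
    {"Id": "222222222222", "Name": "Account2", "JoinedMethod": "CREATED"},
    {"Id": "333333333333", "Name": "Account3", "JoinedMethod": "INVITED"},
    {"Id": "444444444444", "Name": "Account4", "JoinedMethod": "INVITED"},
]
ORG = {"Id": "o-exampleorgid", "Type": "ORGANIZATION"}
SAMPLE_HANDSHAKES = [
    # Parent request raised by the management account.
    {"Id": "h-parent", "Action": "ENABLE_ALL_FEATURES", "State": "OPEN",
     "Parties": [ORG]},
    # One child request per invited account; created accounts get none.
    {"Id": "h-child3", "Action": "APPROVE_ALL_FEATURES", "State": "ACCEPTED",
     "Parties": [{"Id": "333333333333", "Type": "ACCOUNT"}, ORG]},
    {"Id": "h-child4", "Action": "APPROVE_ALL_FEATURES", "State": "OPEN",
     "Parties": [{"Id": "444444444444", "Type": "ACCOUNT"}, ORG]},
]


def migration_readiness(accounts, handshakes):
    """Bucket invited accounts by the state of their APPROVE_ALL_FEATURES
    handshake and report whether the management account can finalize."""
    state_by_account = {}
    for hs in handshakes:
        if hs["Action"] != "APPROVE_ALL_FEATURES":
            continue
        for party in hs["Parties"]:
            if party["Type"] == "ACCOUNT":
                state_by_account[party["Id"]] = hs["State"]

    report = {"created": [], "ACCEPTED": [], "OPEN": [], "DECLINED": []}
    for acct in accounts:
        if acct["JoinedMethod"] == "CREATED":
            report["created"].append(acct["Id"])  # no approval needed
            continue
        # Other states (EXPIRED, CANCELED) or a missing request also block.
        state = state_by_account.get(acct["Id"], "NO_REQUEST")
        report.setdefault(state, []).append(acct["Id"])

    # Finalization needs every invited account to have ACCEPTED; a DECLINED
    # account must be removed from the organization or sent a new request.
    blocking = [s for s in report if s not in ("created", "ACCEPTED") and report[s]]
    report["can_finalize"] = not blocking
    return report


if __name__ == "__main__":
    print(migration_readiness(SAMPLE_ACCOUNTS, SAMPLE_HANDSHAKES))
```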
Assisted Migration Process
Enterprise customers may find it difficult to complete the standard process due to the large number of accounts they manage. In large organizations, these customers often struggle to access every invited account as the root user and to obtain approval to migrate from all of them.
Assisted migration simplifies this process by enabling customers with an Enterprise Support plan to request that AWS migrate their organization to all features on their behalf. This process requires that the customer sign a click-through agreement affirming that they own all accounts, followed by a 14-day waiting period. This waiting period gives accounts time to leave the organization if they wish before the organization change takes effect. To kick off assisted migration, follow the steps below:
- Navigate to the AWS Organizations console and select the Settings page.
- Choose Enable all features and then select the Assisted migration option.
- Read the terms and conditions of the agreement, accept them, and click Begin process to enable all features to start the migration. Note: If you are currently enabling all features using the standard migration process, it will be canceled, and the assisted migration process will kick off. Similarly, once you start the assisted migration process, it cannot be rolled back. You’ll need to wait 90 days until the process expires if you want to go through the standard process instead.
- Customers using the assisted migration process don’t have to worry about accessing their invited accounts as the root user to accept the migration to all features.
- Customers can reach out to their TAM (Technical Account Manager) for exact details and progress of this process along with the timelines.
Conclusion
In conclusion, all features allows customers to centrally manage their member accounts under the organization and leverage the integration of other AWS services to centrally manage configuration, security, audit, and resource sharing. The AWS Organizations product page lists additional benefits.
Customers following our recommendations with all features enabled can manage their cloud environment with increased effectiveness. For example, you can read a story from ENGIE, a customer that specializes in global energy infrastructure and solutions. ENGIE rapidly migrated assets and accounts using AWS Organizations all features mode.
We hope this blog post highlights the importance of migrating to all features and helps customers easily migrate from consolidated billing to all features mode. Here’s the step-by-step guidance to enable all features in an organization, AWS Organizations console link, and best practices for getting started.