AWS Security Blog
AWS Organizations now available in the AWS GovCloud (US) Regions for central governance and management of AWS accounts
October 2, 2024: This post was republished to update the terminology for management accounts.
AWS Organizations is now available in the AWS GovCloud (US) Regions, enabling you to centrally govern and manage your AWS GovCloud (US) accounts. AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. Using AWS Organizations, you can:
- Define organization-wide permission guardrails to establish controls that all IAM principals (users and roles) adhere to across your accounts using service control policies (SCPs)
- Group your accounts into categories using organizational units (OUs)
- Programmatically create new accounts in your organization
- Manage multi-account capabilities for integrated AWS services
For more information about AWS Organizations, see our User Guide.
In this blog post, I will walk you through some frequently asked questions related to Organizations in AWS GovCloud (US).
Prerequisites
Knowledge of the AWS GovCloud (US) Regions is helpful to understand the concepts introduced in this blog post. For more information about AWS GovCloud (US), see the AWS GovCloud (US) Documentation. For information about the differences between AWS GovCloud (US) Regions and standard AWS Regions, please see AWS GovCloud (US-West) Region Compared to Standard AWS Regions.
One fundamental concept is how AWS GovCloud (US) accounts work. Each AWS GovCloud (US) account has a mapped commercial account associated with it in a 1:1 relationship (displayed in the diagrams later on in this blog post by blue dotted lines). The commercial account is used by the AWS GovCloud (US) account for billing and support-related use cases, as well as associating various account information for the AWS GovCloud (US) account (for example, an email address). This association between the AWS GovCloud (US) account and its mapped commercial account can’t be modified.
The AWS GovCloud (US) Regions have special requirements, so you’ll need to have access to the AWS GovCloud (US) Regions to use AWS Organizations in AWS GovCloud (US).
Set up your AWS GovCloud (US) organization
AWS GovCloud (US) organizations are completely separate from commercial organizations and are managed independently of one another. The two most common models used to structure your AWS GovCloud (US) organization in relation to an existing commercial organization are a single company model or a reseller/partner model.
For single companies, you’ll want to use the AWS GovCloud (US) account mapped to your commercial organization management account to create your AWS GovCloud (US) organization. This maintains the relationship between the two organizations’ management accounts for easier management. This is visualized in Figure 1.
- The AWS GovCloud (US) account mapped to the management account of the commercial organization is used to create an AWS GovCloud (US) organization.
- The other AWS GovCloud (US) accounts mapped to the member accounts of the commercial organization are invited into the new AWS GovCloud (US) organization.
For resellers or partners who might be servicing multiple customers in AWS GovCloud (US) from a single commercial organization, you can create an AWS GovCloud (US) organization for each customer. In Figure 2, I assume that the commercial organization is being managed by the reseller who is servicing two customers, A and B.
- Customer A chooses one of their AWS GovCloud (US) accounts to become the management account of their AWS GovCloud (US) organization and uses it to create the organization.
- Customer A invites their other AWS GovCloud (US) accounts into their new AWS GovCloud (US) organization.
- Customer B does the same as Customer A.
- The reseller manages all of the mapped commercial accounts for billing and support purposes in the reseller’s commercial organization.
Creating your organization in AWS GovCloud (US) follows the same process as in other regions either by using the API/CLI or logging in to the AWS GovCloud (US) Organizations console and choosing Create organization. For more information on creating an organization, please see Creating an Organization.
Frequently asked questions about how AWS Organizations works in the AWS GovCloud (US) Regions
Can I use my AWS GovCloud (US) organization to manage accounts in commercial Regions?
No, organizations in AWS GovCloud (US) do not enable you to manage accounts in commercial regions. You can use your organization in the AWS GovCloud (US) Regions to help you manage your AWS GovCloud (US) accounts. Your organization in AWS GovCloud (US) has no relation to your existing organization in commercial Regions and is independently managed.
Can I view the relationship between an AWS GovCloud (US) account and its mapped commercial account?
No. Because of the isolated nature of the AWS GovCloud (US) Regions, you will not be able to view any information (such as the account ID or email address) about the mapped commercial accounts associated with your AWS GovCloud (US) accounts managed in your AWS GovCloud (US) organization. You can view and manage information about your AWS GovCloud (US) accounts using your AWS GovCloud (US) organization, and your commercial accounts using your commercial organization.
How does consolidated billing work for AWS GovCloud (US) organizations?
AWS GovCloud (US) accounts are billed to the mapped commercial account associated with them and paid for in the commercial regions. Therefore, AWS GovCloud (US) organizations (and the management account of AWS GovCloud (US) organizations) are not responsible for the billing of account activity incurred by AWS GovCloud (US) accounts in the organization. If you manage all of your mapped commercial accounts associated with your AWS GovCloud (US) accounts in a single commercial organization—as you would if you follow the common configuration of a single company described earlier—you will receive one bill for all of your commercial and AWS GovCloud (US) account usage.
How do I programmatically create a new AWS GovCloud (US) account using Organizations?
New AWS GovCloud (US) accounts can be programmatically created using a new Organizations API, CreateGovCloudAccount, which can be called by the management account of a commercial organization, provided that it already has an associated AWS GovCloud (US) account. If your management account doesn’t have an associated AWS GovCloud (US) account, you’ll need to create one before using this API.
The CreateGovCloudAccount API creates both a standalone AWS GovCloud (US) account as well as its corresponding mapped commercial account, which will automatically be added to your commercial organization. The new AWS GovCloud (US) account is independent and will need to be invited into an AWS GovCloud (US) organization.
How do I access a new AWS GovCloud (US) account programmatically created using the CreateGovCloudAccount API?
- Use the commercial organization’s management account to call the CreateGovCloudAccount API, which creates a new account in the commercial organization. A role is created in this new commercial account that allows your commercial organization management account to assume it, the exact same way account creation works in commercial organizations today.
- An AWS GovCloud (US) account is then automatically created and mapped to the commercial account that was just created. A role is created in the new AWS GovCloud (US) account that can be assumed by the AWS GovCloud (US) account mapped to the management account of the commercial organization.
- Sign in to the AWS GovCloud (US) account mapped to your commercial organization’s management account and assume the role into the newly created AWS GovCloud (US) account.
Here’s a diagram to help you understand the process.
- You call the CreateGovCloudAccount API from the management account of your commercial organization, which creates a new account in your commercial organization and a mapped standalone AWS GovCloud (US) account.
- Your AWS GovCloud (US) account mapped to your management account of your commercial organization has permissions to assume the OrganizationAccountAccessRole IAM role in the newly created AWS GovCloud (US) account.
- Once you have access to the new AWS GovCloud (US) account, you can set up your own IAM users/roles and invite the account into your AWS GovCloud (US) organization.
Can I manage both commercial accounts and AWS GovCloud (US) accounts using the same organization?
No. You can use your existing commercial organization to manage your commercial accounts and create a new AWS GovCloud (US) organization to manage your AWS GovCloud (US) accounts.
Summary
AWS Organizations now extends its governance and management capabilities to customers in the AWS GovCloud (US) Regions. Customers are now able add their AWS GovCloud (US) accounts in an AWS GovCloud (US) organization for central governance of access, compliance, and security. To get started, sign in to the AWS Organizations console from an AWS GovCloud (US) Region.
If you have comments about this post, submit them in the “Comments” section below. If you have additional questions, please open a new thread on the AWS Organizations forum.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.