How do I move accounts between organizations in AWS Organizations?
Last updated: 2020-10-22
I plan to migrate AWS Organizations member accounts from one Organization to another Organization. What should I consider before starting the migration process?
When planning your migration, keep the following prerequisites in mind:
- You have the permissions you need to move both the payer and member accounts in the Organization.
- You backed up any reports from the member accounts that you need to keep. The member accounts can't access these reports after leaving the Organization.
- You have a plan to address any charges that are incurred while the accounts are migrating.
- You have a plan to update the tax information for any accounts that are changing Organizations.
- You understand the technical process of migrating accounts.
Account access considerations
- You must have root or AWS Identity and Access Management (IAM) access to both the member and payer accounts. For more information on adding these permissions, see Managing access permissions for your organization.
- You might need to add more information to a member account before you can move it. For example, you might need to add a new payment method to the member account, or update the contact information for the account. When you remove the account from the Organization, you are prompted to add this information. For more information, see Removing a member account from your organization.
- When you remove a member account from an Organization, the member account's access to AWS services that are integrated with the Organization is lost. In some cases, resources in the member account might be deleted. For example, when an account leaves the Organization, the AWS CloudFormation stacks created using StackSets are removed from the management of StackSets. You can choose to either delete or retain the resources managed by the stack. For a list of AWS services that can be integrated with Organizations, see AWS services that you can use with AWS Organizations.
- If you use the aws:PrincipalOrgID condition key in your resource-based policies to restrict access only to the principals from AWS accounts in your Organization, then you need to change these policies before moving the member account to another Organization.
- Before migrating, decide what set of features you want for your Organization. By default, Organizations support consolidated billing features. To access additional features such as service control policies (SCPs), enable all features.
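The following added example (not part of the original article) shows one way to find resource-based policy statements that depend on aws:PrincipalOrgID before a move, and to produce a transitional copy that lists both Organization IDs. The bucket policy, the IDs o-oldexample1 and o-newexample2, and the function names are constructed for illustration; listing both IDs during the move is an assumption about how you choose to change the policies, not a step the article prescribes.

```python
import copy
from fnmatch import fnmatchcase

ORG_KEY = "aws:principalorgid"  # condition key names are case-insensitive

# Constructed sample bucket policy; all IDs and ARNs are placeholders.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-oldexample1"}}},
    {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ["o-oldexample1"]}}},
    {"Sid": "PartnerRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_org_conditions(policy, old_org_id):
    """List (sid_or_index, effect, operator) for statements tied to old_org_id."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower() != ORG_KEY:
                    continue
                # StringLike-style operators accept * and ? wildcards.
                like = "like" in operator.lower()
                if any(fnmatchcase(old_org_id, v) if like else v == old_org_id
                       for v in _as_list(values)):
                    findings.append((stmt.get("Sid", idx), stmt.get("Effect"), operator))
    return findings

def allow_both_orgs(policy, old_org_id, new_org_id):
    """Return a copy where each exact match on old_org_id also lists new_org_id."""
    updated = copy.deepcopy(policy)
    for stmt in _as_list(updated.get("Statement", [])):
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                values = _as_list(keys[key])
                if key.lower() == ORG_KEY and old_org_id in values and new_org_id not in values:
                    keys[key] = values + [new_org_id]
    return updated

if __name__ == "__main__":
    print(find_org_conditions(SAMPLE_BUCKET_POLICY, "o-oldexample1"))
```

Both findings matter: the Allow statement stops granting access to the moved account, and the Deny statement starts blocking it. Multiple values under StringEquals are evaluated as OR and under StringNotEquals as NOR, so listing both IDs keeps either form working for accounts in both Organizations.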
Billing history and billing reports for all accounts stay with the payer account in an Organization. Before you move the account to a new Organization, download any billing or report history for any member accounts that you want to keep. This might include Cost and Usage Reports, Detailed Billing Reports, or reports generated by Cost Explorer.
When a member account leaves an Organization, all charges incurred by the account are charged directly to the standalone account. Even if the account move takes only a minute to process, it is likely that some charges are incurred by the member account.
If you need help updating the payment method for the member account, contact AWS Support.
Be sure that you have a plan to address these charges incurred by the member account. For example, if you are asked to add a credit card to the member account to cover the charges, plan an internal process to reimburse the linked account for using its own payment method during the migration.
When the member account is added to the new Organization, charges are billed to the new payer account.
If you currently benefit from a volume discount, you might temporarily pay the normal rate for that service. This is because you have changed billing entities, and your new consolidated billing family might not have reached the higher usage tier necessary to activate the volume discount. Be sure to plan for this temporary change in pricing.
You might need to update the tax settings on member accounts after you move them to the new Organization.
To view and edit the tax registration numbers for all member accounts in the Organization, you must sign in as the payer account.
Planning the migration process
- If you have only a few accounts to migrate, you can use the Organizations console.
- If you are migrating many accounts, you might use the AWS Organizations API or AWS Command Line Interface (AWS CLI) to move the accounts instead.
In either case, plan the following for each member account:
- Remove the member account from the old Organization.
- Send an invite to the member account from the new Organization.
- Accept the invite to the new Organization from the member account.
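The three per-account steps above map to three AWS Organizations API calls, each made with a different account's credentials. The sketch below is an added example, not code from the original article; the function name move_account and its return shape are assumptions, and the three arguments are expected to be boto3 "organizations" clients that you create yourself.

```python
def move_account(account_id, old_mgmt, new_mgmt, member):
    """Run remove -> invite -> accept for one member account.

    old_mgmt, new_mgmt and member are AWS Organizations clients, for example
    boto3.Session(profile_name=...).client("organizations"), holding credentials
    for the old management (payer) account, the new management account and the
    member account itself.
    """
    old_org = old_mgmt.describe_organization()["Organization"]["Id"]
    new_org = new_mgmt.describe_organization()["Organization"]["Id"]
    if old_org == new_org:
        raise ValueError("source and destination are the same Organization")

    # Step 1: the old management account removes the member. From here until
    # step 3 completes, the account is standalone and billed directly.
    old_mgmt.remove_account_from_organization(AccountId=account_id)

    # Step 2: the new management account sends the invite (a handshake).
    handshake = new_mgmt.invite_account_to_organization(
        Target={"Id": account_id, "Type": "ACCOUNT"}
    )["Handshake"]

    # Step 3: the member account accepts that specific handshake.
    member.accept_handshake(HandshakeId=handshake["Id"])

    # Confirm from the member's side that it now belongs to the new Organization.
    joined = member.describe_organization()["Organization"]["Id"]
    if joined != new_org:
        raise RuntimeError(f"{account_id} is in {joined}, expected {new_org}")
    return {"account": account_id, "left": old_org,
            "joined": joined, "handshake": handshake["Id"]}
```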
If you want the payer account of the old Organization to also join the new Organization, do the following:
- Remove the member accounts from the Organization using the preceding process.
- Delete the old Organization.
- Repeat the preceding process to invite the old payer account to the new Organization as a member account.