Get Started with AWS Organizations

Try AWS Organizations

AWS Organizations is available to all AWS customers at no additional charge.

Q: What is AWS Organizations?

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Q: Which administrative actions does AWS Organizations enable?

AWS Organizations enables the following administrative actions:

  • Create an AWS account and add it to your organization, or add an existing AWS account to your organization.
  • Organize your AWS accounts into groups called organizational units (OUs).
  • Organize your OUs into a hierarchy that reflects your company’s structure.
  • Centrally manage and attach policies to the entire organization, OUs, or individual AWS accounts.

Q: Which controls does AWS Organizations enable in this release?

In this release, you can define and enforce the AWS service actions, such as Amazon EC2 RunInstances, that are available for use in different AWS accounts within an organization.

Q: Do I need to migrate from my Consolidated Billing family to AWS Organizations?

No, AWS has migrated Consolidated Billing families to AWS Organizations automatically, with only consolidated billing features enabled.

Q: How do I get started?

To get started, you must first decide which of your AWS accounts will become the master account. If you have a Consolidated Billing family, we already converted your Consolidated Billing payer AWS account to be the master account. If you do not have a Consolidated Billing family, you can either create a new AWS account or select an existing one.

Steps for customers using Consolidated Billing

  1. Navigate to the Consolidated Billing console. AWS redirects you to the new AWS Organizations console.
  2. AWS converted your Consolidated Billing family automatically, so you can start taking advantage of the new organizational capabilities.
Steps for customers not using Consolidate Billing
 
You need to create a new organization by following these simple steps:
 
  1. Sign in as an administrator to the AWS Management Console using the AWS account you want to use to manage your organization.
  2. Go to the AWS Organizations console.
  3. Choose Create Organization.
  4. Select what features you want to enable for your organization. Either consolidated billing only features or all features
  5. Add AWS accounts to your organization by using one of the following two methods:
    1. Invite existing AWS accounts to join your organization by using their AWS account ID or associated email address.
    2. Create new AWS accounts.
  6. Model your organizational hierarchy by grouping your AWS accounts in OUs.
  7. If you choose to enable all features for your organization, then you can author and assign controls to these OUs.

You can also use the AWS CLI (for command-line access) or SDKs (for programmatic access) to perform the same steps to create a new organization.

Note: You can initiate the creation of a new organization only from an AWS account that is not already a member of another organization.
 
For more information, see Getting started with AWS Organizations.

Q: What is an organization?

An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.

Q: What is an AWS account?

An AWS account is a container for your AWS resources. You create and manage your AWS resources in an AWS account, and the AWS account provides administrative capabilities for access and billing.

Q: What is a master account?

A master account is the AWS account you use to create your organization. From the master account, you can create other accounts in your organization, invite and manage invitations for other accounts to join your organization, and remove accounts from your organization. You can also attach policies to entities such as administrative roots, organizational units (OUs), or accounts within your organization. The master account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization. You cannot change which account in your organization is the master account.

Q: What is a member account?

A member account is an AWS account, other than the master account, that is part of an organization. If you are an administrator of an organization, you can create member accounts in the organization and invite existing accounts to join the organization. You also can apply policies to member accounts. A member account can belong to only one organization at a time.

Q: What is an administrative root?

An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy. Under this root, you can create OUs to logically group your accounts and organize these OUs into a hierarchy that best matches your business needs.

Q: What is an organizational unit (OU)?

An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy. For example, you can group all accounts that belong to the same department into a departmental OU. Similarly, you can group all accounts running production services into a production OU. OUs are useful when you need to apply the same controls to a subset of accounts in your organization. Nesting OUs enables smaller units of management. For example, in a departmental OU, you can group accounts that belong to individual teams in team-level OUs. These OUs inherit the policies from the parent OU in addition to any controls assigned directly to the team-level OU.

Q: What is a policy?

An policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts. In this release, AWS Organizations supports a specific type of policy called a Service Control Policy (SCP). An SCP defines the AWS service actions, such as Amazon EC2 RunInstances, that are available for use in different accounts within an organization.


Q: Can I define and manage my organization regionally?

No. All organization entities are globally accessible, similar to how AWS Identity and Access Management (IAM) works today. You do not need to specify a region when you create and manage your organization. Users in your AWS accounts can use AWS services in any geographic region in which that service is available.

Q: Can I change which AWS account is the master account?

No. You cannot change which AWS account is the master account. Therefore, you should select your master account carefully.

Q: How do I add an AWS account to my organization?

Use one of the following two methods to add an AWS account to your organization:

Method 1: Invite an existing account to join your organization

  1. Sign in as an administrator of the master account and navigate to the AWS Organizations console.
  2. Choose the Accounts tab.
  3. Choose Add account and then choose Invite account.
  4. Provide the email address of the account that you want to invite or the AWS account ID of the account.

Note: You can invite more than one AWS account by providing a comma-separated list of email addresses or AWS account IDs.

The specified AWS account receives an email inviting it to join your organization. An administrator in the invited AWS account must accept or reject the request using the AWS Organizations console, AWS CLI, or Organizations API. If the administrator accepts your invitation, the account becomes visible in the list of member accounts in your organization. Any applicable policies, such as SCPs, will be enforced automatically in the newly added account. For example, if your organization has an SCP attached to the root of your organization it will directly be enforced on the newly created accounts.

Method 2: Create an AWS account in your organization

  1. Sign in as an administrator of your master account and navigate to the AWS Organizations console.
  2. Choose the Accounts tab.
  3. Choose Add account and then choose Create account.
  4. Provide a name for the account and the email address for the account.

You can also create an account by using the AWS SDK or AWS CLI. For both methods, after you add the new account, you can move it to an organizational unit (OU). The new account automatically inherits the policies attached to the OU.

Q: Can an AWS account be a member of more than one organization?

No. An AWS account can be a member of only one organization at a time.

Q: How can I access an AWS account that was created in my organization?

As part of AWS account creation, AWS Organizations creates an IAM role with full administrative permissions in the new account. IAM users and IAM roles with appropriate permissions in the master account can assume this IAM role to gain access to the newly created account.

Q: Can I set up multi-factor authentication (MFA) on the AWS account that I create in my organization programmatically?

No. This currently is not supported.

Q: Can I move an AWS account that I have created using AWS Organizations to another organization?

No. This currently is not supported.

Q:  Can I remove an AWS account that I created using Organizations and make it a standalone account?

Yes. However, when you create an account in an organization using the AWS Organizations console, API, or CLI commands, all the information required of standalone accounts is not automatically collected. For each account that you want to make standalone, you first must accept the AWS Customer Agreement, choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account is not attached to an organization. For more information, see To leave an organization when all required account information has not yet been provided (console).

Q: How many AWS accounts can I manage in my organization?

This can vary. If you need additional accounts, go to the AWS Support Center and open a support case to request an increase.

Q: How can I remove an AWS member account from an organization?

You can remove a member account by using one of the following two methods. You might have to provide additional information to remove an account that you created using Organizations. If the attempt to remove an account fails, go to the AWS Support Center and ask for help with removing an account.

Method 1: Remove an invited member account by signing in to the master account

  1. Sign in as an administrator of the master account and navigate to the AWS Organizations console.
  2. In the left pane, choose Accounts.
  3. Choose the account that you want to remove and then choose Remove account.
  4. If the account does not have a valid payment method, you must provide one.

Method 2: Remove an invited member account by signing in to the member account

  1. Sign in as an administrator of the member account that you want to remove from the organization.
  2. Navigate to the AWS Organizations console.
  3. Choose Leave organization.
  4. If the account does not have a payment method, you must provide one.

Q: How can I create an organizational unit (OU)?

To create an OU, follow these steps:

  1. Sign in as an administrator of the master account and navigate to the AWS Organizations console.
  2. Choose the Organize accounts tab.
  3. Navigate in the hierarchy to where you want to create the OU. You can create it directly under the root, or you can create it within another OU.
  4. Choose to Create organizational unit and provide a name for your OU. The name must be unique within your organization.

Note: You can rename the OU later.

You now can add AWS accounts to your OU. You can also use the AWS CLI and AWS APIs to create and manage an OU.

Q: How can I add a member AWS account to an OU?

Follow these steps to add member accounts to an OU:

  1. In the AWS Organizations console, choose the Organize accounts tab.
  2. Choose the AWS account, and then choose Move account.
  3. In the dialog box, select the OU to which you want to move the AWS account.

Alternatively, you can use the AWS CLI and AWS APIs to add AWS accounts to an OU.

Q: Can an AWS account be a member of multiple OUs?

No. An AWS account can be a member of only one OU at a time.

Q: Can an OU be a member of multiple OUs?

No. An OU can be a member of only one OU at a time.

Q: How many levels can I have in my OU hierarchy?

You can nest your OUs five levels deep. Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.


Q: How can I control who can manage my organization?

You control who can manage your organization and its resources in the same way that you manage access to your other AWS resources: you attach IAM policies to IAM users, groups, or roles in the master account. With IAM policies, you can control the following:

  • Creating an organization, organization unit (OU), or AWS account.
  • Adding, moving, and removing AWS accounts to and from your organization and OUs.
  • Creating policies and attaching them to the root of your organization, OUs, and individual accounts.

Q: Why is there an IAM role defined in every account that I create using AWS Organizations?

This role enables users in the master account to access a new member account. A new member account initially doesn’t have any users or passwords and can be accessed only by using this role. After you use the role to access the member account and create at least one IAM user with administrator permissions in it, you can safely delete the role if you want. For more information about IAM roles and users, see Accessing a Member Account That Has a Master Account Access Role.

Q: Can I grant permission to manage my organization to IAM users in any AWS member account in my organization?

Yes. If you want to grant IAM users in a member account permission to manage your entire organization or parts of your organization, you can use IAM roles. You create a role with the appropriate permissions in the master account and allow users or roles in the member account to assume the new role. This is the same cross-account method that you use to grant an IAM user in one account access to a resource (for example, an Amazon DynamoDB table) in another account.

Q: Can an IAM user in a member account sign in to my organization?

No. IAM users can sign in only to their associated member account in your organization.

Q: Can an IAM user sign in to an OU in my organization?

No. IAM users can sign in only to their associated AWS account in your organization.

Q: Can I control who in my AWS account can accept an invitation to join an organization?

Yes. Using IAM permissions, you can grant or deny users in your account the ability to accept or decline invitations to join an organization. The following policy grants access to view and manage invitations in an AWS account:

{

    "Version":"2012-10-17",

    "Statement":[

        {

            "Effect":"Allow",

            "Action":[

                "organizations:AcceptHandshake",

                "organizations:DeclineHandshake",

                "organizations:DescribeHandshake",

                "organizations:ListHandshakesForAccount"

            ],

            "Resource":" *"

        }

    ]

}


Q: At what levels of my organization can I apply a policy?

You can attach a policy to the root of your organization (applies to all accounts in your organization), to individual organizational units (OUs), which applies to all accounts in the OU including nested OUs, or to individual accounts.

Q: How can I attach a policy?

You can attach a policy in one of two ways:

  • In the AWS Organizations console, navigate to where you want to assign the policy (the root, an OU, or an account), and then choose Attach Policy.
  • In the Organizations console, choose the Policies tab and do one of the following:
    • Choose an existing policy, choose Attach Policy from the Actions drop-down list, and then choose the root, OU, or account to which you want to attach the policy.
    • Choose Create Policy, and then as part of the policy creation workflow, choose the root, OU, or account to which you want to attach the new policy.

For more information, see Managing Policies.

Q: Are policies inherited through hierarchical connections in my organization?

Yes. For example, let’s assume that you have arranged your AWS accounts into OUs according to your application development stages: DEV, TEST, and PROD. Policy P1 is attached to the organization’s root, policy P2 is attached to the DEV OU, and policy P3 is attached to AWS account A1 in the DEV OU. With this setup, P1+P2+P3 all apply to account A1.

For more information, see About Service Control Policies.

Q: What types of policies does AWS Organizations support?

Currently, AWS Organizations supports Service Control Policies (SCPs). You can use SCPs to define and enforce the actions that IAM users, groups, and roles can perform in the accounts to which the SCP is applied.

Q: What is a Service Control Policy (SCP)?

Service Control Policies (SCPs) allow you to control which AWS service actions are accessible to principals (account root, IAM users, and IAM roles) in the accounts of your organization. An SCP is required but is not the only control that determines which principals in an account can access resources to grant principals in an account access to resources. The effective permission on a principal in an account that has an SCP attached is the intersection of what is allowed explicitly in the SCP and what is allowed explicitly in the permissions attached to the principal. For example, if an SCP applied to an account states that the only actions allowed are Amazon EC2 actions, and the permissions on a principal in the same AWS account allow both EC2 actions and Amazon S3 actions, the principal is able to access only the EC2 actions.

Principals in a member account (including the root user for the member account) cannot remove or change SCPs that are applied to that account.

Q: What does an SCP look like?

SCPs follow the same rules and grammar as IAM policies, except you can not specify conditions and the resource section must be equal to “*”. You can use an SCP to deny or allow access to AWS service actions.

Whitelist example

The following SCP grants access to all EC2 and S3 service actions in the AWS account. All principals (account root, IAM user, and IAM role) in an account with this SCP applied will not be able to access any other actions, no matter which IAM policies are directly assigned to them. Those IAM policies must explicitly grant EC2 or S3 service actions for the principals to access them.

{

    "Version":"2012-10-17",

    "Statement":[

        {

            "Effect":"Allow",

            "Action":["EC2:*","S3:*"],

            "Resource":"*"

        }

    ]

}

Blacklist example

The following SCP allows access to all AWS service actions except the S3 action, PutObject. All principals (account root, IAM user, and IAM role) with appropriate permissions assigned directly to them in an account with this SCP applied can access any action except the S3 PutObject action.

{

    "Version":"2012-10-17",

    "Statement":[

        {

            "Effect":"Allow",

            "Action": "*:*",

            "Resource":"*"

        },

        {

            "Effect":"Deny",

            "Action":"S3:PutObject",

            "Resource":"*"

        }

    ]

}

For more examples, see Strategies for Using SCPs.

Q: If I attach an empty SCP to an AWS account, does that mean that I allow all AWS service actions in that AWS account?

No. SCPs behave the same way as IAM policies: an empty IAM policy is equivalent to a default DENY. Attaching an empty SCP to an account is equivalent to attaching a policy that explicitly denies all actions.

Q: Can I specify resources and principals in an SCP?

No. In the current release, you can specify only AWS services and actions in an SCP. You can specify resources and principals by using IAM permission policies within the AWS account. For more details, see Service Control Policy Syntax.

Q: What are the effective permissions if I apply an SCP to my organization and my principals also have IAM policies?

The effective permissions granted to a principal (account root, IAM user, and IAM role) in an AWS account with an SCP applied are the intersection between those allowed by the SCP and the permissions granted to the principal by IAM permission policies. For example, if an IAM user has "Allow": "ec2:* " and "Allow": "sqs:* ", and the SCP attached to the account has "Allow": "ec2:* " and "Allow": "s3:* ", the resultant permission for the IAM user is "Allow": "ec2:* " The principal cannot perform any Amazon SQS (not allowed by the SCP) or S3 actions (not granted by the IAM policy).

Q: Can I simulate the effect of an SCP on an AWS account?

Yes, the IAM policy simulator can include the effects of SCPs. You can use the policy simulator in a member account in your organization to understand the effect on individual principals in that account. An administrator in a member account with the appropriate AWS Organizations permissions can see if an SCP is affecting the access for the principals (account root, IAM user, and IAM role) in your member account.

For more information, see Service Control Policies.

Q: Can I create and manage an organization without enforcing an SCP?

Yes. You decide which policies that you want to enforce. For example, you could create an organization that takes advantage only of the consolidated billing functionality. This allows you to have a single-payer account for all accounts in your organization and automatically receive default tiered-pricing benefits.


Q: What does AWS Organizations cost?

AWS Organizations is offered at no additional charge.

Q: Who pays for usage incurred by users under an AWS member account in my organization?

The owner of the master account is responsible for paying for all usage, data, and resources used by the accounts in the organization.

Q: How does AWS Organizations compare with Consolidated Billing?

The features of Consolidated Billing are now part of AWS Organizations. Organizations enables you to consolidate payment for multiple AWS accounts within your company by designating a single-payer account. For more information, see Consolidated Billing and AWS Organizations.

Q: Will my bill reflect the organizational unit structure that I created in my organization?

No. For now, your bill will not reflect the structure that you have defined in your organization. You can use cost allocation tags in individual AWS accounts to categorize and track your AWS costs, and this allocation will be visible in the consolidated bill for your organization.