Amazon Organizations terminology and concepts - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon Organizations terminology and concepts

To help you get started with Amazon Organizations, this topic explains some of the key concepts.

The following diagram shows a basic organization that consists of five accounts that are organized into four organizational units (OUs) under the root. The organization also has several policies that are attached to some of the OUs or directly to accounts. For a description of each of these items, refer to the definitions in this topic.


            Diagram of basic organization
Organization

An entity that you create to consolidate your Amazon accounts so that you can administer them as a single unit. You can use the Amazon Organizations console to centrally view and manage all of your accounts within your organization. An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.

Root

The parent container for all the accounts for your organization. If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization.

Note

Currently, you can have only one root. Amazon Organizations automatically creates it for you when you create an organization.

Organizational unit (OU)

A container for accounts within a root. An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.

Account

An account in Organizations is a standard Amazon Web Services account that contains your Amazon resources and the identities that can access those resources.

Tip

An Amazon account is not the same thing as a "user account". An Amazon user is an identity that you create using Amazon Identity and Access Management (IAM) and takes the form of either an IAM user with long-term credentials, or an IAM role with short-term credentials. A single Amazon account can, and typically does contain many users and roles.

There are two types of accounts in an organization: a single account that is designated as the management account, and one or more member accounts.

  • The management account is the account that you use to create the organization. From the organization's management account, you can do the following:

    • Create accounts in the organization

    • Invite other existing accounts to the organization

    • Remove accounts from the organization

    • Manage invitations

    • Enable integration with supported Amazon services to provide service functionality across all of the accounts in the organization.

    The management account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account.

  • Member accounts make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account.

Invitation

The process of asking another account to join your organization. An invitation can be issued only by the organization's management account. The invitation is extended to either the account ID or the email address that is associated with the invited account. After the invited account accepts an invitation, it becomes a member account in the organization. Invitations also can be sent to all current member accounts when the organization needs all members to approve the change from supporting only consolidated billing features to supporting all features in the organization. Invitations work by accounts exchanging handshakes. You might not see handshakes when you work in the Amazon Organizations console. But if you use the Amazon CLI or Amazon Organizations API, you must work directly with handshakes.

Handshake

A multi-step process of exchanging information between two parties. One of its primary uses in Amazon Organizations is to serve as the underlying implementation for invitations. Handshake messages are passed between and responded to by the handshake initiator and the recipient. The messages are passed in a way that helps ensure that both parties know what the current status is. Handshakes also are used when changing the organization from supporting only consolidated billing features to supporting all features that Amazon Organizations offers. You generally need to directly interact with handshakes only if you work with the Amazon Organizations API or command line tools such as the Amazon CLI.

Available feature sets
  • All features – The default feature set that is available to Amazon Organizations. It includes all the functionality of consolidated billing, plus advanced features that give you more control over accounts in your organization. You can also enable integration with support Amazon services to let those service provide functionality across all of the accounts in your organization.

    You can create an organization with all features already enabled, or you can enable all features in an organization that originally supported only the consolidated billing features. To enable all features, all invited member accounts must approve the change by accepting the invitation that is sent when the management account starts the process.

  • Consolidated billing – This feature set provides shared billing functionality, but does not include the more advanced features of Amazon Organizations. For example, you can't enable other Amazon services to integrate with your organization to work across all of its accounts, . To use the advanced Amazon Organizations features, you must enable all features in your organization.