Managing Amazon Web Services accounts in your organization
An organization is a collection of Amazon Web Services accounts that you manage together. You can perform the following tasks to manage the accounts that are part of your organization:
- View details of the accounts in your organization. You can see the account's unique ID number, its Amazon Resource Name (ARN), and the policies that are attached to it.
- Export a list of all Amazon Web Services accounts in your organization. You can download a .csv file that contains account details for every account within your organization.
- Invite existing Amazon Web Services accounts to join your organization. Create invitations, manage invitations that you have created, and accept or decline invitations.
- Create an Amazon Web Services account as part of your organization. Create and access an Amazon Web Services account that is automatically part of your organization.
- Update alternate contacts in your organization. Update alternate contacts for your Amazon Web Services accounts in your organization.
- Remove an Amazon Web Services account from your organization. As an administrator in the management account, remove member accounts that you no longer want to manage from your organization. As an administrator of a member account, remove your account from its organization. If the management account has attached a policy to your member account, you could be blocked from removing your account.
- Delete (or close) an Amazon Web Services account. When you no longer need an Amazon Web Services account, you can close the account to prevent any usage or accrual of charges.
Impact of being in an organization
Impact on an Amazon Web Services account that joins an organization
When you invite an Amazon Web Services account to join an organization, and the owner of the account accepts the invitation, Amazon Organizations automatically makes the following changes to the new member account:
- Amazon Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, Amazon Organizations recreates the role for the account.
- You might have a variety of policies attached to the organization root or the OU that contains the account. If so, those policies immediately apply to all users and roles in the invited account.
- You can enable service trust for another Amazon service for your organization. When you do, that trusted service can create service-linked roles or perform actions in any member account in the organization, including an invited account.
Note
For invited member accounts, Amazon Organizations doesn't automatically create the IAM role OrganizationAccountAccessRole. This role grants users in the management account administrative access to the member account. If you want to enable that level of administrative control to an invited account, you can manually add the role. For more information, see Creating the OrganizationAccountAccessRole in an invited member account.
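Because the role is added by hand in an invited account, the part worth getting right is its trust policy: only the management account should be able to assume it. The following Python helper is an added example (not code from the Amazon Organizations documentation) that builds such a trust policy and flags an existing trust policy whose principals go beyond the management account; the 12-digit account ID is a constructed placeholder, and attaching the role's permissions policy is left out.

```python
import json
import re

# Constructed placeholder for this example; use your own management account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ROLE_NAME = "OrganizationAccountAccessRole"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy that lets only the management account assume the role."""
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_findings(policy: dict, management_account_id: str) -> list:
    """List every Allow/AssumeRole principal that is not the management account root."""
    expected = f"arn:aws:iam::{management_account_id}:root"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("wildcard AWS principal")
            elif p not in (expected, management_account_id):  # bare ID is the root form
                findings.append(f"unexpected principal {p}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(MANAGEMENT_ACCOUNT_ID), indent=2))
```

Run the findings check against the trust policy returned by `aws iam get-role` for the member account's role; an empty list means only the management account is trusted.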
You can invite an account to join an organization that has only the consolidated billing features enabled. If you later want to enable all features for the organization, invited accounts must approve the change.
Impact on an Amazon Web Services account that you create in an organization
When you create an Amazon Web Services account in your organization, Amazon Organizations automatically makes the following changes to the new member account:
- Amazon Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, Amazon Organizations recreates the role for the account.
- Amazon Organizations creates the IAM role OrganizationAccountAccessRole. This role grants the management account access to the new member account. Although this role can be deleted, we recommend that you don't delete it so that it is available as a recovery option.
- If you have any policies attached to the root of the OU tree, those policies immediately apply to all users and roles in the created account. New accounts are added to the root OU by default.
- If you have enabled service trust for another Amazon service for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including your created account.