Managing Amazon Web Services accounts in your organization

• View details of the accounts in your organization. You can see the account's unique ID number, its Amazon Resource Name (ARN), and the policies that are attached to it.

• Export a list of all Amazon Web Services accounts in your organization. You can download a .csv file that contains account details for every account within your organization.

• Invite existing Amazon Web Services accounts to join your organization. Create invitations, manage invitations that you have created, and accept or decline invitations.

• Create an Amazon Web Services account as part of your organization. Create and access an Amazon Web Services account that is automatically part of your organization.

• Update alternate contacts in your organization. Update alternate contacts for your Amazon Web Services accounts in your organization.

• Remove an Amazon Web Services account from your organization. As an administrator in the management account, remove member accounts that you no longer want to manage from your organization. As an administrator of a member account, remove your account from its organization. If the management account has attached a policy to your member account, you could be blocked from removing your account.

• Delete (or close) an Amazon Web Services account. When you no longer need an Amazon Web Services account, you can close the account to prevent any usage or accrual of charges.

• What is the impact on an Amazon Web Services account that joins an organization?

• What is the impact on an Amazon Web Services account that you create in an organization?

• Amazon Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, Amazon Organizations recreates the role for the account.

• You might have a variety of policies attached to the organization root or the OU that contains the account. If so, those policies immediately apply to all users and roles in the invited account.

• You can enable service trust for another Amazon service for your organization. When you do, that trusted service can create service-linked roles or perform actions in any member account in the organization, including an invited account.

When you create an Amazon Web Services account in your organization, Amazon Organizations automatically makes the following changes to the new member account:

• Amazon Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, Amazon Organizations recreates the role for the account.

• Amazon Organizations creates the IAM role OrganizationAccountAccessRole. This role grants the management account access to the new member account. Although this role can be deleted, we recommend that you don't delete it so that it is available as a recovery option.

• If you have any policies attached to the root of the OU tree, those policies immediately apply to all users and roles in the created account. New accounts are added to the root OU by default.

• If you have enabled service trust for another Amazon service for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including your created account.