Accessing member accounts in your organization - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing member accounts in your organization

When you create an account in your organization, Amazon Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. We refer to the role in this guide by the default name. Amazon Organizations doesn't create any other users or roles. To access the accounts in your organization, you must use one of the following methods:

  • Amazon Web Services accounts that you create outside of Amazon Organizations include an administrator user that has full access to the account. You can sign in using those credentials.

  • If you create an account by using the tools provided as part of Amazon Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. For more information, see Accessing a member account that has a management account access role.

  • If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with Amazon Organizations. To create this role, see Creating the OrganizationAccountAccessRole in an invited member account. After you create the role, you can access it using the steps in Accessing a member account that has a management account access role.

  • Use Amazon IAM Identity Center and enable trusted access for IAM Identity Center with Amazon Organizations. This allows users to sign in to the Amazon access portal with their corporate credentials and access resources in their assigned management account or member accounts.

    For more information, see Multi-account permissions in the Amazon IAM Identity Center User Guide. For information about setting up trusted access for IAM Identity Center, see Amazon IAM Identity Center and Amazon Organizations.

Minimum permissions

To access an Amazon Web Services account from any other account in your organization, you must have the following permission:

  • sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account.

Accessing a member account as the root user

When you create a new account, Amazon Organizations initially assigns a password to the root user that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery. For more information, see I forgot my root user password for my Amazon Web Services account in the Amazon Sign-In User Guide.


Creating the OrganizationAccountAccessRole in an invited member account

By default, if you create a member account as part of your organization, Amazon automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named OrganizationAccountAccessRole. For more information, see Accessing a member account that has a management account access role.

However, member accounts that you invite to join your organization do not automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.

Amazon Web Services Management Console
To create an Amazon Organizations administrator role in a member account
  1. Sign in to the IAM console at https://console.amazonaws.cn/iam/. You must sign in as an IAM user or assume an IAM role in the member account that has permissions to create IAM roles and policies. You can use the administrator user that was created for you when you created the member account.

  2. In the IAM console, navigate to Roles and then choose Create role.

  3. Choose Amazon Web Services account, and then select Another Amazon Web Services account.

  4. Enter the 12-digit account ID number of the management account that you want to grant administrator access to. Under Options, please note the following:

    • For this role, because the accounts are internal to your company, you should not choose Require external ID. For more information about the external ID option, see When should I use an external ID? in the IAM User Guide.

    • If you have MFA enabled and configured, you can optionally choose to require authentication using an MFA device. For more information about MFA, see Using multi-factor authentication (MFA) in Amazon in the IAM User Guide.

  5. Choose Next.

  6. On the Add permissions page, choose the Amazon managed policy named AdministratorAccess and then choose Next.

  7. On the Name, review, and create page, specify a role name and an optional description. We recommend that you use OrganizationAccountAccessRole, for consistency with the default name assigned to the role in new accounts. To commit your changes, choose Create role.

  8. Your new role appears on the list of available roles. Choose the new role's name to view its details, paying special note to the link URL that is provided. Give this URL to users in the member account who need to access the role. Also, note the Role ARN because you need it in step 14.

  9. Sign in to the IAM console at https://console.amazonaws.cn/iam/. This time, sign in as a user in the management account who has permissions to create policies and assign the policies to users or groups.

  10. Navigate to Policies and then choose Create policy.

  11. For Service, choose STS.

  12. For Actions, start typing AssumeRole in the Filter box and then select the check box next to it when it appears.

  13. Under Resources, ensure that Specific is selected and then choose Add ARNs.

  14. Enter the Amazon member account ID number and then enter the name of the role that you previously created in steps 1–8. Choose Add ARNs.

  15. If you're granting permission to assume the role in multiple member accounts, repeat steps 13 and 14 for each account.

  16. Choose Next.

  17. On the Review and create page, enter a name for the new policy and then choose Create policy to save your changes.

  18. Choose User groups in the navigation pane and then choose the name of the group (not the check box) that you want to use to delegate administration of the member account.

  19. Choose the Permissions tab.

  20. Choose Add permissions, choose Attach policies, and then select the policy that you created in steps 10–17.

The users who are members of the selected group can now use the URLs that you captured in step 8 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see Accessing a member account that has a management account access role.

Accessing a member account that has a management account access role

When you create a member account using the Amazon Organizations console, Amazon Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account. This role has full administrative permissions in the member account. Its trust policy grants sts:AssumeRole to the organization's management account as a whole, so any principal in the management account can use the role as long as an IAM policy there allows it to assume the role. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an invited member account. To use this role to access the member account, you must sign in as a user from the management account who has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.

Amazon Web Services Management Console
To grant permissions to members of an IAM group in the management account to access the role
  1. Sign in to the IAM console at https://console.amazonaws.cn/iam/ as a user with administrator permissions in the management account. This is required to delegate permissions to the IAM group whose users will access the role in the member account.

  2. Start by creating the managed policy that you need later in Step 11.

    In the navigation pane, choose Policies and then choose Create policy.

  3. On the Visual editor tab, choose Choose a service, type STS in the search box to filter the list, and then choose the STS option.

  4. In the Actions section, type assume in the search box to filter the list, and then choose the AssumeRole option.

  5. In the Resources section, choose Specific, choose Add ARNs, and then type the member account number and the name of the role that you created in the previous section (we recommended naming it OrganizationAccountAccessRole).

  6. Choose Add ARNs when the dialog box displays the correct ARN.

  7. (Optional) If you want to require multi-factor authentication (MFA), or restrict access to the role from a specified IP address range, then expand the Request conditions section, and select the options you want to enforce.

  8. Choose Next.

  9. On the Review and create page, enter a name for the new policy. For example: GrantAccessToOrganizationAccountAccessRole. You can also add an optional description.

  10. Choose Create policy to save your new managed policy.

  11. Now that you have the policy available, you can attach it to a group.

    In the navigation pane, choose User groups and then choose the name of the group (not the check box) whose members you want to be able to assume the role in the member account. If necessary, you can create a new group.

  12. Choose the Permissions tab, choose Add permissions, and then choose Attach policies.

  13. (Optional) In the Search box, you can start typing the name of your policy to filter the list until you can see the name of the policy you just created in Step 2 through Step 10. You can also filter out all of the Amazon managed policies by choosing All types and then choosing Customer managed.

  14. Check the box next to your policy, and then choose Attach policies.
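The two policy documents that the console procedures above build by hand (the trust policy on the role in the member account from the first procedure, and the customer managed policy in the management account that grants sts:AssumeRole, with the MFA and source-IP request conditions from step 7) can be generated and checked in code. The following Python is an added example, not Amazon's code and not part of this guide. The account IDs are constructed placeholders, the arn:aws-cn partition prefix is assumed because this page targets the China Regions, and lint_grant_policy is a local helper of the example rather than an Amazon tool.

```python
"""Generate and check the two policy documents that the console procedures on
this page create by hand.  Added example, not Amazon's code.  All account IDs
are constructed placeholders; the partition prefix 'aws-cn' is assumed."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_NAME = "OrganizationAccountAccessRole"  # the name the page recommends


def role_arn(member_account_id, role_name=ROLE_NAME, partition="aws-cn"):
    """ARN of the access role in one member account."""
    if not ACCOUNT_ID_RE.match(member_account_id):
        raise ValueError(f"not a 12-digit account ID: {member_account_id!r}")
    return f"arn:{partition}:iam::{member_account_id}:role/{role_name}"


def member_trust_policy(management_account_id, require_mfa=False, partition="aws-cn"):
    """Trust policy for the role created in the MEMBER account (steps 3-4 of
    the first procedure).  The principal is the management account's root,
    which leaves the decision about who may assume the role to IAM policies
    in the management account.  No ExternalId condition, as the page advises
    for accounts that all belong to one company."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError(f"not a 12-digit account ID: {management_account_id!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # the optional MFA requirement from step 4
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def management_grant_policy(member_account_ids, role_name=ROLE_NAME,
                            require_mfa=False, source_ips=None, partition="aws-cn"):
    """Customer managed policy attached to the group in the MANAGEMENT account
    (steps 2-10 of the second procedure).  Resource names the exact role ARN in
    each member account instead of '*', so group members cannot assume any
    other role that happens to trust the management account."""
    statement = {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [role_arn(a, role_name, partition) for a in member_account_ids],
    }
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if source_ips:  # step 7: restrict to an address range, e.g. the office egress
        condition["IpAddress"] = {"aws:SourceIp": list(source_ips)}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_grant_policy(policy):
    """Findings for an sts:AssumeRole grant: wildcard resources and missing MFA."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r == "*" or r.endswith(":role/*"):
                findings.append(f"wildcard Resource {r!r}: any trusting role can be assumed")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa != "true":
            findings.append("no aws:MultiFactorAuthPresent condition on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    mgmt, members = "111111111111", ["222222222222", "333333333333"]  # constructed
    print(json.dumps(member_trust_policy(mgmt), indent=2))
    grant = management_grant_policy(members, require_mfa=True, source_ips=["203.0.113.0/24"])
    print(json.dumps(grant, indent=2))
    print("findings:", lint_grant_policy(grant))
```

The Minimum permissions section allows an asterisk as the Resource, and lint_grant_policy flags exactly that case: a grant on `*` lets group members assume every role in every account whose trust policy names the management account, not just OrganizationAccountAccessRole. The same function can be run over the policy documents you already have by fetching them with `aws iam get-policy-version` and loading the JSON.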

IAM users who are members of the group now have permissions to switch to the new role in the Amazon Organizations console by using the following procedure.

Amazon Web Services Management Console
To switch to the role for the member account

When using the role, the user has administrator permissions in the new member account. Instruct your IAM users who are members of the group to do the following to switch to the new role.

  1. From the upper-right corner of the Amazon Organizations console, choose the link that contains your current sign-in name and then choose Switch Role.

  2. Enter the administrator-provided account ID number and role name.

  3. For Display Name, enter the text that you want to show on the navigation bar in the upper-right corner in place of your user name while you are using the role. You can optionally choose a color.

  4. Choose Switch Role. Now all actions that you perform are done with the permissions granted to the role that you switched to. You no longer have the permissions associated with your original IAM user until you switch back.

  5. When you finish performing actions that require the permissions of the role, you can switch back to your normal IAM user. Choose the role name in the upper-right corner (whatever you specified as the Display Name) and then choose Back to UserName.
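The console Switch Role flow above has a programmatic counterpart: an sts:AssumeRole call with the same account ID and role name, whose temporary credentials are then exported for the CLI or an SDK, and dropped again when you are done (the equivalent of Back to UserName). The following Python is an added example, not Amazon's code and not part of this guide; the account IDs, user name, MFA serial and the AssumeRole response are constructed, and the arn:aws-cn partition prefix is assumed.

```python
"""Programmatic counterpart of the console Switch Role flow above: build the
sts:AssumeRole request, then turn the response into the AWS_* environment
variables the CLI and SDKs read.  Added example, not Amazon's code; the account
IDs, user name, MFA serial and response below are constructed."""
import re
from datetime import datetime, timezone

ROLE_NAME = "OrganizationAccountAccessRole"
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}")  # STS RoleSessionName rules


def assume_role_request(member_account_id, caller_user_name, mfa_serial=None,
                        token_code=None, role_name=ROLE_NAME, partition="aws-cn",
                        duration_seconds=3600):
    """Parameters for sts:AssumeRole, the same account ID and role name the
    Switch Role dialog asks for.  RoleSessionName is the calling user's name so
    that CloudTrail in the member account shows which person used the shared
    role; SerialNumber/TokenCode are needed when the grant policy or the role's
    trust policy carries an MFA condition."""
    if not SESSION_NAME_RE.fullmatch(caller_user_name):
        raise ValueError(f"invalid RoleSessionName {caller_user_name!r}")
    request = {
        "RoleArn": f"arn:{partition}:iam::{member_account_id}:role/{role_name}",
        "RoleSessionName": caller_user_name,
        "DurationSeconds": duration_seconds,
    }
    if mfa_serial:
        if not token_code:
            raise ValueError("MFA serial given without a token code")
        request["SerialNumber"] = mfa_serial
        request["TokenCode"] = token_code
    return request


def credentials_env(response, now=None):
    """Map an AssumeRole response (the JSON `aws sts assume-role` prints) to
    environment variables.  Refuses an expired session rather than letting the
    caller export credentials that will fail on first use."""
    creds = response["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError(f"session credentials expired at {creds['Expiration']}")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def switch_role_exports(env):
    """Shell lines to enter the role; eval'ing them is the CLI 'Switch Role'."""
    return "\n".join(f"export {k}='{v}'" for k, v in env.items())


def switch_back_exports():
    """Shell line that drops the role session: the CLI 'Back to UserName'."""
    return "unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"


# Constructed AssumeRole response, shaped like real STS output.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000000",
        "SecretAccessKey": "constructed-secret-key",
        "SessionToken": "constructed-session-token",
        "Expiration": "2030-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:alice",
        "Arn": "arn:aws-cn:sts::222222222222:assumed-role/OrganizationAccountAccessRole/alice",
    },
}

if __name__ == "__main__":
    print(assume_role_request("222222222222", "alice",
                              mfa_serial="arn:aws-cn:iam::111111111111:mfa/alice",
                              token_code="123456"))
    print(switch_role_exports(credentials_env(SAMPLE_RESPONSE)))
    print(switch_back_exports())
```

Because OrganizationAccountAccessRole is shared by everyone in the group, the RoleSessionName is the only thing in the member account's CloudTrail that ties an action back to an individual; setting it to the caller's user name is the programmatic equivalent of the Display Name you choose in the console, and it is worth enforcing in any wrapper script your administrators use.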

Additional resources