Creating a member account in your organization
This page describes how to create Amazon Web Services accounts within your organization in Amazon Organizations. To learn about getting started with Amazon and creating a single Amazon Web Services account, see the Getting Started Resource Center.
An organization is a collection of Amazon Web Services accounts that you centrally manage. You can perform the following procedures to manage the accounts that are part of your organization:
Important
- When you create a member account in your organization, Amazon Organizations automatically creates an Amazon Identity and Access Management (IAM) role named OrganizationAccountAccessRole in the member account that enables users and roles in the management account to exercise full administrative control over the member account. This role is subject to any service control policies (SCPs) that apply to the member account. Amazon Organizations also automatically attaches a managed policy to the OrganizationAccountAccessRole role in the member account. This allows centralized control, so that every account whose role uses the same managed policy is updated automatically whenever the policy is updated. Previously, new accounts created within an organization received an inline policy that applied only to that single account. To learn more about inline and managed policies, see Managed policies and inline policies in the IAM User Guide. Amazon Organizations also automatically creates a service-linked role named AWSServiceRoleForOrganizations that enables integration with select Amazon services. You must configure the other services to allow the integration. For more information, see Amazon Organizations and service-linked roles.
- If this organization is managed with Amazon Control Tower, create your accounts by using the Amazon Control Tower account factory in the Amazon Control Tower console or APIs. If you create an account in Organizations instead, that account isn't enrolled with Amazon Control Tower. For more information, see Referring to Resources Outside of Amazon Control Tower in the Amazon Control Tower User Guide.
Note
Amazon Web Services accounts that you create as part of an organization are not automatically subscribed to Amazon marketing emails. To opt in your accounts to receive marketing emails, see https://pages.awscloud.com/communication-preferences
Creating an Amazon Web Services account that is part of your organization
After you sign in to the organization's management account, you can create member accounts that are automatically part of your organization. When you create an account using the following procedure, Amazon Organizations automatically copies the following Primary contact information from the management account to the new member account:
- Phone number
- Company name
- Website URL
- Address
It also copies the communication language and Marketplace information (vendor of the account in some Amazon Web Services Regions) from the management account.
Note
Amazon does not automatically collect all the information required for a member account to operate as a standalone account. If you ever need to remove a member account from an organization and make it a standalone account, you must provide that information for the account before you can remove it. For more information, see Leave an organization from your member account.
Minimum permissions
To create a member account in your organization, you must have the following permissions:
- organizations:CreateAccount
- organizations:DescribeOrganization – required only when using the Organizations console
- iam:CreateServiceLinkedRole (granted to principal organizations.amazonaws.com to enable creating the required service-linked role in the member accounts).
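The following Python is an added example, not code from this page or from Amazon: it shows the CreateAccount request the management account issues with the permissions listed above, polls DescribeCreateAccountStatus until the request finishes, and returns the ARN of the OrganizationAccountAccessRole that Organizations creates in the new member account. The FakeOrganizationsClient, the account ID 111122223333, the request ID and the e-mail address are constructed so the block runs offline; a real boto3.client("organizations") can be passed in its place.

```python
import time

# Role that Organizations creates in every new member account (RoleName defaults to it).
ROLE_NAME = "OrganizationAccountAccessRole"


def create_member_account(org, email, name, poll_interval=0.0, max_polls=20):
    """Call CreateAccount, then poll DescribeCreateAccountStatus until the request
    leaves IN_PROGRESS. Returns (account_id, role_arn) on SUCCEEDED and raises
    RuntimeError carrying the FailureReason on FAILED."""
    resp = org.create_account(Email=email, AccountName=name, RoleName=ROLE_NAME,
                              IamUserAccessToBilling="DENY")  # billing stays with the management account
    request_id = resp["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):
        status = org.describe_create_account_status(CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            account_id = status["AccountId"]
            # The role the management account assumes for administrative access; SCPs on the
            # member account still apply to it.
            return account_id, f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
        if status["State"] == "FAILED":
            raise RuntimeError(f"CreateAccount {request_id} failed: {status.get('FailureReason')}")
        time.sleep(poll_interval)
    raise TimeoutError(f"CreateAccount {request_id} still IN_PROGRESS after {max_polls} polls")


class FakeOrganizationsClient:
    """Constructed stand-in for the boto3 Organizations client: reports IN_PROGRESS on
    the first poll, then the final state chosen at construction."""

    def __init__(self, final_state, account_id="111122223333", failure_reason=None):
        self.final_state, self.account_id, self.failure_reason = final_state, account_id, failure_reason
        self.polls = 0

    def create_account(self, **kwargs):
        assert kwargs["RoleName"] == ROLE_NAME  # the role name the caller asked Organizations to create
        return {"CreateAccountStatus": {"Id": "car-examplerequestid", "State": "IN_PROGRESS",
                                        "AccountName": kwargs["AccountName"]}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        if self.polls == 1:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}}
        status = {"Id": CreateAccountRequestId, "State": self.final_state}
        if self.final_state == "SUCCEEDED":
            status["AccountId"] = self.account_id
        else:
            status["FailureReason"] = self.failure_reason
        return {"CreateAccountStatus": status}


if __name__ == "__main__":
    print(create_member_account(FakeOrganizationsClient("SUCCEEDED"), "ops@example.com", "workload-prod"))
```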