Creating a member account in your organization - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a member account in your organization

This page describes how to create Amazon Web Services accounts within your organization in Amazon Organizations. To learn about getting started with Amazon and creating a single Amazon Web Services account, see the Getting Started Resource Center.

An organization is a collection of Amazon Web Services accounts that you centrally manage. You can perform the following procedures to manage the accounts that are part of your organization:

Important
  • When you create a member account in your organization, Amazon Organizations automatically creates an Amazon Identity and Access Management (IAM) role OrganizationAccountAccessRole in the member account that enables users and roles in the management account to exercise full administrative control over the member account. This role is subject to any service control policies (SCPs) that apply to the member account.

    Amazon Organizations also automatically attaches a managed policy to the OrganizationAccountAccessRole role in the member account. This allows centralized control: every account whose role uses the same managed policy is updated automatically whenever the policy is updated. Previously, new accounts created within an organization received an inline policy that applied only to that single account. To learn more about inline and managed policies, see Managed policies and inline policies in the IAM User Guide.

    Amazon Organizations also automatically creates a service-linked role named AWSServiceRoleForOrganizations that enables integration with select Amazon services. You must configure the other services to allow the integration. For more information, see Amazon Organizations and service-linked roles.

  • If this organization is managed with Amazon Control Tower, then create your accounts by using the Amazon Control Tower account factory in the Amazon Control Tower console or APIs. If you create an account in Organizations, then that account isn't enrolled with Amazon Control Tower. For more information, see Referring to Resources Outside of Amazon Control Tower in the Amazon Control Tower User Guide.

Note

Amazon Web Services accounts that you create as part of an organization are not automatically subscribed to Amazon marketing emails. To opt in your accounts to receive marketing emails, see https://pages.awscloud.com/communication-preferences.

Creating an Amazon Web Services account that is part of your organization

After you sign in to the organization's management account, you can create member accounts that are automatically part of your organization. When you create an account using the following procedure, Amazon Organizations automatically copies the following Primary contact information from the management account to the new member account:

  • Phone number

  • Company name

  • Website URL

  • Address

It also copies the communication language and Marketplace information (vendor of the account in some Amazon Web Services Regions) from the management account.

Note

Amazon does not automatically collect all the information required for a member account to operate as a standalone account. If you ever need to remove a member account from an organization and make it a standalone account, you must provide that information for the account before you can remove it. For more information, see Leave an organization from your member account.

Minimum permissions

To create a member account in your organization, you must have the following permissions:

  • organizations:CreateAccount

  • organizations:DescribeOrganization – required only when using the Organizations console

  • iam:CreateServiceLinkedRole (granted to principal organizations.amazonaws.com to enable creating the required service-linked role in the member accounts).

Amazon Web Services Management Console
To create an Amazon Web Services account that is automatically part of your organization
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Amazon Web Services accounts page, choose Add an Amazon Web Services account.

  3. On the Add an Amazon Web Services account page, choose Create an Amazon Web Services account (it is chosen by default).

  4. On the Create an Amazon Web Services account page, for Amazon Web Services account name, enter the name that you want to assign to the account. This name helps you distinguish the account from all other accounts in the organization and is separate from the IAM alias and from the email name of the owner.

    Important

    Make sure to verify that the Amazon Web Services account name is correct. Once the account has been successfully created, the account name cannot be modified.

  5. For Email address of the account's owner, enter the email address of the account's owner. This email address cannot already be associated with another Amazon Web Services account because it becomes the user name credential for the root user of the account.

  6. (Optional) Specify the name to assign to the IAM role that is automatically created in the new account. This role grants the organization's management account permission to access the newly created member account. If you don't specify a name, Amazon Organizations gives the role a default name of OrganizationAccountAccessRole. We recommend that you use the default name across all of your accounts for consistency.

    Important

    Remember this role name. You need it later to grant access to the new account for users and roles in the management account.

  7. (Optional) In the Tags section, add one or more tags to the new account by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to an account.

  8. Choose Create Amazon Web Services account.

    The Amazon Web Services accounts page appears, with your new account added to the list.

  9. Now that the account exists and has an IAM role that grants administrator access to users in the management account, you can access the account by following the steps in Accessing member accounts in your organization.

Note

When you create an account, Amazon Organizations initially assigns a long (64 characters), complex, randomly generated password to the root user. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery. For more information, see Accessing a member account as the root user.

Amazon CLI & Amazon SDKs
To create an Amazon Web Services account that is automatically part of your organization

You can use one of the following commands to create an account:

  • Amazon CLI: create-account

    $ aws organizations create-account \
        --email susan@example.com \
        --account-name "Production Account"
    {
        "CreateAccountStatus": {
            "State": "IN_PROGRESS",
            "Id": "car-examplecreateaccountrequestid111"
        }
    }

    You can then check the status of the account creation with the following command.

    $ aws organizations describe-create-account-status \
        --create-account-request-id car-examplecreateaccountrequestid111
    {
        "CreateAccountStatus": {
            "State": "SUCCEEDED",
            "AccountId": "555555555555",
            "AccountName": "Production account",
            "RequestedTimestamp": 1470684478.687,
            "CompletedTimestamp": 1470684532.472,
            "Id": "car-examplecreateaccountrequestid111"
        }
    }
  • Amazon SDKs: CreateAccount
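The create-account request is asynchronous, so a script has to poll describe-create-account-status and handle the FAILED and still-IN_PROGRESS outcomes that the CLI transcript above does not show. The following Python is an added example, not code from this page or from Amazon; it uses the real boto3 Organizations calls create_account and describe_create_account_status, and the org client is passed in as a parameter (assumption) so the polling logic can be exercised against any object with those two methods.

```python
import time

DEFAULT_ROLE = "OrganizationAccountAccessRole"   # default role name from the procedure above
MAX_TAGS = 50                                    # Organizations accepts up to 50 tags per account


def create_member_account(org, email, account_name, role_name=DEFAULT_ROLE, tags=None):
    """Start creating a member account; returns the create-account request id (car-...)."""
    params = {"Email": email, "AccountName": account_name, "RoleName": role_name}
    if tags:
        if len(tags) > MAX_TAGS:
            raise ValueError(f"an account can carry at most {MAX_TAGS} tags")
        # A tag with no value is stored as an empty string, not null.
        params["Tags"] = [{"Key": k, "Value": v or ""} for k, v in tags.items()]
    return org.create_account(**params)["CreateAccountStatus"]["Id"]


def wait_for_account(org, request_id, poll_seconds=5, max_polls=60):
    """Poll until the request leaves IN_PROGRESS; return the new AccountId on success."""
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            # FailureReason is the service's own error code for the failed request.
            raise RuntimeError(f"{request_id} failed: {status.get('FailureReason', 'unknown')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{request_id} still IN_PROGRESS after {max_polls} polls")


if __name__ == "__main__":
    import boto3  # only needed when running against a real organization
    client = boto3.client("organizations")
    req = create_member_account(client, "susan@example.com", "Production Account",
                                tags={"env": "prod"})
    print("created member account", wait_for_account(client, req))
```

Record the returned AccountId and the role name you chose; both are needed later to assume the role from the management account.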