Menu
AWS Organizations
User Guide

Inviting an AWS Account to Join Your Organization

You can invite existing AWS accounts to join your organization. When you start this process, AWS Organizations sends an invitation to the account owner, who then decides whether to accept or decline the invitation. You can use the AWS Organizations console to initiate and manage invitations that you send to other accounts. You can send an invitation to another account only from the master account of your organization.

If you are the administrator of an AWS account, you also can accept or decline an invitation from an organization. If you accept, your account becomes a member of that organization. Your account can join only one organization, so if you receive multiple invitations to join, you can accept only one.

When an invited account joins your organization, you do not automatically have full administrator control over the account, unlike created accounts. If you want the master account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role. To configure this, after the invited account becomes a member, follow the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.

Note

When you create an account in your organization instead of inviting an existing account to join your organization, Organizations automatically creates an IAM role (named OrganizationAccountAccessRole by default) that you can use to grant users in the master account administrator access to the created account.

Organizations does automatically create a service-linked role in invited member accounts to support integration between Organizations and other AWS services. For more information, see AWS Organizations and Service-Linked Roles.

You can send up to 20 invitations per day per organization. Each invitation must be responded to within 15 days or it expires.

An invitation that is sent to an account counts against the limit of accounts in your organization. The count is returned if the invited account declines, the master account cancels the invitation, or the invitation expires.

To create an account that automatically is part of your organization, see Creating an AWS Account in Your Organization.

Important

Because of legal and billing constraints, you can invite AWS accounts only from the same AWS seller as the master account. You can't mix accounts from AWS, Amazon Internet Services Pvt. Ltd (AISPL - an AWS seller in India), or Amazon Connect Technology Services (Beijing) Co. (ACTS - an AWS seller in China) in the same organization. Accounts from each AWS seller can be added only to an organization with accounts from the same AWS seller.

Sending Invitations to AWS Accounts

When signed in to your organization's master account, you can invite other accounts to join your organization. To do this, complete the following steps.

Minimum permissions

To invite an AWS account to join your organization, you must have the following permissions:

  • organizations:DescribeOrganization (console only)

  • organizations:InviteAccountToOrganization

To invite another account to join your organization (console)

  1. Sign in to the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. On the Accounts tab, choose Add account.

  3. Choose Invite account.

  4. Type either the email address or the account ID number of the AWS account that you want to invite to your organization. If you want to invite multiple accounts, separate them by commas.

  5. (Optional) In Notes, type any message that you want included in the email invitation to the other account owners.

  6. Choose Invite.

    Important

    If you get an exception that indicates that you exceeded your account limits for the organization or that you can't add an account because your organization is still initializing, contact AWS Customer Support.

  7. The console redirects you to the Invitations tab. View all open and accepted invitations on this page. The invitation that you just created appears at the top of the list with its status set to OPEN.

    AWS Organizations sends an invitation to the email address of the owner of the account that you invited to the organization. This email includes a link to the AWS Organizations console where the account owner can view the details and choose to accept or decline the invitation. Alternatively, the owner of the invited account can bypass the email, go directly to the AWS Organizations console, view the invitation, and accept or decline it.

    The invitation to this account immediately counts against the limit to the number of accounts you can have in your organization; Organizations does not wait until the account accepts the invitation. If the invited account declines, the master account cancels the invitation, or the invitation expires, then the count against your limit is returned again.

To invite another account to join your organization (AWS CLI, AWS API)

You can use the following command or operation to invite another account to join your organization:

Managing Pending Invitations for Your Organization

When signed in to your master account, you can view all the linked AWS accounts in your organization and cancel any pending (open) invitations. To do this, complete the following steps.

Minimum permissions

To manage pending invitations for your organization, you must have the following permissions:

  • organizations:DescribeOrganization (console only)

  • organizations:ListHandshakesForOrganization

  • organizations:CancelHandshake

To view or cancel invitations that are sent from your organization to other accounts (console)

  1. Sign in to the Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's master account.

  2. Choose the Invitations tab. All invitations that are sent from your organization and their current status are listed here.

    Note

    Accepted, canceled, and declined invitations continue to appear in the list for 30 days. After that, they are deleted and no longer appear in the list.

  3. For any open invitations that you want to cancel, under the Actions column, choose Cancel.

    The status of the invitation changes from Open to Canceled.

    AWS sends an email to the account owner stating that you canceled the invitation. The account can no longer join the organization unless you send a new invitation.

To view or cancel invitations sent from your organization to other accounts (AWS CLI, AWS API)

You can use the following commands or operations to view or cancel invitations:

Accepting or Declining an Invitation from an Organization

Your AWS account might receive an invitation to join an organization. You can accept or decline the invitation. To do this, complete the following steps.

Minimum permissions

To accept or decline an invitation to join an AWS organization, you must have the following permissions:

  • organizations:ListHandshakesForAccount – required to see the list of invitations in the Organizations console.

  • organizations:AcceptHandshake

  • organizations:DeclineHandshake

  • iam:CreateServiceLinkedRole – required only when accepting the invitation requires the creation of a service-linked role to support integration with other AWS services. For more information, see AWS Organizations and Service-Linked Roles.

To accept or decline an invitation (console)

  1. An invitation to join an organization is sent to the email address of the account owner. If you are an account owner and you receive an invitation email, click the link in the email invitation or go to https://console.aws.amazon.com/organizations/ in your browser, and then choose Respond to invitations.

  2. If prompted, sign in to the invited account as an IAM user, assume an IAM role, or sign in as the account's root user (not recommended).

  3. On the Invitations page in the console, you can see your open invitations to join organizations. Choose Accept or Decline, as appropriate.

    • If you choose Accept in the preceding step, in the Confirm joining the organization confirmation window, choose Confirm.

      The console redirects you to the Organization overview page with details about the organization that your account is now a member of. You can view the organization's ID and the owner's email address.

      Note

      Accepted invitations continue to appear in the list for 30 days. After that, they are deleted and no longer appear in the list.

      Organizations automatically creates a service-linked role in the new member account to support integration between Organizations and other AWS services. For more information, see AWS Organizations and Service-Linked Roles.

      AWS sends an email to the owner of the organization's master account stating that you accepted the invitation. It also sends an email to the member account owner stating that the account is now a member of the organization.

    • If you choose Decline in the preceding step, your account remains on the Invitations page that lists any other pending invitations.

      AWS sends an email to the organization's master account owner stating that you declined the invitation.

      Note

      Declined invitations continue to appear in the list for 30 days. After that, they are deleted and no longer appear in the list.

To accept or decline an invitation (AWS CLI, AWS API)

You can use the following commands or operations to accept or decline an invitation: