AWS GovCloud (US) User Guide

AWS Organizations

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS Regions:

  • You must use AWS Organizations with all features enabled. The consolidated billing feature set is not available in this Region.

  • You must meet the U.S. regulatory requirements as described in Signing Up for AWS GovCloud.

  • Creating accounts from within AWS Organizations operates differently in the AWS GovCloud Region compared to commercial AWS Regions:

    • You start creating GovCloud accounts by calling the CreateGovCloudAccount action from the master account of the organization in the commercial Region. Calling account creation APIs from the AWS GovCloud Region is not supported.

    • When you call the CreateGovCloudAccount API action, you create two accounts: a standalone account in the AWS GovCloud Region, and an associated account in the commercial Region for billing and support purposes. The account in the commercial Region is automatically a member of the organization whose credentials made the request. Both accounts are associated with the same email address.

    • After creating the standalone account in the AWS GovCloud Region, you can invite it to an organization in the AWS GovCloud Region only.

    • Accounts created in other AWS Regions cannot be members of an organization in the AWS GovCloud Region.

  • Organizations that you create in the AWS GovCloud Region are independent from organizations created in commercial AWS Regions.

  • The CreateGovCloudAccount API action is not available from the AWS GovCloud Region.

  • To sign in to the AWS Organizations console in the AWS GovCloud Region, you must be signed in from a GovCloud account.

  • To learn what AWS services are currently available for trusted access with AWS Organizations, check the list in the AWS Organizations console from the AWS GovCloud Region.

For more information about AWS Organizations, see the AWS Organizations documentation.

Creating Your Account

When you create accounts in the AWS GovCloud Region from AWS Organizations, an associated account in the commercial Region is automatically created for billing and support purposes. The account in the commercial Region and the account in the AWS GovCloud Region are linked. The account in the commercial Region is automatically a member of the organization whose credentials made the request, but the account in the AWS GovCloud Region is a standalone account until you invite it to an organization in that same Region.

Before creating accounts in the AWS GovCloud Region from AWS Organizations, make sure that you meet specific U.S. regulatory requirements as described in Signing Up for AWS GovCloud.

To create an account in the AWS GovCloud Region from AWS Organizations

  1. From the master account of your organization in the commercial Region, sign in to the Organizations console at https://console.aws.amazon.com/organizations

  2. Call the CreateGovCloudAccount API action.

Accounts and roles are created as follows:

  • An account is created in the commercial Region and it is automatically a member of the organization whose credentials made the request.

  • A role is created in the new account in the commercial Region that the master account in this same Region can assume.

  • The account in the AWS GovCloud Region is created and it links to the associated account that was created at the same time in the commercial Region.

  • The account in the AWS GovCloud Region is a standalone account and is not yet a member of an organization.

  • A role is created in the new AWS GovCloud account. This role can be assumed by the GovCloud account that is linked to the master account in the commercial Region.
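The following script is an added example, not code from the AWS GovCloud (US) User Guide or the AWS Organizations service. It shows the two-step flow described above: submit CreateGovCloudAccount from the master account in the commercial Region, then poll DescribeCreateAccountStatus until the request reaches a terminal state and read back both the commercial AccountId and the linked GovCloudAccountId. The Organizations client is passed in, so the flow can be exercised offline with the FakeOrganizationsClient defined below (a constructed stand-in with constructed account IDs); with real credentials you would pass boto3.client("organizations") created in the commercial Region instead.

```python
"""Create an AWS GovCloud (US) account from the commercial master account.

Added example (not from the AWS GovCloud User Guide). It wraps the
CreateGovCloudAccount and DescribeCreateAccountStatus API actions; the
client object is injected so the flow can run offline against the fake
client below.
"""
import time

DEFAULT_ROLE_NAME = "OrganizationAccountAccessRole"  # default role name per the guide


def request_govcloud_account(org_client, email, account_name,
                             role_name=DEFAULT_ROLE_NAME,
                             iam_user_access_to_billing="DENY"):
    """Submit CreateGovCloudAccount and return the CreateAccountStatus Id.

    The call is asynchronous: the response only carries a status record whose
    Id is later polled with DescribeCreateAccountStatus.
    """
    if "@" not in email:
        raise ValueError("email must be an e-mail address")
    resp = org_client.create_gov_cloud_account(
        Email=email,
        AccountName=account_name,
        RoleName=role_name,
        IamUserAccessToBilling=iam_user_access_to_billing,
    )
    return resp["CreateAccountStatus"]["Id"]


def wait_for_account(org_client, request_id, poll_seconds=5.0,
                     max_polls=120, sleep=time.sleep):
    """Poll until the request is SUCCEEDED or FAILED.

    Returns the commercial account ID and the linked GovCloud account ID.
    Raises RuntimeError with the API's FailureReason if creation failed and
    TimeoutError if the request is still IN_PROGRESS after max_polls checks.
    """
    for _ in range(max_polls):
        status = org_client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return {"commercial_account_id": status["AccountId"],
                    "govcloud_account_id": status["GovCloudAccountId"]}
        if state == "FAILED":
            raise RuntimeError(
                f"account creation failed: {status.get('FailureReason')}")
        sleep(poll_seconds)
    raise TimeoutError("account creation still IN_PROGRESS after polling limit")


def create_govcloud_account(org_client, email, account_name,
                            role_name=DEFAULT_ROLE_NAME, sleep=time.sleep):
    """Submit the request and block until it completes."""
    request_id = request_govcloud_account(org_client, email, account_name, role_name)
    return wait_for_account(org_client, request_id, sleep=sleep)


class FakeOrganizationsClient:
    """Offline stand-in for boto3's Organizations client (constructed here).

    It mimics the asynchronous behaviour: the first in_progress_polls status
    checks report IN_PROGRESS, after which the request is SUCCEEDED, or
    FAILED with failure_reason if one was given.
    """

    def __init__(self, in_progress_polls=2, failure_reason=None):
        self.in_progress_polls = in_progress_polls
        self.failure_reason = failure_reason
        self.requests = {}
        self.polls = 0

    def create_gov_cloud_account(self, **params):
        request_id = f"car-example{len(self.requests) + 1:04d}"  # constructed id
        self.requests[request_id] = params
        return {"CreateAccountStatus": {"Id": request_id,
                                        "AccountName": params["AccountName"],
                                        "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        params = self.requests[CreateAccountRequestId]
        self.polls += 1
        status = {"Id": CreateAccountRequestId, "AccountName": params["AccountName"]}
        if self.polls <= self.in_progress_polls:
            status["State"] = "IN_PROGRESS"
        elif self.failure_reason:
            status.update(State="FAILED", FailureReason=self.failure_reason)
        else:
            # Constructed sample IDs: commercial account and its linked GovCloud account
            status.update(State="SUCCEEDED", AccountId="111122223333",
                          GovCloudAccountId="444455556666")
        return {"CreateAccountStatus": status}


if __name__ == "__main__":
    client = FakeOrganizationsClient()
    print(create_govcloud_account(client, "ops@example.com", "itar-workload",
                                  sleep=lambda seconds: None))
```

Treat the returned GovCloud account ID as the value to record for the later invitation and role-assumption steps; the commercial account ID is only needed for billing and support.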

Inviting Accounts to an Organization

After creating a standalone account in the AWS GovCloud Region, you can invite it to organizations in the AWS GovCloud Region. You cannot invite accounts in the AWS GovCloud Region to organizations in other AWS Regions.

The following diagram explains how account access works so that you can invite standalone accounts in the AWS GovCloud Region to an organization in the same Region.

To invite an account in the AWS GovCloud Region to an Organization

  1. From the GovCloud account that’s associated with the master account of your organization in the commercial Region, assume the role of the GovCloud account you just created in the AWS GovCloud Region.

    In the above example, start from GovCloud Account 1 and assume the role that was created in GovCloud Account 2.

  2. Follow the procedure described in Sending Invitations to AWS Accounts in the AWS Organizations User Guide to invite the account in the AWS GovCloud Region to the organization.

To access the new account in the AWS GovCloud Region

  1. Sign in to the GovCloud account that is mapped to your commercial organization's master account.

  2. Assume the role into the newly created GovCloud master account.

The role is automatically created when you create the account. By default, the role is named OrganizationAccountAccessRole but you can change it using the RoleName parameter when you call the CreateGovCloudAccount action.
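The following script is an added example, not code from the AWS GovCloud (US) User Guide. It shows the access step above in code: from the GovCloud account that is linked to your commercial master account, assume the role that CreateGovCloudAccount created in the new GovCloud account (OrganizationAccountAccessRole, or whatever RoleName you passed). Two details the prose does not spell out: IAM ARNs in AWS GovCloud (US) use the aws-us-gov partition rather than aws, and the STS call returns temporary credentials rather than a console session. The STS client is injected so the example runs offline against the constructed FakeStsClient below; with real credentials you would pass boto3.client("sts") created in the AWS GovCloud Region. The account ID, session name and credential strings are constructed sample values.

```python
"""Assume the cross-account role into a newly created GovCloud account.

Added example (not from the AWS GovCloud User Guide). The STS client is
injected so the flow can be exercised offline with FakeStsClient.
"""
import re

GOVCLOUD_PARTITION = "aws-us-gov"  # GovCloud (US) ARNs use this partition, not "aws"
DEFAULT_ROLE_NAME = "OrganizationAccountAccessRole"  # default per the guide
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def govcloud_role_arn(account_id, role_name=DEFAULT_ROLE_NAME):
    """Build the ARN of the organization access role in a GovCloud account."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"invalid AWS account id: {account_id!r}")
    return f"arn:{GOVCLOUD_PARTITION}:iam::{account_id}:role/{role_name}"


def assume_into_govcloud_account(sts_client, account_id, role_name=DEFAULT_ROLE_NAME,
                                 session_name="org-bootstrap", duration_seconds=3600):
    """Call STS AssumeRole and return credentials in boto3.Session keyword form.

    Run this with credentials of the GovCloud account that is linked to the
    commercial master account; that account is the one trusted by the role.
    """
    resp = sts_client.assume_role(
        RoleArn=govcloud_role_arn(account_id, role_name),
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


class FakeStsClient:
    """Offline stand-in for boto3's STS client (constructed here).

    It refuses ARNs outside the aws-us-gov partition, which mirrors the fact
    that commercial and GovCloud partitions are separate: a role in the
    "aws" partition is not reachable from a GovCloud session.
    """

    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        self.calls.append((RoleArn, RoleSessionName, DurationSeconds))
        if not RoleArn.startswith(f"arn:{GOVCLOUD_PARTITION}:iam::"):
            raise PermissionError(
                f"AccessDenied: {RoleArn} is not in the {GOVCLOUD_PARTITION} partition")
        account_id = RoleArn.split(":")[4]
        role_name = RoleArn.rsplit("/", 1)[1]
        return {
            # Constructed placeholder credentials, not real key material
            "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY",
                            "SecretAccessKey": "constructed-secret",
                            "SessionToken": "constructed-token"},
            "AssumedRoleUser": {
                "AssumedRoleId": f"AROAEXAMPLE:{RoleSessionName}",
                "Arn": (f"arn:{GOVCLOUD_PARTITION}:sts::{account_id}:"
                        f"assumed-role/{role_name}/{RoleSessionName}"),
            },
        }


if __name__ == "__main__":
    sts = FakeStsClient()
    # "444455556666" is a constructed sample GovCloud account id
    print(assume_into_govcloud_account(sts, "444455556666", session_name="bootstrap"))
```

The dictionary returned by assume_into_govcloud_account can be passed directly as keyword arguments to boto3.Session (after dropping assumed_role_arn) to call services in the new account, for example to accept the organization invitation sent in the previous procedure.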

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in the AWS GovCloud (US) Region. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted | ITAR-Regulated Data Not Permitted

Not applicable