Moving accounts to an OU or between the root and OUs - AWS Organizations

Moving accounts to an OU or between the root and OUs

When you sign in to your organization's management account, you can move accounts in your organization from the root to an OU, from one OU to another, or back to the root from an OU. Placing an account inside an OU makes it subject to any policies that are attached to the parent OU and any OUs in the parent chain up to the root. If an account isn't in an OU, it's subject to only the policies that are attached directly to the root and any policies that are attached directly to the account. To move accounts, complete the following steps.

Minimum permissions

To move accounts to a new location in the OU hierarchy, you must have the following permissions:

  • organizations:DescribeOrganization – required only when using the Organizations console

  • organizations:MoveAccount

AWS Management Console
To move accounts to an OU
  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AWS accounts page, find the account or accounts that you want to move. You can navigate the OU hierarchy or enable View AWS accounts only to see a flat list of accounts without the OU structure. If you have a lot of accounts, you might have to choose Load more accounts in 'ou-name' at the bottom of the list to find all of those you want to move.

  3. Choose the check box next to the name of each account that you want to move.

  4. On the Actions menu, under AWS account, choose Move.

  5. In the Move AWS account dialog box, navigate to and then choose the OU or root that you want to move the account to, and then choose Move AWS account.

AWS CLI & AWS SDKs
To move an account to an OU

You can use one of the following commands to move an account:

  • AWS CLI: move-account

    The following example moves an AWS account from the root to an OU. Note that you must specify the IDs of both the source and destination containers.

    $ aws organizations move-account \
        --account-id 111122223333 \
        --source-parent-id r-a1b2 \
        --destination-parent-id ou-a1b2-f6g7h111

    This command produces no output when successful.

  • AWS SDKs: MoveAccount
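Because move-account needs the source container ID and prints nothing on success, the following added example (not part of the original AWS page) looks up the current parent, lists the service control policies attached directly to the destination, moves the account, and confirms the new parent. The function names are hypothetical, and the script assumes the caller also has organizations:ListParents and organizations:ListPoliciesForTarget in addition to the minimum permissions listed above.

```shell
#!/bin/sh
# Added example: look up the source parent, review the destination's directly
# attached SCPs, move the account, then confirm the new parent.
# The function names current_parent and move_account_checked are hypothetical.

# Print the ID of the root or OU that currently contains the account.
current_parent() {
    aws organizations list-parents --child-id "$1" \
        --query 'Parents[0].Id' --output text
}

# Usage: move_account_checked ACCOUNT_ID DESTINATION_PARENT_ID
move_account_checked() {
    account_id=$1
    dest_id=$2

    source_id=$(current_parent "$account_id") || return 1
    if [ "$source_id" = "$dest_id" ]; then
        echo "Account $account_id is already in $dest_id; nothing to do." >&2
        return 0
    fi

    # Show SCPs attached directly to the destination. Policies on the OUs
    # above it, up to the root, also apply and are not listed by this call.
    echo "SCPs attached directly to $dest_id:" >&2
    aws organizations list-policies-for-target --target-id "$dest_id" \
        --filter SERVICE_CONTROL_POLICY \
        --query 'Policies[].[Id,Name]' --output text >&2 || return 1

    aws organizations move-account \
        --account-id "$account_id" \
        --source-parent-id "$source_id" \
        --destination-parent-id "$dest_id" || return 1

    # move-account prints nothing on success, so confirm the result.
    new_parent=$(current_parent "$account_id") || return 1
    if [ "$new_parent" != "$dest_id" ]; then
        echo "Move not confirmed: parent is $new_parent" >&2
        return 1
    fi
    echo "Moved $account_id from $source_id to $dest_id" >&2
}

# Example call, using the sample IDs from the page:
# move_account_checked 111122223333 ou-a1b2-f6g7h111
```

To see every policy the account inherits after the move, repeat the list-policies-for-target call for each parent of the destination up to the root.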