AWS Organizations
User Guide

Managing the AWS Accounts in Your Organization

An organization is a collection of AWS accounts that you centrally manage. You can perform the following tasks to manage the accounts that are part of your organization:

Impact on an AWS Account That You Invite to Join an Organization

When you invite an AWS account to join an organization and the owner of the account accepts the invitation, AWS Organizations automatically makes the following changes to the new member account:

  • AWS Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, AWS Organizations recreates the role for the account.

  • If you have any service control policies (SCPs) attached to the root of the OU tree, those SCPs immediately apply to all users and roles in the invited account. AWS Organizations adds new accounts to the root OU by default.

  • If you have enabled service trust for another AWS service for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including an invited account.

For invited member accounts, AWS Organizations doesn't automatically create the IAM role OrganizationAccountAccessRole. This role grants the master account administrative control of the member account. If you want to enable that level of administrative control, you can manually add the role to the invited account. For more information, see Creating the OrganizationAccountAccessRole in an Invited Member Account.
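As an added example (not from this guide) of that manual step, the following POSIX shell script creates OrganizationAccountAccessRole in an invited member account with a trust policy that lets only principals in the master account assume it, and attaches the AdministratorAccess managed policy to provide the administrative control described above. Run it with credentials for the member account; the master account ID 111122223333 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the AWS Organizations guide.
# Creates OrganizationAccountAccessRole in an invited member account.
# Requires the AWS CLI and credentials for the *member* account.

ROLE_NAME="OrganizationAccountAccessRole"

# Emit the trust policy that allows principals in the master account to
# assume the role. Returns non-zero if the account ID is not 12 digits,
# so a typo cannot silently trust the wrong account.
trust_policy() {
  master="$1"
  case "$master" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "${#master}" -eq 12 ] || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${master}:root" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Create the role in the member account and attach AdministratorAccess,
# the same level of control the role carries in created accounts.
create_org_access_role() {
  master="$1"
  doc=$(trust_policy "$master") || { echo "invalid master account id: $master" >&2; return 1; }
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$doc" >/dev/null
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
}

# Usage (placeholder master account ID):
# create_org_access_role 111122223333
```

Every assumption of the role is recorded in the member account's CloudTrail as an sts:AssumeRole event from the master account, which is the signal to monitor once the role exists.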

If you invite an account to join an organization that has only the consolidated billing features enabled and you later want to enable all features for the organization, invited accounts must approve the change.

Impact on an AWS Account That You Create in an Organization

When you create an AWS account in your organization, AWS Organizations automatically makes the following changes to the new member account:

  • AWS Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, AWS Organizations recreates the role for the account.

  • AWS Organizations creates the IAM role OrganizationAccountAccessRole. This role grants the master account access to the new member account. This role can be deleted.

  • If you have any SCPs attached to the root of the OU tree, those SCPs immediately apply to all users and roles in the created account. New accounts are added to the root OU by default.

  • If you have enabled service trust for another AWS service for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including your created account.