Managing the AWS accounts in your organization - AWS Organizations

Managing the AWS accounts in your organization

An organization is a collection of AWS accounts that you manage together. You can perform the following tasks to manage the accounts that are part of your organization:

Impact of being in an organization

Impact on an AWS account that joins an organization?

When you invite an AWS account to join an organization, and the owner of the account accepts the invitation, AWS Organizations automatically makes the following changes to the new member account:

  • AWS Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, AWS Organizations recreates the role for the account.

  • You might have a variety of policies attached to the organization root or the OU that contains the account. If so, those policies immediately apply to all users and roles in the invited account.

  • You can enable service trust for another AWS service for your organization. When you do, that trusted service can create service-linked roles or perform actions in any member account in the organization, including an invited account.

Note

For invited member accounts, AWS Organizations doesn't automatically create the IAM role OrganizationAccountAccessRole. This role grants users in the management account administrative access to the member account. If you want to enable that level of administrative control to an invited account, you can manually add the role. For more information, see Creating the OrganizationAccountAccessRole in an invited member account.

You can invite an account to join an organization that has only the consolidated billing features enabled. If you later want to enable all features for the organization, invited accounts must approve the change.

Impact on an AWS account that you create in an organization?

When you create an AWS account in your organization, AWS Organizations automatically makes the following changes to the new member account:

  • AWS Organizations creates a service-linked role called AWSServiceRoleForOrganizations. The account must have this role if your organization supports all features. You can delete the role if the organization supports only the consolidated billing feature set. If you delete the role and later you enable all features in your organization, AWS Organizations recreates the role for the account.

  • AWS Organizations creates the IAM role OrganizationAccountAccessRole. This role grants the management account access to the new member account. Although this role can be deleted, we recommend that you don't delete it so that it is available as a recovery option.

  • If you have any policies attached to the root of the OU tree, those policies immediately apply to all users and roles in the created account. New accounts are added to the root OU by default.

  • If you have enabled service trust for another AWS service for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including your created account.