Accessing member accounts in your organization
When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, but we recommend that you name it consistently across all of your accounts. We refer to the role in this guide by the default name. AWS Organizations doesn't create any other users or roles. To access the accounts in your organization, you must use one of the following methods:
- When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide. For additional root user security recommendations, see Root user best practices for your AWS account.
- If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. For more information, see Accessing a member account that has a management account access role.
- If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations. To create this role, see Creating the OrganizationAccountAccessRole in an invited member account. After you create the role, you can access it using the steps in Accessing a member account that has a management account access role.
- Use AWS IAM Identity Center and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts. For more information, see Multi-account permissions in the AWS IAM Identity Center User Guide. For information about setting up trusted access for IAM Identity Center, see AWS IAM Identity Center and AWS Organizations.
Minimum permissions
To access an AWS account from any other account in your organization, you must have the following permission:
- sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account.
Accessing a member account as the root user
When you create a new account, AWS Organizations initially assigns a password to the root user that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery.
Notes
- As a best practice, we recommend that you don't use the root user to access your account except to create other users and roles with more limited permissions. Then sign in as one of those users or roles.
- We also recommend that you enable multi-factor authentication (MFA) on the root user. Reset the password, and assign an MFA device to the root user.
- If you created a member account in an organization with an incorrect email address, you can't sign in to the account as the root user. Contact AWS Billing and Support for assistance.
Creating the OrganizationAccountAccessRole in an invited member account
By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named OrganizationAccountAccessRole. For more information, see Accessing a member account that has a management account access role.
However, member accounts that you invite to join your organization do not automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
The users who are members of the selected group now can use the URLs that you captured in step 9 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see Accessing a member account that has a management account access role.
Accessing a member account that has a management account access role
When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account. This role has full administrative permissions in the member account. The role's trust policy covers all principals in the management account; that is, the role is configured to grant its access to the organization's management account. You can create an identical role for an invited member account by following the steps in Creating the OrganizationAccountAccessRole in an invited member account. To use this role to access the member account, you must sign in as a user from the management account that has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.
IAM users that are members of the group now have permissions to switch to the new role in the AWS Organizations console by using the following procedure.
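The two policy documents behind this access, as an added example rather than the documentation's own code: the trust policy the role in an invited member account needs, the group policy in the management account that meets the minimum sts:AssumeRole permission described above, a check that a given management-account policy meets that minimum, and the console switch-role link of the kind the procedure has you capture. The account IDs (111111111111, 222222222222) are constructed placeholders.

```python
# Added example (not the AWS documentation's own code): the two policy documents
# that let management-account principals assume OrganizationAccountAccessRole in
# an invited member account, a check for the page's minimum permission, and the
# console switch-role link. Account IDs are constructed placeholders.
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode

ROLE_NAME = "OrganizationAccountAccessRole"

def trust_policy(management_account_id: str) -> Dict[str, Any]:
    # Goes on the role in the member account. The ":root" ARN means every
    # principal in the management account (not the root user), as in the
    # role that Organizations creates automatically.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def group_assume_policy(member_account_ids: List[str]) -> Dict[str, Any]:
    # Attached to a group in the management account; scoped to the member
    # role ARNs rather than the broader Resource "*".
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{a}:role/{ROLE_NAME}" for a in member_account_ids]}]}

def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def grants_assume_role(policy: Dict[str, Any], member_account_id: str) -> bool:
    # True if an Allow statement permits sts:AssumeRole on the member role,
    # by ARN or via Resource "*" (the minimum the page describes).
    target = f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        if any(r in ("*", target) for r in _as_list(stmt.get("Resource"))):
            return True
    return False

def switch_role_url(member_account_id: str, display_name: Optional[str] = None) -> str:
    # The console switch-role link the procedure has you capture and hand out.
    params = {"account": member_account_id, "roleName": ROLE_NAME}
    if display_name:
        params["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)
```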
Additional resources
- For more information about granting permissions to switch roles, see Granting a User Permissions to Switch Roles in the IAM User Guide.
- For more information about using a role that you have been granted permissions to assume, see Switching to a Role (AWS Management Console) in the IAM User Guide.
- For a tutorial about using roles for cross-account access, see Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide.
- For information about closing AWS accounts, see Closing a member account in your organization.