Accessing member accounts in an organization with AWS Organizations

When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is by default named OrganizationAccountAccessRole. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. AWS Organizations doesn't create any other users or roles.

To access the accounts in your organization, you must use one of the following methods:

Using the root user (Not recommended for everyday tasks)

When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide. For additional root user security recommendations, see Root user best practices for your AWS account.

Using the IAM role OrganizationAccountAccessRole

If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named OrganizationAccountAccessRole that exists in all new accounts that you create this way. For more information, see Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations.

If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations. To create this role, see Creating OrganizationAccountAccessRole for an invited account with AWS Organizations. After you create the role, you can access it using the steps in Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations.

Using trusted access for IAM Identity Center

Use AWS IAM Identity Center and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

For more information, see Multi-account permissions in the AWS IAM Identity Center User Guide. For information about setting up trusted access for IAM Identity Center, see AWS IAM Identity Center and AWS Organizations.

Minimum permissions

To access an AWS account from any other account in your organization, you must have the following permission:

sts:AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating a member account

Using the root user