Creating an AWS account in your organization - AWS Organizations

Creating an AWS account in your organization

Note

AWS Organizations is introducing a new version of the Organizations management console. You can switch between the old console and the new console by choosing the link in the notice boxes at the top of the console. We encourage you to try the new version and let us know what you think. We want your feedback and read each submission.

This page describes how to create accounts within your organization in AWS Organizations. To learn about getting started with AWS and creating a single AWS account, see the Getting Started Resource Center.

An organization is a collection of AWS accounts that you centrally manage. You can perform the following procedures to manage the accounts that are part of your organization:

Important
  • When you create a member account in your organization, AWS Organizations automatically creates an AWS Identity and Access Management (IAM) role in the member account. This role enables IAM users in the management account who assume the role to exercise full administrative control over the member account. This role is subject to any service control policies (SCPs) that apply to the member account.

    AWS Organizations also automatically creates a service-linked role named AWSServiceRoleForOrganizations that enables integration with select AWS services. You must configure the other services to allow the integration. For more information, see AWS Organizations and service-linked roles.

  • If this organization is managed with AWS Control Tower, then create your accounts by using the AWS Control Tower account factory in the AWS Control Tower console or APIs. If you create an account in Organizations, then that account isn't enrolled with AWS Control Tower. For more information, see Referring to Resources Outside of AWS Control Tower in the AWS Control Tower User Guide.

Creating an AWS account that is part of your organization

When you sign in to the organization's management account, you can create member accounts that are automatically part of your organization. To do this, complete the following steps.

When you create an account using the following procedure, Organizations automatically copies the following information from the management account to the new member account:

  • Account name

  • Phone number

  • Company name

  • Customer URL

  • Company contact email

  • Communication language

  • Marketplace (vendor of the account in some AWS Regions)

AWS does not automatically collect all the information required for an account to operate as a standalone account. If you ever need to remove the account from the organization and make it a standalone account, you must provide that information for the account before you can remove it. For more information, see Leaving an organization as a member account.

Minimum permissions

To create a member account in your organization, you must have the following permissions:

  • organizations:CreateAccount

  • organizations:DescribeOrganization – required only when using the Organizations console

  • iam:CreateServiceLinkedRole (granted to principal organizations.amazonaws.com to enable creating the required service-linked role in the member accounts).

Old console

To create an AWS account that is automatically part of your organization

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the Accounts tab, choose Add account.

  3. On the Add account page choose Create account.

  4. On the Create account page, for Account name, enter the name that you want to assign to the account. This name helps you distinguish the account from all other accounts in the organization and is separate from the IAM alias or the email name of the owner.

  5. For Email address associated with the account, enter the email address of the account's owner. This email address cannot already be associated with another AWS account because it becomes the user name credential for the root user of the account. Because root password recovery for the new account is sent to this address, use a mailbox that your organization controls and monitors rather than an individual's personal mailbox.

  6. (Optional) Specify the name to assign to the IAM role that is automatically created in the new account. This role grants the organization's management account permission to access the newly created member account. If you don't specify a name, AWS Organizations gives the role a default name of OrganizationAccountAccessRole. We recommend that you use the default name across all of your accounts for consistency.

    Important

    Remember this role name. You need it later to grant access to the new account for IAM users in the management account.

  7. (Optional) In the Tags section, add one or more tags to the new account by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to an account.

  8. Choose Create.

    The Accounts tab appears, with your new account added to the list.

  9. Now that the account exists and has an IAM role that grants administrator access to users in the management account, you can access the account by following the steps in Accessing and administering the member accounts in your organization.

    When you create an account, AWS Organizations initially assigns a long (64 characters), complex, randomly generated password to the root user. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery. For more information, see Accessing a member account as the root user.

New console

To create an AWS account that is automatically part of your organization

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AWS accounts page, choose Add an AWS account.

  3. On the Add an AWS account page, choose Create an AWS account (it is chosen by default).

  4. On the Create an AWS account page, for AWS account name enter the name that you want to assign to the account. This name helps you distinguish the account from all other accounts in the organization and is separate from the IAM alias or the email name of the owner.

  5. For Email address of the account's owner, enter the email address of the account's owner. This email address cannot already be associated with another AWS account because it becomes the user name credential for the root user of the account. Because root password recovery for the new account is sent to this address, use a mailbox that your organization controls and monitors rather than an individual's personal mailbox.

  6. (Optional) Specify the name to assign to the IAM role that is automatically created in the new account. This role grants the organization's management account permission to access the newly created member account. If you don't specify a name, AWS Organizations gives the role a default name of OrganizationAccountAccessRole. We recommend that you use the default name across all of your accounts for consistency.

    Important

    Remember this role name. You need it later to grant access to the new account for IAM users in the management account.

  7. (Optional) In the Add tags section, add one or more tags to the new account by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to an account.

  8. Choose Create AWS account.

    The AWS accounts page appears, with your new account added to the list.

  9. Now that the account exists and has an IAM role that grants administrator access to users in the management account, you can access the account by following the steps in Accessing and administering the member accounts in your organization.

    When you create an account, AWS Organizations initially assigns a long (64 characters), complex, randomly generated password to the root user. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery. For more information, see Accessing a member account as the root user.

AWS CLI & AWS SDKs

To create an AWS account that is automatically part of your organization

You can use one of the following commands to create an account:

  • AWS CLI: aws organizations create-account

    $ aws organizations create-account \
        --email susan@example.com \
        --account-name "Production Account"
    {
        "CreateAccountStatus": {
            "State": "IN_PROGRESS",
            "Id": "car-examplecreateaccountrequestid111"
        }
    }

    You can then check the status of the account creation with the following command.

    $ aws organizations describe-create-account-status \
        --create-account-request-id car-examplecreateaccountrequestid111
    {
        "CreateAccountStatus": {
            "State": "SUCCEEDED",
            "AccountId": "555555555555",
            "AccountName": "Production Account",
            "RequestedTimestamp": 1470684478.687,
            "CompletedTimestamp": 1470684532.472,
            "Id": "car-examplecreateaccountrequestid111"
        }
    }
  • AWS SDKs: CreateAccount
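The CLI sequence above is asynchronous: create-account returns only a request ID, and the account ID appears only once describe-create-account-status reports SUCCEEDED (or a FailureReason if it reports FAILED). The following script, added here as an example and not taken from the AWS documentation, wraps the same two API calls in the SDK form (boto3's create_account and describe_create_account_status), polls until a terminal state, and then builds the ARN of the OrganizationAccountAccessRole that the management account assumes in step 9 of the console procedures. The FakeOrganizations class, the sample request ID and the account ID 555555555555 are constructed so the script runs offline; with credentials in the management account you would pass boto3.client("organizations") instead. The IamUserAccessToBilling="DENY" setting is a choice made in this example, not something the page prescribes.

```python
"""Create a member account through the Organizations API and wait for the result.

Added example, not AWS's own code. Uses only CreateAccount and
DescribeCreateAccountStatus; the fake client and sample identifiers below are
constructed so the script runs offline.
"""
import time

DEFAULT_ROLE_NAME = "OrganizationAccountAccessRole"  # default role name from the page


class AccountCreationFailed(RuntimeError):
    """Raised when CreateAccountStatus reaches State == 'FAILED'."""

    def __init__(self, request_id, reason):
        super().__init__(f"create-account request {request_id} failed: {reason}")
        self.request_id = request_id
        self.reason = reason


def create_member_account(org, email, account_name, role_name=DEFAULT_ROLE_NAME,
                          poll_interval=5.0, max_polls=60, sleep=time.sleep):
    """Start account creation and poll until it succeeds, fails, or times out.

    org       -- an Organizations client (boto3, or a stand-in with the same methods)
    role_name -- name of the role Organizations creates in the new account
    sleep     -- injected so tests can skip the wait between polls

    Returns a dict with the new account id, the request id, and the ARN of the
    cross-account role. The first response carries only the request id; the
    account id is available only once State is SUCCEEDED.
    """
    started = org.create_account(
        Email=email,
        AccountName=account_name,
        RoleName=role_name,
        # Example choice: keep IAM principals in the new account out of the
        # billing console unless there is a reason to allow it (API default: ALLOW).
        IamUserAccessToBilling="DENY",
    )
    request_id = started["CreateAccountStatus"]["Id"]

    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            account_id = status["AccountId"]
            return {
                "account_id": account_id,
                "request_id": request_id,
                # The role lives in the member account; principals in the
                # management account assume it (STS AssumeRole) to administer it.
                "role_arn": f"arn:aws:iam::{account_id}:role/{role_name}",
            }
        if state == "FAILED":
            # FailureReason is a short code such as EMAIL_ALREADY_EXISTS, returned
            # when the address is already the root user name of another account.
            raise AccountCreationFailed(request_id, status.get("FailureReason"))
        sleep(poll_interval)  # still IN_PROGRESS

    raise TimeoutError(f"create-account request {request_id} still IN_PROGRESS "
                       f"after {max_polls} polls")


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (offline demo only).

    `statuses` is the sequence of CreateAccountStatus dicts that successive
    DescribeCreateAccountStatus calls return; the last one repeats forever.
    """

    def __init__(self, statuses, request_id="car-examplecreateaccountrequestid111"):
        self.request_id = request_id
        self._statuses = list(statuses)
        self.calls = []  # record of (operation, kwargs) for inspection

    def create_account(self, **kwargs):
        self.calls.append(("CreateAccount", kwargs))
        return {"CreateAccountStatus": {"Id": self.request_id, "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, **kwargs):
        self.calls.append(("DescribeCreateAccountStatus", kwargs))
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"CreateAccountStatus": dict(status, Id=self.request_id)}


def successful_client():
    """Fake client that reports IN_PROGRESS once, then SUCCEEDED (constructed data)."""
    return FakeOrganizations([
        {"State": "IN_PROGRESS"},
        {"State": "SUCCEEDED", "AccountId": "555555555555",
         "AccountName": "Production Account"},
    ])


if __name__ == "__main__":
    org = successful_client()
    result = create_member_account(org, "susan@example.com", "Production Account",
                                   sleep=lambda _: None)
    print(result["account_id"], result["role_arn"])
```

The returned role_arn is what you pass to STS AssumeRole from the management account; the assumed session is still subject to any SCPs attached to the member account, as noted at the top of the page. A FAILED state is terminal, so the script raises rather than retrying; a new request with a corrected email or after raising the account limit is the only fix.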