Creating an organization - AWS Organizations

Creating an organization

You can create an organization that starts with your AWS account as the management account. When you create an organization, you can choose whether the organization supports all features (recommended) or only consolidated billing features.

After creating an organization, you can add accounts to your organization in these ways from the management account:

Create an organization

You can create an organization by using either the AWS Management Console or by using a command from the AWS CLI or one of the SDK APIs.

Minimum permissions

To create an organization with your current AWS account, you must have the following permissions:

  • organizations:CreateOrganization

  • iam:CreateServiceLinkedRole

    You can restrict this permission to only the service principal organizations.amazonaws.com.

AWS Management Console

To create an organization

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. By default, the organization is created with all features enabled. However, you can choose either of the following options:

    • To create an organization with all features enabled, on the introduction page, choose Create an organization.

    • To create an organization with Consolidated Billing features only, on the introduction page and under Create an organization, choose consolidated billing features, and then in the confirmation dialog box, choose Create an organization.

    If you accidentally choose the wrong option, you can immediately go to the Settings page, and then choose Delete organization and start over.

  3. The organization is created and the AWS accounts page appears. The only account present is your management account, and it's currently stored in the root organizational unit (OU).

    If required, Organizations automatically sends a verification email to the address that is associated with your management account. There might be a delay before you receive the verification email. Verify your email address within 24 hours. For more information, see Email address verification. You can create accounts to grow your organization without verifying your management account's email address. However, to invite existing accounts, you must first complete email verification.

    Note

    If this account previously verified its email address, then it doesn't happen again when you use the account to create an organization.

AWS CLI & AWS SDKs

To create an organization

You can use one of the following commands to create an organization:

  • AWS CLI: create-organization

    The following example creates an organization and makes the currently signed-in AWS account the management account for the organization.

    $ aws organizations create-organization
    {
      "Organization": {
        "Id": "o-aa111bb222",
        "Arn": "arn:aws:organizations::123456789012:organization/o-aa111bb222",
        "FeatureSet": "ALL",
        "MasterAccountArn": "arn:aws:organizations::123456789012:account/o-aa111bb222/123456789012",
        "MasterAccountId": "123456789012",
        "MasterAccountEmail": "admin@example.com",
        "AvailablePolicyTypes": [ ...DEPRECATED - DO NOT USE ... ]
      }
    }

    Important

    The AvailablePolicyTypes field is deprecated and doesn't contain accurate information about the policies enabled in your organization. To see the accurate and complete list of policy types that are actually enabled for the organization, use the ListRoots command, as described in the AWS CLI portion of the following section.

  • AWS SDKs: CreateOrganization
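The following added example (not code from the AWS documentation) ties together the two security-relevant points above: the minimum-permissions policy, with iam:CreateServiceLinkedRole scoped to the organizations.amazonaws.com service principal through the iam:AWSServiceName condition key, and a check that reads enabled policy types from a ListRoots response instead of the deprecated AvailablePolicyTypes field. The root ID and the ListRoots payload are constructed sample data.

```python
"""Least-privilege policy for CreateOrganization plus a reliable check of
enabled policy types. Added example; root id and responses are constructed."""
import json

# Minimum permissions from the page: CreateOrganization plus service-linked
# role creation, the latter restricted to the Organizations service principal.
MINIMUM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "organizations:CreateOrganization", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"iam:AWSServiceName": "organizations.amazonaws.com"}},
        },
    ],
}

def policy_document() -> str:
    """Render the policy as JSON ready to attach to the creating principal."""
    return json.dumps(MINIMUM_POLICY, indent=2)

def service_linked_role_is_scoped(policy: dict) -> bool:
    """True if every grant of CreateServiceLinkedRole (or a wildcard covering it)
    is limited to organizations.amazonaws.com; False if any grant is broader."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if {"iam:CreateServiceLinkedRole", "iam:*", "*"} & set(actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:AWSServiceName") != "organizations.amazonaws.com":
                return False
    return True

# Constructed sample of a ListRoots response. Roots[].PolicyTypes is the field
# to trust; AvailablePolicyTypes from CreateOrganization is deprecated.
LIST_ROOTS_RESPONSE = {
    "Roots": [{
        "Id": "r-exampleroot", "Name": "Root",
        "PolicyTypes": [
            {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
            {"Type": "TAG_POLICY", "Status": "PENDING_ENABLE"},
        ],
    }]
}

def enabled_policy_types(list_roots_response: dict) -> set[str]:
    """Return the policy types whose Status is ENABLED on any root."""
    return {pt["Type"] for root in list_roots_response["Roots"]
            for pt in root.get("PolicyTypes", []) if pt["Status"] == "ENABLED"}
```

Feed `enabled_policy_types` the parsed output of `aws organizations list-roots` to see what is really enabled; a PENDING_ENABLE entry is deliberately not counted.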

Now you can add additional accounts to your organization as follows:

Email address verification

After you create an organization and before you can invite accounts to join, you must verify that you own the email address provided for the management account in the organization.

When you create an organization, if the management account has not been previously verified, AWS automatically sends a verification email to the specified email address. There might be a delay before you receive the verification email.

Within 24 hours, follow the instructions in the email to verify your email address.

If you don't verify your email address within 24 hours, you can resend the verification request so that you can invite other AWS accounts to your organization. If you don't receive the verification email, check that your email address is correct and, if necessary, modify it.

AWS Management Console

To resend the verification request

  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. Navigate to the Settings page and then choose Send verification request. The option is only present if the management account is not verified.

  3. Verify your email address within 24 hours.

    After verifying your email address, you can invite other AWS accounts to your organization. For more information, see Inviting an AWS account to join your organization.

If you change the email address of the management account, the account's status reverts to "email unverified," and you must complete the verification process for your new email address.