Managing organizational units (OUs)

You can use organizational units (OUs) to group accounts together to administer as a single unit. This greatly simplifies the management of your accounts. For example, you can attach a policy-based control to an OU, and all accounts within the OU automatically inherit the policy. You can create multiple OUs within a single organization, and you can create OUs within other OUs. Each OU can contain multiple accounts, and you can move accounts from one OU to another. However, OU names must be unique within a parent OU or root.

Note

Currently, you can have only a single root, which AWS Organizations creates for you when you first set up your organization. The name of the default root is "root."

To structure the accounts in your organization, you can perform the following tasks:

• Viewing details of an OU

• Creating an OU

• Renaming an OU

• Edit tags attached to an OU

• Moving an account to an OU or between the root and OUs

Navigating the root and OU hierarchy

To navigate to different OUs or to the root when moving accounts or attaching policies, you can use the tree view.

To enable and use the tree view of the organization

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. Choose the Organize accounts tab.

3. If the tree view pane isn't visible on the left side of the page, choose the TREE VIEW switch icon .

4. The tree initially appears showing the root, with only the first level of child OUs displayed. To expand the tree to show deeper levels, choose the + icon next to any parent entity. To reduce clutter and collapse a branch of the tree, choose the — icon next to an expanded parent entity.

5. Choose the OU or root that you want to navigate to. The node in the tree view that is displayed in bold text is the one that you are currently viewing in the center pane.

Notes

• Rename, Delete, and Move operations in the center pane: When you view the contents of a root or OU in the console, you can interact with the child entities of that root or OU. For example, if you select the check box for a child OU or account, you can choose the Rename, Delete, or Move links above that section to perform those operations on the selected entity. The operations apply only to the child entities that you select. They don't apply to the containing root or OU. To perform the same operations for the containing OU, you must navigate to the OU's parent OU or root, and then select the check box for the child OU that you want to manage.

• Details pane: The details pane on the right side of the console shows information about the root or OU that you are viewing. If you select a check box for a child entity, the details pane switches to show information about the selected entity. To see the details of the containing root or OU again, you must clear the check box. Alternatively, you can navigate to the parent root or OU, and then select the check box for the OU whose information you want to see.

To navigate without using the tree view

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. Choose the Organize accounts tab.

3. Navigate down a branch by choosing the name of the OU (not the check box) that you want to view in the center pane.

4. Navigate up the branch by choosing the back button (<) on the title bar of the center pane.

Creating an OU

When signed in to your organization's management account (formerly known as the "master account"), you can create an OU in your organization's root. OUs can be nested up to five levels deep. To create an OU, complete the following steps.

Important

If this organization is managed with AWS Control Tower, then create your OUs with the AWS Control Tower console or APIs. If you create the OU in Organizations, then that OU isn't registered with AWS Control Tower. For more information, see Referring to Resources Outside of AWS Control Tower in the AWS Control Tower User Guide.

Minimum permissions

To create an OU within a root in your organization, you must have the following permissions:

• organizations:DescribeOrganization (console only)

• organizations:CreateOrganizationalUnit

AWS Management Console

To create an OU

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

   The console displays the contents of the root. The first time you visit a root, the console displays all of your AWS accounts in that top-level view. If you previously created OUs and moved accounts into them, the console shows only the top-level OUs and any accounts that you have not yet moved into an OU.

2. (Optional) If you want to create an OU inside an existing OU, navigate to the child OU by choosing the name (not the check box) of the child OU, or by choosing the OU in the tree view.

3. When you're in the correct location in the hierarchy, choose Create organizational unit (OU).

4. In the Create organizational unit dialog box, enter the name of the OU that you want to create, and then choose +New organizational unit.

5. Enter the name of the new OU.

6. (Optional) Add one or more tags by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to an OU.

Your new OU appears inside the parent. You now can move accounts to this OU or attach policies to it.

AWS CLI, AWS API

To create an OU

You can use one of the following commands to create an OU:

• AWS CLI: aws organizations create-organizational-unit

• AWS API: CreateOrganizationalUnit

Renaming an OU

When signed in to your organization's management account, you can rename an OU. To do this, complete the following steps.

Minimum permissions

To rename an OU within a root in your AWS organization, you must have the following permissions:

• organizations:DescribeOrganization (console only)

• organizations:UpdateOrganizationalUnit

AWS Management Console

To rename an OU

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. On the Organize accounts tab, navigate to the parent of the OU that you want to rename. Select the check box for the child OU that you want to rename.

3. Choose Rename above the list of OUs.

4. In the Rename organizational unit dialog box, enter a new name, and then choose Rename organizational unit.

AWS CLI, AWS API

To rename an OU

You can use one of the following commands to rename an OU:

• AWS CLI: aws organizations update-organizational-unit

• AWS API: UpdateOrganizationalUnit

Editing tags attached to an OU

When signed in to your organization's master account, you can add or remove the tags attached to an OU. To do this, complete the following steps.

Minimum permissions

To edit the tags attached to an OU within a root in your AWS organization, you must have the following permissions:

• organizations:DescribeOrganization (console only – to navigate to the OU)

• organizations:DescribeOrganizationalUnit (console only – to navigate to the OU)

• organizations:TagResource

• organizations:UntagResource

AWS Management Console

To edit the tags attached to an OU

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. On the Organize accounts tab, navigate to and choose the OU whose tags you want to edit.

3. In the OU's details pane, choose EDIT TAGS.

4. You can perform any of these actions on this page:

   • Edit the value for any tag by entering a new value over the old one. You can't modify the key. To change a key, you must delete the tag with the old key and add a tag with the new key.

   • Remove an existing tag by choosing Remove.

   • Add a new tag key and value pair. Choose Add tag, then enter the new key name and optional value in the provided boxes. If you leave the Value box empty, the value is an empty string; it isn't null.

5. Choose Save changes after you've made all the additions, removals, and edits you want to make.

AWS CLI, AWS API

To edit the tags attached to an OU

You can use one of the following commands to rename an OU:

• AWS CLI: aws organizations tag-resource and aws organizations untag-resource

• AWS API: TagResource and UntagResource

Moving an account to an OU or between the root and OUs

When signed in to your organization's management account, you can move accounts in your organization from the root to an OU, from one OU to another, or back to the root from an OU. Placing an account inside an OU makes it subject to any policies that are attached to the parent OU and any other OUs in the parent chain up to the root. If an account isn't in an OU, it's subject to only the policies that are attached to the root and any that are attached directly to the account. To move an account, complete the following steps.

Minimum permissions

To move an account to a new location in the OU hierarchy, you must have the following permissions:

• organizations:DescribeOrganization (console only)

• organizations:MoveAccount

AWS Management Console

To move an account to an OU

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. Choose the Organize accounts tab and then navigate to the OU that contains the account that you want to move. When you find the account, select its check box. Select multiple check boxes if you want to move multiple accounts.

3. Choose Move above the list of accounts.

4. In the Move accounts dialog box, choose the OU or the root that you want to move the accounts to and then choose Select.

AWS CLI, AWS API

To move an account to an OU

You can use one of the following commands to move an account:

• AWS CLI: aws organizations move-account

• AWS API: MoveAccount

Deleting an OU

When signed in to your organization's management account, you can delete OUs that you no longer need. First, you must move all accounts out of the OU and any child OUs, and then you can delete the child OUs.

Minimum permissions

To delete an OU, you must have the following permissions:

• organizations:DescribeOrganization (console only)

• organizations:DeleteOrganizationalUnit

AWS Management Console

To delete an OU

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.

2. On the Organize accounts tab, navigate to the parent container of the OU that you want to delete. Select the OU's check box. You can select check boxes for multiple OUs if you want to delete more than one.

3. Choose Delete above the list of OUs.

   AWS Organizations deletes the OU and removes it from the list.

AWS CLI, AWS API

To delete an OU

You can use one of the following commands to delete an OU:

• AWS CLI: aws organizations delete-organizational-unit

• AWS API: DeleteOrganizationalUnit