AWS Organizations
User Guide

Troubleshooting General Issues

Use the information here to help you diagnose and fix access-denied or other common issues that you might encounter when working with AWS Organizations.

I get an "access denied" message when I make a request to AWS Organizations

  • Verify that you have permissions to call the action and resource that you have requested. An administrator must grant permissions by attaching an IAM policy to your IAM user or to a group that you're a member of. If the policy statements that grant those permissions include any conditions, such as time-of-day or IP address restrictions, you also must meet those requirements when you send the request. For information about viewing or modifying policies for an IAM user, group, or role, see Working with Policies in the IAM User Guide.

  • If you are signing API requests manually (without using the AWS SDKs), verify that you have correctly signed the request.

I get an "access denied" message when I make a request with temporary security credentials

I get an "access denied" message when I try to leave an organization as a member account or remove a member account as the master account

  • You can remove a member account only after you enable IAM user access to billing in the member account. For more information, see Activating Access to the Billing and Cost Management Console in the AWS Billing and Cost Management User Guide.

  • You can remove an account from your organization only if the account has the information required for it to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, that information isn't automatically collected. For an account that you want to make standalone, you must accept the AWS Customer Agreement, choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account isn't attached to an organization. For more information, see Leaving an Organization as a Member Account.

I get a "limit exceeded" message when I try to add an account to my organization

There is a limit to the number of accounts that you can have in an organization. Deleted or closed accounts continue to count against this limit.

An invitation to join counts against the limit of accounts in your organization. The count is returned if the invited account declines, the master account cancels the invitation, or the invitation expires.

I get a "this operation requires a wait period" message while adding or removing accounts

Some actions require a wait period. For example, you can't immediately remove newly created accounts. Try the action again later. If you experience issues with account limits while adding and removing accounts, contact AWS Support to request a limit increase.

I get an "organization is still initializing" message when I try to add an account to my organization

If you receive this error and it's been over an hour since you created the organization, contact AWS Support.

I used an incorrect email address when I created a member account

If you created a member account in an organization with an incorrect email address, you can’t sign in to the account as the root user. In this case, try accessing or creating a master account access role for the account. For more information, see Accessing a Member Account That Has a Master Account Access Role. If you can't access or create the role, see the Contact Us page, and choose the item regarding billing to contact AWS Support.

Changes that I make aren't always immediately visible

As a service that is accessed through computers in data centers around the world, AWS Organizations uses a distributed computing model called eventual consistency. Any change that you make in AWS Organizations takes time to become visible from all possible endpoints. Some of the delay results from the time it takes to send the data from server to server or from replication zone to replication zone. AWS Organizations also uses caching to improve performance, but in some cases this can add time. The change might not be visible until the previously cached data times out.

Design your global applications to account for these potential delays and ensure that they work as expected, even when a change made in one location isn't instantly visible at another.

For more information about how some other AWS services are affected by this, consult the following resources: