Troubleshooting general issues - AWS Organizations

Troubleshooting general issues

Use the information here to help you diagnose and fix access-denied or other common issues that you might encounter when working with AWS Organizations.

I get an "access denied" message when I make a request to AWS Organizations

  • Verify that you have permissions to call the action and resource that you have requested. An administrator must grant permissions by attaching an IAM policy to your user, group, or role. If the policy statements that grant those permissions include any conditions, such as time-of-day or IP address restrictions, you also must meet those requirements when you send the request. For information about viewing or modifying policies for a user, group, or role, see Working with Policies in the IAM User Guide.

  • If you are signing API requests manually (without using the AWS SDKs), verify that you have correctly signed the request.
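Most "access denied" surprises on an Organizations call come from a grant whose Condition the request does not satisfy. The following is an added illustration, not the AWS policy engine and not code from this guide: a deliberately simplified evaluator that models Allow/Deny statements with wildcard Action matching and only the `aws:SourceIp` and `aws:CurrentTime` condition keys (Resource is treated as `*`), so you can see which statement would have granted the action and why its condition failed. The policy, addresses and timestamps below are constructed sample data.

```python
"""Simplified IAM policy evaluation for diagnosing an "access denied" on an
AWS Organizations call.  Added example, not AWS's evaluator: it models
Allow/Deny, wildcard Action matching and the aws:SourceIp / aws:CurrentTime
condition keys only, and treats Resource as "*"."""
import fnmatch
import ipaddress
from datetime import datetime


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _parse_time(text):
    # IAM uses ISO 8601 with a trailing Z; rewrite it so fromisoformat accepts it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition, ctx):
    """True if every operator/key pair in the Condition block is satisfied.
    A condition key missing from the request context never matches."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
            elif operator == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
            elif operator == "DateGreaterThan":
                ok = all(_parse_time(actual) > _parse_time(w) for w in wanted)
            elif operator == "DateLessThan":
                ok = all(_parse_time(actual) < _parse_time(w) for w in wanted)
            else:
                raise ValueError(f"condition operator {operator!r} is not modelled here")
            if not ok:
                return False
    return True


def evaluate_policy(policy, action, ctx):
    """Return (decision, reason).  An explicit Deny wins over any Allow, and a
    request that matches no satisfied Allow is an implicit deny."""
    allowed_by = None
    unmet = []
    for i, stmt in enumerate(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        satisfied = _condition_holds(stmt.get("Condition", {}), ctx)
        if stmt["Effect"] == "Deny" and satisfied:
            return "Deny", f"explicit Deny in statement {i}"
        if stmt["Effect"] == "Allow":
            if satisfied:
                allowed_by = i
            else:
                unmet.append(i)
    if allowed_by is not None:
        return "Allow", f"granted by statement {allowed_by}"
    if unmet:
        return "Deny", f"statement(s) {unmet} grant {action} but their Condition is not met by this request"
    return "Deny", f"no statement grants {action} (implicit deny)"


# Constructed sample policy: read-only Organizations access from one office
# CIDR, and account creation only inside a one-day change window.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["organizations:Describe*", "organizations:List*"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Effect": "Allow",
            "Action": "organizations:CreateAccount",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-02T00:00:00Z"},
            },
        },
    ],
}

if __name__ == "__main__":
    # Constructed request contexts: one from inside the CIDR, one from outside.
    for ctx in (
        {"aws:SourceIp": "203.0.113.7", "aws:CurrentTime": "2024-06-01T10:00:00Z"},
        {"aws:SourceIp": "198.51.100.9", "aws:CurrentTime": "2024-06-01T10:00:00Z"},
    ):
        print(ctx["aws:SourceIp"], evaluate_policy(SAMPLE_POLICY, "organizations:DescribeOrganization", ctx))
```

The reason string is the useful part when troubleshooting: a denial that names a granting statement with an unmet Condition points at the request context (source address, time) rather than at a missing permission, which is exactly the distinction the first bullet above asks you to make.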

I get an "access denied" message when I make a request with temporary security credentials

I get an "access denied" message when I try to leave an organization as a member account or remove a member account as the management account

  • You can remove a member account only after you enable IAM user access to billing in the member account. For more information, see Activating Access to the Billing and Cost Management Console in the AWS Billing User Guide.

  • You can remove an account from your organization only if the account has the information required for it to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, that information isn't automatically collected. For an account that you want to make standalone, you must accept the AWS Customer Agreement, choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account isn't attached to an organization. For more information, see Leave an organization from your member account.

I get a "quota exceeded" message when I try to add an account to my organization

There is a maximum number of accounts that you can have in an organization. Deleted or closed accounts continue to count against this quota.

An invitation to join also counts against the maximum number of accounts in your organization. That slot is released if the invited account declines the invitation, the management account cancels it, or the invitation expires.
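Because closed accounts and outstanding invitations both consume slots, the number of `ACTIVE` accounts understates how close you are to the quota. The function below is an added example (not AWS code): it takes records in the shape returned by `list_accounts` (with a `Status` field) and `list_handshakes_for_organization` (with `Action` and `State` fields) and reports how many slots are used and how many remain. The account and handshake records and the `MAX_ACCOUNTS` value are constructed placeholders so the check runs offline.

```python
"""Work out how much of the Organizations account quota is consumed.  Added
example, not AWS code: the records mirror the shapes that list_accounts and
list_handshakes_for_organization return, but the data below is constructed."""

# An invitation that has not been answered yet still reserves a slot;
# DECLINED, CANCELED and EXPIRED invitations have given their slot back, and an
# ACCEPTED one has already become an account record, so only these two count.
OUTSTANDING_INVITE_STATES = {"REQUESTED", "OPEN"}


def quota_usage(accounts, handshakes, max_accounts):
    """Return a breakdown of quota use.  Every account record counts, whatever
    its Status, because closed accounts still count against the quota."""
    closed = sum(1 for a in accounts if a["Status"] != "ACTIVE")
    outstanding = sum(
        1 for h in handshakes
        if h["Action"] == "INVITE" and h["State"] in OUTSTANDING_INVITE_STATES
    )
    used = len(accounts) + outstanding
    return {
        "active_accounts": len(accounts) - closed,
        "closed_accounts": closed,
        "outstanding_invitations": outstanding,
        "used": used,
        "remaining": max(max_accounts - used, 0),
    }


def can_invite(accounts, handshakes, max_accounts, how_many=1):
    """True if `how_many` more invitations fit in the quota right now."""
    return quota_usage(accounts, handshakes, max_accounts)["remaining"] >= how_many


# Constructed sample: two live accounts, one closed account that still counts,
# one open invitation, three invitations that no longer hold a slot, and an
# unrelated all-features handshake that is not an invitation at all.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},
    {"Id": "222222222222", "Status": "ACTIVE"},
    {"Id": "333333333333", "Status": "SUSPENDED"},
]
SAMPLE_HANDSHAKES = [
    {"Id": "h-1", "Action": "INVITE", "State": "OPEN"},
    {"Id": "h-2", "Action": "INVITE", "State": "DECLINED"},
    {"Id": "h-3", "Action": "INVITE", "State": "EXPIRED"},
    {"Id": "h-4", "Action": "INVITE", "State": "CANCELED"},
    {"Id": "h-5", "Action": "ENABLE_ALL_FEATURES", "State": "OPEN"},
]
# Placeholder: substitute the account quota that applies to your organization.
MAX_ACCOUNTS = 10

if __name__ == "__main__":
    print(quota_usage(SAMPLE_ACCOUNTS, SAMPLE_HANDSHAKES, MAX_ACCOUNTS))
    print("room for one more invitation:", can_invite(SAMPLE_ACCOUNTS, SAMPLE_HANDSHAKES, MAX_ACCOUNTS))
```

Running this before a batch of invitations tells you whether to cancel stale invitations or request a quota increase first, instead of discovering the limit one failed call at a time.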

I get a "this operation requires a wait period" message while adding or removing accounts

Some actions require a wait period. For example, you can't immediately remove newly created accounts. Try the action again in a few days. If you experience issues with account quotas while adding and removing accounts, see Maximum and minimum values for information about how to request a quota increase.

I get an "organization is still initializing" message when I try to add an account to my organization

If you receive this error and it's been over an hour since you created the organization, contact AWS Support.

I get an "Invitations are disabled" message when I try to invite an account to my organization

This happens when you enable all features in your organization. This operation can take some time and requires that all member accounts respond. Until the operation is completed, you can't invite new accounts to join the organization.

Changes that I make aren't always immediately visible

As a service that is accessed through computers in data centers around the world, AWS Organizations uses a distributed computing model called eventual consistency. Any change that you make in AWS Organizations takes time to become visible from all possible endpoints. Some of the delay results from the time it takes to send the data from server to server or from replication zone to replication zone. AWS Organizations also uses caching to improve performance, but in some cases this can add time. The change might not be visible until the previously cached data times out.

Design your global applications to account for these potential delays and ensure that they work as expected, even when a change made in one location isn't instantly visible at another.
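A concrete way to "account for these potential delays" is to treat every read that follows a write as possibly stale and poll it with a bounded, exponentially backed-off retry. The code below is an added example and not AWS code: `read` is any zero-argument callable (in practice a lambda wrapping a call such as `list_accounts_for_parent`), and `StaleThenFresh` is a constructed stand-in that keeps returning the old view for a few reads so the example runs offline; the account IDs are placeholders.

```python
"""Poll an eventually consistent read until a change becomes visible.  Added
example, not AWS code: `read` is any zero-argument callable, and StaleThenFresh
is a constructed stand-in for a read that lags behind a recent write."""
import time


def backoff_schedule(attempts, base_delay=0.5, max_delay=8.0):
    """Delays slept between consecutive reads: doubling, capped at max_delay.
    There are attempts - 1 gaps for `attempts` reads."""
    delays, delay = [], base_delay
    for _ in range(attempts - 1):
        delays.append(delay)
        delay = min(delay * 2, max_delay)
    return delays


def wait_until_visible(read, is_visible, attempts=8, base_delay=0.5,
                       max_delay=8.0, sleep=time.sleep):
    """Call read() until is_visible(result) is True.  Returns (result, reads_used)
    and raises TimeoutError if the change has not appeared after `attempts` reads,
    so a caller never spins forever on a view that may not converge."""
    delays = backoff_schedule(attempts, base_delay, max_delay)
    for n in range(attempts):
        result = read()
        if is_visible(result):
            return result, n + 1
        if n < len(delays):
            sleep(delays[n])
    raise TimeoutError(f"change still not visible after {attempts} reads")


class StaleThenFresh:
    """Constructed stand-in for a lagging read: serves old_view for the first
    `stale_reads` calls and new_view afterwards."""

    def __init__(self, old_view, new_view, stale_reads):
        self.old_view, self.new_view, self.stale_reads = old_view, new_view, stale_reads
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return self.old_view if self.calls <= self.stale_reads else self.new_view


def demo(sleep=time.sleep):
    """Constructed scenario: account 333333333333 was just moved into an OU,
    but the listing for that OU lags behind for three reads."""
    listing = StaleThenFresh(
        old_view=["111111111111", "222222222222"],
        new_view=["111111111111", "222222222222", "333333333333"],
        stale_reads=3,
    )
    return wait_until_visible(listing, lambda ids: "333333333333" in ids, sleep=sleep)


if __name__ == "__main__":
    print(demo())
```

The `sleep` parameter is injected so the same function can be exercised instantly in tests and with real delays in production; the bounded `attempts` is what keeps a stale cache from turning into a hung automation job.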

For more information about how some other AWS services are affected by this, consult the following resources: