How to Use AWS Organizations: Setup and Management Guide
Use
AWS Organizations lets you centrally manage multiple AWS accounts: create an organization, create new accounts or invite existing ones, and apply service control policies (SCPs) for governance. This simplifies billing and lets you enforce rules consistently across accounts.
Syntax
The main steps to use AWS Organizations are:
- Create an organization: This is the root container for your accounts.
- Add accounts: You can create new accounts or invite existing ones.
- Organize accounts: Group accounts into organizational units (OUs) for easier management.
- Apply policies: Use service control policies (SCPs) to control permissions across accounts.
```bash
aws organizations create-organization
aws organizations create-account --email "email@example.com" --account-name "NewAccount"
aws organizations invite-account-to-organization --target Id=123456789012,Type=ACCOUNT
aws organizations create-organizational-unit --parent-id <root-id> --name "OU-Name"
aws organizations attach-policy --policy-id <policy-id> --target-id <target-id>
```
Example
This example shows how to create an organization, add a new account, create an organizational unit, and attach a policy using the AWS CLI.
```bash
aws organizations create-organization --feature-set ALL
aws organizations create-account --email "newuser@example.com" --account-name "DevAccount"
aws organizations create-organizational-unit --parent-id r-examplerootid111 --name "Development"
aws organizations attach-policy --policy-id p-examplepolicyid123 --target-id ou-examplerootid111-exampleouid222
```
Output
```json
{
  "Organization": {
    "Id": "o-exampleorgid",
    "Arn": "arn:aws:organizations::123456789012:organization/o-exampleorgid",
    "FeatureSet": "ALL",
    "MasterAccountArn": "arn:aws:organizations::123456789012:account/o-exampleorgid/123456789012",
    "MasterAccountId": "123456789012",
    "MasterAccountEmail": "master@example.com"
  }
}
{
  "CreateAccountStatus": {
    "Id": "car-exampleid",
    "AccountName": "DevAccount",
    "State": "IN_PROGRESS"
  }
}
{
  "OrganizationalUnit": {
    "Id": "ou-examplerootid111-exampleouid222",
    "Arn": "arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-examplerootid111-exampleouid222",
    "Name": "Development"
  }
}
{}
```
Common Pitfalls
Common mistakes when using AWS Organizations include:
- Trying to add an account that is already part of another organization without removing it first.
- Not waiting for account creation to complete before using the new account.
- Applying policies to the wrong organizational unit or account, causing unexpected permission issues.
- Using root credentials instead of IAM roles or users for management tasks.
```bash
aws organizations invite-account-to-organization --target Id=123456789012,Type=ACCOUNT
# Error: Account is already a member of another organization
# Correct approach:
# Remove the account from its current organization before inviting it.
```
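To see why the target you pass to `attach-policy` matters, here is an added Python example (not from the original guide or from AWS) that models how SCPs are evaluated along the path from the root through each OU down to an account: a deny attached to the Development OU constrains accounts under it and nothing else. The guardrail policy content, the account numbers and the Sandbox OU id are assumptions constructed for the example; the root and Development OU ids mirror the placeholders used above.

```python
import fnmatch

# Constructed sample organization; placeholder IDs in the style of the guide, not real ones.
ROOT = "r-examplerootid111"
DEV_OU = "ou-examplerootid111-exampleouid222"
SANDBOX_OU = "ou-examplerootid111-sandboxid333"      # assumed second OU
DEV_PATH = [ROOT, DEV_OU, "111111111111"]            # root -> Development OU -> member account
SANDBOX_PATH = [ROOT, SANDBOX_OU, "222222222222"]    # root -> Sandbox OU -> member account

# AWS attaches the managed FullAWSAccess SCP to every root, OU and account by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Assumed guardrail SCP: block disabling audit logging and leaving the organization.
GUARDRAIL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "organizations:LeaveOrganization"],
    "Resource": "*"}]}
# State after `attach-policy --target-id <Development OU>`: only that node gains the guardrail.
ATTACHMENTS = {ROOT: [FULL_AWS_ACCESS], DEV_OU: [FULL_AWS_ACCESS, GUARDRAIL],
               SANDBOX_OU: [FULL_AWS_ACCESS]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports "*" wildcards such as "cloudtrail:*".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def level_permits(policies, action):
    """Combine the SCPs attached at one node: an explicit Deny wins, otherwise an Allow is
    required. Resource and Condition elements are ignored in this simplified model."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt:
                applies = not _matches(action, stmt["NotAction"])
            else:
                applies = _matches(action, stmt.get("Action", []))
            if not applies:
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective_permit(attachments, path, action):
    """An action survives SCP evaluation only if every node on the path root -> OUs -> account
    permits it. Nodes with nothing attached carry only the default FullAWSAccess. SCPs filter
    IAM permissions rather than grant them, and they never apply to the management account."""
    return all(level_permits(attachments.get(node, [FULL_AWS_ACCESS]), action) for node in path)
```

Detaching FullAWSAccess from a node without attaching a replacement Allow leaves that node with no matching Allow, so every action below it is denied; the same model shows that outcome.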
Quick Reference
Key AWS Organizations commands:
```plaintext
Command                          | Description
---------------------------------|------------------------------
create-organization              | Create a new AWS Organization
create-account                   | Create a new AWS account
invite-account-to-organization   | Invite existing account
create-organizational-unit       | Create an OU to group accounts
attach-policy                    | Attach SCP to OU or account
list-accounts                    | List accounts in the organization
list-policies                    | List policies available
```
Key Takeaways
- AWS Organizations lets you manage multiple AWS accounts centrally with policies and consolidated billing.
- Create an organization first, then add or invite accounts to it.
- Use organizational units (OUs) to group accounts for easier policy management.
- Apply service control policies (SCPs) to control permissions across accounts.
- Avoid common mistakes like adding accounts already in other organizations or misapplying policies.