
AWS-Organization

Create AWS Organization

  1. Search for AWS Organizations in the AWS Console

Add/Create Account

  1. Click Create Organization.

  2. Click Add Account. Note: if you are using a Gmail address, you can use plus addressing (for example mainemail+development@gmail.com) as the email for your development account, since each AWS account needs its own email address.

  3. It may take a little while for the account to be created.

Logging in to New Account

  1. This account, like any account you create, has a root user associated with it. You didn't specify one when you created the account as you did the last time, but it exists.
  2. Log in to the console as your IAMAdmin user, click on your account name at the top and click Switch Roles.
  3. Click Switch Role.
  4. Enter the account number of the new account, the role name OrganizationAccountAccessRole, and a display name such as Development (or whatever you called the second account).
  5. Click Switch Role.
  6. You will notice that you're now signed in to the development account, but using the IAMAdmin user from the management account.
  7. What this means is that you have assumed a role in one account (the development account) using an identity from another account (the management account).

Making sense of the accounts

  1. Search for IAM while logged in as the assumed role.
  2. Notice that there are 0 users and 4 roles (maybe more or less depending). Also notice that you have a security alert stating that the root user doesn't have MFA enabled.
  3. So...what's the root user for this account? How do we log in as root? How do we enable MFA on that account?
  4. Take note, at the very top of the IAM console, that you have a new sign-in URL.
  5. Click Customize and change this to the same alias you used on the other account with -development appended, so your link for this one may look like https://youraccount-development.signin.aws.amazon.com/console
  6. Sign out of all of your accounts and then open the link that you created.
  7. Click the Sign in using root user email link.
  8. Enter in your email address (the +development@gmail.com one) and then select Forgot Password
  9. Fill out the Captchas and have them email you a password reset link.
  10. Click the link in the email and enter your new password.
  11. You should get another email stating that your password has been changed
  12. Put this in your password manager

Set up MFA

  1. Sign in using the +development@gmail.com and the password you set up
  2. Continue to set up MFA as you've done with the other accounts.
  3. Create an IAMAdmin user for this account, set the AdministratorAccess Policy and then set up MFA on that one as well.
  4. Save all of this in your password manager.
  5. At this point, you should have two accounts, two root users and two IAMAdmin users with AdministratorAccess policies, and all of them should be set up with MFA.
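Once more accounts exist, checking the end state above by hand (0 users, a handful of roles, root MFA enabled) does not scale. The following is an added example, not part of this page: it assumes OrganizationAccountAccessRole from the management account, the same role the Switch Role step uses, and reads IAM's account summary to report on root-user posture. The live path needs boto3 and management-account credentials; the assessment logic itself runs offline on a constructed summary.

```python
"""Audit root-user posture of member accounts via OrganizationAccountAccessRole."""
from dataclasses import dataclass
from typing import Dict, List

ORG_ROLE = "OrganizationAccountAccessRole"  # role AWS Organizations creates in each member account


def org_role_arn(account_id: str, role_name: str = ORG_ROLE) -> str:
    """Build the ARN the management account assumes to reach a member account."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


@dataclass
class RootFindings:
    account_id: str
    root_mfa: bool
    root_access_keys: bool
    users: int
    roles: int

    def problems(self) -> List[str]:
        """Return the checks that fail for this account (empty list means it looks like the page's end state)."""
        issues = []
        if not self.root_mfa:
            issues.append("root user has no MFA device")
        if self.root_access_keys:
            issues.append("root user has access keys")
        return issues


def assess(account_id: str, summary_map: Dict[str, int]) -> RootFindings:
    """Interpret the SummaryMap returned by IAM GetAccountSummary (keys are real IAM summary keys)."""
    return RootFindings(
        account_id=account_id,
        root_mfa=summary_map.get("AccountMFAEnabled", 0) == 1,
        root_access_keys=summary_map.get("AccountAccessKeysPresent", 0) == 1,
        users=summary_map.get("Users", 0),
        roles=summary_map.get("Roles", 0),
    )


def fetch_summary(account_id: str, session_name: str = "root-mfa-audit") -> Dict[str, int]:
    """Live path: assume the org role with STS, then call GetAccountSummary in the member account."""
    import boto3  # imported here so the offline parts of this module work without boto3 installed
    creds = boto3.client("sts").assume_role(RoleArn=org_role_arn(account_id),
                                            RoleSessionName=session_name)["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return iam.get_account_summary()["SummaryMap"]


# Constructed sample: what a freshly created member account looks like before the MFA steps above.
SAMPLE_NEW_ACCOUNT = {"Users": 0, "Roles": 4, "AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}
```

Run `assess(acct, fetch_summary(acct))` for each member account ID from the management account to get a per-account list of problems; the constructed sample reproduces the "0 users, 4 roles, root without MFA" state the IAM console shows right after account creation.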