Skip to main content

1. AWS Organizations

Take one account and create an organization (this makes it the management or master account) Then, invite other accounts into the management account - this makes them become member accounts instead of standard accounts.

  • Organizational Root
  • Not the root user
  • Organizational Unit that is the root.
  • These can contain multiple Organizational Units (OU's)

Consolidated billing

Individual accounts don't get billed individually any longer - they are billed from the management account.
image.png

  • Consolidation of reservation and volume discounts - multiple accounts using a service adds up and then can meet discount tiers over all, even if one account may not meet the discount tier.

Creating new accounts

Can create them directly from the organization without inviting (still needs unique email addresses

Role switching

Login to one account and then role switch to "assume a role" in another account.

AWS Organizations Demo

Take the general account and the production account and create an organization around it and create a development account.

  1. Log into the account that you will end up creating the management account in - the general account
  2. Search for the AWS Organizations console a. You may be prompted to verify your email, do that now.
  3. Click on Create Organization and you will create a organization with the managment account marked.
  4. Open a new browser session and log into your production account. Make sure you have sessions to the management AND production account
  5. Gather the account ID from the dropdown of your production account and copy it.
  6. Back in the management account, click Add Account and then click on Invite an existing AWS account. a. You might be prompted again to verify the email address of this account, do this now.
  7. Enter in the account number that you copied OR the email address of that account. a. you can include a custom invitation email here, but if you own the other account, now is not a good time to talk to yourself.
  8. Click on Send Invitation. a. there is a limit of accounts that an organization might have, a support ticket should clear that up.
  9. Back in the production account, you should see 1 invitation in the AWS Organizations console. Click that and Accept Invitation to join that account as a member to your AWS Organization.

I have a cluster of accounts from my AWS Certified Associate account.

image.png

AWS Organizations Part 2

Switching Accounts

  1. Log into the production account and navigate to the IAM console.
  2. Click on Roles
  3. Click Create Role
  4. Click Another AWS Account
  5. Enter in the Account ID of the Management account.
  6. Click Next: Permissions
  7. Add the Administrator Access Role and call it OrganizationAccountAccessRole (used by Amazon)
  8. Click Create Role
  9. Look at the role and then look at the trust relationships and notice that it trusts the management account.
  10. Copy the Account ID of the production account
  11. On the management account, click the account dropdown and select Switch Roles and then Switch Role
  12. Paste the account number in and then for the Role, type in the name of the role (OrganizationAccountAccessRole) and then Give it a display name and a color if you want.
  13. Click Switch Role.
  14. You will find yourself in the production account.
  15. In the upper right, you'll see the color and the name of the account. image.png
  16. Under the Role History in the account dropdown, you'll see a quick link to switch the roles.

Create Development Account

This time, we will take a shortcut and show you the other way to create an account.

  1. Create from the management account
  2. Set up a new account with a new email address
  3. You won't need to accept this invitation
  4. MAKE sure you can access the email, otherwise you won't be able to access the root account.

Summary

At this point, you should have 3 accounts and an organization and the ability to role switch between these accounts with an administrator role.