AWS Organizations provides a way to centrally manage multiple AWS accounts.
- When an account creates an organization, it becomes the management account.
  - It can invite other standard AWS accounts to become member accounts.
  - It can also create accounts directly in the organization.
- Organization structure
  - Root container (organization root): contains all accounts.
  - Organizational units (OUs): can contain other OUs, member accounts, or the management account.
- Benefits
  - Easier, centralized management.
  - The management account pays for the entire organization (consolidated billing).
  - Volume usage cost savings across accounts.
  - Service control policies (SCPs): set the maximum permissions member accounts can use.
- After accepting an invite, an IAM role can be used to access the member account:
  - In the member account, go to IAM → Roles → Create role.
  - Set the trusted identity to "AWS account" and enter the management account ID.
  - Attach the AdministratorAccess policy.
  - Name the role OrganizationAccountAccessRole, since that is the standard name AWS uses when a new account is created directly in an organization.
  - To assume the role from the management account, choose Switch Role in the account (profile) dropdown and enter the member account ID and the role name OrganizationAccountAccessRole.
- It is good practice to keep all identities in one account (the management account or a designated member account) and use cross-account roles everywhere else.
- Avoid using the management account for production workloads: SCPs do not apply to it, so it cannot be restricted the way member accounts can.
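The role setup and switch-role steps above, as an added example that is not part of the original notes: it builds the trust policy the member account role needs (trusting only the management account, optionally requiring MFA), reviews an existing trust policy for overly broad trust, and emits the `~/.aws/config` profile that assumes the role from the CLI. The account IDs used are constructed placeholders.

```python
import json

ROLE_NAME = "OrganizationAccountAccessRole"


def _check_account_id(account_id: str) -> str:
    # AWS account IDs are exactly 12 digits; catch typos before a role is created.
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def build_trust_policy(management_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy for the role in the member account: only principals in the
    management account may call sts:AssumeRole on it, optionally only with MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{_check_account_id(management_account_id)}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def review_trust_policy(policy: dict, management_account_id: str) -> list:
    """Return findings for an existing trust policy; an empty list means the role
    trusts only the management account and requires MFA to be assumed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                findings.append("trusts any AWS principal ('*')")
            elif management_account_id not in arn:
                findings.append(f"trusts a principal outside the management account: {arn}")
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no MFA condition on sts:AssumeRole")
    return findings


def cli_profile(member_account_id: str, source_profile: str = "management") -> str:
    """~/.aws/config stanza that assumes the member role using management-account
    credentials (the CLI equivalent of the console Switch Role step)."""
    return (
        f"[profile member-{member_account_id}]\n"
        f"role_arn = arn:aws:iam::{_check_account_id(member_account_id)}:role/{ROLE_NAME}\n"
        f"source_profile = {source_profile}\n"
    )
```

Paste the `build_trust_policy` output as the role's trust policy JSON, and run `review_trust_policy` over trust policies pulled from existing member accounts to spot roles that trust `*` or an unexpected account.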