Exercise: Getting Started with AWS Organizations

Natasha Ong

Exercise Overview:

AWS Organizations is a service for consolidating multiple AWS accounts into a central organisation that you create and manage. Organizations includes account management and consolidated billing features to help you better meet your business' budget, security, and compliance needs.

A heads up on the spelling convention in this exercise: we will use American English for the term 'organizations' to be consistent with all the buttons and text that you'll see in the AWS console.

Objectives:

By the end of this exercise, you should be able to:

  • Set up an organization
  • Manage an organization
  • View consolidated billing with an organization
  • Delete an organization

Task 0: Access the AWS Management Console

  1. Sign in to the AWS Management Console as your IAM user.
  2. Select your preferred region for doing this exercise. We recommend picking the region that's closest to you. (AWS Organizations is a global service, so the region you pick doesn't change anything in this exercise; it only affects which region the console shows for regional services.)

Task 1: Create an AWS organization

In this task, you will create an AWS organization through the AWS Management Console.

  1. Navigate to the AWS Organizations home page. In the search bar, enter AWS Organizations. Choose AWS Organizations from the list of results.
  2. Choose Create an organization.
  3. The accounts listed are part of your organization. The account you're signed in to appears under the Root container as the management account. Keep this account for organization administration rather than day-to-day workloads: service control policies never restrict the management account, so anything running in it sits outside the guardrails you'll set up in Task 3.

Task 2: Inviting an existing AWS account to your organization

1. In the left navigation panel, choose Invitations.

When the management account (i.e. the main account that you're currently using) invites existing AWS accounts to join the organization, AWS Organizations emails the owners of each invited account. The invitation is a handshake that the invited account's owner has to accept from their own console; it expires if it isn't accepted within 15 days.

2. To invite an existing AWS account to join your organization, select Invite an existing AWS account and provide an AWS account's email address and message. Then, choose Send invitation. Here's what the page should look like:

Tip: try this task with a fellow NextWork AWS student - see what happens when you invite them to your organization! Think about...

  • What email do they receive?
  • What do you see when they accept the invitation?
  • What is the relationship between your accounts now?
  • What happens if they try to invite you to their organization?
  • Be sure to remove their account in your organization at the end of the exercise.

Task 3: Manage policies in your organization

Policies in AWS Organizations help you set organization-wide or account-wide rules. For example, you can write a policy that denies most API calls in every member account unless the caller signed in with multi-factor authentication (MFA). That's the closest a policy here gets to "enforcing MFA": it can't switch MFA on for a user, but it can make an account nearly useless without it.

1. To view supported policy types, in the left navigation pane, choose Policies.

In this task, you will enable Service control policies for the organization.

A service control policy (SCP) specifies the maximum permissions that users and roles in your organization's member accounts can use. An SCP doesn't grant permissions. You still need to use IAM permission policies or resource policies to grant permissions. Two caveats worth remembering: SCPs never restrict the management account, and a Deny in an SCP applies to everyone in a member account, including that account's root user.

For example, an IAM permission policy would say "User A can read S3 buckets but cannot write or delete them." An SCP would say "nobody in a member account can have more than read-only access to S3." The effective permissions are the intersection of the two: an action goes through only if every SCP on the path from the root to the account lets it through and an IAM policy grants it, and an explicit Deny in either one wins.
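To make that intersection concrete, here is a small evaluator added for this exercise (it is not code from the NextWork page or from AWS) that combines an IAM policy with the SCPs attached at each level of an organization. The policy documents, the aws:MultiFactorAuthPresent request context and the exemption list in the MFA guardrail are constructed for the example, and the evaluator only models Action/NotAction wildcards and Bool/BoolIfExists conditions, not resource ARNs, other condition keys, permissions boundaries or resource policies.

```python
"""Toy model of how service control policies combine with an IAM policy.

Added example for this exercise; not code from the NextWork page or from AWS.
Rules modelled (a subset of the real evaluation logic):
  * at every SCP level (root, each OU, the account) at least one attached SCP
    must Allow the action and none may Deny it;
  * the caller's IAM policy must Allow the action and not Deny it;
  * Action/NotAction wildcards and Bool/BoolIfExists tests on
    aws:MultiFactorAuthPresent are honoured;
  * the management account is never restricted by SCPs.
"""
import fnmatch


def _matches(stmt, action):
    """True if the statement's Action/NotAction element covers `action`."""
    key = "NotAction" if "NotAction" in stmt else "Action"
    patterns = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return not hit if key == "NotAction" else hit


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request context."""
    for operator, tests in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"toy evaluator does not model {operator}")
        for key, wanted in tests.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue        # absent key satisfies an ...IfExists test
                return False        # absent key fails a plain Bool test
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policies, action, context):
    """Combine policy documents at one level: an explicit Deny beats any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(action, iam_policies, scp_levels, context=None,
               management_account=False):
    """Final decision for `action` taken by a principal in an account."""
    context = context or {}
    if not management_account:          # SCPs never apply to the management account
        for level in scp_levels:        # root -> OU -> account: each must allow
            if evaluate(level, action, context) != "Allow":
                return False
    return evaluate(iam_policies, action, context) == "Allow"


# --- constructed sample policies (assumptions for this example) -------------
# AWS attaches this managed SCP everywhere when you enable the policy type.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

S3_READ_ONLY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"}]}

REQUIRE_MFA_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    # leave a user without MFA enough access to enrol a device and get an MFA session
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

USER_A_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}   # IAM grants all of S3

# Root keeps the default; one OU adds the two Deny guardrails; the account level is default.
SCP_LEVELS = [[FULL_AWS_ACCESS],
              [FULL_AWS_ACCESS, S3_READ_ONLY_SCP, REQUIRE_MFA_SCP],
              [FULL_AWS_ACCESS]]
MFA = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA = {"aws:MultiFactorAuthPresent": "false"}

if __name__ == "__main__":
    for action, ctx in [("s3:GetObject", MFA), ("s3:PutObject", MFA),
                        ("s3:GetObject", NO_MFA), ("s3:GetObject", {}),
                        ("iam:EnableMFADevice", NO_MFA)]:
        verdict = is_allowed(action, [USER_A_IAM], SCP_LEVELS, ctx)
        print(f"{action:22s} context={ctx or 'long-term keys'} -> {'allowed' if verdict else 'blocked'}")
```

Three of the sample calls are the ones worth staring at: s3:PutObject is blocked even though IAM grants s3:*, because the OU-level SCP denies it; s3:GetObject with an empty context is blocked because long-term access keys carry no aws:MultiFactorAuthPresent key and BoolIfExists treats an absent key as a match for the Deny; and iam:EnableMFADevice is blocked even though every SCP lets it through, because the IAM policy never granted it, which is exactly the "an SCP doesn't grant permissions" point.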

2. Choose Service control policies, and choose Enable service control policies. When you enable the policy type, AWS attaches its managed FullAWSAccess SCP to the root and to every OU and account, so nothing is restricted until you add your own policies.

3. Choose Create policy and have a browse around the example statements you could add. The editor explains what each statement would deny or allow in your member accounts.

Bonus: you can also attach an SCP to a specific OU or account rather than to the whole organization. Where would you go to do this? Here's a sneak peek of the page you want to be in:

Task 4: Explore consolidated billing with an organization

Every month, AWS charges your management account for all the member accounts in a consolidated bill. This happens automatically so you don't need to set it up, but let's check out where you can see consolidated billing in an account.

1. Head to the AWS Billing console.

  • You can also use the Billing Dashboard to identify your most expensive service/AWS Region and see trends in your spending over the past few months. You can use the dashboard to see different breakdowns of your AWS usage.

Ooo, did you run into this page?

  • It's because your IAM user did not get set up for Billing access when we created it at the start of the course! By default only the root user can see billing data: the root user has to activate IAM user and role access to billing information in the account settings before any IAM permission policy for billing takes effect.
  • Optional: log into AWS with your root user, and attempt the bonus section in our previous exercise about setting up your IAM user. That bonus exercise is all about setting up billing access for your IAM user, and it's good practice for writing IAM permission policies too. 😉

Task 5: Delete an organization

Before deleting an organization, you first need to remove all member accounts (member accounts = every account that is not your management account). The management account itself can't leave; it stays until the organization is deleted.

  1. Head back to AWS Organizations.
  2. Check the box next to the member account you want to remove. Next, choose Actions, and then choose Remove from organization.
  3. To complete the process, choose Remove account. Repeat this process for each member's account.
  4. To delete the entire organization, choose Settings in the left hand navigation panel. In Settings, you can see organization details, delegate administrators, and delete the organization. To delete an organization, choose Delete organization.

Once you delete the organization, your management account becomes a standalone AWS account. As a standalone account, it's now only responsible for paying its own charges and is no longer responsible for the charges incurred by any other account.

You then have three options:

  1. You can continue to use it as a standalone account.
  2. You can use it to create a different organization.
  3. You can accept an invitation and become a member account of another organization.
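Everything you just clicked through in Tasks 1, 2, 3 and 5 is also available through the AWS SDK, which is how you would script this for real. The block below is an added example for this exercise, not code from the NextWork page or from AWS. Task 4 is only a console view, so it is left out. Each function takes an Organizations client: pass boto3.client("organizations") with management-account credentials to run it for real, or the RecordingClient defined in the block, a constructed stand-in that records the calls and returns canned responses so the script runs offline. The account IDs, the invitee email address and the policy name are made-up placeholders.

```python
"""Tasks 1, 2, 3 and 5 of the exercise driven through the AWS SDK.

Added example; not code from the NextWork page or from AWS. Every function
takes an Organizations client, so it works with boto3.client("organizations")
or with the offline RecordingClient below. IDs and emails are placeholders.
"""
import json

# Canned responses for the stand-in client (constructed; shapes match the real API).
CANNED = {
    "create_organization": {"Organization": {"Id": "o-example"}},
    "invite_account_to_organization": {"Handshake": {"Id": "h-example"}},
    "list_roots": {"Roots": [{"Id": "r-example"}]},
    "create_policy": {"Policy": {"PolicySummary": {"Id": "p-example"}}},
    "describe_organization": {"Organization": {"MasterAccountId": "111111111111"}},
    "list_accounts": {"Accounts": [{"Id": "111111111111"}, {"Id": "222222222222"}]},
}

S3_READ_ONLY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"}]}


class RecordingClient:
    """Offline stand-in for the boto3 Organizations client: records every call."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return CANNED.get(api, {})
        return call


def create_organization(org):                       # Task 1
    return org.create_organization(FeatureSet="ALL")["Organization"]["Id"]


def invite_account(org, email, notes):              # Task 2
    """Sends the invitation email; the handshake expires if not accepted within 15 days."""
    handshake = org.invite_account_to_organization(
        Target={"Type": "EMAIL", "Id": email}, Notes=notes)["Handshake"]
    return handshake["Id"]


def enable_scps(org):                               # Task 3, step 2
    """Enabling the policy type also attaches AWS's FullAWSAccess SCP everywhere."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    org.enable_policy_type(RootId=root_id, PolicyType="SERVICE_CONTROL_POLICY")
    return root_id


def create_and_attach_scp(org, name, document, target_id):   # Task 3, step 3 + bonus
    """target_id may be the root, an OU ID or a single account ID."""
    policy_id = org.create_policy(
        Name=name, Description=f"{name} guardrail", Type="SERVICE_CONTROL_POLICY",
        Content=json.dumps(document))["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


def member_account_ids(org, management_id):
    """Every account except the management account, following NextToken pages."""
    ids, token = [], None
    while True:
        page = org.list_accounts(**({"NextToken": token} if token else {}))
        ids += [a["Id"] for a in page["Accounts"] if a["Id"] != management_id]
        token = page.get("NextToken")
        if not token:
            return ids


def delete_organization(org, policy_id, root_id):   # Task 5
    """Detach and delete the custom SCP, remove every member, then delete the org."""
    org.detach_policy(PolicyId=policy_id, TargetId=root_id)
    org.delete_policy(PolicyId=policy_id)           # a policy must be detached before deletion
    management_id = org.describe_organization()["Organization"]["MasterAccountId"]
    removed = member_account_ids(org, management_id)
    for account_id in removed:
        # Raises ConstraintViolationException for a member that has not finished
        # sign-up (no payment method), which is what the bonus section runs into.
        org.remove_account_from_organization(AccountId=account_id)
    org.delete_organization()
    return removed


def run_exercise(org, invitee_email):
    org_id = create_organization(org)
    handshake_id = invite_account(org, invitee_email, "Join the NextWork lab organization")
    root_id = enable_scps(org)
    policy_id = create_and_attach_scp(org, "S3ReadOnly", S3_READ_ONLY_SCP, root_id)
    removed = delete_organization(org, policy_id, root_id)
    return {"organization": org_id, "handshake": handshake_id, "root": root_id,
            "policy": policy_id, "removed_members": removed}


if __name__ == "__main__":
    client = RecordingClient()      # swap for boto3.client("organizations") to run for real
    print(run_exercise(client, "invitee@example.com"))
    for api, kwargs in client.calls:
        print(api, kwargs)
```

Running it offline prints the exact sequence of API calls the console makes on your behalf, which is a handy way to see why the order matters: the policy type has to be enabled before a policy can be created, the policy has to be detached before it can be deleted, and every member has to be gone before delete_organization succeeds.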


Congratulations! You have successfully:

  • Created an organization
  • Managed an organization
  • Viewed consolidated billing with an organization
  • Deleted an AWS organization within the AWS Management Console


Bonus: Creating a new account

You might be wondering what would happen if we created a new member account from scratch, instead of inviting an existing AWS account into the organization.

It requires a lot more work than inviting an existing account, so we recommend reading through these steps first before deciding whether this is something you want to do!

  1. In the left hand navigation panel, select Add an AWS account.
  2. Choose Create an AWS account.
  3. For the AWS account name, enter the name you want to assign to the account. This name helps you distinguish the account from all other accounts in the organization. It is separate from the IAM alias or the email name of the owner.
  4. For the Email address of the account's owner, enter the email address of the account's owner. This email address cannot be used with another AWS account, because it becomes the username for the root user of the new account. If you'd like to invite an existing AWS account, you can skip straight to Task 2.
  5. Here are some optional steps you can do:
    a) Customise the name of the IAM role that is created automatically in the new account. The default name is OrganizationAccountAccessRole. Principals in the management account can assume this role to administer the new account, so make a note of whatever name you choose: it's the only programmatic way into the account until its root user has a password.
    b) Add one or more tags to the new account in the Tags section. Choose Add tag, and enter a key and an optional value.

6. Choose Create AWS account to finish the process. Creating an account is quite a lengthy process, so feel free to do something else while you wait!

If you get this message, the AWS account that you're trying to create has failed. Click the 1 request link to check the reason - usually, it's because the email address you've entered is already linked with an existing AWS account.

7. Look for your new account's inbox - you should get an email like this.

8. Now head back to the AWS console and try to remove the new account from the organization. You'll see this error pop up: it means the new account hasn't completed sign-up (there's no payment method on file), and an account in that state can't be removed until its billing information is set up.

9. To solve this issue, open a new window to log into the AWS console with your new member account's email as the root user. Select Forgot your password? If you get stuck here, check out this guide on accessing a member account.

10. Once you reset your password and access your AWS console as your new member account, head to AWS Organizations. Select the option to Leave this organization.

11. Once you've confirmed this, you'll be given a link to complete the sign up process (i.e. enter credit card details).

12. Once you've set up your new account's details, you can head back to your main management account and try removing it again.

13. To be safe, consider closing the new member account if you don't think you'll ever use it! A closed account stays listed in the organization in a suspended state for 90 days before it's gone for good, so don't be surprised to still see it there.
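The "1 request" link in step 6 exists because account creation is asynchronous: the console fires a request and then polls it for you. Here is what that looks like through the SDK, as an added example for this bonus section (not code from the NextWork page or from AWS). request_account starts the request and wait_for_account polls describe_create_account_status until the state leaves IN_PROGRESS, raising on FAILED with the reason code (EMAIL_ALREADY_EXISTS is the one the text above says you'll usually hit). The ScriptedClient is a constructed stand-in for boto3.client("organizations") that replays a fixed sequence of status responses so the script runs offline; the email address, account name and account ID are placeholders.

```python
"""Create a member account through the API and wait for the result.

Added example for the bonus section; not code from the NextWork page or from
AWS. Pass boto3.client("organizations") with management-account credentials to
run it for real, or the offline ScriptedClient below. Email, name and IDs are
placeholders.
"""
import time

DEFAULT_ROLE = "OrganizationAccountAccessRole"   # AWS's default name for the cross-account role


class AccountCreationFailed(Exception):
    """Raised with the FailureReason code when the request ends in state FAILED."""


def request_account(org, email, name, role_name=DEFAULT_ROLE):
    """Start the creation request and return its CreateAccountRequestId."""
    resp = org.create_account(Email=email, AccountName=name, RoleName=role_name,
                              IamUserAccessToBilling="ALLOW")
    return resp["CreateAccountStatus"]["Id"]


def wait_for_account(org, request_id, poll_seconds=5.0, max_polls=60, sleep=time.sleep):
    """Poll until SUCCEEDED (returns the new account ID) or FAILED (raises)."""
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            raise AccountCreationFailed(status.get("FailureReason", "UNKNOWN"))
        sleep(poll_seconds)              # still IN_PROGRESS: wait and ask again
    raise TimeoutError(f"request {request_id} still IN_PROGRESS after {max_polls} polls")


def create_member(org, email, name, sleep=time.sleep):
    """Convenience wrapper: request, then block until the account exists."""
    request_id = request_account(org, email, name)
    return wait_for_account(org, request_id, sleep=sleep)


class ScriptedClient:
    """Constructed stub: hands back the given CreateAccountStatus dicts in order."""

    def __init__(self, statuses):
        self._statuses = list(statuses)

    def create_account(self, **kwargs):
        return {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, **kwargs):
        return {"CreateAccountStatus": self._statuses.pop(0)}


if __name__ == "__main__":
    no_sleep = lambda seconds: None   # the stub never needs real waiting
    ok = ScriptedClient([{"State": "IN_PROGRESS"},
                         {"State": "SUCCEEDED", "AccountId": "333333333333"}])
    print("created account", create_member(ok, "lab-member@example.com", "nextwork-lab", sleep=no_sleep))

    duplicate = ScriptedClient([{"State": "FAILED", "FailureReason": "EMAIL_ALREADY_EXISTS"}])
    try:
        create_member(duplicate, "lab-member@example.com", "nextwork-lab", sleep=no_sleep)
    except AccountCreationFailed as err:
        print("creation failed:", err)
```

Keeping the sleep function injectable is what lets the failure paths be exercised offline; against the real client the defaults give a five-second poll for up to five minutes, which comfortably covers the usual creation time.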
