AWS Organizations is a service for consolidating multiple AWS accounts into a central organisation that you create and manage. Organizations includes account management and consolidated billing features to help you better meet your business' budget, security, and compliance needs.
A heads up on the spelling convention in this exercise: we will use American English for the term 'organizations' to be consistent with all the buttons and text that you'll see in the AWS console.
By the end of this exercise, you should be able to:
In this task, you will create an AWS organization through the AWS Management Console.
1. In the left navigation panel, choose Invitations.
When the management account (i.e. the main account that you're currently using) invites existing AWS accounts to join the organization, AWS Organizations emails the owners of each invited account.
2. To invite an existing AWS account to join your organization, select Invite an existing AWS account and provide an AWS account's email address and message. Then, choose Send invitation. Here's what the page should look like:
Tip: try this task with a fellow NextWork AWS student - see what happens when you invite them to your organization! Think about...
Policies in AWS Organizations help you help you set organization-wide or account-wide rules. For example, you can enforce a policy that all accounts within the organization must enable multi-factor authentication (MFA).
1. To view supported policy types, in the left navigation pane, choose Policies.
In this task, you will enable Service control policies for the organization.
A service control policy (SCP) specifies the maximum permissions that can be used by users and roles in your organization's accounts. An SCP doesn't grant permissions. You still need to use IAM permission policies or resource policies to grant permissions.
For example, and IAM permission policy would say "User A can read S3 buckets but cannot write or delete them." A SCP would say "nobody in a member organization can have more than read-only access to S3."
2. Choose Service control policies, and choose Enable service control policies.
3. Choose create policy, and have a browse around the different policies you could implement. You even get tips on what each policy would grant your member organizations.
Bonus: you can also grant specific SCPs for specific accounts - where would you go to do this? Here's a sneak peek of the page you want to be in:
Every month, AWS charges your management account for all the member accounts in a consolidated bill. This happens automatically so you don't need to set it up, but let's check out where you can see consolidated billing in an account.
1. Head to the AWS Billing console.
Ooo, did you run into this page?
Before deleting an organization, first you need to remove all member accounts (member accounts = all other accounts that are not your management account).
Once you delete the organization, your management account becomes a standalone AWS account. As a standalone account, it's now only responsible for paying its own charges and is no longer responsible for the charges incurred by any other account.
You then have three options:
Congratulations! You have successfully:
You might be wondering what would happen if we created a new member account from scratch, instead of inviting an existing AWS account into the organization.
It requires a lot more work than inviting an existing account, we recommend reading through these steps first before deciding whether this is something you want to do!
6. Choose Create AWS account to finish the process. Creating an account is quite a lengthy process - feel free to move on to the next task while you wait!
If you get this message, the AWS account that you're trying to create has failed. Click the 1 request link to check the reason - usually, it's because the email address you've entered is already linked with an existing AWS account.
7. Look for your new account's inbox - you should get an email like this.
8. Now head back to the AWS console and try to delete the new account you've made. You'll see this error pop up - this means we need to set up the member account's billing information to complete the deletion process.
9. To solve this issue, open a new window to log into the AWS console with your new member account's email as the root user. Select Forgot your password? If you get stuck here, check out this guide on accessing a member account.
10. Once you reset your password and access your AWS console as your new member account, head to AWS Organizations. Select the option to Leave this organization.
11. Once you've confirmed this, you'll be given a link to complete the sign up process (i.e. enter credit card details).
12. Once you've set up your new account's details, you can head back to your main management account and try deleting it again.
13. To be safe, consider closing the new member account if you don't think you'll ever use it!