General
Q: What is an organization?
An organization is a collection of Amazon Web Services accounts that you can organize into a hierarchy and manage centrally.
Q: What is an Amazon Web Services account?
An Amazon Web Services account is a container for your Amazon Web Services resources. You create and manage your Amazon Web Services resources in an Amazon Web Services account, and the Amazon Web Services account provides administrative capabilities for access and billing.
Q: What is a master account?
A master account is the Amazon Web Services account you use to create your organization. From the master account, you can create other accounts in your organization, invite and manage invitations for other accounts to join your organization, and remove accounts from your organization. You can also attach policies to entities such as administrative roots, organizational units (OUs), or accounts within your organization. The master account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization. You cannot change which account in your organization is the master account.
Q: What is a member account?
A member account is an Amazon Web Services account, other than the master account, that is part of an organization. If you are an administrator of an organization, you can create member accounts in the organization and invite existing accounts to join the organization. You also can apply policies to member accounts. A member account can belong to only one organization at a time.
Q: What is an administrative root?
An administrative root is the starting point for organizing your Amazon Web Services accounts. The administrative root is the top-most container in your organization’s hierarchy. Under this root, you can create OUs to logically group your accounts and organize these OUs into a hierarchy that best matches your business needs.
Q: What is an organizational unit (OU)?
An organizational unit (OU) is a group of Amazon Web Services accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy. For example, you can group all accounts that belong to the same department into a departmental OU. Similarly, you can group all accounts running production services into a production OU. OUs are useful when you need to apply the same controls to a subset of accounts in your organization. Nesting OUs enables smaller units of management. For example, in a departmental OU, you can group accounts that belong to individual teams in team-level OUs. These OUs inherit the policies from the parent OU in addition to any controls assigned directly to the team-level OU.
Q: What is a policy?
A policy is a “document” with one or more statements that define the controls that you want to apply to a group of Amazon Web Services accounts. Amazon Organizations supports the following policies:
- Tag policies: define tag keys and allowed values
Organizing Amazon Web Services accounts
Q: Can I define and manage my organization regionally?
You do not need to specify a region when you create and manage your organization. Users in your Amazon Web Services accounts can use Amazon Web Services services in any China regions in which that service is available.
Q: Can I change which Amazon Web Services account is the master account?
No. You cannot change which Amazon Web Services account is the master account. Therefore, you should select your master account carefully.
Q: How do I add an Amazon Web Services account to my organization?
Use one of the following two methods to add an Amazon Web Services account to your organization:
Method 1: Invite an existing account to join your organization
- Sign in as an administrator of the master account and navigate to the Amazon Organizations console.
- Choose the Accounts tab.
- Choose Add account and then choose Invite account.
- Provide the email address of the account that you want to invite or the Amazon Web Services account ID of the account.
Note: You can invite more than one Amazon Web Services account by providing a comma-separated list of email addresses or Amazon Web Services account IDs.
The specified Amazon Web Services account receives an email inviting it to join your organization. An administrator in the invited Amazon Web Services account must accept or reject the request using the Amazon Organizations console, Amazon CLI, or Organizations API. If the administrator accepts your invitation, the account becomes visible in the list of member accounts in your organization.
Method 2: Create an Amazon Web Services account in your organization
- Sign in as an administrator of your master account and navigate to the Amazon Organizations console.
- Choose the Accounts tab.
- Choose Add account and then choose Create account.
- Provide a name for the account and the email address for the account.
You can also create an account by using the Amazon SDK or Amazon CLI. For both methods, after you add the new account, you can move it to an organizational unit (OU). The new account automatically inherits the policies attached to the OU.
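The invitation flow of Method 1 seen from both sides, as an added example that is not code from this FAQ or from the Organizations service: the target parser is pure and mirrors the console's comma-separated input of email addresses and 12-digit account IDs, and the two functions that reach the service use the boto3 Organizations client (InviteAccountToOrganization, ListHandshakesForAccount, AcceptHandshake). The organization ID the member side expects is an assumed caller-supplied value.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # Amazon Web Services account IDs are 12 digits

def parse_invite_targets(spec: str) -> list:
    """Turn the comma-separated emails and/or account IDs the console accepts into the
    Target structures that InviteAccountToOrganization takes."""
    targets = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue  # tolerate trailing commas and blank entries
        if ACCOUNT_ID_RE.match(item):
            targets.append({"Type": "ACCOUNT", "Id": item})
        elif "@" in item:
            targets.append({"Type": "EMAIL", "Id": item})
        else:
            raise ValueError(f"not an account ID or email address: {item!r}")
    return targets

def invite_accounts(spec: str, notes: str = "Invitation sent from the master account") -> list:
    """Master-account side: send one invitation per target and return the handshake IDs."""
    import boto3  # imported here so the pure parser above runs without the SDK installed
    org = boto3.client("organizations")
    return [org.invite_account_to_organization(Target=t, Notes=notes)["Handshake"]["Id"]
            for t in parse_invite_targets(spec)]

def accept_pending_invitations(expected_org_id: str) -> list:
    """Member-account side: accept only OPEN invitations that come from the expected organization."""
    import boto3
    org = boto3.client("organizations")
    accepted = []
    for hs in org.list_handshakes_for_account()["Handshakes"]:
        if hs["Action"] != "INVITE" or hs["State"] != "OPEN":
            continue
        sender = next(p["Id"] for p in hs["Parties"] if p["Type"] == "ORGANIZATION")
        if sender != expected_org_id:
            continue  # an invitation from an unexpected organization is left for a human to review
        org.accept_handshake(HandshakeId=hs["Id"])
        accepted.append(hs["Id"])
    return accepted
```

Checking the sending organization's ID before accepting keeps a member account from joining an organization it was never meant to join, which is otherwise a single click in the console.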
Q: Can an Amazon Web Services account be a member of more than one organization?
No. An Amazon Web Services account can be a member of only one organization at a time.
Q: Can I move an Amazon Web Services account that I have created using Amazon Organizations to another organization?
Yes. However, you must first remove the account from your organization and make it a standalone account (see below). After making the account standalone, it can then be invited to join another organization.
Q: Can I remove an Amazon Web Services account that I created using Organizations and make it a standalone account?
Yes. When you create an account in an organization using the Amazon Organizations console, API, or CLI commands, Amazon Web Services does not collect all of the information required of standalone accounts. For each account that you want to make standalone, you need to update this information, which can include: providing contact information, agreeing to the Sinnet Customer Agreement for Amazon Web Services (Beijing Region) and Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region), providing a valid payment method, authorizing or supplementing other information required for the Amazon Web Services account sign-up, and choosing a support plan option. We use the payment method you selected to charge for any billable Amazon Web Services activity that occurs while the account is not attached to an organization.
Q: How many Amazon Web Services accounts can I manage in my organization?
This can vary. If you need additional accounts, go to the Amazon Web Services Support Center and open a support case to request an increase.
Q: How can I remove an Amazon Web Services member account from an organization?
You can remove a member account by using one of the following two methods. You might have to provide additional information to remove an account that you created using Organizations. If the attempt to remove an account fails, go to the Amazon Web Services Support Center and ask for help with removing an account.
Method 1: Remove an invited member account by signing in to the master account
- Sign in as an administrator of the master account and navigate to the Amazon Organizations console.
- In the left pane, choose Accounts.
- Choose the account that you want to remove and then choose Remove account.
- If the account does not have a valid payment method, you must provide one.
Method 2: Remove an invited member account by signing in to the member account
- Sign in as an administrator of the member account that you want to remove from the organization.
- Navigate to the Amazon Organizations console.
- Choose Leave organization.
- If the account does not have a payment method, you must provide one.
Q: How can I create an organizational unit (OU)?
To create an OU, follow these steps:
- Sign in as an administrator of the master account and navigate to the Amazon Organizations console.
- Choose the Organize accounts tab.
- Navigate in the hierarchy to where you want to create the OU. You can create it directly under the root, or you can create it within another OU.
- Choose Create organizational unit and provide a name for your OU. The name must be unique within your organization.
Note: You can rename the OU later.
You now can add Amazon Web Services accounts to your OU. You can also use the Amazon CLI and Amazon APIs to create and manage an OU.
Q: How can I add a member Amazon Web Services account to an OU?
Follow these steps to add member accounts to an OU:
- In the Amazon Organizations console, choose the Organize accounts tab.
- Choose the Amazon Web Services account, and then choose Move account.
- In the dialog box, select the OU to which you want to move the Amazon Web Services account.
Alternatively, you can use the Amazon CLI and Amazon APIs to add Amazon Web Services accounts to an OU.
Q: How many levels can I have in my OU hierarchy?
You can nest your OUs five levels deep. Including root and Amazon Web Services accounts created in the lowest OUs, your hierarchy can be five levels deep.
Billing
Q: What does Amazon Organizations cost?
Amazon Organizations is offered at no additional charge.
Q: Who pays for usage incurred by users under an Amazon Web Services member account in my organization?
The owner of the master account is responsible for paying for all usage, data, and resources used by the accounts in the organization.
Q: Will my bill reflect the organizational unit structure that I created in my organization?
No. For now, your bill will not reflect the structure that you have defined in your organization.
Control management
Q: At what levels of my organization can I apply a policy?
You can attach a policy to the root of your organization (it then applies to all accounts in your organization), to an individual organizational unit (OU) (it then applies to all accounts in that OU, including those in nested OUs), or to an individual account.
Q: How can I attach a policy?
You can attach a policy in one of two ways:
- In the Amazon Organizations console, navigate to where you want to assign the policy (the root, an OU, or an account), and then choose Attach Policy.
- In the Organizations console, choose the Policies tab and do one of the following:
  - Choose an existing policy, choose Attach Policy from the Actions drop-down list, and then choose the root, OU, or account to which you want to attach the policy.
  - Choose Create Policy, and then as part of the policy creation workflow, choose the root, OU, or account to which you want to attach the new policy.
Q: Are policies inherited through hierarchical connections in my organization?
Yes. For example, let’s assume that you have arranged your Amazon Web Services accounts into OUs according to your application development stages: DEV, TEST, and PROD. Policy P1 is attached to the organization’s root, policy P2 is attached to the DEV OU, and policy P3 is attached to Amazon Web Services account A1 in the DEV OU. With this setup, P1+P2+P3 all apply to account A1.
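A small model of the inheritance described above and of the attachment levels and OU nesting limit from the earlier answers, as an added example that is not code from this FAQ or from the Organizations service. It builds the root, the DEV/TEST/PROD OUs and account A1, attaches P1, P2 and P3 as tag policies, and computes what applies to A1; the merge rule for inherited tag policies (a child may narrow the values allowed for a parent's key, never widen them) is a simplifying assumption made for this example.

```python
from dataclasses import dataclass, field

MAX_OU_DEPTH = 5  # OU nesting limit stated in this FAQ

@dataclass
class Node:
    name: str
    kind: str  # "ROOT", "OU" or "ACCOUNT"
    policies: list = field(default_factory=list)  # (policy name, {tag key: allowed values})
    parent: "Node | None" = None

    def add(self, child: "Node") -> "Node":
        """Attach a child under this node; refuse OU nesting deeper than the stated limit."""
        if child.kind == "OU" and ou_depth(self) >= MAX_OU_DEPTH:
            raise ValueError(f"OU {child.name} would exceed {MAX_OU_DEPTH} levels")
        child.parent = self
        return child

def ou_depth(node: "Node") -> int:
    """Count the OUs on the path from the root to this node (the node included if it is an OU)."""
    depth, cur = 0, node
    while cur is not None:
        depth += cur.kind == "OU"
        cur = cur.parent
    return depth

def effective_policies(account: "Node") -> list:
    """Policies applying to an account, in inheritance order: root, each OU on the path, then its own."""
    chain, cur = [], account
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    return [p for node in reversed(chain) for p in node.policies]

def effective_tag_rules(account: "Node") -> dict:
    """Merge inherited tag policies (assumed rule: a child may narrow, never widen, a parent's key)."""
    rules = {}
    for _name, tag_policy in effective_policies(account):
        for key, allowed in tag_policy.items():
            rules[key] = set(allowed) if key not in rules else rules[key] & set(allowed)
    return rules

def tag_violations(account: "Node", tags: dict) -> list:
    """Tags on a resource in this account whose values the effective rules do not allow."""
    rules = effective_tag_rules(account)
    return [(k, v) for k, v in tags.items() if k in rules and v not in rules[k]]

# Constructed hierarchy from the FAQ's example: P1 on the root, P2 on the DEV OU, P3 on account A1.
root = Node("root", "ROOT", [("P1", {"CostCenter": ["1001", "1002"]})])
dev = root.add(Node("DEV", "OU", [("P2", {"Environment": ["dev", "sandbox"]})]))
root.add(Node("TEST", "OU")); root.add(Node("PROD", "OU"))
a1 = dev.add(Node("A1", "ACCOUNT", [("P3", {"Environment": ["dev"]})]))
```

Running `effective_policies(a1)` yields P1, P2 and P3 in that order, and a resource in A1 tagged `Environment=sandbox` is reported even though the DEV OU's policy alone would allow it, because A1's own policy narrows the key.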
Q: What types of policies does Amazon Organizations support?
Currently, Amazon Organizations supports the following policies:
- Tag policies: define tag keys and allowed values