Creating and configuring an organization with Service Control Policies

GiraldoYeison/CreatingOrganizations

Creating and configuring an organization

Creation Date: November 20, 2023
Created By: Yeison Giraldo

# Logging as root to your account

Remember that as a best practice you should not use your root user for day-to-day work; in this tutorial we are

The tutorial has four main steps.

Step 1: Create your organization

In this step, you create an organization with your current AWS account as the management account. You also invite one existing AWS account to join your organization and create a second account as a member account. In this walkthrough only the created account is used as the member account.

Step 2: Create the organizational units

Next, you create two organizational units (OUs) in your new organization and place the member accounts in those OUs.

Step 3: Create the service control policies

You can restrict which actions users and roles in the member accounts are able to perform by using service control policies (SCPs). An SCP never grants permissions: it only sets the maximum permissions available in an account, and the effective permissions are the intersection of what the SCPs allow and what the identity's IAM policies allow. In this step, you create three SCPs and attach them to the root and to the OUs in your organization.

Step 4: Test your organization's policies

You can sign in as users in each of the test accounts and observe the effects that the SCPs have on those accounts.

None of the steps in this tutorial incurs costs to your AWS bill. AWS Organizations is a free service.

Once you log in to your account, search for AWS Organizations in the AWS Management Console.

  1. On the introduction page, choose Create an organization.

  2. In the confirmation dialog box, choose Create an organization.

    Note

    By default, the organization is created with all features enabled. You can also create the organization with only consolidated billing features enabled.

    AWS creates the organization and shows you the AWS accounts page. If you're on a different page, choose AWS accounts in the navigation pane on the left.

    If the account you use has never had its email address verified by AWS, a verification email is automatically sent to the address that is associated with your management account. There might be a delay before you receive the verification email.

  3. Verify your email address within 24 hours. For more information, see Email address verification.

You now have an organization with your account as its only member. This is the management account of the organization.

Invite an existing account to join your organization

  1. Navigate to the AWS accounts page, and choose Add an AWS account.

  2. On the Add an AWS account page, choose Invite an existing AWS account.

  3. In the Email address or account ID of an AWS account to invite box, enter the email address of the owner of the account that you want to invite, similar to the following: [email protected]. Alternatively, if you know the AWS account ID number, you can enter it instead.

  4. Type any text that you want into the Message to include in the invitation email message box. This text is included in the email that is sent to the owner of the account.

  5. Choose Send invitation. AWS Organizations sends the invitation to the account owner.

Create a member account

  1. On the AWS Organizations console, on the AWS accounts page, choose Add an AWS account.

  2. On the Add an AWS account page, choose Create an AWS account.

  3. For AWS account name, enter a name for the account, such as Memberaccount (the name used in the steps that follow).

  4. For Email address of the account's root user, enter the email address of the individual who is to receive communications on behalf of the account. This value must be globally unique. No two accounts can have the same email address. For example, you might use something like [email protected].

  5. For IAM role name, you can leave this blank to automatically use the default role name of OrganizationAccountAccessRole, or you can supply your own name. This role is created in the new member account with full administrative permissions and trusts the management account, so any principal in the management account that is permitted to call sts:AssumeRole on it gets administrator access to the member account. Restrict that permission in the management account to the identities that genuinely need it. For this tutorial, leave it blank to instruct AWS Organizations to create the role with the default name.

  6. Choose Create AWS account. You might need to wait a short while and refresh the page to see the new account appear on the AWS accounts page.

Step 2: Create the organizational units

In the steps in this section, you create organizational units (OUs) and place your member accounts in them. When you're done, the management account remains in the root, one member account is in the Production OU, and the other member account is in the MainApp OU, which is a child of Production. The steps below create the Production OU; a child OU such as MainApp is created the same way, with Production selected instead of Root.

Note

In the steps that follow, you interact with objects for which you can choose either the name of the object itself, or the radio button next to the object.

  • If you choose the name of the object, you open a new page that displays the object's details.

  • If you choose the radio button next to the object, you are identifying that object to be acted upon by another action, such as choosing a menu option.

The steps that follow have you choose the radio button so that you can then act on the associated object by making menu choices.

To create a new OU

  1. Choose the check box next to the Root container.

  2. On the Children tab, choose Actions, and then under Organizational unit, choose Create new.

  3. On the Create organizational unit in Root page, for Organizational unit name, enter Production and then choose Create organizational unit.

Move a member account to an OU

  1. Return to the AWS accounts page, and then expand the tree under your Production OU by choosing the triangle next to it. If you also created the MainApp OU, it is displayed as a child of Production.

  2. Next to Memberaccount, choose the check box (not its name), choose Actions, and then under AWS account, choose Move.

  3. On the Move AWS account page for Memberaccount, choose the triangle next to Production to expand it. Next to Production, choose the radio button (not its name), and then choose Move AWS account.

Step 3: Create the service control policies

In the steps in this section, you create three service control policies (SCPs) and attach them to the root and to the OUs to restrict what users in the organization's accounts can do. The first SCP prevents anyone in any of the member accounts from creating or modifying the AWS CloudTrail trails that you configure. The management account isn't affected by any SCP, so after you apply the CloudTrail SCP you must create and manage trails from the management account.

Enable the service control policy type for the organization

Before you can attach a policy of any type to a root or to any OU within a root, you must enable the policy type for the organization. Policy types aren't enabled by default. The steps in this section show you how to enable the service control policy (SCP) type for your organization.

  1. Navigate to the Policies page, and then choose Service control policies.

  2. On the Service control policies page, choose Enable service control policies.

    A green banner appears to inform you that you can now create SCPs in your organization.

Create the first SCP: Block CloudTrail Configuration Actions

  1. Navigate to the Policies page, choose Service control policies, and then choose Create policy.

  2. For Policy name, enter Block CloudTrail Configuration Actions.

  3. In the Policy section, in the list of services on the right, select CloudTrail for the service. Then choose the following actions: AddTags, CreateTrail, DeleteTrail, RemoveTags, StartLogging, StopLogging, and UpdateTrail.

  4. Still in the right pane, choose Add resource and specify CloudTrail and All Resources. Then choose Add resource.

    The policy statement on the left should now show a Deny statement covering those seven CloudTrail actions on all resources.

  5. Choose Create policy to save the SCP.

Create the second SCP: Allow List for All Approved Services

  1. Choose Create policy again. For Policy name, enter Allow List for All Approved Services.

  2. In the Policy section, add an Allow statement for each of the services that you approve for use in the OU where you will attach this policy, and then choose Create policy. Because every action that this policy does not explicitly allow is blocked at the level where it is attached, check that the list covers everything the accounts in that OU legitimately need, including the services that their roles and tooling call behind the scenes.

Create the third SCP: deny access to services that can't be used

  1. Choose Create policy again and enter a name for the policy.

  2. In the Policy section, in the list of services on the right, select Amazon DynamoDB for the service. For the action, choose All actions.

  3. Still in the right pane, choose Add resource and specify DynamoDB and All Resources. Then choose Add resource.

    The policy statement on the left should now show a Deny statement for all DynamoDB actions on all resources.

  4. Choose Create policy.

Attach the SCPs

  1. On the AWS accounts page, choose Root (its name, not the radio button) to navigate to its details page.

  2. On the Root details page, choose the Policies tab, and then under Service control policies, choose Attach.

  3. On the Attach a service control policy page, choose the radio button next to the SCP named Block CloudTrail Configuration Actions, and then choose Attach policy. In this tutorial, you attach it to the root so that it applies to all member accounts and prevents anyone in them from altering the way that you configured CloudTrail.

    The Root details page, Policies tab now shows that two SCPs are attached to the root: the one you just attached and the default FullAWSAccess SCP.

The tests in Step 4 assume that the other two SCPs are attached the same way from the details page of the relevant OU: the allow list to the Production OU and the deny list to the MainApp OU. When you attach an allow list to an OU, also detach the default FullAWSAccess SCP from that OU; SCP evaluation treats any Allow at a given level as sufficient, so with FullAWSAccess still attached the allow list restricts nothing. Do not detach FullAWSAccess from the root: the CloudTrail Deny is enough there, and an action must be allowed at every level of the path, so removing the root-level Allow would block every action in every member account.

Step 4: Testing your organization's policies

You can now sign in as a user in any of the member accounts and try to perform various AWS actions. Keep in mind that an SCP never grants permissions: the user still needs an IAM policy that allows the action, and the effective permissions are the intersection of what the SCPs on the account's path (root, OUs, account) allow and what the IAM policies allow.

  • If you sign in as a user in the management account, you can perform any operation that is allowed by your IAM permissions policies. The SCPs don't affect any user or role in the management account, no matter which root or OU the account is located in.

  • If you sign in as a user in account 222222222222 (the member account in the Production OU), you can perform any actions that are allowed by the allow list and by your IAM policies. AWS denies any attempt to perform an action in any service that isn't in the allow list. It also denies any attempt to perform one of the CloudTrail configuration actions, because that SCP is attached to the root and is inherited by every OU and account beneath it.

  • If you sign in as a user in account 333333333333 (the member account in the MainApp OU, a child of Production), you can perform any actions that are allowed by the allow list and not blocked by the deny list. AWS denies any attempt to perform an action that isn't in the allow list policy and any action that is in the deny list policy. It also denies any attempt to perform one of the CloudTrail configuration actions.
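To see how the three SCPs from Step 3 combine into the outcomes listed above, here is an added example that is not code from the original page or from the author's repository. It writes out the policy documents described in Step 3 as Python dictionaries and applies the documented SCP evaluation rules over the tutorial's hierarchy: the management account is exempt, a member account's action must be allowed (and not denied) by the SCPs at every level of its path from the root down, and SCPs grant nothing on their own. Assumptions that the page does not state: the services in the allow list (ec2 and s3), that the allow list is attached to the Production OU with FullAWSAccess detached and the deny list to the MainApp OU, and that Resource and Condition elements are ignored because every policy here uses "*". The account IDs are the ones used in Step 4.

```python
"""Simplified SCP evaluator for the tutorial's hierarchy.

Added example, not the tutorial's own code. Rules modelled (documented SCP
behaviour): SCPs never restrict the management account; for a member account an
action passes the SCP check only if, at EVERY level of the path
root -> OU -> ... -> account, some attached SCP allows it and none denies it;
SCPs grant nothing, so the identity's IAM policy must still allow the action.
Assumptions (not on the page): the allow-listed services (ec2, s3), where the
2nd and 3rd SCPs are attached, and that Resource/Condition are ignored because
every SCP here uses "*".
"""
import fnmatch


def _as_list(value):
    """IAM lets "Action" be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


# Default SCP that AWS attaches to the root and to every new OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# SCP 1 from Step 3: deny the seven CloudTrail configuration actions.
BLOCK_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:AddTags", "cloudtrail:CreateTrail",
               "cloudtrail:DeleteTrail", "cloudtrail:RemoveTags",
               "cloudtrail:StartLogging", "cloudtrail:StopLogging",
               "cloudtrail:UpdateTrail"]}]}

# SCP 2: the allow list. The page does not show its services; ec2/s3 assumed.
ALLOW_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

# SCP 3 from Step 3: deny every DynamoDB action.
DENY_DYNAMODB = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}


def scps_allow(attached, action):
    """True if the SCPs attached at ONE level of the hierarchy allow the action."""
    allowed = False
    for policy in attached:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False          # an explicit Deny wins at this level
                allowed = True
    return allowed


def effective_permission(path, action, iam_allows=True, management=False):
    """Final decision: SCP check at every level on the path, then IAM."""
    if management:
        return iam_allows                 # SCPs do not apply to the management account
    return all(scps_allow(level, action) for level in path) and iam_allows


# Attachments (assumed for SCP 2 and 3; the page only shows SCP 1 on the root):
#   root          -> FullAWSAccess + Block CloudTrail
#   Production OU -> allow list only (FullAWSAccess deliberately detached)
#   MainApp OU    -> FullAWSAccess + Deny DynamoDB (child of Production)
ROOT = [FULL_AWS_ACCESS, BLOCK_CLOUDTRAIL]
PRODUCTION_OU = [ALLOW_LIST]
MAINAPP_OU = [FULL_AWS_ACCESS, DENY_DYNAMODB]
ACCOUNT_LEVEL = [FULL_AWS_ACCESS]         # every new account starts with FullAWSAccess

PATHS = {                                 # account IDs as used in Step 4
    "222222222222": [ROOT, PRODUCTION_OU, ACCOUNT_LEVEL],
    "333333333333": [ROOT, PRODUCTION_OU, MAINAPP_OU, ACCOUNT_LEVEL],
}


def can(account, action, iam_allows=True):
    """Decision for a principal in a member account; iam_allows is its IAM result."""
    return effective_permission(PATHS[account], action, iam_allows)


def allow_list_without_detaching_fullaccess(account, action):
    """Common mistake: leaving FullAWSAccess on the OU next to the allow list.
    Any one Allow at a level is enough, so the allow list then restricts nothing."""
    leaky_production = [FULL_AWS_ACCESS, ALLOW_LIST]
    path = [leaky_production if level is PRODUCTION_OU else level
            for level in PATHS[account]]
    return effective_permission(path, action)


if __name__ == "__main__":
    for acct in PATHS:
        for act in ("ec2:RunInstances", "s3:GetObject", "dynamodb:PutItem",
                    "cloudtrail:StopLogging", "iam:CreateUser"):
            verdict = "ALLOW" if can(acct, act) else "DENY"
            print(f"{acct} {act:<24} {verdict}")
    print("222222222222 dynamodb:PutItem with FullAWSAccess left on Production:",
          allow_list_without_detaching_fullaccess("222222222222", "dynamodb:PutItem"))
```

Running the block prints ALLOW or DENY for each account and action: both member accounts can use EC2 and S3, neither can touch DynamoDB or the CloudTrail configuration actions, and iam:CreateUser is blocked in both because it is absent from the allow list. The last line shows the misconfiguration that the attach step warns about: with FullAWSAccess still attached beside the allow list on the Production OU, dynamodb:PutItem becomes allowed in account 222222222222, while the CloudTrail Deny at the root still holds because a Deny at any level is final.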



Created with Tango.us
