AWS – Setting up a master account with AWS Organizations


In the previous recipe, you used AWS Control Tower to automatically create your landing zone. AWS Control Tower relies on AWS Organizations to manage Organizational Units and Accounts, so it’s very important to understand how it works. In this recipe, you will use AWS Organizations to create your own account structure from scratch, starting with a new master account.

All accounts that use AWS Organizations for billing and control purposes must have a master account. This account controls membership to the organization and pays the bills of all the members (someone’s got to do it!).

How to do it…

To set up a master account, perform the following steps:

  1. Go to the My Organization section of the account you want to become the master of. You must be logged in with your root credentials (that is, those you created the account with):

[Screenshot: My Organization]
  2. In the AWS Organizations section of the AWS console, click on Create organization, as shown in the following screenshot:

[Screenshot: AWS Organizations]
  3. Unless you have a specific requirement, choose to ENABLE ALL FEATURES to get the full benefit of Organizations, as shown in the following screenshot:

[Screenshot: Create new organization screen]
  4. Now that your account has been converted, you can return to the AWS Organizations page to see a list of all your accounts:

How it works…

While this is a very simple recipe, it’s the first thing you must do before you can use any of the useful features in AWS Organizations.

The following is a high-level diagram showing the relationships between master accounts, members, and organizational units (OUs):

[Diagram: Organization units]

We deliberately enable all the features of organizations. The consolidated billing option is available for backward compatibility; before Organizations, consolidated billing was your only option for linking accounts.

Do not use your master account for day-to-day tasks. Since it is so important, it doesn’t make sense to risk using it and/or having access keys for it. If your master account somehow became compromised, it would impact all of your member accounts. Just don’t do it.

The master account will always have a star next to its name.

There’s more…

All of AWS Organizations' functionality is exposed via the API. This means you can use the AWS SDKs or the CLI tool to do the same things you would in the web console.

Using the CLI

You can easily create your master account with the CLI tool. The following command will turn your account into a master account, with all of AWS Organizations' features enabled:

aws organizations create-organization

You can extend this command with the --feature-set flag to enable consolidated billing without the rest of the advanced features associated with AWS Organizations.
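Once the organization exists, the two things this recipe asks you to verify are that the feature set is really ALL and that the master account's root user carries no access keys. The following added example (not from the book) checks both by parsing the JSON that `aws organizations describe-organization` and `aws iam get-account-summary` print; the sample responses embedded below are constructed, and the account ids in them are placeholders.

```python
import json

# Constructed sample of `aws organizations describe-organization` output.
# The shape follows the API; the ids and e-mail are placeholders, not real accounts.
DESCRIBE_ORG_JSON = """
{
  "Organization": {
    "Id": "o-exampleorgid",
    "Arn": "arn:aws:organizations::111111111111:organization/o-exampleorgid",
    "FeatureSet": "CONSOLIDATED_BILLING",
    "MasterAccountArn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
    "MasterAccountId": "111111111111",
    "MasterAccountEmail": "master@example.com"
  }
}
"""

# Constructed sample of `aws iam get-account-summary`, as run in the master account.
ACCOUNT_SUMMARY_JSON = """
{"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0, "Users": 0}}
"""


def check_master_account(describe_org: dict, account_summary: dict) -> list:
    """Return a list of findings; an empty list means the setup matches the recipe."""
    findings = []
    org = describe_org["Organization"]
    # The recipe enables all features; CONSOLIDATED_BILLING is the legacy mode.
    if org.get("FeatureSet") != "ALL":
        findings.append(f"FeatureSet is {org.get('FeatureSet')}, expected ALL")
    summary = account_summary["SummaryMap"]
    # Root access keys on the master account put every member account at risk.
    if summary.get("AccountAccessKeysPresent", 0):
        findings.append("master account root user has access keys; delete them")
    if not summary.get("AccountMFAEnabled", 0):
        findings.append("master account root user has no MFA device")
    return findings


def run_checks() -> list:
    """Run the checks against the constructed sample responses above."""
    return check_master_account(json.loads(DESCRIBE_ORG_JSON),
                                json.loads(ACCOUNT_SUMMARY_JSON))


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

To use it against a real account, replace the two embedded strings with the saved output of the corresponding CLI commands.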

See also

  • The Inviting an account recipe in this chapter
  • The Creating a member account recipe in this chapter
