AWS Organizations 1: Getting Started
Life is tough as an AWS administrator. With so many accounts to look after, your workload just keeps piling up. If only there was a way to organis-- OH WAIT!
When you're playing around with AWS for the first time, the sheer breadth of services you have access to can be overwhelming.
This feeling is multiplied several times when you're part of an organisation that employs the use of several accounts - larger companies can own accounts numbering in the hundreds.
Each of these AWS accounts can have its own pool of IAM users and its own payment methods. In a large organisation this can become troublesome to manage.
Luckily, there is a way to consolidate some of these problems with AWS Organizations (the spelling isn't incorrect, it's American).
How it works
This idea is pretty simple. You take a single account and turn it into the Management account (previously known as the Master account) and this creates an organisation.
This account is where you will be able to control how the other accounts are organised.
Here you have 3 different AWS accounts:
- General
- Dev
- Prod
We're going to turn General into the Management account for our organisation.
Creating an Organisation
In the General account, search for AWS Organizations.
Go ahead and click Create an organization (top right). This will begin the process of converting the General account into the Management account.
Just like that, you now have an organisation.
Now that an organisation has been established it's time to add the other accounts.
This can be done by sending an invite.
I've already done it for Dev, so I'll demonstrate with Prod.
In order to send an invite, I will need the prod account ID. This can be found by logging into the prod account and clicking on the profile name on the top right.
Once you have that, navigate back to the AWS Organizations dashboard on the management account, and click Add an AWS account.
Select Invite an existing AWS account and enter the account ID and (optionally) a little welcome message coercing the account admin to join your organisation.
Click Send invitation.
To accept the invite, we need to go back to the prod account and navigate to AWS Organizations, then click on Invitations on the left-hand nav bar.
This will display the details of any pending invitations. Simply click Accept invitation and you're now part of the collective! Congrats!
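Since accepting an invitation hands the account over to whoever sent it, it is worth confirming the sender before clicking Accept. The following is an added example, not part of the original post: it filters output shaped like `aws organizations list-handshakes-for-account` down to open invites from the organisation you expect. The function names, account IDs, organisation IDs and handshake IDs are all constructed for illustration.

```python
import re

# Constructed sample shaped like `aws organizations list-handshakes-for-account`
# output, run from the invited (Prod) account. Every ID below is made up.
def _invite(hs_id, mgmt, org, state, invited):
    return {
        "Id": hs_id,
        "Arn": f"arn:aws:organizations::{mgmt}:handshake/{org}/invite/{hs_id}",
        "Action": "INVITE",
        "State": state,
        "Parties": [{"Id": org, "Type": "ORGANIZATION"},
                    {"Id": invited, "Type": "ACCOUNT"}],
    }

SAMPLE = {"Handshakes": [
    _invite("h-examplehandshakeid111", "111111111111", "o-exampleorgid", "OPEN", "222222222222"),
    _invite("h-examplehandshakeid222", "999999999999", "o-someotherorg", "OPEN", "222222222222"),
    _invite("h-examplehandshakeid333", "111111111111", "o-exampleorgid", "EXPIRED", "222222222222"),
]}

# The account ID embedded in an Organizations ARN is the management account's ID.
ARN_RE = re.compile(
    r"^arn:aws:organizations::(\d{12}):handshake/(o-[a-z0-9]+)/invite/(h-[a-z0-9]+)$")

def trusted_invites(response, my_account, mgmt_account, org_id):
    """Return IDs of open invites sent to my_account by the expected organisation."""
    accepted = []
    for hs in response.get("Handshakes", []):
        # Only pending invitations matter; EXPIRED, DECLINED, etc. are skipped.
        if hs.get("Action") != "INVITE" or hs.get("State") != "OPEN":
            continue
        m = ARN_RE.match(hs.get("Arn", ""))
        if not m:
            continue
        arn_mgmt, arn_org, arn_hs = m.groups()
        # The ARN must name the expected management account and organisation,
        # and must agree with the handshake ID reported alongside it.
        if (arn_mgmt, arn_org, arn_hs) != (mgmt_account, org_id, hs.get("Id")):
            continue
        parties = {(p.get("Type"), p.get("Id")) for p in hs.get("Parties", [])}
        if ("ORGANIZATION", org_id) in parties and ("ACCOUNT", my_account) in parties:
            accepted.append(hs["Id"])
    return accepted

if __name__ == "__main__":
    print(trusted_invites(SAMPLE, "222222222222", "111111111111", "o-exampleorgid"))
```

An ID that passes the check can be accepted from the CLI with `aws organizations accept-handshake --handshake-id <id>`, which has the same effect as the console button.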
If you navigate back to the AWS Organizations dashboard on the management account you can now see a new account has been added.
Now that Prod and Dev are at the mercy of our newly formed organisation, you will find that life gets a little bit easier.
For one, you no longer have to deal with 3 separate bills (one for each account).
As an organisation, the bills accumulated from each account now get consolidated into a single monthly payment billed to the root user of the newly promoted management account.
In the next post, you will learn how to make your life even easier with Role Switching.