Transcription of AWS Organizations - User Guide
1 AWS OrganizationsUser GuideAWS Organizations user GuideAWS Organizations : user GuideCopyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored Organizations user GuideTable of ContentsWhat Is AWS Organizations ?
2 1 AWS Organizations Features .. 1 AWS Organizations Pricing .. 2 Accessing AWS Organizations .. 2 Support and Feedback for AWS Organizations .. 3 Other AWS Resources .. 3 Getting Started with AWS Organizations .. 4 Learn about .. 4 AWS Organizations Terminology and Concepts .. 4 Tutorials .. 8 Tutorial: Creating and Configuring an organization .. 8 Prerequisites .. 9 Step 1: Create Your organization .. 9 Step 2: Create the Organizational Units .. 10 Step 3: Create the Service Control Policies .. 11 Step 4: Testing Your organization 's Policies .. 15 Tutorial: Monitor with CloudWatch Events.
3 15 Prerequisites .. 16 Step 1: Configure a Trail and Event Selector .. 17 Step 2: Configure a Lambda Function .. 17 Step 3: Create an Amazon SNS Topic That Sends Emails to Subscribers .. 18 Step 4: Create a CloudWatch Events Rule .. 18 Step 5: Test Your CloudWatch Events Rule .. 19 Clean Up: Remove the Resources You No Longer Need .. 20 Creating and Managing an organization .. 22 Creating an organization .. 22 Email Address Verification .. 23 Enabling All Features .. 24 Beginning the Process to Enable All Features .. 25 Approving the Request to Enable All Features or to Recreate the Service-Linked Role.
4 26 Finalizing the Process to Enable All Features .. 27 Viewing Details About Your organization .. 27 Viewing Details of an organization from the Master Account .. 28 Viewing Details of a Root .. 28 Viewing Details of an 29 Viewing Details of an Account .. 29 Remove the Master Account and Delete the organization .. 30 Managing Accounts .. 32 Impact on an AWS Account That You Invite to Join an organization .. 32 Impact on an AWS Account That You Create in an organization .. 33 Inviting an Account to Your organization .. 33 Sending Invitations to AWS Accounts .. 34 Managing Pending Invitations for Your organization .
5 35 Accepting or Declining an Invitation from an organization .. 36 Creating an Account .. 37 Creating an AWS Account That Is Part of Your organization .. 37 Accessing Member Accounts .. 39 Accessing a Member Account as the Root user .. 39 Creating the OrganizationAccountAccessRole in an Invited Member Account .. 40 Accessing a Member Account That Has a Master Account Access Role .. 41 Removing a Member Account .. 43 Before Removing an Account from an organization .. 43 Removing a Member Account from Your organization .. 44 Leaving an organization as a Member Account .. 45iiiAWS Organizations user GuideClosing an Account.
6 46 Managing 48 Navigating the Root and OU Hierarchy .. 48 Creating an OU .. 49 Renaming an OU .. 50 Moving an Account to an OU or Between the Root and OUs .. 50 Deleting an OU That You No Longer Need .. 51 Managing Policies .. 52 Listing and Displaying Information about organization Policies .. 53 Listing All Policies in the organization .. 53 Listing All Policies Attached to a Root, OU, or Account .. 53 Listing All Roots, OUs, and Accounts That a Policy Is Attached To .. 54 Getting Details About a Policy .. 54 Editing a Policy .. 55 Enabling and Disabling a Policy Type on a Root.
7 55 Attaching a Policy to Roots, OUs, or Accounts .. 56 Detaching a Policy from Roots, OUs, or Accounts .. 57 Deleting a Policy .. 58 Service Control Policies .. 58 Creating a Service Control Policy .. 60 Updating a Service Control Policy .. 61 About SCPs .. 62 Example SCPs .. 65 Enabling Trusted Access with Other AWS Services .. 69 Permissions Required to Enable Trusted Access .. 69 Permissions Required to Disable Trusted Access .. 70 How to Enable or Disable Trusted Access .. 71 AWS Organizations and Service-Linked Roles .. 71 Services That Support Trusted Access with Your organization .
8 72 AWS Artifact .. 72 AWS CloudTrail .. 73 AWS Config .. 73 AWS Directory Service .. 74 AWS Firewall Manager .. 74 AWS Resource Access Manager .. 75 AWS Single Sign-On .. 75 Authentication and Access Control for AWS Organizations .. 76 Access Control .. 77 Managing Access Permissions for Your AWS organization .. 77 AWS Organizations Resources and Operations .. 78 Understanding Resource Ownership .. 79 Managing Access to Resources .. 79 Specifying Policy Elements: Actions, Conditions, Effects, and Resources .. 81 Monitoring Your organization .. 82 Logging AWS Organizations API Calls with AWS CloudTrail.
9 82 AWS Organizations Information in CloudTrail .. 82 Understanding AWS Organizations Log File Entries .. 83 Amazon CloudWatch Events .. 87 AWS Organizations Reference .. 88 Limits of AWS Organizations .. 88 Limits on 88 Maximum and Minimum Values .. 88 Managed Policies .. 90 AWS Organizations Managed Service Control Policies .. 90 Service Control Policy Syntax .. 90 Version 90ivAWS Organizations user GuideStatement 90 Effect 91 Action 91 Resource 92 Principal 93 Condition 93 Troubleshooting AWS Organizations .. 94 Troubleshooting General Issues .. 94I get an "access denied" message when I make a request to AWS Organizations .
10 94I get an "access denied" message when I make a request with temporary security credentials .. 94I get an "access denied" message when I try to leave an organization as a member account orremove a member account as the master account .. 95I get a "limit exceeded" message when I try to add an account to my organization .. 95I get a "this operation requires a wait period" message while adding or removing accounts .. 95I get an " organization is still initializing" message when I try to add an account to myorganization .. 95I used an incorrect email address when I created a member account.
