Which AWS service or feature offers the ability to automatically create new AWS accounts?

AWS Organizations makes it easy to create policies to manage multiple AWS accounts. You can use Organizations to create groups of accounts, and then attach policies to those groups. Organizations helps you automate the creation and management of new accounts, without requiring custom scripts and manual processes.

Nội dung chính Show

• Which AWS service provides a quick and automated way to create and manage AWS account?
• Which service can be used to easily create multiple AWS accounts?
• How do I automate a new AWS account?
• Which of the following is an AWS feature that allows for multiple AWS accounts to be combined into a single structure?

Get Started with AWS Organizations

Try AWS Organizations

---

AWS Organizations is available to all AWS customers at no additional charge.

Create groups of AWS accounts with AWS Organizations. 

Attach service control policies (SCPs) to those groups to centrally control AWS service use. 

Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.

Using AWS Organizations, you can create groups of AWS accounts. You can create separate groups of accounts to use with development and production resources, and then apply different policies to each group.

AWS Organizations provides you a policy framework for multiple AWS accounts. You can apply policies to a group of accounts or all the accounts in your organization.

With AWS Organizations, you can use service control policies (SCPs) to manage the use of AWS services at an API level. For example, you can apply a policy to a group of accounts to only allow AWS Identity and Access Management (IAM) users in those accounts to read data from Amazon S3 buckets.

The AWS Organizations APIs help you automate the creation and management of new AWS accounts. Using the Organizations APIs, you can create and add new accounts to a group. Policies attached to a group are automatically applied to accounts added to the group.

AWS Organizations enables you to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon EC2 and Amazon S3.

AWS Organizations allows you to create new organizations with only the consolidated billing features enabled. This enables you to set up a single payment method across your AWS accounts, roll up account activity from multiple accounts into a single invoice, and track costs centrally. Advanced policy controls such as Service Control Policies (SCPs) are not enabled.

AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more »

Q: Can I define and manage my organization regionally?

All organization entities are globally accessible, except for organizations managed in China, similar to how AWS Identity and Access Management (IAM) works today. You do not need to specify an AWS Region when you create and manage your organization, but you will need to create a separate organization for accounts used in China. Users in your AWS accounts can use AWS services in any geographic region in which that service is available.

Q: Can I change which AWS account is the management account?

No. You cannot change which AWS account is the management account. Therefore, you should select your management account carefully.

Q: How do I add an AWS account to my organization?

Use one of the following two methods to add an AWS account to your organization:

Method 1: Invite an existing account to join your organization

1. Sign in as an administrator of the management account and navigate to the AWS Organizations console.

2. Choose the Accounts tab.

3. Choose Add account and then choose Invite account.

4. Provide the email address of the account that you want to invite or the AWS account ID of the account.

Note: You can invite more than one AWS account by providing a comma-separated list of email addresses or AWS account IDs.

The specified AWS account receives an email inviting it to join your organization. An administrator in the invited AWS account must accept or reject the request using the AWS Organizations console, AWS CLI, or Organizations API. If the administrator accepts your invitation, the account becomes visible in the list of member accounts in your organization. Any applicable policies, such as SCPs, will be enforced automatically in the newly added account. For example, if your organization has an SCP attached to the root of your organization it will directly be enforced on the newly created accounts.

Method 2: Create an AWS account in your organization

1. Sign in as an administrator of your management account and navigate to the AWS Organizations console.

2. Choose the Accounts tab.

3. Choose Add account and then choose Create account.

4. Provide a name for the account and the email address for the account.

You can also create an account by using the AWS SDK or AWS CLI. For both methods, after you add the new account, you can move it to an organizational unit (OU). The new account automatically inherits the policies attached to the OU.

Q: Can an AWS account be a member of more than one organization?

No. An AWS account can be a member of only one organization at a time.

Q: How can I access an AWS account that was created in my organization?

As part of AWS account creation, AWS Organizations creates an IAM role with full administrative permissions in the new account. IAM users and IAM roles with appropriate permissions in the master account can assume this IAM role to gain access to the newly created account.

Q: Can I set up multi-factor authentication (MFA) on the AWS account that I create in my organization programmatically?

No. This currently is not supported.

Q: Can I move an AWS account that I have created using AWS Organizations to another organization?

Yes. However, you must first remove the account from your organization and make it a standalone account (see below). After making the account standalone, it can then be invited to join another organization.

Q: Can I remove an AWS account that I created using Organizations and make it a standalone account?

Yes. When you create an account in an organization using the AWS Organizations console, API, or CLI commands, AWS does not collect all of the information required of standalone accounts. For each account that you want to make standalone, you need to update this information, which can include: providing contact information, agreeing to the AWS Customer Agreement, providing a valid payment method, and choosing a support plan option. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account is not attached to an organization. For more information, see Removing a Member Account from Your Organization.

Q: How many AWS accounts can I manage in my organization?

This can vary. If you need additional accounts, go to the AWS Support Center and open a support case to request an increase.

Q: How can I remove an AWS member account from an organization?

You can remove a member account by using one of the following two methods. You might have to provide additional information to remove an account that you created using Organizations. If the attempt to remove an account fails, go to the AWS Support Center and ask for help with removing an account.

Method 1: Remove an invited member account by signing in to the management account

1. Sign in as an administrator of the master account and navigate to the AWS Organizations console.

2. In the left pane, choose Accounts.

3. Choose the account that you want to remove and then choose Remove account.

4. If the account does not have a valid payment method, you must provide one.

Method 2: Remove an invited member account by signing in to the member account

1. Sign in as an administrator of the member account that you want to remove from the organization.

2. Navigate to the AWS Organizations console.

3. Choose *Leave organization*.

4. If the account does not have a payment method, you must provide one.

Q: How can I create an organizational unit (OU)?

To create an OU, follow these steps:

1. Sign in as an administrator of the management account and navigate to the AWS Organizations console.

2. Choose the Organize accounts tab.

3. Navigate in the hierarchy to where you want to create the OU. You can create it directly under the root, or you can create it within another OU.

4. Choose to Create organizational unit and provide a name for your OU. The name must be unique within your organization.

Note: You can rename the OU later.

You now can add AWS accounts to your OU. You can also use the AWS CLI and AWS APIs to create and manage an OU.

Q: How can I add a member AWS account to an OU?

Follow these steps to add member accounts to an OU:

1. In the AWS Organizations console, choose the Organize accounts tab.

2. Choose the AWS account, and then choose Move account.

3. In the dialog box, select the OU to which you want to move the AWS account.

Alternatively, you can use the AWS CLI and AWS APIs to add AWS accounts to an OU.

Q: Can an AWS account be a member of multiple OUs?

No. An AWS account can be a member of only one OU at a time.

Q: Can an OU be a member of multiple OUs?

No. An OU can be a member of only one OU at a time.

Q: How many levels can I have in my OU hierarchy?

You can nest your OUs five levels deep. Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.

Which AWS service provides a quick and automated way to create and manage AWS account?

Which service can be used to easily create multiple AWS accounts?

How do I automate a new AWS account?

Which of the following is an AWS feature that allows for multiple AWS accounts to be combined into a single structure?