
How to create AWS Account through AWS Organization
Managing multiple AWS accounts manually can quickly become overwhelming, especially for growing teams or businesses. That’s where AWS Organizations comes in. It lets you manage multiple AWS accounts centrally, set guardrails using Service Control Policies (SCPs), automate account creation, and streamline billing.
Let’s walk through a simple process for creating a new AWS account using AWS Organizations, with screenshots for each step to make it easy to follow.
Enable AWS Organizations and Set Up a Management Account
Start by signing in to the AWS Management Console with the root user credentials of the account that will become the management (or master) account.
👉 Go to the AWS Organizations console
👉 Click “Create an organization”
Once created, this account automatically becomes the management account of the organization.
Create a New AWS Account from the Organization Console
Now that the organization is set up, it’s time to add a new account.
- While logged in as the management account, navigate to “Accounts”
- Click “Add an account” → Select “Create an account”
- Provide a unique email address and an account name
- Click “Create”
This will create a brand-new AWS account under the AWS organization, and it will appear as a member account.
Note: If we already have another AWS account, we can add it to the organization by clicking the “invite an existing AWS Account” button. The target account must accept the invitation to become part of this organization.
Log In to the New AWS Account for the First Time
Since it’s a newly created account, there won’t be a password set for the root user yet. Here’s how to log in:
- Go to aws.amazon.com
- Click “Sign In to the Console” → Choose “Root user”
- Enter the email address used while creating the new account
- Click “Forgot password?” and follow the steps to set a password
- After resetting, log in using the new root credentials
This is an essential step to activate and secure the new account.
Understand the Auto-Created IAM Role
When we create an account through AWS Organizations, AWS automatically sets up an IAM role called:
OrganizationAccountAccessRole
This role allows the management account to assume permissions in the member account and perform administrative tasks.
You can find it under the IAM Roles section in the newly created account.
Note: This role is created automatically, and we don’t need to do anything to set it up.
Behavior of the Child Account
The new account is now part of the AWS Organization as a child account. It will inherit policies, guardrails, and billing from the management account.
Adding Existing Accounts via Invitation
Instead of creating a new account, we can also invite an existing AWS account to join our organization, as we saw above in the third image.
But note: when we invite an existing account, AWS does not create the OrganizationAccountAccessRole automatically. We will need to manually create a similar IAM role in the invited account to allow the management account to assume control, just like the role we saw above.
Setting up accounts using AWS Organizations helps us stay structured, secure, and scalable. Whether we are managing a startup with multiple environments or an enterprise handling various business units, this method simplifies cloud operations.
But what if we could automate this as well, with an account factory that builds AWS accounts from a template with defined security and governance?
That is possible with AWS Control Tower, and we will cover Control Tower in our upcoming article.
Have questions about AWS best practices or multi-account strategies? Feel free to reach out or drop a comment! 💬

Partho Das, founder of Lia Infraservices, has 15+ years of expertise in cloud solutions, DevOps, and infrastructure security. He provides consultation on architecture planning, DevOps setup, Kubernetes, and cloud migrations. Partho holds multiple AWS and Azure certifications, along with CISCO CCNA & CCNP.