Did we use AWS Organizations wrong?

0

Rather than sharing a single "root" login for account A on a 3rd-party service, it's often preferable to invite other accounts (B, C, D, etc.) and assign permissions to each of these accounts (admin, viewer, etc.).

The "owner" of AWS account A invited the owner of account B into their "organization" by using owner B's email address associated with B's AWS root account.

Assumption: B would remain independent but be able to switch into a management (admin) role of account A as authorized. A should not have ANY access to account B.

Now it would appear Account A has consumed Account B?!?! What does "Organization" mean in AWS parlance (read: layman's speak)? An IAM role is what should have been done, but now I'm trying to understand what happened and help them back out of this…if possible?

1 answer
1

When an account is invited to join an AWS Organization and becomes a member, the Organization management account is liable for all charges accrued by the new member account. Payment methods attached to the member account are no longer used.

Additionally, when an invited account (in this case) joins your organization, you do not automatically have full administrator control over the account. If you want the management account to have full administrative control over the invited member account, you must create the OrganizationAccountAccessRole IAM role.

The following document details steps in removing a member account from an Organization.

AWS
answered 2 years ago
