Did we use AWS Organizations wrong?

Question

Rather than sharing a single "root" login for **account A** on a 3rd party service it's often preferable to invite other account (B, C, D, etc.)  and assign permissions to each of these accounts (admin, viewer, etc.)

The "owner" of AWS **account A** invited the owner of **account B** into their "organization" by using owner B's email address associated with **B's** AWS root account.

Assumption: **B** would remain independent but be able to switch into a management (admin) role of account **A** as authorized. **A** should not have ANY access to account **B**.

Now it would appear Account **A** has consumed Account **B**?!?!   What does "Organization" mean in AWS parlance (read: layman's speak)? IAM role is what should have been done but now I'm trying to understand what happened and help them back out of this…if possible?

mkosta-AWS · Answer

When an account is invited to join an AWS Organization and becomes a member, the Organization management account is liable for all charges accrued by the new member account. Payment methods attached to the member account are no longer used.

Additionally, when an invited account (in this case) joins your organization, you ***do not*** automatically have full administrator control over the account. If you want the management account to have full administrative control over the invited member account, you must create [OrganizationAccountAccessRole](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role) IAM role.

The [following](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html) document details steps in removing a member account from an Organization.

Did we use AWS Organizations wrong?

Relevant content