OK, I answered my own question. Putting the information here in case someone else has the same problem.
First, I needed to understand the difference between AWS accounts and IAM users. When dealing with AWS Organizations, it's almost never IAM users. You are dealing with root AWS accounts. So, I created an AWS account for the company, then additional AWS accounts for each business unit. We did nothing with IAM at this point. The company account created a default organization, then additional organizations under it to represent the business units. This makes the company account the "master" account. The company account then invited all the accounts for the business units to join its organization. I had to log in to each business unit AWS account and accept the invitation. Then I used the master account to place each business unit account into its business unit Organization.
The end result is that each business unit can create resources, including additional IAM users, and no other business unit can touch them. The billing for all business units is consolidated and paid for by the master account. This gave us a single bill each month along with isolation between business units.
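The same procedure the answer walks through in the console, scripted with the AWS CLI as an added example (this is not code from the original post). It assumes the default credentials belong to the company (management) account, that each business-unit account has its own named CLI profile for accepting the invitation, and that the OU names, account IDs and profile names used in the usage note are placeholders.

```shell
#!/bin/sh
# Added example: AWS CLI version of "create the organization, create one
# OU per business unit, invite each business-unit account, accept from that
# account, then move it into its OU". Account IDs, OU names and profile
# names are placeholders; nothing here is taken from the original post.
set -eu

AWS=${AWS:-aws}   # command used for every call; override to dry-run or test

# One-time step from the company account: create the organization with
# ALL features so that OUs and consolidated billing are available.
# Prints the organization id.
create_org() {
  $AWS organizations create-organization --feature-set ALL \
    --output text --query 'Organization.Id'
}

# The root is the implicit top-level container every account starts in.
root_id() {
  $AWS organizations list-roots --output text --query 'Roots[0].Id'
}

# Create one OU per business unit directly under the root. Prints the OU id.
create_bu_ou() {   # create_bu_ou <root-id> <bu-name>
  $AWS organizations create-organizational-unit \
    --parent-id "$1" --name "$2" \
    --output text --query 'OrganizationalUnit.Id'
}

# Invite an existing, separately created account. Prints the handshake id
# that the invited account has to accept.
invite_account() {   # invite_account <account-id>
  $AWS organizations invite-account-to-organization \
    --target "Id=$1,Type=ACCOUNT" \
    --output text --query 'Handshake.Id'
}

# Must run with the member account's own credentials (here a named profile),
# not the management account's: only the invitee can accept. Prints the state.
accept_invitation() {   # accept_invitation <member-profile> <handshake-id>
  $AWS --profile "$1" organizations accept-handshake \
    --handshake-id "$2" --output text --query 'Handshake.State'
}

# Joined accounts land under the root; move the account into its BU's OU.
move_to_ou() {   # move_to_ou <account-id> <root-id> <ou-id>
  $AWS organizations move-account --account-id "$1" \
    --source-parent-id "$2" --destination-parent-id "$3"
}

# Check: list the account ids now sitting directly under an OU.
accounts_in_ou() {   # accounts_in_ou <ou-id>
  $AWS organizations list-accounts-for-parent --parent-id "$1" \
    --output text --query 'Accounts[].Id'
}

# Full onboarding of one business unit; prints the OU id it now lives in.
onboard_bu() {   # onboard_bu <bu-name> <account-id> <member-profile>
  bu_root=$(root_id)
  bu_ou=$(create_bu_ou "$bu_root" "$1")
  bu_hs=$(invite_account "$2")
  bu_state=$(accept_invitation "$3" "$bu_hs")
  [ "$bu_state" = "ACCEPTED" ] || { echo "handshake not accepted: $bu_state" >&2; return 1; }
  move_to_ou "$2" "$bu_root" "$bu_ou"
  echo "$bu_ou"
}

# Usage (placeholder values), run from the management account:
#   create_org                                   # once
#   onboard_bu Marketing 111111111111 marketing  # per business unit
#   accounts_in_ou ou-xxxx-xxxxxxxx              # verify the move
```

Run `create_org` once, then `onboard_bu` once per business unit; `accounts_in_ou` afterwards confirms the account is under its OU rather than still at the root. The script deliberately stops if the handshake state is anything other than `ACCEPTED`, because `move-account` on an account that has not finished joining fails with a less obvious error.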