My AWS organization is a total mess - as owner I've lost control

Question

As the owner of the organization I've lost control over my AWS environment.

What I can do: 
* login as Root User
* login as IAM User
* access services from IAM (Dynamo DB, S3 end else)

What I cannot do: 
* delete rights or users on IAM level
* delete rights or users in Root
* activate access credentials from console

What confuses me: 
* There is no IAM user when I look at my organisation from root
* There is no organisation when I look at it from IAM

What I am not familiar with: 
* CLI (whatever we find, it should be done on AWS console)

Thank you in advance.

![This is how it looks like](/media/postImages/original/IM8U19ppJkQc6yVUlKPRLH-Q)

Answer

It looks like you might be logging into a member of the AWS Organization, not the Organization root account.
One note of clarification here - there are root ACCOUNTS (the AWS account itself) and root USERS [1] (the user account you login with - the email address, not the IAM user [2]).

It also looks like you have some Service Control Policies (SCPs) [3] in place for the Organization that restrict actions of the root user in the member accounts.

If you login to the organization root account (shown under 'Root' in the Organization console) as a user with Admin privileges (or, as a last resort, root - but this is not recommended), you should have unrestricted access to make the changes you need to make to allow your member account IAM user (Mathias) to make the changes in the member account.

[1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
[2] https://docs.aws.amazon.com/accounts/latest/reference/root-user-vs-iam.html
[3] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Answer

Thank you so much. Yes, there were certain restrictions and I now understood better what's Root user and account.

My AWS organization is a total mess - as owner I've lost control

Relevant content