Create an AWS organization with a production account with running workloads


Hello,

I want to create an AWS organization but I'm a bit worried about my production services.

I have an AWS account with all my workloads running in production.

I decided to manage those workloads by splitting them into multiple accounts, like dev, pre, pro; however, in the meantime I want to keep my "legacy" workloads running.

Is there any risk, when creating an organization, of losing any of the running services? Like EC2, RDS, EKS and so on.

Thank you!

asked a year ago, 353 views
1 Answer

The AWS Organizations management/payer account should not have any workloads on it. These should be separated into member accounts and OUs. With that being said, the recommendation would be for you to create a new AWS account and use that account as the management account for your AWS Organization. On the management account you can define your OU structure and then invite the existing accounts to join your organization. You can see additional information on how to do that here.

It is also important to point out that when you invite accounts to join your organization, you do not automatically have full administrator control over the account, unlike accounts created directly in AWS Organizations. If you want the management account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the management account to assume the role.

Inviting accounts or removing them from your organization should not have any impact on workloads unless you have any SCPs enabled. If you are using SCPs, these policies can block accounts from calling AWS APIs, thus bringing down workloads running on the accounts. I would suggest you only leave the 'FullAWSAccess' policy attached to root. You can then create OUs with the SCPs attached that you think you will need. You can then move test accounts into these OUs to make sure you get the effect that you want. After that you can move production accounts into these OUs and change out the SCPs on root if you want. You can also use the IAM policy simulator to view the effects of SCPs.

AWS
debbie
answered a year ago
kentrad (AWS Expert) reviewed a year ago
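The answer's warning about SCPs is worth making concrete before any account is moved. An SCP never grants permissions; for an API call to be allowed in a member account, every level from the root down through each OU to the account itself must contain an explicit Allow, and no level may contain an explicit Deny. The script below is an added example (not from the question, the answer, or AWS) that models that evaluation for a constructed Root -> OU -> account path, so you can see why detaching FullAWSAccess from root, or attaching an allow-list SCP to an OU without FullAWSAccess beside it, silently blocks EC2 and RDS calls. The policy and OU names are made up for illustration.

```python
# Added example: a minimal model of how AWS Organizations evaluates SCPs along
# the Root -> OU -> account path. Only Effect/Action with wildcards is modelled
# (no NotAction, Resource or Condition); the IAM policy simulator covers those.
import fnmatch

# The AWS-managed SCP the answer recommends leaving attached to root.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed OU guardrail: forbids terminating instances but allows everything else.
DENY_EC2_TERMINATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": "*"}],
}

# Constructed allow-list SCP: only IAM and Organizations APIs are allowed.
IAM_ORGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "organizations:*"], "Resource": "*"}],
}


def _actions(statement):
    """Normalise the Action element to a list of patterns."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_effect(policy, action):
    """Return 'Deny', 'Allow' or None for one SCP document and one API action.

    An explicit Deny wins over any Allow within the same document.
    """
    allowed = False
    for statement in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _actions(statement)):
            if statement["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else None


def evaluate(action, path):
    """Decide whether `action` is permitted for an account.

    `path` is a list of (level_name, [scp_documents]) ordered from the root
    through each OU down to the account. AWS semantics: at every level at least
    one SCP must explicitly allow the action and none may explicitly deny it.
    Returns (allowed: bool, reason: str).
    """
    for level, policies in path:
        effects = [policy_effect(p, action) for p in policies]
        if "Deny" in effects:
            return (False, f"explicit Deny at {level}")
        if "Allow" not in effects:
            return (False, f"no Allow at {level}")
    return (True, "allowed at every level")


def demo():
    """Three constructed scenarios for a legacy account that is moved into an OU."""
    # Recommended layout: FullAWSAccess on root, a guardrail OU with FullAWSAccess beside it.
    safe_path = [
        ("Root", [FULL_AWS_ACCESS]),
        ("OU:workloads", [FULL_AWS_ACCESS, DENY_EC2_TERMINATE]),
        ("Account:legacy", [FULL_AWS_ACCESS]),
    ]
    # Footgun 1: FullAWSAccess swapped out at root for an allow-list SCP.
    restrictive_root = [
        ("Root", [IAM_ORGS_ONLY]),
        ("OU:workloads", [FULL_AWS_ACCESS]),
        ("Account:legacy", [FULL_AWS_ACCESS]),
    ]
    # Footgun 2: the OU gets only the Deny guardrail, with FullAWSAccess detached.
    ou_without_full_access = [
        ("Root", [FULL_AWS_ACCESS]),
        ("OU:workloads", [DENY_EC2_TERMINATE]),
        ("Account:legacy", [FULL_AWS_ACCESS]),
    ]
    return {
        "safe terminate": evaluate("ec2:TerminateInstances", safe_path),
        "safe rds": evaluate("rds:DescribeDBInstances", safe_path),
        "restrictive root ec2": evaluate("ec2:DescribeInstances", restrictive_root),
        "ou without FullAWSAccess rds": evaluate("rds:DescribeDBInstances", ou_without_full_access),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:32} -> {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

Run it as-is and compare the two footgun scenarios with the safe layout: in both cases the RDS and EC2 describe calls are denied not by any Deny statement but by the absence of an Allow at one level, which is exactly the failure mode that takes running workloads down after an account move. Trying each candidate OU against a test account first, as the answer suggests, catches this before production accounts are moved.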
Comment: Thanks for your answer.

Yes, I understand the implications of running workloads in a management account; however, I'm not able, due to business requirements, to risk a currently running workload while migrating to a well-organized accounts topology.

So, is there any risk, when creating an organization, of impacting those running services in any way, like EC2, IAM users/roles/policies, and so on?
