Reuse or link IAM users and groups from Management Account to a new AWS account / OU

Question

Since I am new with AWS, I just come across Organizations in AWS, and just created new OUs and AWS Accounts.

I have already created initial users and groups in the IAM before, which is now in the Management Account. I wanted these users (together with their accesses from the groups) to be able to access the newly created AWS Account. The only thing I can think of is to login the root user of the newly created AWS Account, and then recreate these users and groups there.

Is there a way I can give access to the existing users (from the Management Account) to the new AWS Account? Take note: We do not have any AD yet, as we are still a small group/startup, nor get Directory Service, because we do not have that much funding for that service.

Accepted Answer

Turns out, I can do this using AWS Single Sing On (SSO).

From the AWS SSO info page: [https://aws.amazon.com/single-sign-on/]

> AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and **manage access centrally across your AWS organization**. You can choose to manage access just to your AWS accounts or cloud applications. **You can create user identities directly in AWS SSO**, or you can bring them from your Microsoft Active Directory or a standards-based identity provider, such as Okta Universal Directory or Azure AD.

Answer

AWS SSO is the best way to manage users on multi account.
If you can't use it or your organization not having AD is enough small, you try cross account switch role with IAM Role.
Keep in mind that you need create IAM Role permissions in the new AWS account.

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Reuse or link IAM users and groups from Management Account to a new AWS account / OU

Relevant content