Unlocking the Power of AWS Organizations: A Comprehensive Guide to Creation and Authentication Methods for AWS Accounts

~ goody
8 min read, Aug 8, 2023


Introduction

In the vast landscape of Amazon Web Services (AWS), AWS Organizations (AWS Org) stands out as a powerful tool that helps businesses streamline their cloud infrastructure and resources. Think of AWS Organizations as the orchestrator, allowing you to efficiently manage multiple AWS accounts under a unified umbrella. Whether you are a seasoned cloud professional or just beginning your journey, AWS Organizations opens up a realm of possibilities to architect and administer your AWS environment with precision and ease.

Disclaimer

In this lab, it is assumed that you have created an AWS Free Tier account and that you have access to the root account or an IAM user with AdministratorAccess.

Lab Task

This lab will guide you through creating an AWS Organization, setting up an Organizational Unit (OU), and establishing methods for accessing a newly created AWS account placed in that OU.

  • Sign in to the AWS Management Console and search for AWS Organizations.
  • On the AWS Organizations activation page, click "Create an organization" to enable it.
  • You will be redirected to the AWS Organizations console with a message at the top stating "You successfully created an AWS organization". Next, click the "Add an AWS account" button.
  • On the Create AWS account page, select "Create an AWS account" and enter the AWS account name, email address and tags (optional). Once done, click the "Create AWS account" button.
  • Back on the AWS Organizations page, click List to view the AWS accounts. For now, you should have two: the management account and the account you just created (here, MyTestOU).

Creating Organization Unit (OU)

An Organizational Unit (OU) is a logical grouping within an AWS Organization that helps you organize and manage your accounts more efficiently. It acts as a container for AWS accounts, enabling you to apply policies, permissions, and controls to a specific subset of accounts. This hierarchical structure simplifies management by allowing you to apply consistent policies and governance to related accounts within the OU.

Next, you create an OU and associate the newly created AWS account with it.

  • To do this, select the check box next to Root, then open the Action menu and choose "Create new" from the drop-down.
  • On the "Create organizational unit in Root" page, enter the OU name and tags (optional), then click "Create organizational unit".

Moving AWS Account to OU

Next, move the newly created AWS account (here, MyTestOU) into the new OU (here, Test Sandbox).

  • To do this, select the AWS account by checking the box next to "MyTestOU", then open the Action menu and choose "Move" under the AWS account section.
  • On the "Move AWS account 'MyTestOU'" page, select the destination OU via its radio button (here, Test Sandbox). Once done, click the "Move AWS account" button.
  • A message is then displayed stating "Successfully moved the AWS account 'MyTestOU' to the organizational unit 'Test Sandbox'".

Three Ways to Access the Newly Created AWS Account

There are three ways to access the new AWS account (here, MyTestOU).
NOTE: By default you can have a maximum of 10 AWS accounts in an organization, but the quota can be increased.

🔐 Method 1 — Forgot Password Flow

Using the forgot password flow to log in to the account as the root user:

  • On the AWS accounts page, copy the email address of the account (here, MyTestOU).
  • Open another browser or a Chrome incognito window and search for the AWS Management Console login. On the AWS sign-in page, select Root user and enter the copied email address.
  • On the password page, click "Forgot password" to reset the password.
  • Complete the CAPTCHA and click the "Send email" button.
  • In your mailbox, copy the password reset link and paste it into the incognito tab.
  • You will be redirected to the Reset password page. Enter a password of your choice.
  • Now you can log in to the root user of the new account with the newly created password.
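Method 1 works because whoever controls the account's email address can reset its root password, so root sign-in activity in member accounts is worth watching. The following is an added example, not part of the original post: Python detection logic run over constructed CloudTrail sign-in records (the account ids, IP addresses and timestamps are made up) that flags root password recovery events and successful root console logins, noting whether MFA was used.

```python
MANAGEMENT_ACCOUNT = "111111111111"  # constructed ids, not real accounts
MEMBER_ACCOUNT = "222222222222"
SRC = "signin.amazonaws.com"
ROOT, IAM_USER = {"type": "Root"}, {"type": "IAMUser", "userName": "admin"}

# Constructed CloudTrail sign-in records (sample data, not real logs): a root
# password recovery on the member account, a root console login without MFA,
# and an unrelated MFA-backed IAM user login in the management account.
SAMPLE_EVENTS = [
    {"eventSource": SRC, "eventName": "PasswordRecoveryRequested", "userIdentity": ROOT,
     "recipientAccountId": MEMBER_ACCOUNT, "eventTime": "2023-08-08T10:00:00Z",
     "sourceIPAddress": "203.0.113.5"},
    {"eventSource": SRC, "eventName": "PasswordRecoveryCompleted", "userIdentity": ROOT,
     "recipientAccountId": MEMBER_ACCOUNT, "eventTime": "2023-08-08T10:05:00Z",
     "sourceIPAddress": "203.0.113.5"},
    {"eventSource": SRC, "eventName": "ConsoleLogin", "userIdentity": ROOT,
     "recipientAccountId": MEMBER_ACCOUNT, "eventTime": "2023-08-08T10:06:00Z",
     "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": SRC, "eventName": "ConsoleLogin", "userIdentity": IAM_USER,
     "recipientAccountId": MANAGEMENT_ACCOUNT, "eventTime": "2023-08-08T09:00:00Z",
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def find_root_activity(events, management_account):
    """Flag root password recovery and successful root console logins, noting
    whether the account is a member account and whether MFA was used."""
    findings = []
    for e in events:
        if e.get("eventSource") != SRC or e.get("userIdentity", {}).get("type") != "Root":
            continue
        name = e.get("eventName")
        if name in ("PasswordRecoveryRequested", "PasswordRecoveryCompleted"):
            reason = f"root password recovery ({name})"
        elif name == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
                continue
            mfa = e.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            reason = "root console login" + ("" if mfa else " without MFA")
        else:
            continue
        acct = e.get("recipientAccountId")
        findings.append({"account": acct, "member_account": acct != management_account,
                         "time": e.get("eventTime"), "source_ip": e.get("sourceIPAddress"),
                         "reason": reason})
    return findings
```

Run against the sample records, the three root events on the member account are reported and the MFA-backed IAM user login is ignored.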

🔐 Method 2 — Switch Role

If you used an IAM user to create/activate AWS Organizations, you can use the Switch role method to access the new account. Watch the video here.
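The switch role method relies on the role that Organizations creates in each new member account (OrganizationAccountAccessRole by default), whose trust policy allows the management account to assume it. As an added example that is not part of the original post, the Python below builds a least-privilege policy letting the management-account IAM user assume that role only in the Test Sandbox accounts and only with MFA, and audits a member role's trust policy for any principal other than the management account; the account ids are constructed and the trust document is a reconstructed sample.

```python
MANAGEMENT_ACCOUNT = "111111111111"   # constructed ids, not real accounts
SANDBOX_ACCOUNTS = ["222222222222"]   # member accounts in the Test Sandbox OU
ROLE_NAME = "OrganizationAccountAccessRole"  # default role name created by Organizations

# Reconstructed sample of the trust policy on the member-account role:
# only the management account may assume it.
DEFAULT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root"}}],
}


def role_arn(account_id, role_name=ROLE_NAME):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role_policy(member_accounts, role_name=ROLE_NAME):
    """Identity policy for the management-account IAM user who switches role:
    assume the org access role only in the listed accounts, and only with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [role_arn(a, role_name) for a in member_accounts],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def trust_policy_issues(trust_doc, management_account):
    """Audit a member role's trust policy: return every principal allowed to
    assume the role that is not the management account itself."""
    allowed = {management_account, f"arn:aws:iam::{management_account}:root"}
    issues = []
    for st in trust_doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        issues.extend(p for p in aws if p not in allowed)
    return issues
```

The same role ARN is what you enter in the console's Switch Role dialog (account id plus role name), so the generated policy scopes exactly that action.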

🔐 Method 3 — IAM Identity Center

You can assign a user from IAM Identity Center to access any AWS account in your AWS Organization.

  • Open the IAM Identity Center (successor to AWS Single Sign-On) console by searching for it.
  • On the IAM Identity Center console page, click Enable.
  • On the IAM Identity Center page, click Users in the left pane.
  • On the Users page, click Add user at the top right.
  • On the Specify user details page, supply the necessary details. In this lab, under Primary information, enter the username (D3m0) and your preferred email address. Retain the other default settings and click Next.
  • The next step, Add user to groups, is optional. Click Next.
  • On the Review and add user page, review the settings, scroll down and click Add user.
  • The user (here, D3m0) is now created. Next, click AWS accounts in the left pane under Multi-account permissions.
  • On the AWS accounts page, select the account you want to assign to the new user (here, D3m0): click the AWS account MyTestOU under the Test Sandbox organizational unit (OU). Then click Assign users or groups at the top right.
  • On the Assign users and groups to "MyTestOU" page, click Users, select the user (here, D3m0) and click Next.
  • You will be redirected to the Select permission set type page. Select "Predefined permission set" as the permission set type and "AdministratorAccess" under Policy for predefined permission set. Then scroll down and click Next.
  • On the Specify permission set details page, retain the default settings and click Next.
  • On the Review and create page, review the settings and click Create at the bottom.
  • Navigate back to Assign permission sets to "MyTestOU" and click the Refresh button. Then select the new permission set (here, AdministratorAccess) and click Next.
  • On the Review and submit assignments to "MyTestOU" page, review the configuration and click Submit.
  • Check the email address you used while creating the user (here, D3m0).
  • Open the email and accept the invitation; you will be redirected to create a new password.
  • Next, you will be redirected to sign in with your username and password, or you can use the sign-in link from the email sent to you.
  • Once signed in, your dashboard shows the AWS account assigned to you (that is, to the user D3m0).
  • Click the account to access the Management Console.
  • Now the user (here, D3m0) can access the MyTestOU AWS account with AdministratorAccess privileges.

Reference

🚀🕵️‍♂️ Check out practical hands-on labs on securing AWS accounts here.
