

# Accessing member accounts in an organization with AWS Organizations
<a name="orgs_manage_accounts_access"></a>

When you create an account in your organization, AWS Organizations automatically creates, in addition to the root user, an IAM role that is by default named `OrganizationAccountAccessRole`. You can specify a different name when you create the account; however, we recommend that you name the role consistently across all of your accounts. AWS Organizations doesn't create any other users or roles.

To access the accounts in your organization, you must use one of the following methods:

**Minimum permissions**  
To access an AWS account from any other account in your organization, you must have the following permission:  
`sts:AssumeRole` – The `Resource` element must be set either to an asterisk (`*`) or, preferably, to the ARN of the role in the member account that you want to access (for example, `arn:aws:iam::<member-account-id>:role/OrganizationAccountAccessRole`). A wildcard lets the principal assume any role, in any account, whose trust policy names your account, so list the specific role ARNs whenever you can.

------
#### [ Using the root user (Not recommended for everyday tasks) ]

When you create a new member account in your organization, the account has no root user credentials by default. Member accounts can't sign in as their root user or perform password recovery for their root user unless account recovery is enabled.

You can [centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html) to remove root user credentials from existing member accounts in your organization. Deleting root user credentials removes the root user password, access keys, and signing certificates, and deactivates multi-factor authentication (MFA). These member accounts have no root user credentials, can't sign in as the root user, and are prevented from recovering the root user password. New accounts that you create in Organizations have no root user credentials by default.

Contact your administrator if you need to perform a task that requires root user credentials on a member account where root user credentials are not present.

To access your member account as the root user, you must go through the process for password recovery. For more information, see [I forgot my root user password for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html#troubleshoot-forgot-root-password) in the *AWS Sign-In User Guide*. 

If you must access a member account using the root user, follow these best practices:
+ Don't use the root user to access your account except to create other users and roles with more limited permissions. Then sign in as one of those users or roles.
+ [Enable multi-factor authentication (MFA) on the root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html#ru-bp-mfa). Reset the password, and [assign an MFA device to the root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html).

For the complete list of tasks that require you to sign in as the root user, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. For additional root user security recommendations, see [Root user best practices for your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html) in the *IAM User Guide*.

------
#### [ Using trusted access for IAM Identity Center ]

Use [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

For more information, see [Multi-account permissions](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html) in the *AWS IAM Identity Center User Guide.* For information about setting up trusted access for IAM Identity Center, see [AWS IAM Identity Center and AWS Organizations](services-that-can-integrate-sso.md).

------
#### [ Using the IAM role OrganizationAccountAccessRole ]

If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named `OrganizationAccountAccessRole` that exists in all new accounts that you create this way. For more information, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations.

To create this role, see [Creating OrganizationAccountAccessRole for an invited account with AWS Organizations](orgs_manage_accounts_create-cross-account-role.md).

After you create the role, you can access it using the steps in [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

------

**Topics**
+ [Creating an IAM access role](orgs_manage_accounts_create-cross-account-role.md)
+ [Using the IAM access role](orgs_manage_accounts_access-cross-account-role.md)

# Creating OrganizationAccountAccessRole for an invited account with AWS Organizations
<a name="orgs_manage_accounts_create-cross-account-role"></a>

By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named `OrganizationAccountAccessRole`. For more information, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

However, member accounts that you *invite* to join your organization ***do not*** automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, `OrganizationAccountAccessRole`, for your manually created roles for consistency and ease of remembering.

------
#### [ AWS Management Console ]

**To create an AWS Organizations administrator role in a member account**

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the member account. The user or role must have permission to create IAM roles and policies.

1. In the IAM console, navigate to **Roles** and then choose **Create role**.

1. Choose **AWS account**, and then select **Another AWS account**.

1. Enter the 12-digit account ID number of the management account that you want to grant administrator access to. Under **Options**, note the following:
   + For this role, because the accounts are internal to your company, you should **not** choose **Require external ID**. An external ID protects against the confused deputy problem when a third party assumes a role in your account; it adds nothing between accounts that you own. For more information about the external ID option, see [When should I use an external ID?](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html#external-id-use) in the *IAM User Guide*. 
   + If you have MFA enabled and configured, you can choose **Require MFA** so that the role can be assumed only from a session that authenticated with an MFA device. Because this role grants administrator access to the member account, we recommend that you require it. For more information about MFA, see [Using multi-factor authentication (MFA) in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*. 

1. Choose **Next**.

1. On the **Add permissions** page, choose the AWS managed policy named `AdministratorAccess` and then choose **Next**.

1. On the **Name, review, and create** page, specify a role name and an optional description. We recommend that you use `OrganizationAccountAccessRole`, for consistency with the default name assigned to the role in new accounts. To commit your changes, choose **Create role**.

1. Your new role appears on the list of available roles. Choose the new role's name to view its details, and note the link URL that is provided. Give this URL to users in the management account who need to access the role. Also, note the **Role ARN** because you need it in step 14.

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). This time, sign in as a user in the management account who has permissions to create policies and assign the policies to users or groups.

1. Navigate to **Policies** and then choose **Create policy**.

1. For **Service**, choose **STS**.

1. For **Actions**, start typing **AssumeRole** in the **Filter** box and then select the check box next to it when it appears.

1. Under **Resources**, ensure that **Specific** is selected and then choose **Add ARNs**.

1. Enter the AWS member account ID number and then enter the name of the role that you previously created in steps 1–8. Choose **Add ARNs**.

1. If you're granting permission to assume the role in multiple member accounts, repeat steps 13 and 14 for each account.

1. Choose **Next**.

1. On the **Review and create** page, enter a name for the new policy and then choose **Create policy** to save your changes.

1. Choose **User groups** in the navigation pane and then choose the name of the group (not the check box) that you want to use to delegate administration of the member account.

1. Choose the **Permissions** tab.

1. Choose **Add permissions**, choose **Attach policies**, and then select the policy that you created in steps 10–17.

------

The users who are members of the selected group can now use the URLs that you captured in step 8 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md). 

# Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations
<a name="orgs_manage_accounts_access-cross-account-role"></a>

When you create a member account using the AWS Organizations console, AWS Organizations *automatically* creates an IAM role named `OrganizationAccountAccessRole` in the account. This role has full administrative permissions in the member account. Its trust policy names the organization's management account as the trusted principal, so any IAM user or role in the management account can assume it, provided that principal's own IAM permissions allow `sts:AssumeRole` on the role.

You can create an identical role for an invited member account by following the steps in [Creating OrganizationAccountAccessRole for an invited account with AWS Organizations](orgs_manage_accounts_create-cross-account-role.md).

To use this role to access the member account, you must sign in as a user from the management account that has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.

------
#### [ AWS Management Console ]

**To grant permissions to members of an IAM group in the management account to access the role**

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/) as a user with administrator permissions in the management account. This is required to delegate permissions to the IAM group whose users will access the role in the member account.

1. <a name="step-create-policy"></a>Start by creating the managed policy that you need later in [Step 14](#step-choose-group). 

   In the navigation pane, choose **Policies** and then choose **Create policy**.

1. On the Visual editor tab, choose **Choose a service**, enter **STS** in the search box to filter the list, and then choose the **STS** option.

1. In the **Actions** section, enter **assume** in the search box to filter the list, and then choose the **AssumeRole** option.

1. In the **Resources** section, choose **Specific**, and then choose **Add ARNs**.

1. In the **Specify ARN(s)** section, choose **Other account** for **Resource in**.

1. Enter the 12-digit ID of the member account that you want to access.

1. For **Resource role name with path**, enter the name of the role that you created in the previous section (we recommend naming it `OrganizationAccountAccessRole`).

1. Choose **Add ARNs** when the dialog box displays the correct ARN.

1. (Optional) If you want to require multi-factor authentication (MFA), or to restrict use of the role to a specified IP address range, expand the **Request conditions** section and select the conditions that you want to enforce.

1. Choose **Next**.

1. On the **Review and create** page, enter a name for the new policy, for example **GrantAccessToOrganizationAccountAccessRole**. You can also add an optional description. 

1. <a name="step-end-policy"></a>Choose **Create policy** to save your new managed policy.

1. <a name="step-choose-group"></a>Now that you have the policy available, you can attach it to a group.

   In the navigation pane, choose **User groups** and then choose the name of the group (not the check box) whose members you want to be able to assume the role in the member account. If necessary, you can create a new group.

1. Choose the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

1. (Optional) In the **Search** box, you can start typing the name of your policy to filter the list until you can see the name of the policy you just created in [Step 2](#step-create-policy) through [Step 13](#step-end-policy). You can also filter out all of the AWS managed policies by choosing **All types** and then choosing **Customer managed**.

1. Check the box next to your policy, and then choose **Attach policies**.

------
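The two console procedures (creating the role in an invited member account, and granting a management-account group permission to assume it) and the minimum-permissions note at the top of the page come down to two policy documents. The following is an added example, not code from the AWS documentation: it builds both documents, lints them for a wildcard `Resource`, a wildcard `Principal` and a missing MFA condition, and applies them through whatever client you pass in. The account IDs `111111111111` and `222222222222`, the group name `OrgAdmins`, the policy name and the `DryRunClient` class are assumptions made for this example; `boto3.client("iam")` exposes the same `create_role`, `attach_role_policy`, `create_policy` and `attach_group_policy` calls and can be passed in its place.

```python
"""Trust policy for the member account, sts:AssumeRole permission for the
management account, a lint for the usual mistakes, and a dry-run client.
Account IDs, group name and policy name are placeholders for this example."""
import json
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}


def trust_policy(management_account_id, require_mfa=False):
    """Trust policy for the member-account role. Trusting the account root is
    what "Another AWS account" produces: any principal in the management
    account may assume the role if its own IAM permissions allow it."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"}}
    if require_mfa:  # the console's "Require MFA" option
        statement["Condition"] = MFA_CONDITION
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids, role_name="OrganizationAccountAccessRole",
                       require_mfa=False):
    """Permissions policy for a group in the management account. Resource lists
    exact role ARNs; "*" would allow assuming any role that trusts the account."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in member_account_ids]}
    if require_mfa:  # the "Request conditions" option in the second procedure
        statement["Condition"] = MFA_CONDITION
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_policy(policy):
    """Findings for every Allow statement granting sts:AssumeRole: resources that
    are not single role ARNs, a wildcard principal, and a missing MFA condition."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        resources = st.get("Resource", [])
        for r in [resources] if isinstance(resources, str) else resources:
            if not ROLE_ARN_RE.match(r):
                findings.append(f"statement {i}: Resource {r!r} is not a single role ARN")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
        if "aws:MultiFactorAuthPresent" not in st.get("Condition", {}).get("Bool", {}):
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings


class DryRunClient:
    """Records IAM calls instead of making them, so the change set can be reviewed."""
    def __init__(self, account_id):
        self.account_id, self.calls = account_id, []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_policy":  # same shape as the boto3 response
                return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{kwargs['PolicyName']}"}}
            return {}
        return call


def create_access_role(iam, management_account_id, role_name="OrganizationAccountAccessRole",
                       require_mfa=True):
    """Member-account side: steps 1-8 of the procedure for an invited account."""
    doc = trust_policy(management_account_id, require_mfa)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(doc),
                    Description="Administrator access for the organization's management account")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=ADMIN_POLICY_ARN)
    return doc


def grant_group_access(iam, group_name, member_account_ids,
                       policy_name="GrantAccessToOrganizationAccountAccessRole",
                       role_name="OrganizationAccountAccessRole", require_mfa=True):
    """Management-account side: steps 9-20 of the first procedure, or the group procedure."""
    doc = assume_role_policy(member_account_ids, role_name, require_mfa)
    resp = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(doc))
    iam.attach_group_policy(GroupName=group_name, PolicyArn=resp["Policy"]["Arn"])
    return resp["Policy"]["Arn"]


if __name__ == "__main__":
    management, member = "111111111111", "222222222222"  # placeholder account IDs
    create_access_role(DryRunClient(member), management)
    mgmt = DryRunClient(management)
    print(grant_group_access(mgmt, "OrgAdmins", [member]))
    print(json.dumps(mgmt.calls, indent=2))
    # The wildcard that the "Minimum permissions" note allows, and why to avoid it:
    print(audit_policy({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}))
```

Running the module prints the calls that would be made against the management account and the findings for the wildcard policy. The `Resource` finding is the reason the minimum-permissions note prefers a role ARN over `*`; the MFA finding is the reason both procedures offer an MFA condition for a role that carries `AdministratorAccess`.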

IAM users that are members of the group now have permissions to switch to the new role in the AWS Organizations console by using the following procedure.

------
#### [ AWS Management Console ]

**To switch to the role for the member account**

When using the role, the user has administrator permissions in the new member account. Instruct your IAM users who are members of the group to do the following to switch to the new role. 

1. From the upper-right corner of the AWS Organizations console, choose the link that contains your current sign-in name and then choose **Switch Role**.

1. Enter the administrator-provided account ID number and role name.

1. For **Display Name**, enter the text that you want to show on the navigation bar in the upper-right corner in place of your user name while you are using the role. You can optionally choose a color.

1. Choose **Switch Role**. Now all actions that you perform are done with the permissions granted to the role that you switched to. You no longer have the permissions associated with your original IAM user until you switch back.

1. When you finish performing actions that require the permissions of the role, you can switch back to your normal IAM user. Choose the role name in the upper-right corner (whatever you specified as the **Display Name**) and then choose **Back to *UserName***.

------
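The **Switch Role** dialog is a console front end for the STS `AssumeRole` call. The following is an added example, not code from the AWS documentation: it performs the same switch from a script, passes the MFA device and code when the policies from the earlier procedures require MFA, checks that the returned session really belongs to the member account and role that were requested, and turns the temporary credentials into `export` lines for the AWS CLI. The account IDs, role name, session name, MFA serial and the `SampleSts` class (a stand-in that returns a constructed response in the shape of boto3's `sts.assume_role()`) are assumptions made for this example; pass `boto3.client("sts")` in its place for a real switch.

```python
"""Script equivalent of the console Switch Role procedure. Account IDs, role
name, session name and MFA serial are placeholders; SampleSts stands in for
boto3.client("sts") and returns a constructed response so this runs offline."""
import shlex
from datetime import datetime, timedelta, timezone


def switch_role(sts, member_account_id, role_name="OrganizationAccountAccessRole",
                session_name="org-admin", mfa_serial=None, token_code=None,
                duration_seconds=3600):
    """Call AssumeRole on the member account's role; return (env vars, expiration)."""
    role_arn = f"arn:aws:iam::{member_account_id}:role/{role_name}"
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if mfa_serial:  # needed when the trust or permissions policy requires MFA
        if not token_code:
            raise ValueError("token_code is required when mfa_serial is given")
        params.update(SerialNumber=mfa_serial, TokenCode=token_code)
    resp = sts.assume_role(**params)
    assumed = resp["AssumedRoleUser"]["Arn"]
    # The session ARN names the account and role actually assumed; refuse anything else.
    if not assumed.startswith(f"arn:aws:sts::{member_account_id}:assumed-role/{role_name}/"):
        raise RuntimeError(f"unexpected assumed-role ARN: {assumed}")
    creds = resp["Credentials"]
    env = {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
           "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
           "AWS_SESSION_TOKEN": creds["SessionToken"]}
    return env, creds["Expiration"]


def shell_exports(env):
    """Lines to eval in a shell; quoting guards against metacharacters in tokens."""
    return [f"export {k}={shlex.quote(v)}" for k, v in env.items()]


def seconds_remaining(expiration, now=None):
    """Time left on the temporary credentials (STS returns an aware datetime)."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((expiration - now).total_seconds()))


class SampleSts:
    """Stand-in for boto3.client("sts"); the credential values are constructed."""
    def assume_role(self, **params):
        account = params["RoleArn"].split(":")[4]
        role = params["RoleArn"].rsplit("/", 1)[1]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE",
                "SecretAccessKey": "secret",
                "SessionToken": "token",
                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=params["DurationSeconds"]),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLE:" + params["RoleSessionName"],
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role}/{params['RoleSessionName']}",
            },
        }


if __name__ == "__main__":
    env, exp = switch_role(SampleSts(), "222222222222",
                           mfa_serial="arn:aws:iam::111111111111:mfa/alice", token_code="123456")
    print("\n".join(shell_exports(env)))
    print(f"# expires in {seconds_remaining(exp)} s")
```

As in the console, everything done with these credentials runs with the role's permissions in the member account; unsetting the three variables (or letting them expire) is the equivalent of **Back to *UserName***.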