

# Managing account invitations with AWS Organizations
<a name="orgs_manage_accounts_invites"></a>

After you [create an organization](orgs_manage_org_create.md) and [verify that you own the email address](about-email-verification.md) associated with the management account, you can invite existing AWS accounts to join your organization. Use the AWS Organizations console to initiate and manage invitations that you send to other accounts. You can send an invitation to other accounts only from the management account of your organization.

When you invite an account, AWS Organizations sends an invitation to the account owner, who can decide to accept or decline the invitation.

If you are the administrator of an AWS account, you also can accept or decline an invitation from an organization. If you accept, your account becomes a member of that organization.

To create an account that automatically is part of an organization, see [Creating a member account in an organization with AWS Organizations](orgs_manage_accounts_create.md).

**Important**  
All accounts in an organization must come from the same AWS partition as the management account. Accounts in the commercial AWS Regions partition can't be in an organization with accounts from the China Regions partition or accounts in the AWS GovCloud (US) Regions partition.

**Topics**
+ [Considerations](#impact_of_join)
+ [Sending invitations](orgs_manage_accounts_invite-account.md)
+ [Managing pending invitations](orgs_manage_accounts_manage-invites.md)
+ [Accepting or declining invitations](orgs_manage_accounts_accept-decline-invite.md)

## Considerations
<a name="impact_of_join"></a>

**Limitations on the number of invitations you can send per day**

For limitations on the number of invitations you can send per day, see [Maximum and minimum values](orgs_reference_limits.md#min-max-values). Accepted invitations don't count against this quota. As soon as one invitation is accepted, you can send another invitation that same day. Each invitation must be responded to within 15 days, or it expires.

An invitation that is sent to an account counts against the quota of accounts in your organization. The count is reset if the invited account declines, the management account cancels the invitation, or the invitation expires.

**An account can only join one organization**

An account can only join one organization. If you receive multiple invitations, you can accept only one.

**Billing history and reports stay with the management account**

Billing history and reports for all accounts stay with the management account in an Organization. Before you move the account to a new Organization, export or back up any billing and report histories for any member accounts that you want to keep. This might include [Cost and Usage Reports](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html), [Cost Explorer Reports](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-reports.html), [Savings Plans Reports](https://docs.aws.amazon.com/savingsplans/latest/userguide/ce-sp-usingPR.html#ce-dl-pr), and [Reserved Instance (RI) utilization and coverage](https://repost.aws/knowledge-center/ec2-ri-utilization-coverage-cost-explorer).

**The management account is responsible for all charges accrued by member accounts**

After an account accepts the invitation to join an organization, the management account of the organization becomes responsible for all charges accrued by the new member account. The payment method attached to the member account is no longer used. Instead, the payment method attached to the management account of the organization pays for all charges accrued by the member account.

**Organizations automatically creates the service-linked role `AWSServiceRoleForOrganizations`**

AWS Organizations creates a service-linked role called `AWSServiceRoleForOrganizations` to support integrations between AWS Organizations and other AWS services. For more information, see [AWS Organizations and service-linked roles](orgs_integrate_services.md#orgs_integrate_services-using_slrs). The invited account must have this role if your organization supports [all features](orgs_getting-started_concepts.md#feature-set-all). You can delete this role if the organization supports only the [consolidated billing](orgs_getting-started_concepts.md#feature-set-cb-only) feature set. If you delete this role and later you enable all features in your organization, AWS Organizations recreates this role for the account.

**Organizations does not automatically create the IAM role `OrganizationAccountAccessRole`**

For invited member accounts, AWS Organizations doesn't automatically create the IAM role [`OrganizationAccountAccessRole`](orgs_manage_accounts_access-cross-account-role.md). This role grants users in the management account administrative access to the member account. If you want to enable that level of administrative control to an invited account, you can manually add the role. For more information, see [Creating OrganizationAccountAccessRole for an invited account with AWS Organizations](orgs_manage_accounts_create-cross-account-role.md).

**Note**  
When you create an account in your organization instead of inviting an existing account to join, AWS Organizations automatically creates the IAM role `OrganizationAccountAccessRole` by default.

**Policies attached to the root or OU that contain the account immediately apply**

If you have any policies attached to the root or the organizational unit (OU) that contains the invited account, those policies immediately apply to all users and roles in the invited account.

You can [enable service trust for another AWS service](orgs_integrate_services_list.md) for your organization. When you do, that trusted service can create service-linked roles or perform actions in any member account in the organization, including an invited account.

**Organizations with only the consolidated billing feature set can still invite accounts**

You can invite an account to join an organization that has only the consolidated billing features enabled. If you later want to enable all features for the organization, invited accounts must approve the change.

# Sending account invitations with AWS Organizations
<a name="orgs_manage_accounts_invite-account"></a>

To invite accounts to your organization, you must first verify that you own the email address associated with the management account. For more information, see [Email address verification with AWS Organizations](about-email-verification.md). After you verify your email address, complete the following steps to invite accounts to your organization.

**Minimum permissions**  
To invite an AWS account to join your organization, you must have the following permissions:  
+ `organizations:DescribeOrganization` (console only)
+ `organizations:InviteAccountToOrganization`

------
#### [ AWS Management Console ]

**To invite another account to join your organization**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. If you already verified your email address with AWS, skip this step.

   If you haven't yet verified your email address, follow the instructions in the [verification email](about-email-verification.md) within 24 hours after you create the organization. There might be a delay before you receive the verification email message. You can't invite an account to join your organization until you verify your email address. 

1. Navigate to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, and choose **Add an AWS account**.

1. On the **[Add an AWS account](https://console.aws.amazon.com/organizations/v2/home/accounts/add/create)** page, choose **Invite an existing AWS account**.

1. On the **[Invite an existing AWS](https://console.aws.amazon.com/organizations/v2/home/accounts/add/invite)** page, for **Email address or account ID of the AWS account to invite** enter either the email address associated with the account to be invited, or its account ID number. 

1. (Optional) For **Message to include in the invitation email message**, enter any text that you want to include in the email invitation to the invited account owner.

1. (Optional) In the **Add tags** section, specify one or more tags that are automatically applied to the account after its administrator accepts the invitation. To do this, choose **Add tag** and then enter a key and an optional value. Leaving the value blank sets it to an empty string; it isn't `null`. You can attach up to 50 tags to an AWS account.

1. Choose **Send invitation**.
**Important**  
If you get a message that you exceeded your account quotas for the organization or that you can't add an account because your organization is still initializing, contact [AWS Support](https://console.aws.amazon.com/support/home#/).

1. The console redirects you to the **[Invitations](https://console.aws.amazon.com/organizations/v2/home/accounts/invitations)** page, where you can view all open and accepted invitations. The invitation that you just created appears at the top of the list with its status set to **OPEN**.

   AWS Organizations sends an invitation to the email address of the owner of the account that you invited to the organization. This email message includes a link to the AWS Organizations console, where the account owner can view the details and choose to accept or decline the invitation. Alternatively, the owner of the invited account can bypass the email message, go directly to the AWS Organizations console, view the invitation, and accept or decline it.

   The invitation to this account immediately counts against the maximum number of accounts that you can have in your organization. AWS Organizations doesn't wait until the account accepts the invitation. If the invited account declines, the management account cancels the invitation, or the invited account doesn't respond within the specified time period and the invitation expires, the invitation no longer counts against your quota.

------
#### [ AWS CLI & AWS SDKs ]

**To invite another account to join your organization**  
You can use one of the following commands to invite another account to join your organization:
+ AWS CLI: [invite-account-to-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/invite-account-to-organization.html) 

  ```
  $ aws organizations invite-account-to-organization \
      --target '{"Type": "EMAIL", "Id": "juan@example.com"}' \
      --notes "This is a request for Juan's account to join Bill's organization."
  {
      "Handshake": {
          "Action": "INVITE",
          "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
          "ExpirationTimestamp": 1482952459.257,
          "Id": "h-examplehandshakeid111",
          "Parties": [
              {
                  "Id": "o-exampleorgid",
                  "Type": "ORGANIZATION"
              },
              {
                  "Id": "juan@example.com",
                  "Type": "EMAIL"
              }
          ],
          "RequestedTimestamp": 1481656459.257,
          "Resources": [
              {
                  "Resources": [
                      {
                          "Type": "MASTER_EMAIL",
                          "Value": "bill@amazon.com"
                      },
                      {
                          "Type": "MASTER_NAME",
                          "Value": "Management Account"
                      },
                      {
                          "Type": "ORGANIZATION_FEATURE_SET",
                          "Value": "FULL"
                      }
                  ],
                  "Type": "ORGANIZATION",
                  "Value": "o-exampleorgid"
              },
              {
                  "Type": "EMAIL",
                  "Value": "juan@example.com"
              }
          ],
          "State": "OPEN"
      }
  }
  ```
+ AWS SDKs: [InviteAccountToOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_InviteAccountToOrganization.html)

------

# Managing pending account invitations with AWS Organizations
<a name="orgs_manage_accounts_manage-invites"></a>

When you sign in to your management account, you can view all the linked AWS accounts in your organization and cancel any pending (open) invitations. To do this, complete the following steps.

**Minimum permissions**  
To manage pending invitations for your organization, you must have the following permissions:  
+ `organizations:DescribeOrganization` – required only when using the Organizations console
+ `organizations:ListHandshakesForOrganization`
+ `organizations:CancelHandshake`

------
#### [ AWS Management Console ]

**To view or cancel invitations that are sent from your organization to other accounts**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. Navigate to the **[Invitations](https://console.aws.amazon.com/organizations/v2/home/accounts/invitations)** page. 

   This page displays all invitations that are sent from your organization and their current status.

   If you can't see an invitation, check if the invited account is the management account of another organization. Only member accounts and standalone accounts are able to receive invitations. Management accounts cannot receive invitations.

   If you want to invite an account that is a management account in another organization, it is recommended that you make that account a standalone account.
**Note**  
Accepted, canceled, and declined invitations continue to appear in the list for 30 days. After that, they're deleted and no longer appear in the list.

1. Choose the radio button ![\[Blue circular icon with a white checkmark symbol in the center.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/radio-button-selected.png) next to the invitation that you want to cancel, and then choose **Cancel invitation**. If the radio button is grayed out, then that invitation can't be canceled.

   The status of the invitation changes from **OPEN** to **CANCELED**.

   AWS sends an email message to the account owner stating that you canceled the invitation. The account can no longer join the organization unless you send a new invitation.

------
#### [ AWS CLI & AWS SDKs ]

**To view or cancel invitations that are sent from your organization to other accounts**  
You can use the following commands to view or cancel invitations:
+ AWS CLI: [list-handshakes-for-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-handshakes-for-organization.html), [cancel-handshake](https://docs.aws.amazon.com/cli/latest/reference/organizations/cancel-handshake.html) 

  The following example shows the invitations sent by this organization to other accounts.

  ```
  $ aws organizations list-handshakes-for-organization
  {
      "Handshakes": [
          {
              "Action": "INVITE",
              "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
              "ExpirationTimestamp": 1482952459.257,
              "Id": "h-examplehandshakeid111",
              "Parties": [
                  {
                      "Id": "o-exampleorgid",
                      "Type": "ORGANIZATION"
                  },
                  {
                      "Id": "juan@example.com",
                      "Type": "EMAIL"
                  }
              ],
              "RequestedTimestamp": 1481656459.257,
              "Resources": [
                  {
                      "Resources": [
                          {
                              "Type": "MASTER_EMAIL",
                              "Value": "bill@amazon.com"
                          },
                          {
                              "Type": "MASTER_NAME",
                              "Value": "Management Account"
                          },
                          {
                              "Type": "ORGANIZATION_FEATURE_SET",
                              "Value": "FULL"
                          }
                      ],
                      "Type": "ORGANIZATION",
                      "Value": "o-exampleorgid"
                  },
                  {
                      "Type": "EMAIL",
                      "Value": "juan@example.com"
                  },
                  {
                      "Type":"NOTES",
                      "Value":"This is an invitation to Juan's account to join Bill's organization."
                  }
              ],
              "State": "OPEN"
          },
          {
              "Action": "INVITE",
              "State":"ACCEPTED",
              "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
              "ExpirationTimestamp": 1.471797437427E9,
              "Id": "h-examplehandshakeid222",
              "Parties": [
                  {
                      "Id": "o-exampleorgid",
                      "Type": "ORGANIZATION"
                  },
                  {
                      "Id": "anika@example.com",
                      "Type": "EMAIL"
                  }
              ],
              "RequestedTimestamp": 1.469205437427E9,
              "Resources": [
                  {
                      "Resources": [
                          {
                              "Type":"MASTER_EMAIL",
                              "Value":"bill@example.com"
                          },
                          {
                              "Type":"MASTER_NAME",
                              "Value":"Management Account"
                          }
                      ],
                      "Type":"ORGANIZATION",
                      "Value":"o-exampleorgid"
                  },
                  {
                      "Type":"EMAIL",
                      "Value":"anika@example.com"
                  },
                  {
                      "Type":"NOTES",
                      "Value":"This is an invitation to Anika's account to join Bill's organization."
                  }
              ]
          }
      ]
  }
  ```

  The following example shows how to cancel an invitation to an account.

  ```
  $ aws organizations cancel-handshake --handshake-id h-examplehandshakeid111
  {
      "Handshake": {
          "Id": "h-examplehandshakeid111",
          "State":"CANCELED",
          "Action": "INVITE",
          "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
          "Parties": [
              {
                  "Id": "o-exampleorgid",
                  "Type": "ORGANIZATION"
              },
              {
                  "Id": "susan@example.com",
                  "Type": "EMAIL"
              }
          ],
          "Resources": [
              {
                  "Type": "ORGANIZATION",
                  "Value": "o-exampleorgid",
                  "Resources": [
                      {
                          "Type": "MASTER_EMAIL",
                          "Value": "bill@example.com"
                      },
                      {
                          "Type": "MASTER_NAME",
                          "Value": "Management Account"
                      },
                      {
                          "Type": "ORGANIZATION_FEATURE_SET",
                          "Value": "CONSOLIDATED_BILLING"
                      }
                  ]
              },
              {
                  "Type": "EMAIL",
                  "Value": "anika@example.com"
              },
              {
                  "Type": "NOTES",
                  "Value": "This is a request for Susan's account to join Bob's organization."
              }
          ],
          "RequestedTimestamp": 1.47008383521E9,
          "ExpirationTimestamp": 1.47137983521E9
      }
  }
  ```
+ AWS SDKs: [ListHandshakesForOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListHandshakesForOrganization.html), [CancelHandshake](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CancelHandshake.html)

------
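
The triage below is an added example, not part of the AWS documentation: it reads the JSON printed by `list-handshakes-for-organization` and flags open invitations that are close to the 15-day expiry or that were sent to a target outside an approved list. The approved list, the `warn_days` threshold, and the third sample handshake are assumptions made for the illustration.

```python
import json

DAY = 86400  # seconds

# Constructed sample in the shape of `list-handshakes-for-organization` output,
# trimmed to the fields read below. The third handshake is invented for this example.
SAMPLE = json.loads("""
{"Handshakes": [
  {"Id": "h-examplehandshakeid111", "Action": "INVITE", "State": "OPEN",
   "RequestedTimestamp": 1481656459.257, "ExpirationTimestamp": 1482952459.257,
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "juan@example.com", "Type": "EMAIL"}]},
  {"Id": "h-examplehandshakeid222", "Action": "INVITE", "State": "ACCEPTED",
   "RequestedTimestamp": 1.469205437427E9, "ExpirationTimestamp": 1.471797437427E9,
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "anika@example.com", "Type": "EMAIL"}]},
  {"Id": "h-examplehandshakeid333", "Action": "INVITE", "State": "OPEN",
   "RequestedTimestamp": 1482520459.0, "ExpirationTimestamp": 1483816459.0,
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "999999999999", "Type": "ACCOUNT"}]}
]}
""")


def invited_party(handshake):
    """Return the Id of the invited side (the party that is not the organization)."""
    for party in handshake.get("Parties", []):
        if party.get("Type") != "ORGANIZATION":
            return party.get("Id", "")
    return ""


def open_invites(handshakes):
    """OPEN invitations; each one already counts against the account quota."""
    return [h for h in handshakes
            if h.get("Action") == "INVITE" and h.get("State") == "OPEN"]


def triage(handshakes, now, approved, warn_days=3):
    """Classify each open invitation.

    now      -- current time as epoch seconds (same unit as the CLI timestamps)
    approved -- email addresses / account IDs you expect to have invited (assumption:
                your change process keeps such a list)
    """
    approved = {a.lower() for a in approved}
    findings = []
    for h in open_invites(handshakes):
        target = invited_party(h)
        days_left = (float(h["ExpirationTimestamp"]) - now) / DAY
        if target.lower() not in approved:
            finding = "unapproved"      # nobody signed off on this invitation
        elif days_left <= 0:
            finding = "stale"           # still listed OPEN although past its expiry
        elif days_left <= warn_days:
            finding = "expiring"        # chase the account owner or resend later
        else:
            finding = "ok"
        row = {"id": h["Id"], "target": target,
               "days_left": round(days_left, 1), "finding": finding}
        if finding == "unapproved":
            # Command form taken from the cancel example on this page.
            row["cancel"] = ("aws organizations cancel-handshake "
                             f"--handshake-id {h['Id']}")
        findings.append(row)
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE["Handshakes"], now=1482780000,
                      approved={"juan@example.com"}):
        print(row)
```
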

# Accepting or declining account invitations with AWS Organizations
<a name="orgs_manage_accounts_accept-decline-invite"></a>

If you receive an invitation to join an organization, you can accept or decline the invitation.

## Considerations
<a name="orgs_manage_accounts_accept-decline-invite-considerations"></a>

**An account’s status with an organization affects what cost and usage data is visible**

If a member account leaves an organization and becomes a standalone account, the account no longer has access to cost and usage data from the time range when the account was a member of the organization. The account has access only to the data that is generated as a standalone account.

If a member account leaves organization A to join organization B, the account no longer has access to cost and usage data from the time range when the account was a member of organization A. The account has access only to the data that is generated as a member of organization B.

If an account rejoins an organization that it previously belonged to, the account regains access to its historical cost and usage data.

**Only member accounts and standalone accounts can accept or decline an invitation**

Only member accounts and standalone accounts can accept or decline an invitation to join an organization. If an invitation is sent to a management account that is already part of an organization, that account won't be able to view the invitation until they [remove all member accounts from their organization](orgs_manage_accounts_remove.md) and [delete the organization](orgs_manage_org_delete.md).

**CloudTrail logging takes place in the account taking the action**

If a member account or standalone account accepts or declines an account invitation, that action is logged in the CloudTrail log of the acting account. If the acting account is a member account, that action is not logged in the management account's CloudTrail logs. This is consistent with CloudTrail logging in related scenarios: for example, a member account leaving an organization is logged in the member account's trail, and a management account removing a member account is logged in the management account's trail.
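
Because an acceptance is recorded only in the acting account's trail, a pipeline that collects just the management account's trail sees an invitation go out but never sees its outcome. The added example below (not from the AWS documentation) reconciles invitation events across trails to expose that gap; the records are constructed, and the `handshakeId` request key is an assumption about how CloudTrail renders the parameter.

```python
ORG_SOURCE = "organizations.amazonaws.com"
INVITE = "InviteAccountToOrganization"
OUTCOMES = {"AcceptHandshake", "DeclineHandshake", "CancelHandshake"}


def event(time, name, recorded_in, request=None, response=None, error=None):
    """Build a constructed CloudTrail record with only the fields read below."""
    rec = {"eventTime": time, "eventSource": ORG_SOURCE, "eventName": name,
           "recipientAccountId": recorded_in,   # account whose trail holds the record
           "requestParameters": request, "responseElements": response}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed records; account IDs and handshake IDs are placeholders.
MGMT_TRAIL = [
    event("2024-05-01T10:00:00Z", INVITE, "111111111111",
          response={"handshake": {"id": "h-examplehandshakeid111"}}),
    event("2024-05-01T10:05:00Z", INVITE, "111111111111",
          response={"handshake": {"id": "h-examplehandshakeid222"}}),
    event("2024-05-02T09:00:00Z", "CancelHandshake", "111111111111",
          request={"handshakeId": "h-examplehandshakeid222"}),
]
MEMBER_TRAIL = [
    event("2024-05-03T08:30:00Z", "AcceptHandshake", "222222222222",
          request={"handshakeId": "h-examplehandshakeid111"}),
]


def handshake_id(rec):
    """Invite: the ID is in the response. Outcome calls: it is the request parameter."""
    req = rec.get("requestParameters") or {}
    resp = rec.get("responseElements") or {}
    return req.get("handshakeId") or (resp.get("handshake") or {}).get("id")


def timeline(records):
    """Group successful invitation events by handshake ID, oldest first."""
    grouped = {}
    for rec in sorted(records, key=lambda r: r.get("eventTime", "")):
        if rec.get("eventSource") != ORG_SOURCE:
            continue
        if rec.get("eventName") not in OUTCOMES | {INVITE}:
            continue
        if rec.get("errorCode"):        # a failed call changed nothing
            continue
        hid = handshake_id(rec)
        if hid:
            grouped.setdefault(hid, []).append(
                (rec["eventTime"], rec["eventName"], rec.get("recipientAccountId")))
    return grouped


def unresolved_invites(records):
    """Invitations with no accept, decline or cancel event in the collected trails.

    An entry here means the invitation is still open, has expired (expiry is not
    an API call), or its outcome was logged in an account whose trail you
    do not collect.
    """
    return sorted(
        hid for hid, events in timeline(records).items()
        if any(name == INVITE for _, name, _ in events)
        and not any(name in OUTCOMES for _, name, _ in events))


if __name__ == "__main__":
    print("management trail only:", unresolved_invites(MGMT_TRAIL))
    print("with member trail:    ", unresolved_invites(MGMT_TRAIL + MEMBER_TRAIL))
```
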

## Accept or decline an account invitation
<a name="orgs_manage_accounts_accept-decline-invite-steps"></a>

To accept or decline the invitation, complete the following steps.

**Minimum permissions**  
To accept or decline an invitation to join an organization, you must have the following permissions:  
+ `organizations:ListHandshakesForAccount` – Required to see the list of invitations in the AWS Organizations console.
+ `organizations:AcceptHandshake`
+ `organizations:DeclineHandshake`
+ `organizations:LeaveOrganization` – Required only when accepting an invitation when your account is already a member of an organization.
+ `iam:CreateServiceLinkedRole` – Required only when accepting the invitation requires the creation of a service-linked role in the member account to support integration with other AWS services. For more information, see [AWS Organizations and service-linked roles](orgs_integrate_services.md#orgs_integrate_services-using_slrs).

------
#### [ AWS Management Console ]

**To accept or decline an invitation**

1. An invitation to join an organization is sent to the email address of the account owner. If you are an account owner and you receive an invitation email message, follow the instructions in the email invitation or go to [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) in your browser, and then choose **Invitations**, or go straight to the **[member account's Invitation](https://console.aws.amazon.com/organizations/v2/home/invitations)** page.

1. If prompted, sign in to the invited account as an IAM user, assume an IAM role, or sign in as the account's root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)).

1. The **[member account's Invitation](https://console.aws.amazon.com/organizations/v2/home/invitations)** page displays your account's open invitations to join organizations.

   Choose **Accept invitation** or **Decline invitation** as appropriate.
   + If you choose **Accept invitation** in the preceding step, the console redirects you to the [Organization overview](https://console.aws.amazon.com/organizations/v2/home/dashboard) page with details about the organization that your account is now a member of. You can view the organization's ID and the owner's email address.
**Note**  
Accepted invitations continue to appear in the list for 30 days. After that, they are deleted and no longer appear in the list.

     AWS Organizations automatically creates a service-linked role in the new member account to support integration between AWS Organizations and other AWS services. For more information, see [AWS Organizations and service-linked roles](orgs_integrate_services.md#orgs_integrate_services-using_slrs).

     AWS sends an email message to the owner of the organization's management account stating that you accepted the invitation. It also sends an email message to the member account owner stating that the account is now a member of the organization.
   + If you choose **Decline** in the preceding step, your account remains on the **[member account's Invitation](https://console.aws.amazon.com/organizations/v2/home/invitations)** page that lists any other pending invitations.

     AWS sends an email message to the organization's management account owner stating that you declined the invitation.
**Note**  
Declined invitations continue to appear in the list for 30 days. After that, they are deleted and no longer appear in the list.

------
#### [ AWS CLI & AWS SDKs ]

**To accept or decline an invitation**  
You can use the following commands to accept or decline an invitation:
+ AWS CLI: [accept-handshake](https://docs.aws.amazon.com/cli/latest/reference/organizations/accept-handshake.html), [decline-handshake](https://docs.aws.amazon.com/cli/latest/reference/organizations/decline-handshake.html) 

  The following example shows how to accept an invitation to join an organization.

  ```
  $ aws organizations accept-handshake --handshake-id h-examplehandshakeid111
  {
      "Handshake": {
          "Action": "INVITE",
          "Arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111",
          "RequestedTimestamp": 1481656459.257,
          "ExpirationTimestamp": 1482952459.257,
          "Id": "h-examplehandshakeid111",
          "Parties": [
              {
                  "Id": "o-exampleorgid",
                  "Type": "ORGANIZATION"
              },
              {
                  "Id": "juan@example.com",
                  "Type": "EMAIL"
              }
          ],
          "Resources": [
              {
                  "Resources": [
                      {
                          "Type": "MASTER_EMAIL",
                          "Value": "bill@amazon.com"
                      },
                      {
                          "Type": "MASTER_NAME",
                          "Value": "Management Account"
                      },
                      {
                          "Type": "ORGANIZATION_FEATURE_SET",
                          "Value": "ALL"
                      }
                  ],
                  "Type": "ORGANIZATION",
                  "Value": "o-exampleorgid"
              },
              {
                  "Type": "EMAIL",
                  "Value": "juan@example.com"
              }
          ],
          "State": "ACCEPTED"
      }
  }
  ```

  The following example shows how to decline an invitation to join an organization.
+ AWS SDKs: [AcceptHandshake](https://docs.aws.amazon.com/organizations/latest/APIReference/API_AcceptHandshake.html), [DeclineHandshake](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeclineHandshake.html)

------