Hi, thanks for your answer.
It may be a misunderstanding on my side due to this message when I try to use a service in the new account: As the account has been created recently, I didn't really see the part at the bottom which said: "It might take up to 24 hours to fully activate your AWS services.". Maybe it's due to this part that I can't access the services.
Nataliya, I am pretty confused. As I understand it, the idea behind AWS Organizations is you have a single management account that pays the bills, and then you can create many (possibly very many if done programmatically?) different accounts and OUs to segment your organization into different roles and environments. For example, this chart showing a recommended organization setup https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/advanced-organization.html. Are you saying that every one of those accounts needs to verify and add credit card information? I just encountered the same thing as the OP where I am trying to just create a staging/testing environment to deploy a replica of our infra into. I created the account but am unable to do anything because it says the "AWS Access Key Id needs a subscription for the service". When I try to go to things like Systems Manager in the console, I am taken to the same thing that asks me to "Complete Signup" and add a credit card, verify, etc. What is the point of a management account if every other account needs to add their own payment information? And how is it sane to utilize this to provision different environments? Or maybe this is just a thing that I need to wait on? Pretty sure I created the account over 24 hrs ago. I feel like I am missing something! Any help appreciated.
You don't have to add a payment method on an account that's created inside an Organization (created by the Payer); however, you would have to add a payment method if you wanted to kick that account out, or if the account decides to leave, because in that case the account would exist outside the Org as a Standalone account. However, if you invite an existing account to join your Organization, it means that account is currently a Standalone account (it has to be, because otherwise it can't join your Organization), and it means it already has a payment method added.
Now, let's assume your invited account joins the Organization, and you want to remove a payment method. It's not possible to remove the last existing default payment method from that account, because a valid payment method needs to be present if you would later want to leave the Organization (even if that linked account will be joining a new Organization - it needs to leave the existing one, and therefore it will become a Standalone account for the time in between).
On the AWS side we don't prevent customers from removing their accounts from an Organization, so to protect both customers and AWS, some of these measures are in place. Customers can use their own controls (like Service Control Policies), so they can for example prevent linked accounts from leaving. You as a customer have (and should have) control over governance of your accounts. So, let's say you decide to remove an account from the Organization: that account becomes Standalone and must have a valid payment method to pay for its own usage & bills. If an account could exist outside the Organization without a payment method, that... would be risky :) from a financial point of view. From another side (though it's not exactly billing related, but more from the access and control side of the story) - imagine there's a linked account that's owned by a company, and therefore, that company is responsible for paying the bills. Imagine someone gets unauthorized access to the account, removes it from the Organization, and starts generating large charges, while the company would still be responsible for paying those charges. In this case it would be a risk both for the customer and for AWS, which is why many such account-management related restrictions are in place.
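The Service Control Policy control mentioned in the answer above, as an added example that is not part of the original answer or AWS's reply: a policy that denies `organizations:LeaveOrganization`, meant to be attached from the management account to the organization root or to the OU holding the member accounts. The `Sid` value is a constructed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMemberAccountLeavingOrganization",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs do not apply to the management account, so removing a member account from the management account remains possible with this policy attached.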
I don't understand the logic for requiring a payment method to be added even if the account is a linked account. The management account is the main source of paying all the bills for linked accounts. AWS should allow deleting the payment method if it's linked to any management account.
Ah, fair enough :) Yes, usually the accounts get activated quickly, but it may indeed take several hours, or a day, for full verification before you can start using the services. If something still doesn't work after 24h, you should open a support case with customer service (payment or a paid support plan is NOT required), and they'll investigate.