Questions tagged with AWS Organizations
I have a basic organization set up with a handful of OUs. These OUs only have one SCP to restrict member account root users. I also have an AWS account that's not part of the organization which runs production and critical workloads. Currently, users log in with IAM users but the organization has SSO enabled. My assumption is that the risks associated with joining the account to the organization are almost non-existent. Meaning the workloads will remain unaffected and existing IAM users will continue to work as they do now. Of course, the root user of the account will stop working because of the SCP. Can anyone think of any other risks I should account for? Has anyone experienced issues?
Hi, we have an existing Grafana environment in one of our AWS accounts and were previously able to log in to Grafana through the assigned user from the IAM Identity Center in the same account. We have now restructured our AWS organization by introducing a new management account which now hosts the IAM Identity Center. Assignments have been updated and the new user is assigned in Grafana as Admin. Unfortunately, we are now unable to sign in to Grafana with IAM Identity Center. We get "Login Failed - internal server error". ![Login Failed](/media/postImages/original/IMBoPh7_-cQRmz0_65yzLoNQ) Is somebody able to help us with this issue? Thanks! Manfred
I have a task where I'm required to make sure all my GuardDuty logs from multiple accounts are logged to one account using a centralized logging solution. At the moment, I'm trying to find a way, either via console or CLI, or both, to confirm if my GuardDuty logs are centralized in the account I am in. Is there an easy way to confirm this?
Hi everyone, I have a customer who is looking to move from a Partner to AWS directly. Their consumption is around $20K and they want to continue with the consumption without a Support Plan; is that OK? Can they work without a Plan? Thanks in advance,
In my Control Tower I have some small project accounts that have some EC2/ECS that are periodically (every 1-6 hours) started to do some task and then stopped. AWS Config costs me a lot more than EC2/ECS itself. For me it is not sustainable. I state that I have never used AWS Config outside of Control Tower. How can I disable it entirely (or at least for EC2/ECS start/stop events) for some (or all) accounts in my Control Tower?
Suppose there are 4 different AWS accounts, let's say the accounts are aws1, aws2, aws3, aws4, aws5. aws1 is a kind of parent account through which all other accounts are managed through AWS Organizations, with SSO set up in aws1. Also, if we need to give permission to any user for any AWS resources in any AWS account, then we do it from the aws1 account only. So it's kind of hectic managing permissions for each and every user from the aws1 account for all other AWS accounts. Is there a way we can streamline these user permissions across different AWS accounts in a more efficient way? Thanks in advance!
Hello, currently, we have an AWS account A, which is a root account in AWS Organizations with consolidated billing for all account members. Plan: create account B, its billing joins the billing under account A Organizations and its other members, but at the same time, it will be an independent root account in its own AWS organization. So, the accounts A and B are not members of the same Organization, but have linked billing. Is that doable? Thanks, Michal
Hi, I have multiple organizations in my account hierarchy. We're using multiple organizations as each needs to be billed separately (different countries). Is it possible to have a single instance of IAM Identity Center to enable SSO across multiple organizations? Note: Multiple organizations is a suggested approach per AWS documentation - https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Billing_Strategy.pdf
I am trying to enable AWS Config as a trusted service from AWS Organizations as mentioned in the official documentation. However, I see a note that AWS recommends enabling the trusted service from the AWS Config service and not from AWS Organizations. How do I enable the trusted service from AWS Config so that any rule or pack I enable in the management account gets automatically replicated to member accounts?
I told my team members not to use this account, and we have tried to migrate to a different cloud account since last month. But AWS sent me a big surprising bill this month; there were many unrecognized activities in our account. I emailed and talked to AWS a number of times in the last two weeks. AWS staff checked my account, seeing no usage activities as we have deleted everything (except I failed to delete the organization and there was some error message). Meanwhile AWS still keeps charging me every day. It is really frustrating/upsetting that AWS keeps charging me every day while we do not use anything (they have verified also). Appreciate any advice. Thanks
Greetings to everyone. When trying to add an AWS account to my existing organization in AWS Organization (when sending an invitation), I get the error "You have exceeded the allowed number of AWS accounts." I am aware that the default account limit is 10. And I do not exceed this limit. I get the same error when I create a new organization. Thank you in advance for your support.
Hi, I've an AWS organisation account setup with Identity Center enabled in the management account. I've enabled MFA sign-in for a test user. I've applied an SCP to one of the member accounts to deny certain operations.

```
Statement:
  - Sid: DenyAllExceptListedActionsIfNoMFA
    -----
    Condition:
      BoolIfExists:
        aws:MultiFactorAuthPresent: 'false'
```

Now when I sign in as the test user to the member account these operations are denied for me irrespective of whether I used MFA to sign in or not. Would you be able to give an example of how this is supposed to work on the console as well as on the command line? How do I pass the token? Thanks.