Outshift | Simplifying account-based billing through AWS organizational setup

Billing is core to the smooth operation of any business, and an organized AWS account structure using the AWS Organizations Service ensures that your billing processes run smoothly. This post walks through how the AWS Organizations Service can be used to simplify account-based billing for organizations. The image below shows a sample AWS account structure made using the AWS Organizations Service. Once configured, after going to the AWS Billing console, the user will see the billing information for each account added. Sample Organizational Structure in AWS Organizations View The AWS Organizations setup must be done in the owners AWS account, also known as a management account. This owner account is financially responsible for all AWS accounts added under it. Suppose an admin in the management account is setting up a structure for an organization. This post will walk through the steps required to create an initial admin account and account root credentials for an organization. The management account’s admin can provide these credentials to the organization’s admin, who can then create department accounts and billing entities. The management accounts admin can also give role-based access to a group of admins at the organization, who can then access and manage additional user accounts.

Setup Steps

Create organization’s account

[To be created by a management account admin] a. Ensure that you are logged in as root/IAM user in the management account with appropriate permissions. b. Go to the AWS Organizations service and click the Actions dropdown. Select Create new to create the organization. The organization account will map to an AWS Org Organizational Unit (OU).

Create initial admin account for the organization

[To be created by a management account admin] a. Ensure that you are logged in as root/IAM user in the admin management account with proper permissions. b. Ensure that you have an email ID that is not registered with any existing AWS Account. It will be used for the new account. c. Go to the AWS Organizations service and select Add an AWS Account at the top of the page. Select Create an AWS Account. Note that we are describing the steps to creating a new AWS Account as part of an AWS OU rather than inviting an existing AWS account. The benefit of this approach is that it creates a default AWS admin role in the child account, enabling the parent account to manage the child account using cross account procedures. When inviting an existing AWS Account as part of an AWS OU, the organization account user must manually create this admin role in the account — the admin user cannot create the role. a. Save the created account’s root credentials so they can be provided to the organization’s user. b. In the Organization view, select the Actions dropdown menu and select Move to move it to the OU. a. Create an admin account for the organization (if needed). The management root account is the financial owner of an organization’s accounts, but this role does not have any other access to those accounts. You can follow the steps below for a management account to be able to access the member account. Follow the steps listed in the AWS documentation Accessing a member account that has a management account access role. By switching to the management account role, you can create an admin account for the organization to manage all accounts within the organization, as shown below.

Create department accounts and billing entities

If the original admin user (from the management account) is creating department accounts and billing entities for an organization, follow the steps listed in #2 above for each department. If an organization’s admin is creating department accounts and billing entities, follow the steps listed below. a. The admin will need to create and configure an IAM role in advance by an admin. This will give permission to an organization’s admin user to create an account under their OU. Use the code below:

{
	"Version": "2012–10–17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "organizations:MoveAccount",
			"Resource": [
				"arn:aws:organizations::*:account/o-*/*",
				"arn:aws:organizations::111111111111:root/o-dddddddd/r-dddd",
				"arn:aws:organizations::111111111111:ou/o -ddddddddd /ou-ddddddd"
			]
		},
		{
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": ["organizations:CreateAccount"],
			"Resource": "*"
		}
	]
}

b. Set up cross-account access from organization’s admin account to the original admin account using the steps in the next section entitled, Enable cross-account access for organization’s admins. Once those steps are complete, follow the steps in #2 for each department.

Enable cross-account access for organization’s admins to manage individual department accounts

An organization’s admin must complete the steps below. The steps below describe a scenario where Account A requires access to Account B after both accounts are created.

Log in to Account B. Check if the role required exists. If it does not, create a new role with an inline policy by going to AWS IAM and selecting Create Role. Below is an example of a role allowing access to all an account’s resources.
Ensure that the correct trust policy is set on the role. The image below shows that a specific user in Account A has been granted access.
Now, log in to Account A. Go to IAM and select Create Policy. Ensure that the roles shown in the accounts in the image below exist.
Next, associate the role with a user group. Go to IAM and select Create an IAM User.
Go to IAM and select Create an IAM User Group. Next, add the user and policy created to this group.
Switch roles as IAM user in Account A to access resources in Account B: a. Log in as IAM User in Account A that is added as part of the above group in step 2. b. Switch roles to Account B. You can now access resources in Account B.