Search code examples
amazon-web-servicesaws-organizationsaws-control-toweraws-landing-zone

Can you create AWS accounts from member accounts?


I am creating an AWS organization and some member accounts within their own OUs (organizational Unit). Is there a way to create new accounts in the OUs from the member accounts or is the only way to create new accounts from within the Management account? For example: account a-acc is in OU a-ou and has a service catalog product to create new accounts in a-ou but not only there. If this is possible, how can I do it?


Solution

  • As far as I'm aware, the only way to create new accounts in an AWS organization is via the Organizations API in the management account.

    It appears what you want to do is provide self-service tenant provisioning capabilities to your teams. There's a few options

    • Use AWS Control Tower Account Factories expose them via AWS Marketplace to member accounts
    • Use a custom AWS Marketplace service (e.g. the "old" Account Vending Machine solution)
    • Build an in-house tenant provisioning process outside of AWS, e.g. with GitOps or an existing service management portal (ITSM)

    With all of these solutions you need to implement a form of the "same OU" restriction you mention. For the AWS marketplace based solutions you can e.g. create a product wrapping the "generic" account factory and pre-populate the OU parameter for where the account is going to be placed. This means that you have to create and manage many different "wrapping" products.

    From my experience with setting up resource hierarchies for enterprises on many different clouds its much better to stay flat and refrain from modeling your organizational structure (e.g. departments, teams, divisions) into the cloud resource hierarchy. Most IT systems outlive the organizational structure they were born from and re-organizing your cloud resource hierarchy is usually pretty painful. I'm just mentioning this here because your "same OU" restriction sounds like "I want to give this team their own OU and manage their own accounts".

    If this accurately describes what you're trying to accomplish, here's some ideas for alternatives

    • model organizational hierarchy like department etc. as tags on accounts instead of mapping to OUs
    • leverage a cloud foundation platform that can enforce permission models (who can create a new account) and tagging (e.g. accounts requested by this team always get tagged with their team id)