How to create new account in AWS Organization
Pre-requisites
- Decide the name of the account and create the appropriate email address, for example aws_income_mgmt_connect+prod@hhs.iowa.gov.
- Find which organization it belongs to.
Step 1: Start from the AWS Management Console
- Sign in to the AWS Management Console
  • Go to the AWS Management Console.
  • Sign in using your root user or an IAM user that has sufficient permissions to create new accounts (e.g., organizations:CreateAccount).
- Navigate to AWS Organizations
  • In the AWS Management Console, search for and select Organizations in the search bar, or navigate to Services > Management & Governance > AWS Organizations.
- Access the “Accounts” Section
  • In the AWS Organizations console, on the left-hand navigation panel, click on Accounts.
- Create a New Account
  • On the Accounts page, click the Create account button at the top right of the page.
- Provide New Account Information
  You will need to provide the following details for the new account:
  • Account Name: Choose a name for the new AWS account (e.g., NewAccount).
  • Email Address: Enter a valid email address for the new account. This email address will be used for account management and recovery, and it must be unique across AWS accounts.
  • IAM Role Name: Provide the name of the role that will be created in the new account. By default, this role is named OrganizationAccountAccessRole. This role allows you to access the new account from within your organization.
  • Optional: Organizational Unit (OU): Choose the organizational unit (OU) where the new account will reside. You can leave this as the root of the organization if you do not want to place it in an existing OU.
  • IAM User Access to Billing: Select whether or not you want to allow IAM users in the new account to access billing information. The options are:
    o Allow: IAM users in the account can access billing information.
    o Do not allow: IAM users cannot access billing information.
- Review and Create
  • After filling in the information, review the details and click Create.
- Wait for Account Creation
  • AWS will begin creating the new account. This may take a few minutes to complete. You’ll be able to see the status of the account creation in the console.
    o The status will initially show as In Progress.
    o Once the account is successfully created, the status will change to Succeeded, and the new account will appear in the Accounts list.
- Verify and Access the New Account
  • After the new account has been created, you can view the account details in the Accounts section of the AWS Organizations console.
  • You can also switch to the new account by using the IAM role (OrganizationAccountAccessRole) created in the new account. This role grants access to the account from the management account or another IAM principal within the organization.
- For each account to enroll in AWS Control Tower:
1: Sign in with administrator access to the management account of the organization that currently contains the account you wish to enroll.
For example, if you created this account from AWS Organizations and you use a cross-account IAM role to sign in, then you may follow these steps:
- Sign in to your organization’s management account.
- Go to AWS Organizations.
- Under Accounts, select the account you want to enroll and copy its account ID.
- Open the account dropdown menu on the top navigation bar and choose Switch Role.
- On the Switch role form, fill in the following fields:
  • Under Account, enter the account ID you copied.
  • Under Role, enter the name of the IAM role that enables cross-account access to this account. The name of this role was defined when the account was created. If you did not specify a role name when you created the account, enter the default role name, OrganizationAccountAccessRole.
- Choose Switch Role.
- You should now be signed into the AWS Management Console as the child account.
- When you’re finished, stay in the child account for the next part of the procedure.
- Make note of the management account ID, because you will need to enter it in the next step.
2: Give AWS Control Tower permission to manage the account.
- Go to IAM.
- Go to Roles.
- Choose Create role.
- When asked to select which service the role is for, choose Custom trust policy.
- Copy the code example shown here and paste it into the Policy Document. Replace the string Management Account ID with the actual management account ID of your management account. Here is the policy to paste:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::Management Account ID:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }

- When asked to attach policies, choose AdministratorAccess.
- Choose Next:Tags.
- You may see an optional screen titled Add tags. Skip this screen for now by choosing Next:Review.
- On the Review screen, in the Role name field, enter AWSControlTowerExecution.
- Enter a brief description in the Description box, such as Allows full account access for enrollment.
- Choose Create role.
Please make sure all the above steps are completed; without them the pipeline will fail with errors.
Step 2: Update the Config in the Git Repository
In this step, you’ll update the AWS Accelerator configuration by cloning the repository, creating a new branch, and editing the configuration file (accounts-config.yaml). Here’s a detailed guide on how to do this:
Step-by-Step Guide:
- Clone the Repository
- Clone the GitHub Repository:
  o Open your terminal or Git client.
  o Run the following command to clone the repository from GitHub:
    git clone https://github.com/iowahhs/hhs-aws-accelerator-config.git
- Navigate to the Repository Directory:
  o After cloning the repository, navigate to the directory where it was cloned:
    cd hhs-aws-accelerator-config
- Create a New Branch
- Create a New Branch:
  o It’s important to work on a separate branch rather than directly on the main branch.
  o Create a new branch for your changes. You can name the branch according to the feature or update you are working on (e.g., update-account-config):
    git checkout -b update-account-config
- Push the New Branch to Remote:
  o Push the newly created branch to the remote repository to ensure your changes will be tracked:
    git push origin update-account-config
- Update the accounts-config.yaml File
- Locate the accounts-config.yaml File:
  o In the repository, locate the file named accounts-config.yaml. This file contains the configuration for the AWS accounts that will be part of the AWS Accelerator setup.
- Edit the accounts-config.yaml File:
  o Open the accounts-config.yaml file in your text editor or IDE.
  o Add the new account details. For example, you will add a new entry like the following:
    - name: hhsaws-income-mgmt-callcenter-dev
      description: hhsaws-income-mgmt-callcenter-dev
      email: aws_income_mgmt_connect+dev@hhs.iowa.gov
      organizationalUnit: Workloads/Dev
  Explanation of Attributes:
  o name: The name of the new AWS account you are adding.
  o description: A description of the new account (you can use the same value as the name or provide more details).
  o email: The email address associated with the account.
  o organizationalUnit: The AWS Organizational Unit (OU) where the new account will be placed, written as a path. For example, Workloads/Dev places the account in the Dev OU nested under the Workloads OU.
- Repeat:
  o Add any additional account entries following the same structure as above.
For reference, see this sample commit: https://github.com/iowahhs/hhs-aws-accelerator-config/commit/485b6f1831d39ff68757f4b4ecf89814ecf902e9
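Because the pipeline fails when the role steps above are incomplete, a pre-flight check before pushing the branch catches the two mistakes that are easiest to make by hand: a trust policy pasted with the Management Account ID placeholder still in place (or with curly quotes from a document, which IAM rejects as invalid JSON), and an accounts-config.yaml entry that reuses an email address already tied to another account. The script below is an example added to this page; it is not code from this runbook or from the hhs-aws-accelerator-config repository. The function names, the email regex (plus-addressed mailboxes at hhs.iowa.gov), the second sample account (hhsaws-income-mgmt-callcenter-prod in Workloads/Prod) and the account ID 123456789012 are assumptions, and the small YAML reader handles only the flat list shape shown above, not the full accounts-config.yaml.

```python
"""Pre-flight checks for the two hand-edited artifacts in this runbook: the
AWSControlTowerExecution trust policy and new accounts-config.yaml entries.
Added example, not code from the hhs-aws-accelerator-config repository;
all sample inputs are constructed and 123456789012 is a placeholder ID."""
import json
import re

PLACEHOLDER = "Management Account ID"
REQUIRED_KEYS = ("name", "description", "email", "organizationalUnit")
# Assumed naming convention from the runbook: <base>+<env>@hhs.iowa.gov
EMAIL_RE = re.compile(r"^[a-z0-9._]+\+[a-z0-9]+@hhs\.iowa\.gov$")


def build_trust_policy(management_account_id: str) -> dict:
    """Runbook trust policy with the placeholder filled in. Rejects anything
    that is not a 12-digit account ID, so the literal placeholder (or a typo)
    can never become the trusted principal."""
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {management_account_id!r}")
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                 "Action": "sts:AssumeRole", "Condition": {}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def render_policy(management_account_id: str) -> str:
    """JSON text ready to paste into the IAM console's Policy Document box."""
    return json.dumps(build_trust_policy(management_account_id), indent=2)


def check_trust_policy(policy_json: str, management_account_id: str) -> list:
    """Problems in a pasted trust policy; an empty list means it is fine."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (curly quotes from a document?): {exc.msg}"]
    problems = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {}).get("AWS", "")
        if PLACEHOLDER in principal:
            problems.append(f"placeholder {PLACEHOLDER!r} was not replaced")
        elif principal != f"arn:aws:iam::{management_account_id}:root":
            problems.append(f"unexpected principal {principal!r}")
        if stmt.get("Action") != "sts:AssumeRole":
            problems.append(f"unexpected action {stmt.get('Action')!r}")
    return problems


def parse_accounts_yaml(text: str) -> list:
    """Minimal reader for the flat 'accounts:' list shape shown in the runbook
    (one level of '- key: value' mappings, no quoting or nesting)."""
    accounts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue  # blank line, comment, or the 'accounts:' header
        if line.startswith("- "):
            current = {}
            accounts.append(current)
            line = line[2:]
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return accounts


def check_accounts(accounts: list, existing_emails=()) -> list:
    """Problems across new entries: missing keys, emails outside the naming
    convention, and duplicate emails (AWS requires every account email to be
    unique; pass the organization's current emails as existing_emails)."""
    problems, seen = [], {e.lower() for e in existing_emails}
    for acct in accounts:
        label = acct.get("name", "<unnamed>")
        problems += [f"{label}: missing {k}" for k in REQUIRED_KEYS if not acct.get(k)]
        email = acct.get("email", "").lower()
        if email:
            if not EMAIL_RE.match(email):
                problems.append(f"{label}: email {email!r} does not follow the convention")
            if email in seen:
                problems.append(f"{label}: email {email!r} is already used by another account")
            seen.add(email)
    return problems


# Constructed sample: the second entry accidentally reuses the dev mailbox.
SAMPLE_ACCOUNTS_YAML = """\
accounts:
  - name: hhsaws-income-mgmt-callcenter-dev
    description: hhsaws-income-mgmt-callcenter-dev
    email: aws_income_mgmt_connect+dev@hhs.iowa.gov
    organizationalUnit: Workloads/Dev
  - name: hhsaws-income-mgmt-callcenter-prod
    description: hhsaws-income-mgmt-callcenter-prod
    email: aws_income_mgmt_connect+dev@hhs.iowa.gov
    organizationalUnit: Workloads/Prod
"""
# Constructed sample: the policy pasted straight from the runbook, unedited.
UNREPLACED_POLICY = (
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"AWS": "arn:aws:iam::Management Account ID:root"}, '
    '"Action": "sts:AssumeRole", "Condition": {}}]}'
)

if __name__ == "__main__":
    for p in check_accounts(parse_accounts_yaml(SAMPLE_ACCOUNTS_YAML)):
        print("accounts-config.yaml:", p)
    for p in check_trust_policy(UNREPLACED_POLICY, "123456789012"):
        print("trust policy:", p)
    print(render_policy("123456789012"))
```

Run it with the real management account ID in place of the placeholder and paste the rendered policy into the Policy Document box; feed check_accounts the email addresses of the accounts already in the organization so the uniqueness check covers more than the new entries. The principal stays the management account root, exactly as in the runbook's policy; the checker's job is only to make sure that is what actually got pasted.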
Step 3: Run the Accelerator pipeline
This step walks through logging in to the AWS Console, opening AWS CodePipeline, and running the AWSAccelerator-Pipeline:
Log in to the AWS Console and search for CodePipeline:
  • In the AWS Management Console, search for CodePipeline in the search bar located at the top.
Go to CodePipeline:
  • From the search results, click on CodePipeline under the Services section to open the CodePipeline dashboard.
Trigger the Pipeline:
  • Open the AWSAccelerator-Pipeline. On the pipeline’s page, you’ll see a button labeled Release change or Release (depending on the setup).
  • Click on Release to trigger the pipeline. This will initiate the pipeline execution, triggering all the stages in the pipeline as configured.
Monitor Pipeline Execution:
  • You can monitor the progress of each stage within the pipeline. It will show details such as source changes, build status, deployment status, etc.
  • If any errors occur, they will be displayed here with logs and error messages to help troubleshoot.