AWS Account is Part of an Organization
Overview
This check verifies that your AWS account is a member of an AWS Organization. It calls the Organizations DescribeOrganization API from the account being assessed: a successful response means the account belongs to an organization, which the check reports as an ACTIVE organization, while a standalone account fails because the API returns AWSOrganizationsNotInUseException. The Organization object returned by the API has no Status field of its own, so "ACTIVE" here means the lookup succeeded rather than that a field was read. AWS Organizations carries no additional charge and lets you centrally manage multiple AWS accounts, apply security policies such as service control policies (SCPs), and consolidate billing.
Risk
Running AWS accounts outside of an Organization creates governance gaps:
- No centralized security guardrails - Service Control Policies (SCPs), which cap what identities in member accounts can do regardless of their IAM permissions, are only available inside an organization with all features enabled
- Fragmented visibility - Organization-wide CloudTrail trails, organization-level AWS Config aggregators and delegated administrators for services such as GuardDuty and Security Hub all require an organization, so logging, detection and incident response must be wired up account by account
- Billing complexity - You lose consolidated billing and organization-level cost allocation
- Configuration drift - Nothing prevents an account administrator from disabling logging, working in unapproved regions or granting permissions your policy forbids, because no control sits above the account's own IAM
Remediation Steps
Prerequisites
- Access to the AWS account that will become the management account (the "parent" account). The account that issues the create call is the one that becomes the management account, so do not run these steps from a workload account
- IAM permissions to create an organization: organizations:CreateOrganization plus iam:CreateServiceLinkedRole, because Organizations creates the AWSServiceRoleForOrganizations service-linked role during setup (in practice this is usually an administrator principal)
AWS Console Method
- Sign in to the AWS Management Console
- Open the AWS Organizations console at https://console.aws.amazon.com/organizations/
- Click Create an organization
- Choose Create organization to confirm (this defaults to "All Features" mode, which is recommended)
- Confirm that the Settings page shows the organization ID, the management account and the feature set
After creation, you can invite existing AWS accounts to join or create new member accounts directly.
AWS CLI (optional)
Create an organization. Run this with credentials for the account that is to become the management account, because the calling account is made the management account:
aws organizations create-organization \
--feature-set ALL \
--region us-east-1
The --feature-set ALL option enables all organization features, including Service Control Policies (SCPs); creating the organization with all features also enables the SCP policy type on the organization root automatically. If you only need consolidated billing, use CONSOLIDATED_BILLING instead, but be aware that SCPs and the other policy types are then unavailable, and that this feature set cannot be used in AWS GovCloud (US).
Verify the organization exists and which account manages it:
aws organizations describe-organization \
--region us-east-1 \
--query 'Organization.{Id:Id,FeatureSet:FeatureSet,ManagementAccountId:MasterAccountId}'
Expected output (the API still names the management account MasterAccountId):
{
"Id": "o-exampleorgid",
"FeatureSet": "ALL",
"ManagementAccountId": "111122223333"
}
The Organization object has no Status field: if the call succeeds the account is in an organization, and a standalone account gets AWSOrganizationsNotInUseException instead.
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an AWS Organization with all features enabled
Resources:
  Organization:
    Type: AWS::Organizations::Organization
    # Retain: deleting the stack would otherwise try to delete the organization itself
    DeletionPolicy: Retain
    Properties:
      FeatureSet: ALL
Outputs:
  OrganizationId:
    Description: The ID of the organization
    Value: !Ref Organization
  OrganizationArn:
    Description: The ARN of the organization
    Value: !GetAtt Organization.Arn
  ManagementAccountId:
    Description: The account ID of the management account
    Value: !GetAtt Organization.ManagementAccountId
Deploy the stack from the account that is to become the management account (the stack creates the organization on behalf of the calling account):
aws cloudformation create-stack \
--stack-name aws-organization \
--template-body file://organization.yaml \
--region us-east-1
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_organizations_organization" "org" {
  # Enable trusted access for common AWS services
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "sso.amazonaws.com"
  ]

  feature_set = "ALL"

  # Enable common policy types on the organization root
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
    "TAG_POLICY"
  ]

  # A `terraform destroy` would otherwise try to delete the organization
  lifecycle {
    prevent_destroy = true
  }
}

output "organization_id" {
  description = "The ID of the organization"
  value       = aws_organizations_organization.org.id
}

output "organization_arn" {
  description = "The ARN of the organization"
  value       = aws_organizations_organization.org.arn
}

output "management_account_id" {
  # The provider attribute keeps the older name master_account_id
  description = "The account ID of the management account"
  value       = aws_organizations_organization.org.master_account_id
}
Apply the configuration from the account that is to become the management account, and review the plan before applying:
terraform init
terraform plan
terraform apply
Verification
- Go to the AWS Organizations console
- Check that the Organization overview page loads without errors
- Confirm that the organization ID, management account and feature set are displayed on the Settings page (a standalone account is offered Create an organization instead)
CLI verification
aws organizations describe-organization \
--region us-east-1 \
--query 'Organization.Id' \
--output text
This should print the organization ID (o-...). From a standalone account the command fails with AWSOrganizationsNotInUseException ("Your account is not a member of an organization"), which is exactly the condition this check flags. The Organization object has no Status field, so do not query Organization.Status: with --output text it prints None even when the account is a member.
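The CLI verification above, wrapped in a script that classifies every outcome instead of assuming success. This is an added example, not code from the original page or from AWS: it assumes the AWS CLI v2 is on the PATH, queries Organization.Id and Organization.FeatureSet rather than a Status field (the API's Organization object has none), and relies on the CLI's standard error line format "An error occurred (<Code>) when calling the ... operation". The function and variable names are the example's own, and the sample responses used to exercise it are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original page): wraps
# `aws organizations describe-organization` in a function that maps its result
# onto the check's outcomes:
#   PASS  - account belongs to an organization (with a warning when the
#           feature set is CONSOLIDATED_BILLING, where SCPs are unavailable)
#   FAIL  - standalone account (AWSOrganizationsNotInUseException)
#   ERROR - the lookup could not be made (no credentials, AccessDenied, ...)
# Assumes AWS CLI v2 on PATH and its usual error line
# "An error occurred (<Code>) when calling the DescribeOrganization operation: ...".

ORG_REGION="${ORG_REGION:-us-east-1}"   # Organizations endpoint; us-gov-west-1 in GovCloud

# classify_org_check EXIT_STATUS STDOUT STDERR
# STDOUT is the text-mode output of --query 'Organization.[Id,FeatureSet]',
# i.e. "o-xxxx<TAB>ALL". Pure function over strings so it can be exercised
# with constructed inputs and no AWS credentials.
classify_org_check() {
  cls_rc="$1"; cls_out="$2"; cls_err="$3"
  if [ "$cls_rc" -eq 0 ]; then
    # shellcheck disable=SC2086
    set -- $cls_out              # split "Id<TAB>FeatureSet" into $1 $2
    cls_id="$1"; cls_fs="$2"
    case "$cls_id" in
      o-*)
        if [ "$cls_fs" = "ALL" ]; then
          echo "PASS: member of organization $cls_id (feature set ALL)"
        else
          echo "PASS: member of organization $cls_id, feature set ${cls_fs:-unknown}; SCPs unavailable until all features are enabled"
        fi ;;
      *)
        # e.g. "None": a JMESPath that hit a missing field such as Organization.Status
        echo "ERROR: unexpected describe-organization output: $cls_out" ;;
    esac
    return 0
  fi
  case "$cls_err" in
    *AWSOrganizationsNotInUseException*)
      echo "FAIL: account is standalone; run: aws organizations create-organization --feature-set ALL" ;;
    *AccessDenied*)
      echo "ERROR: caller lacks organizations:DescribeOrganization" ;;
    *)
      echo "ERROR: describe-organization failed (exit $cls_rc): $cls_err" ;;
  esac
}

# run_org_check: performs the live call and classifies it. A failing command is
# captured with `|| rc=$?` so the script keeps going under `set -e`.
run_org_check() {
  run_rc=0
  run_errfile="$(mktemp)"
  run_out="$(aws organizations describe-organization \
               --region "$ORG_REGION" \
               --query 'Organization.[Id,FeatureSet]' \
               --output text 2>"$run_errfile")" || run_rc=$?
  run_err="$(cat "$run_errfile")"
  rm -f "$run_errfile"
  classify_org_check "$run_rc" "$run_out" "$run_err"
}

# Run the live check only when the CLI is installed; otherwise the functions are
# just defined so the file can be sourced and exercised with constructed input.
if command -v aws >/dev/null 2>&1; then
  run_org_check
fi
```

Run it with credentials for the account being assessed; a standalone account produces the FAIL line together with the create-organization command from the remediation steps, and a member account whose organization was created with CONSOLIDATED_BILLING still passes but is flagged because SCPs cannot be applied to it.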
Additional Resources
- Creating an organization - AWS Documentation
- Viewing details about an organization - AWS Documentation
- AWS Organizations best practices - AWS Documentation
- Service control policies (SCPs) - AWS Documentation
Notes
- This is a one-way decision: Once you create an organization, the account becomes the management account. Deleting the organization later requires removing all member accounts first.
- Management account responsibilities: The management account pays for all member account charges and has special permissions; SCPs do not apply to it, so its own IAM configuration is the only control over what it can do. Keep this account locked down, protect its root user with MFA, run no workloads in it, and use it only for organization management.
- Feature set upgrade: You can upgrade from CONSOLIDATED_BILLING to ALL features later, but you cannot downgrade.
- Existing accounts: If your account is already part of an organization, this check passes. You only need to remediate if the account is standalone.
- GovCloud limitation: The consolidated billing feature set is not available in the AWS GovCloud (US) Region; use --feature-set ALL and the us-gov-west-1 endpoint there.