When to use AWS Organizations

AWS Organizations is an AWS service that you can use to manage your AWS accounts as a group. This provides features like consolidated billing, where all of your accounts' bills are grouped together and handled by a single payer. You can also centrally manage the security of your organization by using policy based controls. For more information about AWS Organizations, see the AWS Organizations User Guide.

Trusted access

When you use AWS Organizations to manage your accounts as a group, most administrative tasks for the organization can be performed by only the organization's management account. By default, this includes only operations related to managing the organization itself. You can extend this additional functionality to other AWS services by enabling trusted access between Organizations and that service. Trusted access grants permissions to the specified AWS service to access information about the organization and the accounts it contains. When you enable trusted access for Account Management, the Account Management service grants Organizations and its management account permissions to access the metadata, such as the primary or alternate contact information, for all of the organization's member accounts.

For more information, see Enable trusted access for AWS Account Management.

Delegated admin

After you enable trusted access, you can also choose to designate one of your member accounts as a delegated admin account for AWS Account Management. This allows the delegated admin account to perform the same Account Management metadata management tasks for the member accounts in your organization that previously only the management account could do. The delegated admin account can access only the management tasks for the Account Management service. The delegated admin account doesn't have all of the administrative access to the organization that the management account has.

For more information, see Enable a delegated admin account for AWS Account Management.