Migracja kont AWS pomiędzy organizacjami

Migration of AWS accounts between organizations

Lukasz Dorosz
Ponad 14 lat w branży IT. Konsultant i architekt projektów Amazon Web Services. Entuzjasta rozwiązań serverless. Współtwórca AWS User Group (3500+ osób). AWS Community HERO. Masz pytanie, napisz do mnie.
pl flag
en flag
Voiced by Amazon Polly

You leave the company - take your account

This is probably one of the reasons why you might need to move accounts between organizations.

Some companies use a “lab” account policy for each employee so that you can experiment with the opportunities provided by AWS.

Certainly the reasons for migration or joining can be many, such as:

One company buys another and wants to transfer the systems to its organization,

On a very large scale, the division into a larger number of organizations,

Large amount of data to be transferred

etc.

When I talk about the organization, I mean the AWS Organizations service, which allows you to manage more AWS accounts.

So, let's move on to the concrete.

I recently had a need to transfer my lab account from Organization A to Organisation B. I found that it would be much easier and faster to secure the entire account than to copy and transfer all sorts of resources like some test lambda, script or, for example, the Cloud9 environment, which I use for different things.

This last one could be quite easy to move, but this can already be left for another entry 😎

WHAT IS NEEDED TO SURGE THE ACCOUNT

To succeed in creating an account, you need a few things, mainly about the right access:

Full access to the account that will be transferred. We are talking about ROOT access, because there you will need to change some things in the configuration of the account itself.

Administrative access to the Organization to which the above AWS account will be attached.

You may need to make copies of your reports or your billing history (if you need it).

Payment card - for the time of unfasting it will be necessary to enter it.

Optional - you will also need a new email address if you no longer have access to the current email address.

Having these things prepared, you can start the process of moving. The first steps begin on the account, which will be repinned.

STEP 1: LEAVING THE ORGANIZATION

In order to leave the organization, you must log in to the account (root user, or IAM userame with administrative privileges).

Next, you need to go to AWS Organizations, where you should see a message that the account currently belongs to your organization.

By pressing the Leave organization button, a message will appear in which you will be asked to enter a few more information. My account was created from within the organization, so I just had to fill in some data before I could leave the organization.

Some of these steps look identical to creating an account. You must accept the contract, provide payment card details and, of course, pass telephone verification and choose the support plan option.

After completing these steps, you will now be able to press the button again and successfully leave the current organization.

You can immediately go to the My Account tab (upper right corner) and immediately replace information such as contact details or ROOT email address.

Make a note of the account ID immediately, you will need it in step 2.

Now the second part, which will be performed on the side of the new organization.

STEP 2: JOINING THE NEW ORGANIZATION

To do this, you log in to the account where the organization is configured to which you will pin your account. Of course, log in to the user who has permission to manage the organization.

Again, we go to AWS Organizations and this time click on And account and then select Invite Account.

Please enter your email address or Account ID and click Invite.

The further part again takes place on the side of the account migrated.

STEP 3: ACCEPTANCE AND CONFIGURATION

The email address of ROOT, the link account will be sent to the email address of the invitation to the new organization. Verify that the information of the inviting organisation agrees.

If everything is OK, just click on Accept.

Now you just need to check if the account has appeared in the new organization.

The further configuration depends heavily on the environment. Perhaps some issues of the location of the account in the relevant OU or imposition of appropriate policies.

Of course, you should remember about the issues of logging into your account. In my case, this is the AWS SSO service. Therefore, it was still necessary to set up a new account and add the ability to login in sso.

Perhaps there will be other things in your account, so it's worth checking especially what you use. In my case, Cloud9 also required minor resuscitation (rights issues).

P. I wonder if you use Cloud9? If so, what to do?

Cheers! Cheers!