David Park

Reputation: 325

AWS IAM Organization Issue - I can't see IAM users or any buckets

I know a lot of the stuff I already did is wrong. Here's what happened:

I created an AWS Account and created an Organization.

I added someone else (let's call him Joe) to the organization as a root user.

Joe created a bunch of IAM users and those users started creating S3 buckets.

I log back into my root account and I cannot see any S3 buckets.

I see nothing running under EC2

And I don't see any IAM users

Basically, it seems like we are in a completely different world.

I had Joe create an IAM user for me and I was able to login through that account. Through that account, I see everything properly. It is really important that I figure this out because Joe will eventually leave the project and I need to make sure that everything is under the correct AWS root account.

I made sure that the regions are the same. I tried going to my root account and enabling service control policies and attaching FullAWSAccess.

Upvotes: 0

Views: 1848

Answers (1)

Michael - sqlbot

Reputation: 179414

This is how Organizations works.

While you have consolidated billing and can enforce policies across the boundaries, Organizations is about consolidated, high-level management of accounts -- not a consolidated view that all subordinate resources percolate up into.

Accounts are still separate entities, and resources are still owned by and associated with the account that created them -- so unless you want the project to remain in a separate account, you don't want these things to be created in a separate account.

Possibly, the conceptual problem here is that you are considering an AWS account as belonging to a person -- Joe's account -- but that isn't how it's intended. The individual accounts under an organization are all intended to be your company's accounts -- a division's account, a project's account, etc. AWS accounts "own" users (defined in IAM) -- users don't "own" AWS accounts. The root credentials are the high-privileged credentials of an account, used only administratively for initial bootstrapping and as few other operations as are necessary -- and are not intended to be used by an individual person beyond that.

See Accessing a Member Account That Has a Master Account Access Role for the way Organizations allows you to switch your console view from account to account without logging out/logging in.

Upvotes: 5
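The cross-account access the answer points to, as an added example that is not part of the original post: from the management (master) account, assume the member account's OrganizationAccountAccessRole with boto3 and list the buckets and IAM users from inside that account, which is where those resources actually live. The member account id, the role name and the session name are assumptions; the role exists by default only in accounts the management account created itself.

```python
"""Cross-account access from the management account into a member account.

Added example, not code from the original post. Assumes:
  - boto3 is installed and the calling credentials belong to the
    management account (root, or better an IAM user/role in it);
  - the member account still has the default OrganizationAccountAccessRole
    that Organizations creates when the management account creates the
    member account (an invited account needs that role created by hand).
"""
import re

DEFAULT_ROLE = "OrganizationAccountAccessRole"  # AWS default name


def member_role_arn(account_id: str, role_name: str = DEFAULT_ROLE) -> str:
    """Build the ARN of the access role in a member account.

    The 12-digit account id is validated so a typo cannot silently turn
    into an assume-role attempt against an unrelated account.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def member_session(account_id: str, role_name: str = DEFAULT_ROLE,
                   session_name: str = "org-admin-review"):
    """Return a boto3 Session holding temporary credentials in the member account.

    The session name (an assumed value) shows up in the member account's
    CloudTrail, so use something that identifies who is switching in.
    """
    import boto3  # imported here so member_role_arn() works without boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=member_role_arn(account_id, role_name),
                           RoleSessionName=session_name, DurationSeconds=3600)
    c = resp["Credentials"]
    return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                         aws_secret_access_key=c["SecretAccessKey"],
                         aws_session_token=c["SessionToken"])


def list_member_resources(account_id: str) -> dict:
    """List S3 buckets and IAM users as seen from inside the member account."""
    s = member_session(account_id)
    buckets = [b["Name"] for b in s.client("s3").list_buckets()["Buckets"]]
    users = [u["UserName"] for u in s.client("iam").list_users()["Users"]]
    return {"buckets": buckets, "iam_users": users}


if __name__ == "__main__":
    import sys
    print(list_member_resources(sys.argv[1]))  # member account id as argument
```

list_users() returns a single page; for a member account with many users, use the IAM paginator instead.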
