

# Getting started with AWS Organizations
<a name="orgs_getting-started"></a>

The following topics provide information to help you start using AWS Organizations. You can also use the following tutorials to begin performing tasks using AWS Organizations.

[Tutorial: Creating and configuring an organization](orgs_tutorials_basic.md)  
Get up and running with step-by-step instructions to create your organization, invite your first member accounts, create an OU hierarchy that contains your accounts, and apply some service control policies (SCPs).

[Tutorial: Monitor important changes to your organization with Amazon EventBridge](orgs_tutorials_cwe.md)  
Monitor key changes in your organization by configuring Amazon EventBridge to trigger an alarm in the form of an email, SMS text message, or log entry when actions that you designate occur in your organization. For example, many organizations want to know when a new account is created or when an account attempts to leave the organization.

**Topics**
+ [Signing up for AWS](#getting-started-signing-up)
+ [Accessing AWS Organizations](#how-to-access)
+ [Tutorial: Creating and configuring an organization](orgs_tutorials_basic.md)
+ [Tutorial: Monitor important changes to your organization with Amazon EventBridge](orgs_tutorials_cwe.md)
+ [Working with AWS SDKs](sdk-general-information-section.md)

## Signing up for AWS
<a name="getting-started-signing-up"></a>

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)

### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Accessing AWS Organizations
<a name="how-to-access"></a>

You can work with AWS Organizations in any of the following ways:

**AWS Management Console**  
The [AWS Organizations console](https://console.aws.amazon.com/organizations/) is a browser-based interface that you can use to manage your organization and your AWS resources. You can perform any task in your organization by using the console.

**AWS Command Line Tools**  
With the AWS command line tools, you can issue commands at your system's command line to perform AWS Organizations and AWS tasks. Working with the command line can be faster and more convenient than using the console. The command line tools also are useful if you want to build scripts that perform AWS tasks.  
AWS provides two sets of command line tools:  
+  [AWS Command Line Interface](https://aws.amazon.com/cli/)

  The AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.

  For information about installing and using the AWS CLI, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/).
+  [AWS Tools for Windows PowerShell](https://aws.amazon.com/powershell/)

  The Tools for Windows PowerShell let developers and administrators manage their AWS services and resources in the PowerShell scripting environment. You can manage your AWS resources with the same PowerShell tools you use to manage your Windows, Linux, and macOS environments.

  For information about installing and using the Tools for Windows PowerShell, see the [AWS Tools for PowerShell User Guide](https://docs.aws.amazon.com/powershell/latest/userguide/).

**AWS SDKs**  
The AWS SDKs consist of libraries and sample code for various programming languages and platforms (for example, Java, Python, Ruby, .NET, iOS, and Android). The SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the AWS SDKs, including how to download and install them, see [Tools for Amazon Web Services](https://aws.amazon.com/tools/#sdk).

**AWS Organizations HTTPS Query API**  
The AWS Organizations HTTPS Query API gives you programmatic access to AWS Organizations and AWS. The HTTPS Query API lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign each request with your credentials (AWS Signature Version 4), a step that the SDKs and command line tools otherwise perform for you. For more information, see [Calling the API by Making HTTP Query Requests](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_query-requests.html) and the [AWS Organizations API Reference](https://docs.aws.amazon.com/organizations/latest/APIReference/).
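
The signing step described above is AWS Signature Version 4. The following Python is an added example, not code from this page or from AWS's SDKs: it builds a signed `ListRoots` call to the Organizations JSON API using only the standard library. The access key and secret key are placeholder values, and the timestamp is fixed only so that the output is reproducible; the endpoint, `X-Amz-Target` header format, and content type follow the Organizations API reference.

```python
"""Sign an AWS Organizations Query API request with Signature Version 4.

Added example (not from the AWS documentation page). Produces the headers,
including Authorization, for an Organizations JSON-RPC call such as ListRoots.
The credentials used below are placeholders, not real keys.
"""
import hashlib
import hmac
from datetime import datetime, timezone

SERVICE = "organizations"
REGION = "us-east-1"  # Organizations is a global service served from us-east-1
HOST = f"{SERVICE}.{REGION}.amazonaws.com"

# Fixed timestamp so the example is reproducible; use datetime.now(timezone.utc) for real calls.
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret_key: str, date_stamp: str) -> bytes:
    """Derive the per-day, per-Region, per-service key from the secret access key."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_request(access_key: str, secret_key: str, operation: str, body: str,
                 when: datetime) -> dict:
    """Return the HTTP headers for a signed Organizations call.

    operation: API action name, e.g. "ListRoots". body: its JSON input ("{}" when
    the action takes no parameters). when: UTC time used for x-amz-date.
    """
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body.encode("utf-8"))

    # Headers covered by the signature; names are lowercased and sorted.
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-target": f"AWSOrganizationsV20161128.{operation}",
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))

    # Task 1: canonical request. The Query API is a POST to "/" with no query string.
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    # Task 2: string to sign, bound to the credential scope (date/Region/service).
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])

    # Tasks 3 and 4: derive the signing key and compute the signature.
    signature = hmac.new(signing_key(secret_key, date_stamp),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {**headers, "authorization": authorization}


if __name__ == "__main__":
    # Placeholder credentials (assumption: illustrative values only).
    for name, value in sign_request("AKIAIOSFODNN7EXAMPLE",
                                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                    "ListRoots", "{}", SAMPLE_TIME).items():
        print(f"{name}: {value}")
```

The signature binds the date, Region, service, signed headers and the SHA-256 of the body, so a request whose body or timestamp is altered in transit fails verification; the service also rejects requests whose `x-amz-date` is more than a few minutes from its own clock, which is why real clients sign with the current time rather than a fixed one.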

# Tutorial: Creating and configuring an organization
<a name="orgs_tutorials_basic"></a>

In this tutorial, you create your organization and configure it with two AWS member accounts. You create one of the member accounts in your organization, and you invite the other account to join your organization. Next, you use the [allow list](orgs_manage_policies_scps_evaluation.md#how_scps_allow) technique to specify that account administrators can delegate only explicitly listed services and actions. This allows administrators to validate any new service that AWS introduces before they permit its use by anyone else in your company. That way, if AWS introduces a new service, it remains prohibited until an administrator adds the service to the allow list in the appropriate policy. The tutorial also shows you how to use a [deny list](orgs_manage_policies_scps_evaluation.md#how_scps_deny) to ensure that no users in a member account can change the configuration for the auditing logs that AWS CloudTrail creates.

The following illustration shows the main steps of the tutorial.

![\[Four-step process for creating an organization, units, policies, and testing restrictions.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/tutorialorgs.png)

**[Step 1: Create your organization](#tutorial-orgs-step1)**  
In this step, you create an organization with your current AWS account as the management account. You also invite one AWS account to join your organization, and you create a second account as a member account.

**[Step 2: Create the organizational units](#tutorial-orgs-step2)**  
Next, you create two organizational units (OUs) in your new organization and place the member accounts in those OUs.

**[Step 3: Create the service control policies](#tutorial-orgs-step3)**  
You can apply restrictions to what actions can be delegated to users and roles in the member accounts by using [service control policies (SCPs)](orgs_manage_policies_scps.md). In this step, you create two SCPs and attach them to the OUs in your organization.

**[Step 4: Testing your organization's policies](#tutorial-orgs-step4)**  
You can sign in as users from each of the test accounts and see the effects that the SCPs have on the accounts.

None of the steps in this tutorial incurs costs to your AWS bill. AWS Organizations is a free service.

## Prerequisites
<a name="tut-basic-prereqs"></a>

This tutorial assumes that you have access to two existing AWS accounts (you create a third as part of this tutorial) and that you can sign in to each as an administrator.

The tutorial refers to the accounts as the following:
+ `111111111111` – The account that you use to create the organization. This account becomes the management account. The owner of this account has an email address of `OrgAccount111@example.com`.
+ `222222222222` – An account that you invite to join the organization as a member account. The owner of this account has an email address of `member222@example.com`.
+ `333333333333` – An account that you create as a member of the organization. The owner of this account has an email address of `member333@example.com`.

Substitute the values above with the values that are associated with your test accounts. We recommend that you don't use production accounts for this tutorial.

## Step 1: Create your organization
<a name="tutorial-orgs-step1"></a>

In this step, you sign in to account 111111111111 as an administrator, create an organization with that account as the management account, and invite an existing account, 222222222222, to join as a member account.

------
#### [ AWS Management Console ]

1. Sign in to AWS as an administrator of account 111111111111 and open the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2).

1. On the introduction page, choose **Create an organization**.

1. In the confirmation dialog box, choose **Create an organization**.
**Note**  
By default, the organization is created with all features enabled. You can also create the organization with only [consolidated billing features](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/useconsolidatedbilling-procedure.html) enabled.

   AWS creates the organization and shows you the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page. If you're on a different page then choose **AWS accounts** in the navigation pane on the left.

   If the account you use has never had its email address verified by AWS, a verification email is automatically sent to the address that is associated with your management account. There might be a delay before you receive the verification email.

1. Verify your email address within 24 hours. For more information, see [Email address verification with AWS Organizations](about-email-verification.md).

------

You now have an organization with your account as its only member. This is the management account of the organization.

### Invite an existing account to join your organization
<a name="tut-basic-invite-existing"></a>

Now that you have an organization, you can begin to populate it with accounts. In the steps in this section, you invite an existing account to join as a member of your organization.

------
#### [ AWS Management Console ]

**To invite an existing account to join**

1. Navigate to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, and choose **Add an AWS account**.

1. On the **[Add an AWS account](https://console.aws.amazon.com/organizations/v2/home/accounts/add/create)** page, choose **Invite an existing AWS account**.

1. In the **Email address or account ID of an AWS account to invite** box, enter the email address of the owner of the account that you want to invite, similar to the following: **member222@example.com**. Alternatively, if you know the AWS account ID number, you can enter it instead.

1. Type any text that you want into the **Message to include in the invitation email message** box. This text is included in the email that is sent to the owner of the account.

1. Choose **Send invitation**. AWS Organizations sends the invitation to the account owner.
**Important**  
Expand the error message if indicated. If the error indicates that you exceeded your account limits for the organization or that you can't add an account because your organization is still initializing, wait until one hour after you created the organization and try again. If the error persists, contact [AWS Support](https://console.aws.amazon.com/support/home#/).

1. For the purposes of this tutorial, you now need to accept your own invitation. Do one of the following to get to the **Invitations** page in the console:
   + Open the email that AWS sent from the management account and choose the link to accept the invitation. When prompted to sign in, do so as an administrator in the invited member account. 
   + Open the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) and navigate to the **[Invitations](https://console.aws.amazon.com/organizations/v2/home/accounts/invitations)** page.

1. On the **[Invitations](https://console.aws.amazon.com/organizations/v2/home/accounts/invitations)** page, choose **Accept** and then choose **Confirm**.
**Tip**  
The invitation receipt could be delayed and you might need to wait before you can accept the invitation.

1. Sign out of your member account and sign in again as an administrator in your management account. 

------

### Create a member account
<a name="tut-basic-create-new"></a>

In the steps in this section, you create an AWS account that is automatically a member of the organization. We refer to this account in the tutorial as 333333333333.

------
#### [ AWS Management Console ]

**To create a member account**

1. On the AWS Organizations console, on the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, choose **Add AWS account**.

1. On the **[Add an AWS account](https://console.aws.amazon.com/organizations/v2/home/accounts/add/create)** page, choose **Create an AWS account**. 

1. For **AWS account name**, enter a name for the account, such as **MainApp Account**.

1. For **Email address of the account's root user**, enter the email address of the individual who is to receive communications on behalf of the account. This value must be globally unique. No two accounts can have the same email address. For example, you might use something like **mainapp@example.com**.

1. For **IAM role name**, you can leave this blank to automatically use the default role name of `OrganizationAccountAccessRole`, or you can supply your own name. AWS Organizations creates this role in the new member account with full administrative permissions and a trust policy that lets principals in the management account assume it; it is how you access the new member account when signed in as an IAM user in the management account. Anyone who can assume the role has administrator access in the new account, so restrict `sts:AssumeRole` on it as tightly as you would administrator credentials. For this tutorial, leave it blank to instruct AWS Organizations to create the role with the default name.

1. Choose **Create AWS account**. You might need to wait a short while and refresh the page to see the new account appear on the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page.
**Important**  
If you get an error that indicates that you exceeded your account limits for the organization or that you can't add an account because your organization is still initializing, wait until one hour after you created the organization and try again. If the error persists, contact [AWS Support](https://console.aws.amazon.com/support/home#/).

------

## Step 2: Create the organizational units
<a name="tutorial-orgs-step2"></a>

In the steps in this section, you create organizational units (OUs) and place your member accounts in them. When you're done, your hierarchy looks like the following illustration. The management account remains in the root. One member account is moved to the Production OU, and the other member account is moved to the MainApp OU, which is a child of Production. 

![\[Tutorial organization structure showing Production and Security OUs with MainApp sub-OU\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/orgs-lab-structure.jpg)


------
#### [ AWS Management Console ]

**To create and populate the OUs**
**Note**  
In the steps that follow, you interact with objects for which you can choose either the name of the object itself, or the check box or radio button next to the object.  
If you choose the name of the object, you open a new page that displays the object's details.
If you choose the check box or radio button next to the object, you are identifying that object to be acted upon by another action, such as choosing a menu option.
The steps that follow have you choose the check box or radio button so that you can then act on the associated object by making menu choices.

1. On the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) navigate to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page.

1. Choose the check box ![\[Blue checkmark icon indicating confirmation or completion of a task.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/checkbox-selected.png) next to the **Root** container.

1. Choose the **Actions** dropdown, and then under **Organizational unit**, choose **Create new**.

1. On the **Create organizational unit in Root** page, for the **Organizational unit name**, enter **Production** and then choose **Create organizational unit**.

1. Choose the check box ![\[Blue checkmark icon indicating confirmation or completion of a task.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/checkbox-selected.png) next to your new **Production** OU.

1. Choose **Actions**, and then under **Organizational unit**, choose **Create new**.

1. On the **Create organizational unit in Production** page, for the name of the second OU, enter **MainApp** and then choose **Create organizational unit**.

   Now you can move your member accounts into these OUs.

1. Return to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, and then expand the tree under your **Production** OU by choosing the triangle ![\[Gray cloud icon with an arrow pointing downward, indicating download or cloud storage.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/expand-icon.png) next to it. This displays the **MainApp** OU as a child of **Production**.

1. Next to **333333333333**, choose the check box ![\[Blue checkmark icon indicating confirmation or completion of a task.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/checkbox-selected.png) (not its name), choose **Actions**, and then under **AWS account**, choose **Move**.

1. On the **Move AWS account '333333333333'** page, choose the triangle next to **Production** to expand it. Next to **MainApp**, choose the radio button ![\[Blue circular icon with a white checkmark symbol in the center.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/radio-button-selected.png) (not its name), and then choose **Move AWS account**.

1. Next to **222222222222**, choose the check box ![\[Blue checkmark icon indicating confirmation or completion of a task.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/checkbox-selected.png) (not its name), choose **Actions**, and then under **AWS account**, choose **Move**.

1. On the **Move AWS account '222222222222'** page, next to **Production**, choose the radio button (not its name), and then choose **Move AWS account**.

------

## Step 3: Create the service control policies
<a name="tutorial-orgs-step3"></a>

In the steps in this section, you create three [service control policies (SCPs)](orgs_manage_policies_scps.md) and attach them to the root and to the OUs to restrict what users in the organization's accounts can do. The first SCP prevents anyone in any of the member accounts from creating, changing, deleting, or stopping the AWS CloudTrail trails that you configure. SCPs never apply to the management account, so after you attach the CloudTrail SCP you must create and manage trails from the management account, and protecting that account (root user MFA, an administrative user with least-privilege access) becomes part of protecting your audit logs.

### Enable the service control policy type for the organization
<a name="tutorial-orgs-step3-enable-scp"></a>

Before you can attach a policy of any type to a root or to any OU within a root, you must enable the policy type for the organization. Policy types aren't enabled by default. The steps in this section show you how to enable the service control policy (SCP) type for your organization.

------
#### [ AWS Management Console ]

**To enable SCPs for your organization**

1. Navigate to the **[Policies](https://console.aws.amazon.com/organizations/v2/home/policies)** page, and then choose **Service control policies**.

1. On the **[Service control policies](https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy)** page, choose **Enable service control policies**.

   A green banner appears to inform you that you can now create SCPs in your organization.

------

### Create your SCPs
<a name="tutorial-orgs-step3-create-pols"></a>

Now that service control policies are enabled in your organization, you can create the three policies that you need for this tutorial.

------
#### [ AWS Management Console ]

**To create the first SCP that blocks CloudTrail configuration actions**

1. Navigate to the **[Policies](https://console.aws.amazon.com/organizations/v2/home/policies)** page, and then choose **Service control policies**.

1. On the **[Service control policies](https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy)** page, choose **Create policy**.

1. For **Policy name**, enter **Block CloudTrail Configuration Actions**.

1. In the **Policy** section, in the list of services on the right, select CloudTrail for the service. Then choose the following actions: **AddTags**, **CreateTrail**, **DeleteTrail**, **RemoveTags**, **StartLogging**, **StopLogging**, and **UpdateTrail**.

1. Still in the right pane, choose **Add resource** and specify **CloudTrail** and **All Resources**. Then choose **Add resource**.

   The policy statement on the left should look similar to the following.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1234567890123",
               "Effect": "Deny",
               "Action": [
                   "cloudtrail:AddTags",
                   "cloudtrail:CreateTrail",
                   "cloudtrail:DeleteTrail",
                   "cloudtrail:RemoveTags",
                   "cloudtrail:StartLogging",
                   "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail"
               ],
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

------

1. Choose **Create policy**.

------

The second policy defines an [allow list](orgs_manage_policies_scps_evaluation.md#how_scps_allow) of all the services and actions that you want to enable for users and roles in the Production OU. When you're done, users in the Production OU can access ***only*** the listed services and actions.

------
#### [ AWS Management Console ]

**To create the second policy that allows approved services for the production OU**

1. From the **[Service control policies](https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy)** page, choose **Create policy**.

1. For **Policy name**, enter **Allow List for All Approved Services**.

1. Position your cursor in the right pane of the **Policy** section and paste in a policy like the following.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1111111111111",
               "Effect": "Allow",
               "Action": [
                   "ec2:*",
                   "elasticloadbalancing:*",
                   "codecommit:*",
                   "cloudtrail:*",
                   "codedeploy:*"
               ],
               "Resource": [ "*" ]
           }
       ]
   }
   ```

------

1. Choose **Create policy**.

------

The final policy provides a [deny list](orgs_manage_policies_scps_evaluation.md#how_scps_deny) of services that are blocked from use in the MainApp OU. For this tutorial, you block access to Amazon DynamoDB in any accounts that are in the **MainApp** OU.

------
#### [ AWS Management Console ]

**To create the third policy that denies access to services that can't be used in the MainApp OU**

1. From the **[Service control policies](https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy)** page, choose **Create policy**.

1. For **Policy name**, enter **Deny List for MainApp Prohibited Services**.

1. In the **Policy** section, in the list of services on the right, select **Amazon DynamoDB** for the service. For the action, choose **All actions**.

1. Still in the right pane, choose **Add resource** and specify **DynamoDB** and **All Resources**. Then choose **Add resource**.

   The policy statement on the left updates to look similar to the following.

------
#### [ JSON ]

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": [ "dynamodb:*" ],
         "Resource": [ "*" ]
       }
     ]
   }
   ```

------

1. Choose **Create policy** to save the SCP.

------

### Attach the SCPs to your OUs
<a name="tut-basic-attach-scp"></a>

Now that the SCPs exist and are enabled for your root, you can attach them to the root and OUs.

------
#### [ AWS Management Console ]

**To attach the policies to the root and the OUs**

1. Navigate to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page.

1. On the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, choose **Root** (its name, not the radio button) to navigate to its details page.

1. On the **Root** details page, choose the **Policies** tab, and then under **Service Control Policies**, choose **Attach**.

1. On the **Attach a service control policy** page, choose the radio button next to the SCP named `Block CloudTrail Configuration Actions`, and then choose **Attach**. In this tutorial, you attach it to the root so that it affects all member accounts to prevent anyone from altering the way that you configured CloudTrail. 

   The **Root** details page, **Policies** tab now shows that two SCPs are attached to the root: the one you just attached and the default `FullAWSAccess` SCP. 

1. Navigate back to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, and choose the **Production** OU (its name, not the radio button) to navigate to its details page.

1. On the **Production** OU's details page, choose the **Policies** tab. 

1. Under **Service Control Policies**, choose **Attach**.

1. On the **Attach a service control policy** page, choose the radio button next to `Allow List for All Approved Services`, and then choose **Attach**. This enables users or roles in member accounts in the **Production** OU to access the approved services.

1. Choose the **Policies** tab again to see that two SCPs are attached to the OU: the one that you just attached and the default `FullAWSAccess` SCP. However, because the `FullAWSAccess` SCP is also an allow list that allows all services and actions, you must now detach this SCP to ensure that only your approved services are allowed.

1. To remove the default policy from the **Production** OU, choose the radio button to **FullAWSAccess**, choose **Detach**, and then on the confirmation dialog box, choose **Detach policy**.

   After you remove this default policy, all member accounts under the **Production** OU immediately lose access to all actions and services that are not on the allow list SCP that you attached in the preceding steps. Any requests to use actions that aren't included in the **Allow List for All Approved Services** SCP are denied. This is true even if an administrator in an account grants access to another service by attaching an IAM permissions policy to a user in one of the member accounts. The reverse also holds: an SCP never grants permissions by itself, so a user in a member account still needs an IAM policy that allows an action before the allow list lets it through. Note that SCPs don't affect service-linked roles.

1. Now you can attach the SCP named `Deny List for MainApp Prohibited Services` to prevent anyone in the accounts in the MainApp OU from using any of the restricted services.

   To do this, navigate to the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, choose the triangle icon to expand the **Production** OU's branch, and then choose the **MainApp** OU (its name, not the radio button) to navigate to its contents.

1. On the **MainApp** details page, choose the **Policies** tab.

1. Under **Service Control Policies**, choose **Attach**, and then in the list of available policies, choose the radio button next to **Deny List for MainApp Prohibited Services**, and then choose **Attach policy**.

------

## Step 4: Testing your organization's policies
<a name="tutorial-orgs-step4"></a>

You now can [sign in](https://docs.aws.amazon.com//signin/latest/userguide/what-is-sign-in.html) as a user in any of the member accounts and try to perform various AWS actions:
+ If you sign in as a user in the management account, you can perform any operation that is allowed by your IAM permissions policies. The SCPs don't affect any user or role in the management account, no matter which root or OU the account is located in.
+ If you sign in as a user in account 222222222222, you can perform any actions that are allowed by the allow list. AWS Organizations denies any attempt to perform an action in any service that isn't in the allow list. Also, AWS Organizations denies any attempt to perform one of the CloudTrail configuration actions.
+ If you sign in as a user in account 333333333333, you can perform any actions that are allowed by the allow list and not blocked by the deny list. AWS Organizations denies any attempt to perform an action that isn't in the allow list policy and any action that is in the deny list policy. Also, AWS Organizations denies any attempt to perform one of the CloudTrail configuration actions.
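
The expectations above follow from how SCPs combine: a request from a member account is allowed only if, at every level from the root down to the account, some attached SCP allows the action and none denies it. The following Python is an added example (not code from the AWS documentation) that models the root, OUs, accounts and attached SCPs exactly as Step 3 leaves them and applies that rule, so you can check the three cases without signing in anywhere. It covers only what the tutorial's policies use (Allow and Deny statements with wildcard actions and `Resource: "*"`); `NotAction`, resource ARNs and conditions are not modelled. A flag lets you see what happens if the step that detaches `FullAWSAccess` from the Production OU is skipped.

```python
"""Evaluate what the tutorial's SCPs allow for each account.

Added example, not code from the AWS documentation page. Models the hierarchy
at the end of Step 3 and applies the SCP evaluation rule: an action is allowed
for a member account only if every level from the root down to the account has
an SCP that allows it and no SCP that denies it. SCPs never restrict the
management account. NotAction, resource ARNs and conditions are not modelled.
"""
import fnmatch

MANAGEMENT_ACCOUNT = "111111111111"

# The default SCP that AWS attaches to the root, every OU and every account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The three SCPs created in Step 3 (Sid fields omitted; they do not affect evaluation).
BLOCK_CLOUDTRAIL = {"Statement": [{"Effect": "Deny", "Action": [
    "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail",
    "cloudtrail:RemoveTags", "cloudtrail:StartLogging", "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail"], "Resource": "*"}]}
ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": [
    "ec2:*", "elasticloadbalancing:*", "codecommit:*", "cloudtrail:*",
    "codedeploy:*"], "Resource": "*"}]}
DENY_DYNAMODB = {"Statement": [{"Effect": "Deny", "Action": ["dynamodb:*"],
                                "Resource": "*"}]}


def tutorial_hierarchy(full_access_detached_from_production: bool = True) -> dict:
    """Containers and accounts as {name: {"parent": ..., "scps": [...]}}.

    Pass False to see the effect of skipping the step that detaches
    FullAWSAccess from the Production OU.
    """
    production = [ALLOW_LIST]
    if not full_access_detached_from_production:
        production.append(FULL_AWS_ACCESS)
    return {
        "Root": {"parent": None, "scps": [FULL_AWS_ACCESS, BLOCK_CLOUDTRAIL]},
        "Production": {"parent": "Root", "scps": production},
        "MainApp": {"parent": "Production", "scps": [FULL_AWS_ACCESS, DENY_DYNAMODB]},
        "222222222222": {"parent": "Production", "scps": [FULL_AWS_ACCESS]},
        "333333333333": {"parent": "MainApp", "scps": [FULL_AWS_ACCESS]},
        MANAGEMENT_ACCOUNT: {"parent": "Root", "scps": [FULL_AWS_ACCESS]},
    }


def _action_matches(patterns, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _level_allows(scps: list, action: str) -> bool:
    """One level of the hierarchy: an explicit Deny in any attached SCP wins;
    otherwise at least one Allow statement must match the action."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_allows(hierarchy: dict, account: str, action: str) -> bool:
    """True if the SCPs on the path from the account up to the root permit the action.

    This is only the SCP half of the decision: the principal still needs an IAM
    policy that grants the action, and an IAM Deny still applies.
    """
    if account == MANAGEMENT_ACCOUNT:
        return True
    node = account
    while node is not None:
        if not _level_allows(hierarchy[node]["scps"], action):
            return False
        node = hierarchy[node]["parent"]
    return True


if __name__ == "__main__":
    h = tutorial_hierarchy()
    for acct, action in [("222222222222", "ec2:RunInstances"),
                         ("222222222222", "s3:GetObject"),
                         ("222222222222", "cloudtrail:StopLogging"),
                         ("333333333333", "dynamodb:PutItem"),
                         ("333333333333", "codedeploy:CreateDeployment"),
                         (MANAGEMENT_ACCOUNT, "cloudtrail:StopLogging")]:
        verdict = "allowed" if scp_allows(h, acct, action) else "DENIED"
        print(f"{acct} {action:30} {verdict}")
    # Leaving FullAWSAccess on Production silently turns the allow list back into allow-all.
    h2 = tutorial_hierarchy(full_access_detached_from_production=False)
    print("s3:GetObject with FullAWSAccess still on Production:",
          scp_allows(h2, "222222222222", "s3:GetObject"))
```

The `full_access_detached_from_production=False` case is the check worth keeping: an allow list only restricts anything once `FullAWSAccess` is gone from the same OU, and the same applies to any OU you later create under Production, which gets `FullAWSAccess` attached by default.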

# Tutorial: Monitor important changes to your organization with Amazon EventBridge
<a name="orgs_tutorials_cwe"></a>

This tutorial shows how to configure Amazon EventBridge, formerly Amazon CloudWatch Events, to monitor your organization for changes. You start by configuring a rule that is triggered when users invoke specific AWS Organizations operations. Next, you configure Amazon EventBridge to run an AWS Lambda function when the rule is triggered, and you configure Amazon SNS to send an email with details about the event. 

The following illustration shows the main steps of the tutorial.

**[Step 1: Configure a trail and event selector](#tutorial-cwe-step1)**  
Create a log, called a *trail*, in AWS CloudTrail. You configure it to capture all API calls.

**[Step 2: Configure a Lambda function](#tutorial-cwe-step2)**  
Create an AWS Lambda function that logs details about the event to an S3 bucket.

**[Step 3: Create an Amazon SNS topic that sends emails to subscribers](#tutorial-cwe-step3)**  
Create an Amazon SNS topic that sends emails to its subscribers, and then subscribe yourself to the topic.

**[Step 4: Create an Amazon EventBridge rule](#tutorial-cwe-step4)**  
Create a rule that tells Amazon EventBridge to pass details of specified API calls to the Lambda function and to SNS topic subscribers.

**[Step 5: Test your Amazon EventBridge rule](#tutorial-cwe-step5)**  
Test your new rule by running one of the monitored operations. In this tutorial, the monitored operation is creating an organizational unit (OU). You view the log entry that the Lambda function creates, and you view the email that Amazon SNS sends to subscribers.

**Tip**  
You can also use this tutorial as a guide in configuring similar operations, such as sending email notifications when account creation is complete. Because account creation is an asynchronous operation, you're not notified by default when it completes. For more information on using AWS CloudTrail and Amazon EventBridge with AWS Organizations, see [Logging and monitoring in AWS Organizations](orgs_security_incident-response.md).

## Prerequisites
<a name="tutorial-cwe-prereqs"></a>

This tutorial assumes the following:
+ You can sign in to the AWS Management Console as an IAM user from the management account in your organization. The IAM user must have permissions to create and configure a log in CloudTrail, a function in Lambda, a topic in Amazon SNS, and a rule in Amazon EventBridge. For more information about granting permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*, or the guide for the service for which you want to configure access.
+ You have access to an existing Amazon Simple Storage Service (Amazon S3) bucket (or you have permissions to create a bucket) to receive the CloudTrail log that you configure in step 1.

**Important**  
Currently, AWS Organizations is hosted in only the US East (N. Virginia) Region (even though it is available globally). To perform the steps in this tutorial, you must configure the AWS Management Console to use that region. 

## Step 1: Configure a trail and event selector
<a name="tutorial-cwe-step1"></a>

In this step, you sign in to the management account and configure a log (called a *trail*) in AWS CloudTrail. You also configure an event selector on the trail to capture all read/write API calls so that Amazon EventBridge has calls to trigger on.

**To create a trail**

1. Sign in to AWS as an administrator of the organization's management account and then open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. On the navigation bar in the upper-right corner of the console, choose the **US East (N. Virginia)** Region. If you choose a different region, AWS Organizations doesn't appear as an option in the Amazon EventBridge configuration settings, and CloudTrail doesn't capture information about AWS Organizations.

1. In the navigation pane, choose **Trails**.

1. Choose **Create trail**.

1. For **Trail name**, enter **My-Test-Trail**. 

1. Perform one of the following options to specify where CloudTrail is to deliver its logs:
   + If you need to create a bucket, choose **Create new S3 bucket** and then, for **Trail log bucket and folder**, enter a name for the new bucket.

     **Note**  
     S3 bucket names must be ***globally*** unique.
   + If you already have a bucket, choose **Use existing S3 bucket** and then choose the bucket name from the **S3 bucket** list.

1. Choose **Next**.

1. On the **Choose log events** page, in the **Management events** section, choose **Read** and **Write**.

1. Choose **Next**.

1. Review your selections and choose **Create trail**.

Amazon EventBridge enables you to choose from several different ways to send alerts when an alarm rule matches an incoming API call. This tutorial demonstrates two methods: invoking a Lambda function that can log the API call and sending information to an Amazon SNS topic that sends an email or text message to the topic's subscribers. In the next two steps, you create the components you need: the Lambda function, and the Amazon SNS topic.

## Step 2: Configure a Lambda function
<a name="tutorial-cwe-step2"></a>

In this step, you create a Lambda function that logs the API activity that is sent to it by the Amazon EventBridge rule that you configure later.

**To create a Lambda function that logs Amazon EventBridge events**

1. Open the AWS Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/).

1. If you are new to Lambda, choose **Get Started Now** on the welcome page; otherwise, choose **Create function**.

1. On the **Create function** page, choose **Use a blueprint**.

1. From the **Blueprints** search box, enter **hello** for the filter and choose the **hello-world** blueprint.

1. Choose **Configure**.

1. On the **Basic information** page, do the following:

   1. For the Lambda function name, enter **LogOrganizationEvents** in the **Name** text box. 

   1. For **Role**, choose **Create a new role with basic Lambda permissions**. This role grants your Lambda function permissions to access the data it requires and to write its output log.

1. Edit the Lambda function code, as shown in the following example.

   ```javascript
   console.log('Loading function');
   
   exports.handler = async (event, context) => {
       // Marker string that makes these entries easy to find in the CloudWatch log group
       console.log('LogOrganizationEvents');
       // The EventBridge event, including the CloudTrail record under event.detail
       console.log('Received event:', JSON.stringify(event, null, 2));
       return event;  // Echo the event back so the invocation result can be inspected
   };
   ```

   This sample code logs the event with a **LogOrganizationEvents** marker string followed by the JSON string that makes up the event.

1. Choose **Create function**. 

## Step 3: Create an Amazon SNS topic that sends emails to subscribers
<a name="tutorial-cwe-step3"></a>

In this step, you create an Amazon SNS topic that emails information to its subscribers. You make this topic a target of the Amazon EventBridge rule that you create later.

**To create an Amazon SNS topic to send an email to subscribers**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/](https://console.aws.amazon.com/sns/v3/). 

1. In the navigation pane, choose **Topics**.

1. Choose **Create new topic**.

   1. For **Topic name**, enter **OrganizationsCloudWatchTopic**.

   1. For **Display name**, enter **OrgsCWEvnt**.

   1. Choose **Create topic**.

1. Now you can create a subscription for the topic. Choose the ARN for the topic that you just created.

1. Choose **Create subscription**.

   1. On the **Create subscription** page, for **Protocol**, choose **Email**.

   1. For **Endpoint**, enter your email address.

   1. Choose **Create subscription**. AWS sends an email to the email address that you specified in the preceding step. Wait for that email to arrive, and then choose the **Confirm subscription** link in the email to verify that you successfully received the email.

   1. Return to the console and refresh the page. The **Pending confirmation** message disappears and is replaced by the now valid subscription ID.

## Step 4: Create an Amazon EventBridge rule
<a name="tutorial-cwe-step4"></a>

Now that the required Lambda function exists in your account, you create an Amazon EventBridge rule that invokes it when the criteria in the rule are met.

**To create an EventBridge rule**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 

1. Set the console to the **US East (N. Virginia)** Region; in any other Region, information about Organizations is not available. On the navigation bar in the upper-right corner of the console, choose the **US East (N. Virginia)** Region.

1. For instructions on creating rules, see [Rules in Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html) in the Amazon EventBridge user guide.

## Step 5: Test your Amazon EventBridge rule
<a name="tutorial-cwe-step5"></a>

In this step, you create an organizational unit (OU) and observe the Amazon EventBridge rule trigger, generate a log entry, and send an email to you with details about the event.

------
#### [ AWS Management Console ]

**To create an OU**

1. Open the AWS Organizations console to the [**AWS accounts** page](https://console.aws.amazon.com/organizations/v2/home/accounts). 

1. Choose the check box next to the **Root** OU, choose **Actions**, and then under **Organizational unit** choose **Create new**.

1. For the name of the OU, enter **TestCWEOU** and then choose **Create organizational unit**.

------

**To see the EventBridge log entry**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Logs**.

1. Under **Log Groups**, choose the group that is associated with your Lambda function: **/aws/lambda/LogOrganizationEvents**.

1. Each group contains one or more streams, and there should be one stream for today. Choose it.

1. View the log. You should see rows similar to the following.  
![\[Sample CloudWatch Events log showing Organizations API call details\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/tutorial-sample-CWE-log.png)

1. Select the middle row of the entry to see the full JSON text of the received event. You can see all the details of the API request in the `requestParameters` and `responseElements` pieces of the output.

   ```
   2017-03-09T22:45:05.101Z 0999eb20-051a-11e7-a426-cddb46425f16 Received event:
   {
       "version": "0",
       "id": "123456-EXAMPLE-GUID-123456",
       "detail-type": "AWS API Call via CloudTrail",
       "source": "aws.organizations",
       "account": "123456789012",
       "time": "2017-03-09T22:44:26Z",
       "region": "us-east-1",
       "resources": [],
       "detail": {
           "eventVersion": "1.04",
           "userIdentity": {
               ...
           },
           "eventTime": "2017-03-09T22:44:26Z",
           "eventSource": "organizations.amazonaws.com",
           "eventName": "CreateOrganizationalUnit",
           "awsRegion": "us-east-1",
           "sourceIPAddress": "192.168.0.1",
           "userAgent": "AWS Organizations Console, aws-internal/3",
           "requestParameters": {
               "parentId": "r-exampleRootId",
               "name": "TestCWEOU"
           },
           "responseElements": {
               "organizationalUnit": {
                   "name": "TestCWEOU",
                   "id": "ou-exampleRootId-exampleOUId",
                   "arn": "arn:aws:organizations::1234567789012:ou/o-exampleOrgId/ou-exampleRootId-exampeOUId",
                   "path": "o-exampleOrgId/r-exampleRootId/ou-exampleRootId-exampleOUId/"
               }
           },
           "requestID": "123456-EXAMPLE-GUID-123456",
           "eventID": "123456-EXAMPLE-GUID-123456",
           "eventType": "AwsApiCall"
       }
   }
   ```

1. Check your email account for a message from **OrgsCWEvnt** (the display name of your Amazon SNS topic). The body of the email contains the same JSON text output as the log entry that is shown in the preceding step.
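The Step 2 function only echoes the raw event. The following handler is an added example (my code, not the tutorial's or AWS's): it checks the event against the criteria a Step 4 rule would express and reduces the Step 5 record to an alert that names the caller, source IP, target, and outcome. The event pattern and the list of monitored `eventName` values are assumptions, because the tutorial does not show the rule, and the sample event is constructed from the Step 5 log entry.

```javascript
// Added example, not part of the AWS tutorial: a Lambda handler that applies the
// matching criteria an EventBridge rule for this tutorial would use (an assumed
// pattern, since Step 4 does not show one) and reduces the CloudTrail record in
// event.detail to the fields a responder wants. The eventName list is constructed.
const EVENT_PATTERN = {
  source: ['aws.organizations'],
  'detail-type': ['AWS API Call via CloudTrail'],
  detail: {
    eventSource: ['organizations.amazonaws.com'],
    eventName: ['CreateOrganizationalUnit', 'CreateAccount', 'LeaveOrganization',
                'RemoveAccountFromOrganization', 'DetachPolicy'],
  },
};

// True when every listed field of the event is one of the pattern's allowed values.
function matchesPattern(event) {
  const d = event.detail || {};
  return EVENT_PATTERN.source.includes(event.source)
    && EVENT_PATTERN['detail-type'].includes(event['detail-type'])
    && EVENT_PATTERN.detail.eventSource.includes(d.eventSource)
    && EVENT_PATTERN.detail.eventName.includes(d.eventName);
}

// Extract who did what, from where, and whether the call succeeded
// (CloudTrail adds errorCode to records for denied or failed calls).
function summarize(event) {
  const d = event.detail;
  const who = d.userIdentity || {};
  const ou = d.responseElements && d.responseElements.organizationalUnit;
  const req = d.requestParameters || {};
  return {
    eventName: d.eventName,
    eventTime: d.eventTime,
    account: event.account,
    principal: who.arn || who.principalId || 'unknown',
    sourceIp: d.sourceIPAddress,
    target: (ou && ou.id) || req.accountId || req.name || null,
    outcome: d.errorCode ? 'failed:' + d.errorCode : 'succeeded',
  };
}

async function handler(event) {
  if (!matchesPattern(event)) return null;   // wrong source, or rule misconfigured
  const alert = summarize(event);
  console.log('LogOrganizationEvents', JSON.stringify(alert));
  return alert;
}
if (typeof exports !== 'undefined') exports.handler = handler;

// Constructed sample, shaped like the Step 5 log entry (userIdentity filled in).
const SAMPLE_EVENT = {
  version: '0', 'detail-type': 'AWS API Call via CloudTrail', source: 'aws.organizations',
  account: '123456789012', region: 'us-east-1', resources: [],
  detail: {
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::123456789012:user/example-admin' },
    eventTime: '2017-03-09T22:44:26Z', eventSource: 'organizations.amazonaws.com',
    eventName: 'CreateOrganizationalUnit', awsRegion: 'us-east-1', sourceIPAddress: '192.168.0.1',
    requestParameters: { parentId: 'r-exampleRootId', name: 'TestCWEOU' },
    responseElements: { organizationalUnit: { name: 'TestCWEOU', id: 'ou-exampleRootId-exampleOUId' } },
    eventType: 'AwsApiCall',
  },
};
```

The `outcome` field is what distinguishes a completed change from an attempt that an SCP or IAM policy denied, which is the case an on-call responder usually wants surfaced first.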

## Clean up: Remove the resources you no longer need
<a name="clean-up-resources"></a>

To avoid incurring charges, you should delete any AWS resources that you created as part of this tutorial that you don't want to keep.

**To clean up your AWS environment**

1. Use the [CloudTrail console](https://console.aws.amazon.com/cloudtrail/) to delete the trail named **My-Test-Trail** that you created in step 1.

1. If you created an Amazon S3 bucket in step 1, use the [Amazon S3 console](https://console.aws.amazon.com/s3/) to delete it.

1. Use the [Lambda console](https://console.aws.amazon.com/lambda/) to delete the function named **LogOrganizationEvents** that you created in step 2.

1. Use the [Amazon SNS console](https://console.aws.amazon.com/sns/) to delete the Amazon SNS topic named **OrganizationsCloudWatchTopic** that you created in step 3.

1. Use the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/) to delete the EventBridge rule named **OrgsMonitorRule** that you created in step 4.

1. Finally, use the [Organizations console](https://console.aws.amazon.com/organizations/) to delete the OU named **TestCWEOU** that you created in step 5.

That's it. In this tutorial, you configured EventBridge to monitor your organization for changes. You configured a rule that is triggered when users invoke specific AWS Organizations operations. The rule ran a Lambda function that logged the event and sent an email that contains details about the event.

# Using AWS Organizations with an AWS SDK
<a name="sdk-general-information-section"></a>

AWS software development kits (SDKs) are available for many popular programming languages. Each SDK provides an API, code examples, and documentation that make it easier for developers to build applications in their preferred language.


| SDK documentation | Code examples | 
| --- | --- | 
| [AWS SDK for C\+\+](https://docs.aws.amazon.com/sdk-for-cpp) | [AWS SDK for C\+\+ code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp) | 
| [AWS CLI](https://docs.aws.amazon.com/cli) | [AWS CLI code examples](https://docs.aws.amazon.com/code-library/latest/ug/cli_2_code_examples.html) | 
| [AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go) | [AWS SDK for Go code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2) | 
| [AWS SDK for Java](https://docs.aws.amazon.com/sdk-for-java) | [AWS SDK for Java code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2) | 
| [AWS SDK for JavaScript](https://docs.aws.amazon.com/sdk-for-javascript) | [AWS SDK for JavaScript code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3) | 
| [AWS SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin) | [AWS SDK for Kotlin code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin) | 
| [AWS SDK for .NET](https://docs.aws.amazon.com/sdk-for-net) | [AWS SDK for .NET code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3) | 
| [AWS SDK for PHP](https://docs.aws.amazon.com/sdk-for-php) | [AWS SDK for PHP code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php) | 
| [AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell) | [AWS Tools for PowerShell code examples](https://docs.aws.amazon.com/code-library/latest/ug/powershell_5_code_examples.html) | 
| [AWS SDK for Python (Boto3)](https://docs.aws.amazon.com/pythonsdk) | [AWS SDK for Python (Boto3) code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python) | 
| [AWS SDK for Ruby](https://docs.aws.amazon.com/sdk-for-ruby) | [AWS SDK for Ruby code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby) | 
| [AWS SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust) | [AWS SDK for Rust code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1) | 
| [AWS SDK for SAP ABAP](https://docs.aws.amazon.com/sdk-for-sapabap) | [AWS SDK for SAP ABAP code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap) | 
| [AWS SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift) | [AWS SDK for Swift code examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift) | 

**Example availability**  
Can't find what you need? Request a code example by using the **Provide feedback** link at the bottom of this page.