Troubleshooting AWS Organizations
If you encounter issues when working with AWS Organizations, consult the topics in this section.
Troubleshooting general issues
Use the information here to help you diagnose and fix access-denied or other common issues that you might encounter when working with AWS Organizations.
Topics
- I get an "access denied" message when I make a request to AWS Organizations
- I get an "access denied" message when I make a request with temporary security credentials
- I get an "access denied" message when I try to leave an organization as a member account or remove a member account as the management account
- I get a "quota exceeded" message when I try to add an account to my organization
- I get a "this operation requires a wait period" message while adding or removing accounts
- I get an "organization is still initializing" message when I try to add an account to my organization
- I get an "Invitations are disabled" message when I try to invite an account to my organization.
- Changes that I make aren't always immediately visible
I get an "access denied" message when I make a request to AWS Organizations
- Verify that you have permissions to call the action and resource that you have requested. An administrator must grant permissions by attaching an IAM policy to your user, group, or role. If the policy statements that grant those permissions include any conditions, such as time-of-day or IP address restrictions, you also must meet those requirements when you send the request. For information about viewing or modifying policies for a user, group, or role, see Working with Policies in the IAM User Guide.
- If you are signing API requests manually (without using the AWS SDKs), verify that you have correctly signed the request.
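The following sketch is an added example, not AWS code. It shows how an Allow statement with IP address and time-of-day conditions stops applying when the request context misses a condition, and reports which condition failed. The policy values and the helper names (unmet_conditions, explain) are constructed for illustration; the evaluator handles only exact action matches and single-valued conditions, and ignores explicit Deny statements and other policy types.

```python
import ipaddress
from datetime import datetime

# Constructed identity policy: allows inviting accounts only from one CIDR
# range and only before a cut-off time (both values are made up).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "organizations:InviteAccountToOrganization",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"},
        },
    }],
}

def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Only the operator kinds the text mentions: IP address and date/time.
OPERATORS = {
    "IpAddress": lambda got, want: ipaddress.ip_address(got) in ipaddress.ip_network(want),
    "DateLessThan": lambda got, want: _parse_time(got) < _parse_time(want),
    "DateGreaterThan": lambda got, want: _parse_time(got) > _parse_time(want),
}

def unmet_conditions(statement, context):
    """Return 'Operator:key' for every condition the request context fails."""
    failed = []
    for op, pairs in statement.get("Condition", {}).items():
        for key, want in pairs.items():
            got = context.get(key)
            if got is None or not OPERATORS[op](got, want):
                failed.append(f"{op}:{key}")
    return failed

def explain(policy, action, context):
    """Return ('Allow', []) or ('ImplicitDeny', [conditions that failed])."""
    failed = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != action:
            continue
        missing = unmet_conditions(st, context)
        if not missing:
            return "Allow", []
        failed.extend(missing)
    return "ImplicitDeny", failed
```

An empty list with ImplicitDeny means no statement granted the action at all; a non-empty list names the conditions the request did not meet.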
I get an "access denied" message when I make a request with temporary security credentials
- Verify that the user or role that you are using to make the request has the correct permissions. Permissions for temporary security credentials are derived from a user or role, so the permissions are limited to those granted to the user or role. For more information about how permissions for temporary security credentials are determined, see Controlling Permissions for Temporary Security Credentials in the IAM User Guide.
- Verify that your requests are being signed correctly and that the request is well formed. For details, see the toolkit documentation for your chosen SDK or Using Temporary Security Credentials to Request Access to AWS Resources in the IAM User Guide.
- Verify that your temporary security credentials haven't expired. For more information, see Requesting Temporary Security Credentials in the IAM User Guide.
I get an "access denied" message when I try to leave an organization as a member account or remove a member account as the management account
- You can remove a member account only after you enable IAM user access to billing in the member account. For more information, see Activating Access to the Billing and Cost Management Console in the AWS Billing User Guide.
- You can remove an account from your organization only if the account has the information required for it to operate as a standalone account. When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, that information isn't automatically collected. For an account that you want to make standalone, you must accept the AWS Customer Agreement, choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account isn't attached to an organization. For more information, see Leave an organization from a member account with AWS Organizations.
I get a "quota exceeded" message when I try to add an account to my organization
There is a maximum number of accounts that you can have in an organization. Deleted or closed accounts continue to count against this quota.
An invitation to join counts against the maximum number of accounts in your organization. The count is returned if the invited account declines, the management account cancels the invitation, or the invitation expires.
- Before you close or delete an AWS account, remove it from your organization so that it doesn't continue to count against your quota.
- See Maximum and minimum values for information about how to request a quota increase.
I get a "this operation requires a wait period" message while adding or removing accounts
Some actions require a wait period. For example, you can't immediately remove newly created accounts. Try the action again in a few days. If you experience issues with account quotas while adding and removing accounts, see Maximum and minimum values for information about how to request a quota increase.
I get an "organization is still initializing" message when I try to add an account to my organization
If you receive this error and it's been over an hour since you created the organization, contact AWS Support.
I get an "Invitations are disabled" message when I try to invite an account to my organization.
This happens when you enable all features in your organization. This operation can take some time and requires that all member accounts respond. Until the operation is completed, you can't invite new accounts to join the organization.
Changes that I make aren't always immediately visible
As a service that is accessed through computers in data centers around the world, AWS Organizations uses a distributed computing model called eventual consistency.
Design your global applications to account for these potential delays and ensure that they work as expected, even when a change made in one location isn't instantly visible at another.
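One way to account for these delays in automation, as an added example that is not AWS code: after making a change, poll the read path with exponential backoff and a deadline instead of assuming the change is visible at once. The names wait_until_visible, StaleReader and FakeClock, and the placeholder identifiers, are constructed for illustration; the stale reader stands in for any read that lags behind a write.

```python
import time

class NotYetVisible(Exception):
    """The change was still not readable when the deadline passed."""

def wait_until_visible(read, expected, timeout=60.0, first_delay=0.5,
                       max_delay=8.0, sleep=time.sleep, clock=time.monotonic):
    """Poll read() with exponential backoff until it returns expected.

    Returns the number of reads needed. sleep and clock are injectable so
    the function can be exercised without real waiting.
    """
    deadline = clock() + timeout
    delay, attempts = first_delay, 0
    while True:
        attempts += 1
        if read() == expected:
            return attempts
        if clock() + delay > deadline:  # the next wait would overrun
            raise NotYetVisible(f"still stale after {attempts} reads")
        sleep(delay)
        delay = min(delay * 2, max_delay)

class StaleReader:
    """Constructed stand-in for a read that lags behind a write."""
    def __init__(self, old, new, stale_reads):
        self.old, self.new, self.stale_reads = old, new, stale_reads
    def __call__(self):
        if self.stale_reads > 0:
            self.stale_reads -= 1
            return self.old
        return self.new

class FakeClock:
    """Virtual time so the demo finishes instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def demo():
    clock = FakeClock()
    reader = StaleReader("ou-old-placeholder", "ou-new-placeholder", 3)
    attempts = wait_until_visible(reader, "ou-new-placeholder",
                                  sleep=clock.sleep, clock=clock)
    return attempts, clock.now
```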
For more information about how some other AWS services are affected by this, consult the following resources:
- Managing Data Consistency in the Amazon Redshift Database Developer Guide
- Amazon S3 Data Consistency Model in the Amazon Simple Storage Service User Guide
- Ensuring Consistency When Using Amazon S3 and Amazon Elastic MapReduce for ETL Workflows in the AWS Big Data Blog
- EC2 Eventual Consistency in the Amazon EC2 API Reference