AWS Organizations in AWS GovCloud (US)

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

How AWS Organizations differs for AWS GovCloud (US)

  • You must use AWS Organizations with all features enabled. The consolidated billing feature set is not available in this Region.

  • You must meet the U.S. regulatory requirements as described in Signing Up for AWS GovCloud (US).

  • Creating accounts from within AWS Organizations operates differently in the AWS GovCloud (US) Regions compared to commercial AWS Regions:

    • You start creating AWS GovCloud (US) accounts by calling the CreateGovCloudAccount action from the management account of the organization in the commercial Region. Calling account creation APIs from the AWS GovCloud (US) Regions is not supported.

    • When you call the CreateGovCloudAccount API action, you create two accounts: a standalone account in the AWS GovCloud (US) Regions, and an associated account in the commercial Region for billing and support purposes. The account in the commercial Region is automatically a member of the organization whose credentials made the request. Both accounts are associated with the same email address.

    • After creating the standalone account in the AWS GovCloud (US) Regions, you can invite it to an organization in the AWS GovCloud (US) Regions only.

    • Accounts created in other AWS Regions cannot be members of an organization in the AWS GovCloud (US) Regions.

  • Organizations that you create in the AWS GovCloud (US) Regions are independent from organizations created in commercial AWS Regions.

  • The CreateGovCloudAccount API action is not available from the AWS GovCloud (US) Regions.

  • To sign in to the AWS Organizations console in the AWS GovCloud (US) Regions, you must be signed in from an AWS GovCloud (US) account.

  • To learn what AWS services are currently available for trusted access with AWS Organizations, check the list in the AWS Organizations console from the AWS GovCloud (US) Regions.

  • The following Organizations API operations work only when you specify the AWS GovCloud (US-West) Region:

  • Organization policies – You can use only the following policy types in an AWS GovCloud (US) organization:

Creating Your Account

When you create accounts in the AWS GovCloud (US) Regions from AWS Organizations, an associated account in the commercial Region is automatically created for billing and support purposes. The account in the commercial Region and the account in the AWS GovCloud (US) Regions are linked. The account in the commercial Region is automatically a member of the organization whose credentials made the request, but the account in the AWS GovCloud (US) Regions is a standalone account until you invite it to an organization in that same Region.

Before creating accounts in the AWS GovCloud (US) Regions from AWS Organizations, make sure that you meet specific U.S. regulatory requirements as described in Signing Up for AWS GovCloud.

To create an account in the AWS GovCloud (US) Regions from AWS Organizations
  1. From the management account of your organization in the commercial Region, sign in to the Organizations console at https://console.aws.amazon.com/organizations

  2. From the AWS Command Line Interface (AWS CLI), call the CreateGovCloudAccount API action.

Accounts and roles are created as follows
  • An account is created in the commercial Region and it is automatically a member of the organization whose credentials made the request.

  • A role is created in the new account in the commercial Region that the management account in this same Region can assume.

  • The account in the AWS GovCloud (US) Regions is created and it links to the associated account that was created at the same time in the commercial Region.

  • The account in the AWS GovCloud (US) Regions is a standalone account and is not yet a member of an organization.

  • A role is created in the new AWS GovCloud (US) account. This role can be assumed by the AWS GovCloud (US) account that is linked to the management account in the commercial Region.

Inviting Accounts to an Organization

After creating a standalone account in the AWS GovCloud (US) Regions, you can invite it to organizations in the AWS GovCloud (US) Regions. You cannot invite accounts in the AWS GovCloud (US) Regions to organizations in other AWS Regions.

The following diagram explains how account access works so that you can invite standalone accounts in the AWS GovCloud (US) Regions to an organization in the same Region.

Diagram showing AWS Standard and GovCloud(US) regions with account pairing and IAM role access.
To invite an account in the AWS GovCloud (US) Regions to an Organization
  1. From the AWS GovCloud (US) account that’s associated with the management account of your organization in the commercial Region, assume the role of the AWS GovCloud (US) account you just created in the AWS GovCloud (US) Regions.

    In the above example, start from AWS GovCloud (US) Account 1 and assume the role that was created in AWS GovCloud (US) Account 2.

  2. Follow the procedure described in Sending Invitations to AWS Accounts in the AWS Organizations User Guide to invite the account in the AWS GovCloud (US) Regions to the organization.

To access the new account in the AWS GovCloud (US) Regions
  1. Sign in to the GovCloud account that is mapped to your commercial organization's management account.

  2. Assume the role into the newly created AWS GovCloud (US) management account.

The role is automatically created when you create the account. By default, the role is named OrganizationAccountAccessRole but you can change it using the RoleName parameter when you call the CreateGovCloudAccount operation.
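The two procedures above (creating the paired accounts from the commercial management account, then assuming the access role from the linked GovCloud account) as an added example, not AWS's own code. It also adds a trust-policy check a practitioner would want before relying on that role: the only principal the page expects on it is the GovCloud account linked to the management account. `us-east-1` as the commercial Region, the 12-digit account ids and the trust-policy shape are assumptions.

```python
import json

GOV_PARTITION = "aws-us-gov"     # ARN partition of the AWS GovCloud (US) Regions
GOV_REGION = "us-gov-west-1"     # GovCloud Organizations APIs work only in US-West (page)
COMMERCIAL_REGION = "us-east-1"  # assumption: Region used by the commercial management account
DEFAULT_ROLE = "OrganizationAccountAccessRole"  # default RoleName (page)

def access_role_arn(gov_account_id, role_name=DEFAULT_ROLE):
    """ARN of the role created in the new GovCloud account; note the aws-us-gov partition."""
    return f"arn:{GOV_PARTITION}:iam::{gov_account_id}:role/{role_name}"

def unexpected_principals(trust_policy, linked_gov_account_id):
    """Principals allowed to assume the role other than the GovCloud account
    linked to the commercial management account (the only one the page expects)."""
    allowed = {linked_gov_account_id,
               f"arn:{GOV_PARTITION}:iam::{linked_gov_account_id}:root"}
    found = []
    for stmt in json.loads(trust_policy)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        found += [p for p in ([aws] if isinstance(aws, str) else aws) if p not in allowed]
    return found

def create_gov_cloud_account(email, account_name, role_name=DEFAULT_ROLE):
    """Step 1: call CreateGovCloudAccount in the commercial Region and poll the
    request until both paired accounts exist. Needs boto3 and live credentials."""
    import boto3, time
    org = boto3.client("organizations", region_name=COMMERCIAL_REGION)
    status = org.create_gov_cloud_account(
        Email=email, AccountName=account_name, RoleName=role_name)["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":
        time.sleep(10)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(status.get("FailureReason"))
    return status["AccountId"], status["GovCloudAccountId"]  # commercial id, GovCloud id

def gov_session(new_gov_account_id, role_name=DEFAULT_ROLE):
    """Step 2: with credentials of the GovCloud account linked to the management
    account, assume the access role in the new GovCloud account so it can be
    brought into the GovCloud organization. Needs boto3 and live credentials."""
    import boto3
    creds = boto3.client("sts", region_name=GOV_REGION).assume_role(
        RoleArn=access_role_arn(new_gov_account_id, role_name),
        RoleSessionName="org-onboarding")["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"], region_name=GOV_REGION)
```

Run `unexpected_principals` against the role's trust policy (for example the output of `aws iam get-role` in the new GovCloud account); a non-empty result means someone other than the linked GovCloud account can assume the role.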

Documentation for AWS Organizations

AWS Organizations documentation.

Export-controlled content

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

  • This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.