Initial steps

Creating the transit account

Make sure to replace ${ACCOUNT_EMAIL} with a valid e-mail address that you have access to.

AWS_PROFILE=myorg-master aws organizations create-account --email ${ACCOUNT_EMAIL} --account-name "Transit"

The response should look like this:

{
    "CreateAccountStatus": {
        "Id": "car-ldsfjdflsjldfsjlsdffjlfds",
        "AccountName": "Transit",
        "State": "IN_PROGRESS",
        "RequestedTimestamp": 1562429570.66
    }
}

Moving the account to the Core organizational unit

Get the root id of your organization:

AWS_PROFILE=myorg-master aws organizations list-roots --query 'Roots[].Id' --output text

Get the id of the organizational unit “Core”:

AWS_PROFILE=myorg-master aws organizations list-organizational-units-for-parent --parent-id ${ROOT_ID} --query 'OrganizationalUnits[?Name==`Core`].Id' --output text

Get the id of the new AWS account:

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Transit`].Id' --output text

Move the new account to the organizational unit “Core”:

AWS_PROFILE=myorg-master aws organizations move-account --account-id ${ACCOUNT_ID} --source-parent-id ${ROOT_ID} --destination-parent-id ${OU_CORE_ID}

Setting up account access for the CLI

The role OrganizationAccountAccessRole is created automatically in the new account. It trusts the master account, so the users there who are allowed to assume it (in this setup, the members of the Administrators group) get access to the new account.

Extend the file ~/.aws/config with the following profile:

[profile myorg-transit]
role_arn = arn:aws:iam::${TRANSIT_AWS_ACCOUNT_ID}:role/OrganizationAccountAccessRole
mfa_serial = ${MFA_SERIAL}
source_profile = myorg-master

Replace ${TRANSIT_AWS_ACCOUNT_ID} with the account id of the Transit account and ${MFA_SERIAL} with the MFA serial of your user.

Get the account id as follows:

AWS_PROFILE=myorg-master aws organizations list-accounts --query 'Accounts[?Name==`Transit`].Id' --output text
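As an added check that is not part of the original guide, the following Python snippet parses the text of a ~/.aws/config file and verifies the transit profile: all three keys are present, no ${...} placeholders were left unreplaced, both ARNs are well-formed, and the MFA device does not sit in the same account as the role (your user and its MFA device live in the master account, the role in the Transit account). The sample config and its 12-digit account ids are constructed for this example.

```python
import configparser
import re

# Expected shapes of the values in [profile myorg-transit]; AWS account ids are 12 digits.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/OrganizationAccountAccessRole$")
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):mfa/[\w+=,.@-]+$")
REQUIRED_KEYS = ("role_arn", "mfa_serial", "source_profile")

def check_transit_profile(config_text, profile="myorg-transit"):
    """Return a list of problems found in [profile <profile>]; an empty list means it looks right."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cfg.read_string(config_text)
    section = f"profile {profile}"
    if not cfg.has_section(section):
        return [f"section [{section}] not found"]
    sec = cfg[section]
    problems = []
    for key in REQUIRED_KEYS:
        value = sec.get(key, "").strip()
        if not value:
            problems.append(f"{key} is missing")
        elif "${" in value:
            problems.append(f"{key} still contains an unreplaced placeholder: {value}")
    if problems:  # no point in pattern-matching placeholders or empty values
        return problems
    role = ROLE_ARN_RE.match(sec["role_arn"])
    mfa = MFA_SERIAL_RE.match(sec["mfa_serial"])
    if not role:
        problems.append("role_arn is not arn:aws:iam::<12-digit id>:role/OrganizationAccountAccessRole")
    if not mfa:
        problems.append("mfa_serial is not an MFA device ARN of the form arn:aws:iam::<12-digit id>:mfa/<name>")
    if role and mfa and role.group(1) == mfa.group(1):
        # The MFA device belongs to your user in the master account; the role lives in the Transit account.
        problems.append("mfa_serial and role_arn name the same account; check the account ids")
    return problems

# Constructed sample config (made-up account ids); source_profile may be defined in ~/.aws/credentials.
SAMPLE_CONFIG = """\
[profile myorg-transit]
role_arn = arn:aws:iam::123456789012:role/OrganizationAccountAccessRole
mfa_serial = arn:aws:iam::111111111111:mfa/alice
source_profile = myorg-master
"""

# The same file with the placeholders from the instructions above left in place.
UNREPLACED_CONFIG = (SAMPLE_CONFIG
                     .replace("123456789012", "${TRANSIT_AWS_ACCOUNT_ID}")
                     .replace("arn:aws:iam::111111111111:mfa/alice", "${MFA_SERIAL}"))

if __name__ == "__main__":
    print(check_transit_profile(SAMPLE_CONFIG) or "OK", check_transit_profile(UNREPLACED_CONFIG))
```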

Testing CLI access

Type in the following command to check if CLI access is working:

AWS_PROFILE=myorg-transit aws sts get-caller-identity

The response should look as follows:

{
    "UserId": "AROAS6SDLJKFLJDJFDKLFDL:botocore-session-1562431482",
    "Account": "20123434555",
    "Arn": "arn:aws:sts::20123434555:assumed-role/OrganizationAccountAccessRole/botocore-session-1562431482"
}

Enable RAM on the AWS Organization

Enable trusted access for AWS RAM in the AWS Organization:

AWS_PROFILE=myorg-master aws organizations enable-aws-service-access --service-principal ram.amazonaws.com

Enable sharing within your AWS Organization:

AWS_PROFILE=myorg-master aws ram enable-sharing-with-aws-organization --region eu-central-1