Multiple Root accounts in single AWS organization: IAM admin can't see all EC2 instances in specified region

This question may seem noobish, but I am pulling my hair out with our AWS organization. We have 3 separate root accounts connected in a single organization with IAM accounts and policies. We can only see instances from the default root account in the EC2 list (yes I am looking in the correct region). We have shared full account access across all of the others accounts and accepted the invitations. Our billing works perfectly, and funnels from our main root account (and I can see billing of the other separate accounts fine). Even our highest level of admin (literally a grant permission to everything) cannot see instances launched from one of the separate root accounts.

Our goal is our admin group should see EC2 instances from all 3 root accounts in the organization without switching accounts or credentials.

I know this has to be possible, but I have spent at least 2 hours and have not gotten far. Any suggestions on how to achieve this?

vizon asked Dec 14 '22 13:12

2 Answers

@jarmod's answer provides a good overview of the terminology. I don't think it addresses your visibility problem.

Your assumption appears to be that the master account of the organization should be able to directly see all resources of all accounts within the organization in its AWS console or via the API. That's not correct.

The resources in the accounts are generally still separated (although some things can be shared, but that's another matter), but you can change into these accounts by assuming a role in the accounts and then you're able to see the resources - this is what @jarmod is describing. After you have changed into the accounts, you'll be able to see all resources within that respective account.

To learn more about organizations and their capabilities, here are some helpful links:

  • Documentation on Managing Access Permissions for Your AWS Organization
  • Services that can be used in conjunction with organizations

Resources within an AWS Account logically belong to that account and not to its organization.

Maurice answered Jan 28 '23 15:01


There are some terminology issues here. There are no root accounts or main root accounts in AWS Organizations. There is one management AWS account and there are zero or more member AWS accounts.

The term root refers to an AWS Organizations construct within the management account that is the parent container for all of the member accounts in your organization. See AWS Organizations Terminology and Concepts for more.

There are two ways to 'join' a member account to an organization:

  1. an admin in the management account creates a new member account
  2. an admin in the management account invites an existing account to become a member

If you use option #1, administrative control over the member account is automatically provided for you through an auto-created IAM role called OrganizationAccountAccessRole that you can use to grant users in the management account administrator access to the created member account.

If you use option #2, you do not automatically have full administrator control over the member account. If you want the management account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the management account to assume the role. To configure this, after the invited account becomes a member, follow the steps in Creating the OrganizationAccountAccessRole in an Invited Member Account.

jarmod answered Jan 28 '23 15:01
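The workflow both answers describe (assume `OrganizationAccountAccessRole` in each member account from the management account, then list that account's EC2 instances in one region) as an added example; this is not code from either answer. The role name is the one the answers cite; the account IDs, region, session name and the `boto3` client wiring are assumptions, and an account where AssumeRole fails (for example an invited account where the role was never created) is reported rather than aborting the run.

```python
from typing import Callable, Dict, List

# Role name is the one the answers cite; account IDs, region and session name are assumptions.
ROLE_NAME = "OrganizationAccountAccessRole"

def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    """ARN of the cross-account role inside a member account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def assume_member_role(sts, account_id: str, session_name: str = "org-ec2-inventory") -> dict:
    """STS AssumeRole: the caller needs sts:AssumeRole on this ARN and the role's
    trust policy must allow the management account (see jarmod's answer)."""
    resp = sts.assume_role(RoleArn=role_arn(account_id), RoleSessionName=session_name)
    return resp["Credentials"]

def list_instances(ec2) -> List[Dict[str, str]]:
    """Flatten DescribeInstances pages (reservations -> instances) into id/state records."""
    found = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                found.append({"InstanceId": inst["InstanceId"], "State": inst["State"]["Name"]})
    return found

def inventory(account_ids, region: str, sts, ec2_factory: Callable[[dict, str], object]) -> Dict[str, list]:
    """Per member account: AssumeRole, build an EC2 client from the temporary
    credentials, list instances in `region`. An account whose role cannot be
    assumed (e.g. an invited account without the role) is recorded, not fatal."""
    result: Dict[str, list] = {}
    for account_id in account_ids:
        try:
            creds = assume_member_role(sts, account_id)
        except Exception as exc:
            result[account_id] = [{"Error": str(exc)}]
            continue
        result[account_id] = list_instances(ec2_factory(creds, region))
    return result

def boto3_ec2_factory(creds: dict, region: str):
    """Build an EC2 client from AssumeRole credentials (boto3 imported lazily)."""
    import boto3
    return boto3.client("ec2", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

if __name__ == "__main__":  # usage: python org_ec2.py eu-west-1 111111111111 222222222222
    import sys, boto3
    print(inventory(sys.argv[2:], sys.argv[1], boto3.client("sts"), boto3_ec2_factory))
```

Run it with the management account's credentials in the environment; an `AccessDenied` entry for an account is the symptom of the missing or mis-trusted role that jarmod's second option describes.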