This article serves to provide the reader with an understanding of how AWS Organizations is leveraged in a DLT Management Account, DLT's Role with the Management account, what permissions are given to the end user, and finally how to get comprehensive billing data for your AWS Organization.
Account Ownership and DLT's Role
In accordance with AWS's partner guidelines, DLT owns the AWS Management account that you use to leverage AWS Organizations. It is DLT's responsibility to maintain the security and governance of the Management account. The access we provide to the Management account is through a specially designed IAM policy that allows the customer to leverage AWS Organizations in its entirety while still allowing DLT to maintain compliance with AWS's partner guidelines.
Management Account Permissions - OrgAdmin
The Organizations Administrator policy (OrgAdmin) is a baseline policy designed to give the end user the ability to manage AWS Organizations and all related services (Control Tower, SSO, SCPs, etc.). It is DLT's mission to provide our customers with the tools needed to be successful, which is why we refer to this policy as a "baseline". Although DLT routinely provides updates to the permission set, we recognize that, with the many services AWS onboards annually, we may not always have an up-to-date policy, and we will be more than willing to work with customers when new services need to be added to the policy.
The billing console is not available in DLT-owned Management accounts. Member accounts, however, still have access to their billing consoles. Because of this, DLT offers CloudCheckr to all customers free of charge. CloudCheckr is used by our Project Accounting team to invoice our customers and will therefore show all of your credits and discounts applied when viewing the data, as opposed to the AWS Billing console, which does not account for credits and discounts.
If you need to have a user created for CloudCheckr, you can simply put in a request by emailing firstname.lastname@example.org and providing the full name and email address of the user.
- What if I cannot perform necessary functions with the OrgAdmin access provided?
Answer: Our OrgAdmin IAM role aims to strike a balance between functionality and security. We understand that this may not be one-size-fits-all and would love to talk about what you are trying to achieve. Please reach out to us by sending an email to email@example.com describing the issue you are experiencing.
- Why can't I create additional IAM users in the Management Account?
Answer: In DLT Management accounts, DLT is responsible for the overall account governance. By default, we provide customers with an Organizations Administrator policy which has access to all of the services you need to manage your organization. The access to the Management account we do provide is for the express purpose of managing your organization. AWS's guidelines for partners prohibit that level of access to the end user. If additional OrgAdmins are needed, or if you require a user with a more restricted set of permissions, we would be happy to get those created for you.
Simply email firstname.lastname@example.org with the following information and we will get the user created for you:
  - Name (first and last)
  - Mobile Number (used for passing off the temporary password)
- I can log into the account but I don't have permissions to anything. Why?
Answer: You likely need to establish MFA (multi-factor authentication) on your IAM user. DLT has an explicit deny against any call made by a user who is NOT signed in with an MFA token. Instructions for setting up MFA on this user can be found here (see the section "Enable a virtual MFA device for your AWS account root user"). Once you have MFA established on the user, log out and back in. If you are still experiencing issues, please open a support case.
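For readers who want to see what an "explicit deny without MFA" looks like in practice, the following IAM policy statement is an added illustration modeled on the pattern AWS documents for this purpose. It is not DLT's actual OrgAdmin policy, and the statement IDs, the exempted actions and the account placeholder are assumptions made for the example. The deny matches any request where the `aws:MultiFactorAuthPresent` condition key is absent or false, while leaving open just enough IAM actions for a freshly created user to enroll their own virtual MFA device against their own user ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSelfServiceMFAEnrollment",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:user/${aws:username}",
        "arn:aws:iam::111111111111:mfa/${aws:username}"
      ]
    },
    {
      "Sid": "DenyEverythingElseWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Two points matter when reading or reproducing a policy like this. First, the condition uses `BoolIfExists` rather than `Bool`: requests signed with long-term access keys carry no `aws:MultiFactorAuthPresent` key at all, so a plain `Bool ... "false"` would not match them and the deny would silently not apply to CLI and SDK calls made with static keys. Second, the `NotAction` list in the deny has to include the same enrollment actions granted in the first statement; an explicit deny always wins, so if it covers `iam:EnableMFADevice` the new user is locked out of the very step that would unlock them, which is exactly the "I can log in but have no permissions" symptom described above.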
- I noticed the IAM roles in the DLT-owned Payer account have changed. Why?
Answer: DLT regularly reviews IAM policies and processes to securely perform billing and administrative functions.
- How do I get AWS Root account access?
Answer: AWS Root account credentials may be provided for member/linked accounts. We recommend you follow AWS Root Account User Best Practices.
- What if I have additional AWS account program questions?
Answer: Should you have additional questions, feel free to contact your DLT Account Representative or email us at email@example.com.