AWS Organization Management

The AWS Organizations page allows you to connect and manage AWS Organizations within TagOps, enabling centralized tagging operations across all member accounts in your organization using CloudFormation StackSets.

Multiple AWS Organizations Supported

TagOps supports connecting multiple AWS Organizations. You can add more than one AWS Organization, each with its own management account and member accounts. TagOps will keep organizational data, configurations, and member account onboarding status separate for each AWS Organization. This allows you to centrally manage resource tagging and policies across several AWS Organizations from a single TagOps account.

Adding an AWS Organization

Prerequisites

Before adding an organization:

  • AWS Organization with management account access
  • 12-digit AWS Management Account ID
  • Permissions to create CloudFormation stacks and StackSets
  • Permissions to create IAM roles
  • Permissions to manage AWS Organizations (if using Organizational Units)
  • CloudFormation StackSets must be enabled in your organization

Free Trial Limitation

Free Trial accounts can only add 1 AWS account total (including organization member accounts). Upgrade to add more accounts.

Step-by-Step Process

1. Open Add Organization Dialog

  1. Navigate to AWS Accounts page
  2. Click Add AWS Organization button
  3. Organization creation dialog appears

2. Fill Organization Information

Organization Name (Required)

  • Friendly name for the organization
  • Examples: "Production Organization", "Enterprise AWS Org", "Company Organization"
  • 1-50 characters
  • Letters, numbers, spaces, hyphens, underscores allowed

Management Account ID (Required)

  • Your AWS Organization's 12-digit management account number
  • Numbers only
  • Find in AWS Console → Organizations → Settings
  • Example: 123456789012

IAM Role Name (Required)

  • Default: tagops-exec-role
  • 1-64 characters
  • Letters, numbers, and _+=,.@- allowed
  • No spaces
  • Note: The actual role created will have -org suffix (e.g., tagops-exec-role-org)

External ID (Required)

  • Auto-generated random string
  • Click Generate to create new ID
  • Copy to use in CloudFormation
  • Example: Xy9Pq4Mn2Lk7

Allowed Regions (Required)

  • Select AWS regions where TagOps should operate
  • At least one region must be selected
  • Use multi-select to choose multiple regions
  • Common selections: us-east-1, us-west-2, eu-west-1

Organizational Unit IDs (Optional)

  • Comma-separated list of Organizational Unit IDs (OU IDs)
  • Format: ou-xxxx-xxxxxxxx or r-xxxx for root OU
  • Example: ou-xxxx-xxxxxxxx, ou-xxxx-yyyyyyyy
  • Leave empty to deploy to entire organization (root OU)
  • Find OU IDs in AWS Console → Organizations → Organizational units

Include Management Account (Optional)

  • Default: false
  • When true: Includes the management account in TagOps deployment
  • When false: Management account is excluded (recommended for security)
  • Note: If enabled, a separate CloudFormation stack is created for the management account

3. Create CloudFormation Stack

TagOps provides two options:

Option A: Automated (Recommended)

  1. Click Provision CloudFormation Stack
  2. New tab opens to AWS CloudFormation console
  3. Parameters are pre-filled:

    • Stack name: cf-tagops-organization-onboarding
    • RoleName: tagops-exec-role
    • ExternalId: [your generated ID]
    • OrganizationalUnitIds: [your OU IDs or empty]
    • IncludeManagementAccount: true or false
    • AWSAdditionalRegions: [comma-separated regions]
  4. Review the configuration
  5. Check "I acknowledge that AWS CloudFormation might create IAM resources"
  6. Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names"
  7. Click Create Stack
  8. Wait for stack status: CREATE_COMPLETE (5-10 minutes for StackSets)

StackSet Deployment Time

CloudFormation StackSets may take 5-10 minutes to deploy across all member accounts. The stack creates a StackSet that automatically deploys to all accounts in the specified Organizational Units.

Option B: Manual

  1. Click Copy CF Link
  2. Open link in AWS CloudFormation console
  3. Follow same steps as Option A

4. Verify Organization

After CloudFormation stack completes:

  1. Return to TagOps dialog
  2. Click Verify Organization
  3. TagOps performs verification:

    • ✅ IAM role exists in management account
    • ✅ Trust policy configured correctly
    • ✅ Required permissions granted
    • ✅ AssumeRole works
  4. Success or failure notification displays:

    • Success: "Organization verified successfully!"
    • Failure: Error message with details

Verification Process

Verification checks the management account role configuration. Member account roles are verified when individual accounts are onboarded.
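An added example (not TagOps code or its CloudFormation template) of the kind of trust-policy check the Verify Organization step performs on the management-account role: the role must be assumable only by the expected principal and only with the generated External ID. The sample policy is constructed; the trusted account 111111111111 and the check_live_role helper are assumptions.

```python
# Constructed sample trust policy, shaped like the one CloudFormation attaches to
# tagops-exec-role-org. Account 111111111111 is a placeholder for the TagOps
# service account; the External ID is the page's example value.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "Xy9Pq4Mn2Lk7"}},
    }],
}


def trust_policy_findings(policy, expected_principal, expected_external_id):
    """Return a list of problems; an empty list means the trust policy passes."""
    findings, assume_stmts = [], 0
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not set(actions) & {"sts:AssumeRole", "sts:*"}:
            continue  # only Allow statements for AssumeRole matter here
        assume_stmts += 1
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws  # normalise to a list of ARNs
        if "*" in aws:
            findings.append("sts:AssumeRole is allowed from any AWS principal")
        elif aws != [expected_principal]:
            findings.append("unexpected trusted principal(s): " + ", ".join(aws))
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId does not match the generated External ID")
    if assume_stmts == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def check_live_role(role_name, expected_principal, expected_external_id):
    """Same check against a real role; run with management-account credentials (assumed helper)."""
    import boto3  # imported here so the offline checker needs no AWS SDK
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return trust_policy_findings(role["AssumeRolePolicyDocument"],
                                 expected_principal, expected_external_id)
```

Run trust_policy_findings(SAMPLE_TRUST_POLICY, "arn:aws:iam::111111111111:root", "Xy9Pq4Mn2Lk7") to see the passing case; the AssumeRole step itself can only be exercised from the trusted principal's side, which is what TagOps does during verification.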

5. Complete Organization Addition

  1. After successful verification, click Add Organization
  2. TagOps registers the organization
  3. Organization appears in the organizations table
  4. Success notification displays: Organization Added Successfully! "Production Organization" has been added successfully.
  5. Organization members are automatically loaded and displayed

Automatic Member Discovery

After adding an organization, TagOps automatically fetches and displays all member accounts from the organization.

Viewing Organization Members

Show/Hide Members

  1. Click the expand/collapse arrow icon in the first column of the organization row
  2. Member accounts table expands or collapses below the organization row
  3. When expanded, the table displays:

    • Account ID: 12-digit AWS account ID
    • Account Name: Friendly name (if onboarded)
    • Status: Onboarded, Not onboarded, or Processing
    • Regions: Enabled regions for the account
    • Actions: Verify, Add Account, or Remove buttons

Member Account States

Not Onboarded

  • Account exists in organization but not yet connected to TagOps
  • Shows Verify and Add Account buttons
  • Must verify before adding

Onboarded

  • Account successfully connected to TagOps
  • Shows account name and status
  • Shows Remove button to disconnect
  • Click account name to view account details

Processing

  • Account is being added or removed
  • Shows "Processing..." or "Updating..." status
  • Actions are disabled during processing

Adding Member Accounts

Prerequisites

  • Organization must be added and verified
  • Member account must exist in the AWS Organization
  • CloudFormation stack must be deployed to the member account (via StackSet)

Add Process

  1. Click the expand arrow icon in the organization row to show members
  2. Find the member account in the table
  3. Click Verify button

    • TagOps verifies the account configuration
    • Checks IAM role exists
    • Validates permissions
  4. After verification, click Add Account
  5. Enter Account Name (required)

    • Friendly name for the account
    • Examples: "Production Account", "Dev Environment"
    • 1-50 characters
  6. Click Add Account in the dialog
  7. Account is registered in TagOps
  8. Success notification displays

Account Limits

Adding member accounts counts toward your subscription account limit. Free Trial users can only have 1 total account (including organization members).

CloudTrail and Permissions Warnings

Member accounts may show warning icons for:

  • CloudTrail: Not enabled (affects event-based tagging)
  • Permissions: Missing role permissions (affects tagging capabilities)
  • Region: us-east-1 disabled (affects monitoring features)

Editing an Organization

What Can Be Modified

Editable:

  • Organization Name
  • IAM Role Name
  • Allowed Regions
  • Organizational Unit IDs
  • Include Management Account

Non-Editable:

  • Management Account ID (permanent)
  • External ID (security requirement)

Edit Process

  1. Click Edit button for the organization
  2. Edit Organization dialog opens
  3. Modify editable fields
  4. If changing IAM Role Name or other parameters:

    • Click Update CloudFormation Stack
    • Update the stack in AWS Console
    • Update parameters as needed
  5. Click Verify Organization to confirm changes
  6. Click Update Organization

StackSet Updates

If you change parameters, you must update the CloudFormation stack in your AWS account. StackSet updates will propagate to all member accounts.

Updating Member Accounts

After updating an organization:

  1. TagOps automatically updates all onboarded member accounts
  2. Each account update is processed individually
  3. Progress notifications show which account is being updated:

    • "Updating account: 123456789012"
    • "Account "Production Account" updated successfully"
  4. Updates apply the new organization configuration to each member account

Automatic Member Updates

When you update an organization, TagOps automatically updates all onboarded member accounts with the new configuration. This ensures consistency across your organization.

Removing an Organization

Deletion Process

  1. Click Remove button for the organization
  2. Confirmation dialog appears
  3. Review what will be deleted
  4. Confirm deletion
  5. Organization and all member accounts removed from TagOps

Onboarded Members Restriction

You cannot delete an organization if any member accounts are onboarded. Remove all member accounts first, then delete the organization.

CloudFormation Cleanup

After deleting an organization, clean up AWS resources:

  1. CloudFormation Cleanup Dialog appears
  2. Click Delete CloudFormation Stack
  3. Opens AWS Console to stack
  4. Delete the stack to remove:

    • CloudFormation StackSet
    • IAM roles
    • SSM parameters

Alternatively:

  • Click Copy CF Link to save cleanup link
  • Click Later to dismiss dialog

StackSet Cleanup

Deleting the CloudFormation stack will also delete the StackSet and all stack instances in member accounts. Ensure you want to remove TagOps from all member accounts before deleting.

Removing Member Accounts

Remove Process

  1. Click the expand arrow icon in the organization row to show members
  2. Find the onboarded member account
  3. Click Remove button
  4. Confirmation dialog appears
  5. Review what will be deleted:

    • Account connection from TagOps
    • Scan configurations
    • Inventory data
    • Tagging history
    • Scheduled scans
  6. Confirm deletion
  7. Account removed from TagOps
  8. Account remains in AWS Organization but is disconnected from TagOps

Account Status After Removal

After removing a member account, it will appear as "Not onboarded" in the members table. You can add it again later if needed.