Migrating AWS Organizations: How I Did It and Why
Migrating AWS Organizations is a rarely discussed topic that quickly becomes an administrative and technical challenge when you need to change the management account. AWS Organizations does not allow the management account to be changed once the organization has been created. As a result, the only way forward is to create a new organization and manually move every member account into it.
In my case, apart from migrating AWS accounts to a new management account within a new organization, I also changed the authentication method. I moved from IAM users to AWS Identity Center, formerly known as SSO. In this article, I share my experiences during this process, the challenges I faced, and insights that might be helpful to others.
Why Did I Have to Migrate?
My AWS Organization is my personal setup, which I use for learning and small projects. I created my first AWS account back in 2016 with the intention of learning serverless. As my needs grew, I added more accounts and eventually formed an AWS Organization. Due to a lack of experience at the time, I used my first account as the management account. This account already hosted various resources, primarily serverless projects. Over time, I learned that this setup violated best practices and needed improvement, but I couldn't make changes without a major migration. For a long while, I operated like this—after all, it was my personal organization, and I didn't need to pass any audits. 😉
Then, AWS Identity Center (previously called SSO) came along, and I wanted to enable it. However, I didn't want to do it in my old, disorganized setup, as I knew it would only make it harder to align with AWS best practices in the future. So, I kept postponing it.
Things changed in 2024, with the arrival of AWS Q Developer Pro, which I wanted to enable to assist me in coding. It requires AWS Identity Center, which finally pushed me to act. I wanted to deploy it, but not in the messy old organization. I knew that enabling Identity Center in my current structure would further complicate aligning with best practices.
The third reason, based on some hints and speculation, was that old AWS accounts seem to differ from those created recently. While I don't know the specifics, it's generally better to have a newer account as the management account for the organization. I recall that when AWS finally enabled multiple hardware MFA keys for IAM users, my old AWS account from 2016 only gained this capability a few weeks after the announcement, and AWS Support cited its age as the reason for the delay.
How Did the Migration Go?
In my case, the migration focused solely on transferring member accounts to the new organization, without moving resources between accounts. Here are the main steps:
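The account-by-account transfer described here, as an added example that is not part of the original article: each member leaves the old organization, is invited into the new one, accepts the invitation from inside the member account, and is then moved into its target OU. It uses the AWS CLI v2 `aws organizations` commands. The profile names, the OU id and the account ids are assumptions to replace; the profile used for the accept step must be able to act inside the member account itself (root or an IAM admin user, since the new organization's Identity Center access does not exist yet). Note that the first step only succeeds when the member can stand alone, which is exactly the payment-method and root-access preparation the Summary stresses.

```shell
#!/usr/bin/env bash
# Added example (not the article's own script): move one member account
# from the old AWS Organization into the new one with the AWS CLI v2.
# OLD_MGMT_PROFILE, NEW_MGMT_PROFILE and DEST_OU are assumed values.
set -eu

OLD_MGMT_PROFILE="${OLD_MGMT_PROFILE:-old-mgmt}"   # assumed profile: old management account
NEW_MGMT_PROFILE="${NEW_MGMT_PROFILE:-new-mgmt}"   # assumed profile: new management account
DEST_OU="${DEST_OU:-ou-placeholder-id}"            # placeholder OU id in the new organization

# Pure helper: an AWS account id is exactly 12 decimal digits.
is_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Preflight in the old organization: every member still attached, with its
# status. SUSPENDED accounts cannot be removed, so resolve those first.
preflight_old_org() {
  aws organizations list-accounts --profile "$OLD_MGMT_PROFILE" \
    --query 'Accounts[].[Id,Name,Status]' --output text
}

# Step 1 (old management account): detach the member. This fails unless the
# member can stand alone: payment method, contact details and phone
# verification set, and a root user that can sign in.
remove_from_old_org() {
  aws organizations remove-account-from-organization \
    --profile "$OLD_MGMT_PROFILE" --account-id "$1"
}

# Step 2 (new management account): send the invitation and print the handshake id.
invite_to_new_org() {
  aws organizations invite-account-to-organization \
    --profile "$NEW_MGMT_PROFILE" \
    --target "Id=$1,Type=ACCOUNT" \
    --notes "Migration to new organization" \
    --query 'Handshake.Id' --output text
}

# Step 3 (inside the member account): accept the open INVITE handshake.
accept_in_member() {
  member_profile="$1"
  handshake_id=$(aws organizations list-handshakes-for-account \
    --profile "$member_profile" --filter ActionType=INVITE \
    --query 'Handshakes[?State==`OPEN`].Id | [0]' --output text)
  aws organizations accept-handshake \
    --profile "$member_profile" --handshake-id "$handshake_id"
}

# Step 4 (new management account): move the account from the root into its
# OU so the OU's service control policies apply to it.
move_to_ou() {
  root_id=$(aws organizations list-roots --profile "$NEW_MGMT_PROFILE" \
    --query 'Roots[0].Id' --output text)
  aws organizations move-account --profile "$NEW_MGMT_PROFILE" \
    --account-id "$1" \
    --source-parent-id "$root_id" --destination-parent-id "$DEST_OU"
}

# Runs the four steps for one account; stops at the first failing step so a
# half-moved account is never silently skipped.
migrate_account() {
  account_id="$1"
  member_profile="$2"
  is_account_id "$account_id" || { echo "invalid account id: $account_id" >&2; return 1; }
  remove_from_old_org "$account_id"
  invite_to_new_org "$account_id"
  accept_in_member "$member_profile"
  move_to_ou "$account_id"
}

# Usage: ./migrate-account.sh 123456789012 member-profile
# (constructed account id shown; nothing runs when called without arguments)
if [ "$#" -eq 2 ]; then
  migrate_account "$1" "$2"
fi
```

Run `preflight_old_org` once before starting and keep its output: it is the checklist of accounts that still have to leave, and an account that reports SUSPENDED or fails at step 1 is one whose standalone prerequisites (payment method, contacts, root sign-in) still need to be completed.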
Challenges I Faced
AWS Identity Center - A Fresh Start
Implementing AWS Identity Center in the new organization represented a major shift in my approach to access and security management. You can find more details in my previous article, "Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions". Additionally, unlike in the old organization, where resources were deployed directly on the management account, I decided to strictly adhere to AWS best practices and keep the management account empty.
Interestingly, AWS recommends configuring Identity Center on the management account, so it isn't entirely empty, but this is the only exception to the rule of not placing resources on the management account.
Recommendations
If you need help with setting up your AWS Organization or Identity Center, I recommend the excellent instructional videos by Łukasz Dorosz, which helped me get up to speed. In fact, if my memory serves me right, Łukasz was advising me to switch to Identity Center back in 2023. Thank you, Łukasz!
Summary
Migrating AWS Organizations is a complex task that may require many manual steps, but it is achievable with the right approach. In my case, creating a new organization and manually migrating accounts was the best solution, allowing me to organize resources and implement better security practices. Ultimately, it enabled me to use AWS Q Developer Pro.
For those considering a similar migration, the most important advice is to plan the process carefully and prepare all the necessary elements, especially payment setups and root account access for all AWS accounts being migrated. While the process is time-consuming, the benefits of a well-structured setup and increased security far outweigh the effort.
If you're just starting out with AWS Organizations, remember to create a fresh, dedicated management account without any resources. This will save you from the need for migration in the future and ensure you're aligned with AWS best practices from the start.
I hope my story will be helpful to those facing a similar challenge and that it will help you avoid my mistakes when creating your own AWS organization.
Comment from a Software Engineer and Cloud Architect:
I did an org move last year with about 70 accounts, I ended up building a solution to automate parts of that but still had to handle updating the payment info for each manually :( I want to build a new version of that solution that I can open source this time. But I still don't have a satisfying solution for the payment issue.