
AWS Security Governance at Scale: Which AWS Account Can Invite Others to Join an Organization?

How Do I Send an AWS Organizations Invitation from a Management Account?

Learn which account is authorized to invite other accounts to join an AWS Organization. Understand the central role of the management account in AWS security governance and why member accounts and IAM users in other accounts cannot issue invitations.

Question

The process of asking another account to join your organization is called an Invitation. Who can issue an invitation?

A. Any account added to the Root of the AWS Organization
B. Any member account designated by the management account
C. Organization’s management account
D. Any IAM user attached with the AWSOrgFullControl Policy

Answer

C. Organization’s management account

Explanation

The correct answer is C. Only the organization’s management account has the authority to issue invitations for other AWS accounts to join the organization. This is a fundamental security and governance design principle of AWS Organizations.

The management account is the single, authoritative source for managing the organization’s structure, including its membership. This centralized control prevents unauthorized or accidental additions of accounts to the organization, ensuring a clear and secure governance model. While an IAM user or role within the management account can perform this action if granted the necessary permissions (specifically organizations:InviteAccountToOrganization), the action itself originates from the authority of the management account.

Option A is incorrect because placing an account in the root organizational unit (OU) does not grant it administrative privileges to manage the organization’s membership. All member accounts reside within the root, but they do not inherit this capability.

Option B is incorrect because the ability to send invitations is a non-delegable permission. The management account cannot designate a member account to perform this function on its behalf.

Option D is incorrect because the AWSOrganizationsFullAccess policy is only effective for this action when attached to an IAM principal within the management account. An IAM user in a member account, even with this policy, lacks the authority to invite other accounts into the organization. The context of the request must be the management account.
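The explanation above hinges on two checks a practitioner would actually automate: confirming the caller is in the management account before issuing an invitation, and auditing CloudTrail for InviteAccountToOrganization calls that came from anywhere else. The following Python is an added example written for this page, not code from AWS or from the original question. It works on constructed stand-ins for the DescribeOrganization, GetCallerIdentity and CloudTrail record shapes (field names such as MasterAccountId, Account, eventSource and errorCode are the real ones; the account IDs and ARNs are placeholders), so it runs offline without boto3.

```python
"""Governance helpers for AWS Organizations invitations (added example).

Assumptions: the dictionaries below mimic the responses of
organizations.describe_organization(), sts.get_caller_identity() and
CloudTrail records; all IDs and ARNs are constructed placeholders.
"""

INVITE_ACTION = "organizations:InviteAccountToOrganization"
ORG_EVENT_SOURCE = "organizations.amazonaws.com"

# Constructed stand-in for describe_organization(); the management account
# is reported under the field "MasterAccountId" in the real response.
SAMPLE_ORGANIZATION = {
    "Organization": {
        "Id": "o-exampleorgid",
        "MasterAccountId": "111111111111",
        "MasterAccountEmail": "mgmt@example.com",
    }
}

# Constructed stand-ins for get_caller_identity().
SAMPLE_CALLER_MGMT = {"Account": "111111111111", "Arn": "arn:aws:iam::111111111111:user/org-admin"}
SAMPLE_CALLER_MEMBER = {"Account": "222222222222", "Arn": "arn:aws:iam::222222222222:user/dev"}


def is_management_account(caller_identity: dict, organization: dict) -> bool:
    """True when the caller's account is the organization's management account."""
    return caller_identity["Account"] == organization["Organization"]["MasterAccountId"]


def invite_policy_document() -> dict:
    """Least-privilege IAM policy granting only what an invitation needs.
    It is effective only on a principal inside the management account; on a
    member-account principal the same statement grants nothing usable here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgInvitations",
            "Effect": "Allow",
            "Action": [INVITE_ACTION, "organizations:DescribeOrganization"],
            "Resource": "*",
        }],
    }


def preflight_invitation(caller_identity: dict, organization: dict, target_account_id: str):
    """Return (ok, reason) to run before calling InviteAccountToOrganization,
    so a misconfigured pipeline fails with a clear message instead of AccessDenied."""
    mgmt = organization["Organization"]["MasterAccountId"]
    if not is_management_account(caller_identity, organization):
        return False, f"caller account {caller_identity['Account']} is not the management account {mgmt}"
    if target_account_id == mgmt:
        return False, "the management account cannot invite itself"
    return True, "invitation may be issued from the management account"


# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_TRAIL = [
    {"eventSource": ORG_EVENT_SOURCE, "eventName": "InviteAccountToOrganization",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/org-admin"},
     "requestParameters": {"target": {"id": "333333333333", "type": "ACCOUNT"}}},
    {"eventSource": ORG_EVENT_SOURCE, "eventName": "InviteAccountToOrganization",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/dev"},
     "errorCode": "AccessDeniedException",
     "requestParameters": {"target": {"id": "444444444444", "type": "ACCOUNT"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"accountId": "222222222222"}},
]


def audit_invitations(records, organization: dict):
    """List every invitation call: successes from the management account and
    denied attempts from elsewhere (the latter are a useful alerting signal)."""
    mgmt = organization["Organization"]["MasterAccountId"]
    findings = []
    for rec in records:
        if rec.get("eventSource") != ORG_EVENT_SOURCE:
            continue
        if rec.get("eventName") != "InviteAccountToOrganization":
            continue
        source = rec["userIdentity"]["accountId"]
        target = rec.get("requestParameters", {}).get("target", {}).get("id")
        findings.append({
            "source_account": source,
            "target_account": target,
            "from_management_account": source == mgmt,
            "denied": "errorCode" in rec,
        })
    return findings


if __name__ == "__main__":
    print(preflight_invitation(SAMPLE_CALLER_MGMT, SAMPLE_ORGANIZATION, "333333333333"))
    print(preflight_invitation(SAMPLE_CALLER_MEMBER, SAMPLE_ORGANIZATION, "333333333333"))
    for finding in audit_invitations(SAMPLE_TRAIL, SAMPLE_ORGANIZATION):
        print(finding)
```

In a real deployment the two sample dictionaries would come from `boto3.client("organizations").describe_organization()` and `boto3.client("sts").get_caller_identity()`, and the records from a CloudTrail export or Athena query; the audit deliberately keeps denied attempts in its output because an invitation attempt from a member account, even though AWS rejects it, is the kind of activity a governance team wants to see.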
