AWS - about the OrganizationAccountAccessRole

Hi All, I am new to AWS, and my organisation has decided to move billing to an AWS Partner so that we get a due date extension. I am in charge of the transition.
As part of the process, we should accept an AWS Organizations invite from the partner account. The invitation message reads:
> The organization with the following details invites your AWS account to become a member of the organization. This organization has all features enabled and can assume full control of your account.
From reading the docs I understood the following
• Even after accepting the invite, I have to manually create the OrganizationAccountAccessRole for the partner management account, and only then can they manage our account.
What I don’t understand clearly from the document are the following

  1. What access does the management account have if I only accept the invite and don't create the OrganizationAccountAccessRole? What can they see and not see?
  2. Do SCPs (Service Control Policies) need the OrganizationAccountAccessRole to work? I read that SCPs apply automatically to member accounts, so will accepting the invite modify our account anyway, even without the OrganizationAccountAccessRole?

I think that when you accept an invitation to join an AWS Organization, the management account of that organization does not automatically gain access to manage your account. The management account can only manage your account if you manually create the OrganizationAccountAccessRole.

If you only accept the invite and don’t create the OrganizationAccountAccessRole, the management account will not have access to your account. They will not be able to see or manage your resources.

Service Control Policies (SCPs) do not need the OrganizationAccountAccessRole to work. SCPs are used to set fine-grained permissions and control access to services and actions across all accounts in an organization. When you join an AWS Organization, any SCPs that are in place will automatically apply to your account. This means that accepting the invite could modify your account in terms of what services and actions are allowed or denied, even without the OrganizationAccountAccessRole.

However, it’s important to note that SCPs do not grant permissions. Instead, they are a means of restricting permissions that are otherwise granted by IAM policies. Therefore, even if an SCP allows a certain action, the action can only be performed if the necessary permissions are granted by an IAM policy.

Double-check all of the above, just to be sure.
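The SCP point in the answer above (an SCP can only narrow what an IAM policy grants, and an SCP Allow grants nothing by itself) is easier to see with a small evaluator. This is an added example written for this thread, not code posted by anyone in it. The two policy documents are constructed samples, and the evaluator only supports `StringEquals`/`StringNotEquals` conditions; the evaluation order it implements (explicit Deny wins, then the SCP must allow, then IAM must grant) is the documented AWS logic for a member account.

```python
"""Effective-permission check for a member account: IAM grant AND SCP filter.

Added illustration for this thread, not code posted in it. The two policy
documents are constructed samples; the evaluation rules follow the documented
AWS logic: an explicit Deny in either document wins, an SCP can only narrow
what IAM grants, and an SCP Allow grants nothing on its own.
"""
import fnmatch
import json

# Constructed SCP, as a management account might attach to a member's OU.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}
  ]
}""")

# Constructed identity policy attached to an IAM user inside the member account.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "organizations:*"],
     "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Minimal condition support: StringEquals / StringNotEquals on context keys."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"condition operator {operator}")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and actual in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, context=None):
    """Result of one policy document: 'allow', 'deny' (explicit) or 'implicit_deny'."""
    context = context or {}
    result = "implicit_deny"
    for statement in policy["Statement"]:
        if not _action_matches(statement.get("Action", []), action):
            continue
        if not _condition_holds(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "deny"  # an explicit deny is final
        result = "allow"
    return result


def effective(iam_policy, scp, action, context=None):
    """Access in a member account requires the SCP to allow AND IAM to grant."""
    scp_result = evaluate(scp, action, context)
    if scp_result != "allow":
        return False, f"blocked by SCP ({scp_result})"
    iam_result = evaluate(iam_policy, action, context)
    if iam_result != "allow":
        return False, f"no IAM grant ({iam_result})"
    return True, "allowed by IAM and not restricted by SCP"


if __name__ == "__main__":
    for action, region in [("s3:GetObject", "eu-west-1"),
                           ("ec2:DescribeInstances", "eu-west-1"),
                           ("ec2:DescribeInstances", "us-east-1"),
                           ("organizations:LeaveOrganization", "eu-west-1"),
                           ("iam:CreateRole", "eu-west-1")]:
        ok, why = effective(IAM_POLICY, SCP, action, {"aws:RequestedRegion": region})
        print(f"{action:35} {region:10} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The last case is the one worth noticing: the SCP allows `iam:CreateRole` (the `*` statement), yet the user still cannot create a role because no IAM policy grants it. Conversely, `organizations:LeaveOrganization` is granted by IAM but the SCP's Deny removes it, which is exactly the kind of change that can land on a member account the moment the invite is accepted.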

You’ve got to be very careful with this. If you’re part of an organisation with “all features”, you have to assume the organisation account can access your account and all your resources. There are at least two ways that come to mind:

  1. they can set up AWS SSO and grant access (even admin-type access) to any “child” account. As far as I’m aware, there is nothing you can do to prevent this from happening or stop it from outside the organisation account.
  2. they can use StackSets to provision any type of resource that CloudFormation supports. That includes roles and permissions. Again, there is no control over this from the “child” account (though in this case there is nothing stopping you from deleting the created resources, except perhaps SCPs).
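A member account can at least see which of these entry points exist by auditing its own IAM roles: the OrganizationAccountAccessRole trusting the management account, the roles IAM Identity Center (AWS SSO) provisions for permission sets, and the execution roles StackSets creates. The script below is an added example for this thread, not code from the answer above. The account IDs and the role inventory are constructed (in the shape `aws iam list-roles` returns); the name and path patterns it matches on (`OrganizationAccountAccessRole`, the `AWSReservedSSO_` prefix under `/aws-reserved/sso.amazonaws.com/`, the `stacksets-exec-` prefix and `AWSCloudFormationStackSetExecutionRole`) are the documented AWS conventions and are assumed to be unchanged in the account being audited.

```python
"""Audit a member account's IAM roles for the paths an organization's
management account can use to get in (cross-account trust, AWS SSO, StackSets).

Added illustration for this thread, not code posted in it. Account IDs and the
role inventory are constructed; the role-name/path patterns are the documented
AWS conventions.
"""

OWN_ACCOUNT = "222222222222"         # the member account being audited (constructed)
MANAGEMENT_ACCOUNT = "111111111111"  # the partner's management account (constructed)

SSO_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
STACKSET_EXEC_NAMES = ("stacksets-exec-", "AWSCloudFormationStackSetExecutionRole")

# Constructed sample in the shape of `aws iam list-roles --output json`.
SAMPLE_LIST_ROLES = {"Roles": [
    {"RoleName": "OrganizationAccountAccessRole", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root"}}]}},
    {"RoleName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef",
     "Path": SSO_PATH_PREFIX + "eu-west-1/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
          "Principal": {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"}}]}},
    {"RoleName": "stacksets-exec-0123456789ab", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:role/aws-service-role/"
                               "stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"}}]}},
    {"RoleName": "app-lambda-role", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "lambda.amazonaws.com"}}]}},
    {"RoleName": "ops-admin", "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}}]}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(trust_policy, kind):
    """Values of Principal[kind] ('AWS', 'Federated', 'Service') across Allow statements."""
    values = set()
    for statement in _as_list(trust_policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            values.add("*")
        elif isinstance(principal, dict):
            values.update(_as_list(principal.get(kind, [])))
    return values


def trusted_accounts(trust_policy):
    """Account IDs (or '*') whose IAM principals may assume the role."""
    accounts = set()
    for principal in _principals(trust_policy, "AWS"):
        # ARN account field is index 4; otherwise it is '*' or a bare account id.
        accounts.add(principal.split(":")[4] if principal.startswith("arn:") else principal)
    return accounts


def audit_roles(roles, own_account):
    """Map role name -> reasons it is reachable or managed from outside the account."""
    findings = {}
    for role in roles:
        name, path = role["RoleName"], role.get("Path", "/")
        trust = role["AssumeRolePolicyDocument"]
        reasons = []
        foreign = sorted(a for a in trusted_accounts(trust) if a != own_account)
        if foreign:
            reasons.append(f"assumable from account(s) {foreign}")
        if name == "OrganizationAccountAccessRole":
            reasons.append("default role the management account uses to administer members")
        if (path.startswith(SSO_PATH_PREFIX) or name.startswith("AWSReservedSSO_")
                or any("saml-provider/AWSSSO" in f for f in _principals(trust, "Federated"))):
            reasons.append("IAM Identity Center (AWS SSO) permission set role, managed from the organization")
        if name.startswith(STACKSET_EXEC_NAMES[0]) or name == STACKSET_EXEC_NAMES[1]:
            reasons.append("CloudFormation StackSets execution role")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for role_name, reasons in audit_roles(SAMPLE_LIST_ROLES["Roles"], OWN_ACCOUNT).items():
        print(role_name)
        for reason in reasons:
            print("   -", reason)
```

To run it against a real member account, replace `SAMPLE_LIST_ROLES` with the parsed output of `aws iam list-roles --output json` (the CLI already decodes `AssumeRolePolicyDocument`), and set `OWN_ACCOUNT` from `aws sts get-caller-identity`. Note what the audit cannot do: it reports roles that already exist, so it only tells you the paths have been used, not that they are closed; as the answer says, a management account with all features enabled can create them at any time.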