Organisation Setup
The Organisation Setup Wizard is the recommended way to connect multiple AWS accounts that belong to a single AWS Organisation. It connects your management account, discovers member accounts, and generates the IAM policies you need — all in one guided flow.
Open the Organisation Setup Wizard →
Prerequisites
- Access to your AWS Organisation management account
- IAM permissions to create roles and policies in the management account and in each member account you want to connect
- Your 12-digit management account ID (find it in the AWS console or by running `aws sts get-caller-identity`)
Wizard walkthrough
The wizard has five steps. You can pause at any step and resume later — sessions are saved for 7 days.
Step 1 — Connect the management account
Enter the following details:
| Field | Description |
|---|---|
| Management Account ID | Your 12-digit AWS account ID for the organisation management account. |
| IAM Role Name | The name of the IAM role frugally.app will assume. Default: FrugallyOrganizationRole. |
| External ID | Auto-generated unique identifier. You will use this when creating the IAM role. |
Toggle optional features for the organisation level:
- CloudTrail — Read organisation-wide CloudTrail audit logs
- Cost Explorer — Query AWS Cost Explorer for spend data and forecasts
- CUR — Read Cost and Usage Reports from S3
See Features for details on each.
[SCREENSHOT: org-wizard-connect.png — wizard Connect step showing account ID, role name, external ID, feature toggles]
Create the IAM role in your management account
- Open the IAM Roles console in your management account.
- Click Create role.
- Select Another AWS account as the trusted entity.
- Enter the frugally.app account ID: 829513654501.
- Check Require external ID and paste the External ID shown in the wizard.
- Attach the management account policy — the wizard displays the exact JSON. You can also export it as CloudFormation or Terraform.
- Name the role exactly as shown in the wizard (default: FrugallyOrganizationRole).
- Click Create role.
The management account policy includes organizations: read actions so frugally.app can discover your accounts. If you enabled Cost Explorer, CloudTrail, or CUR, the policy will include those permissions too. See the IAM policy reference for a full breakdown.
The External ID is a unique token (ULID) generated by frugally.app. It is embedded in the IAM trust policy to prevent confused-deputy attacks. Only frugally.app knows this value, so only frugally.app can assume the role. Never share it publicly.
Once the IAM role is created, click Verify in the wizard. frugally.app will assume the role, confirm it can read your organisation, and detect whether the enabled features are working.
Step 2 — Discover member accounts
After the management account is verified, frugally.app calls the AWS Organisations API to list all member accounts. You will see a table of accounts with their IDs and names.
Select the accounts you want to connect. You can onboard all of them or pick a subset.
[SCREENSHOT: org-wizard-discover.png — member account list with checkboxes]
You can always add more member accounts later by re-running the wizard or adding them as standalone connections.
Step 3 — Configure capabilities
For each selected member account, configure which optional capabilities it should have:
| Capability | Description |
|---|---|
| Delegated billing account | Nominate one account to query Cost Explorer on behalf of the organisation. This is useful if your Cost Explorer data is consolidated in a specific billing account rather than the management account. |
| CloudTrail access | Enable CloudTrail read access for specific member accounts. If you enabled organisation-wide CloudTrail in Step 1, member accounts inherit it automatically. |
[SCREENSHOT: org-wizard-configure.png — delegated billing & CloudTrail options per account]
Step 4 — Review policies
The wizard generates IAM policies tailored to each selected member account based on the capabilities you configured.
For each member account you will see:
- The trust policy — allowing the frugally.app AWS account to assume the role
- The execution policy — granting the specific permissions needed (resource discovery, start/stop actions, and any optional features)
You can view the policies in three formats:
| Format | Use case |
|---|---|
| JSON | Copy-paste into the AWS IAM console |
| CloudFormation | Deploy as a CloudFormation stack |
| Terraform | Add to your Terraform configuration |
[SCREENSHOT: org-wizard-policies.png — generated IAM policy JSON with copy/export buttons]
Create the IAM role in every selected member account using the exact role name and External ID shown in the wizard. Mismatched values will cause verification to fail.
The default IAM role name for member accounts is FrugallyAccessRole. You can customise this, but it must match what you enter in the wizard.
Creating the role in each member account
Repeat the following for each selected member account:
- Sign in to the member account's IAM console.
- Create role → Another AWS account → Account ID: 829513654501.
- Check Require external ID → paste the External ID from the wizard.
- Attach the generated execution policy for that account.
- Name the role exactly as shown (default: FrugallyAccessRole).
If you have many accounts, consider deploying the CloudFormation template as a StackSet to roll out the IAM role across all accounts at once.
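The role-creation steps for the management account and for each member account both end in a trust policy that names account 829513654501 and requires the External ID, so the same pre-flight check covers both. The Python below is an added example, not frugally.app's own code: the External ID, the second account ID and the sample policies are constructed, and only the account ID 829513654501 comes from this page.

```python
import json

FRUGALLY_ACCOUNT_ID = "829513654501"        # frugally.app account ID given on this page
EXTERNAL_ID = "01JEXAMPLEEXTERNALID000000"  # constructed placeholder, not a real wizard value

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """'829513654501' or 'arn:aws:iam::829513654501:root' -> '829513654501'."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy_json, expected_external_id):
    """Return findings for a role trust policy; an empty list means it matches the wizard."""
    findings, trusts_frugally = [], False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if _account_of(p) != FRUGALLY_ACCOUNT_ID:
                findings.append(f"unexpected principal can assume the role: {p}")
                continue
            trusts_frugally = True
            # Only the StringEquals form is checked: it is what "Require external ID" produces.
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if ext is None:
                findings.append("no sts:ExternalId condition: role is open to confused-deputy use")
            elif ext != expected_external_id:
                findings.append("sts:ExternalId differs from the wizard value: verification will fail")
    if not trusts_frugally:
        findings.append("frugally.app account is not a trusted principal")
    return findings

def make_policy(principal, external_id=None):
    """Build a constructed sample trust policy document."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

ROOT = f"arn:aws:iam::{FRUGALLY_ACCOUNT_ID}:root"
SAMPLES = {  # constructed trust policies, one per common mistake
    "correct": make_policy(ROOT, EXTERNAL_ID),
    "missing-external-id": make_policy(ROOT),
    "wrong-external-id": make_policy(ROOT, "01JSOMEOTHERVALUE000000000"),
    "wrong-account": make_policy("arn:aws:iam::111122223333:root", EXTERNAL_ID),
}
```

To audit a real role, pass in the `Role.AssumeRolePolicyDocument` field returned by `aws iam get-role` for that role, serialised as JSON.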
Step 5 — Confirm and create
Review a summary of everything that will be created:
- The Organisation (linked to your management account)
- Each member Connection (with its account ID, role name, environment, and enabled features)
Confirm that the IAM roles are in place in all selected accounts, then click Confirm.
frugally.app will:
- Create the Organisation record
- Create a Connection for each selected member account (scope: Member)
- Verify each Connection by assuming its IAM role
[SCREENSHOT: org-wizard-confirm.png — summary of all connections to be created]
After confirmation, you are taken to the Connections list. Each Connection shows its health status.
After setup
Once your Organisation and member Connections are created:
- Check health status — Ensure all Connections show Connected. If any show Missing Permissions or Degraded, see the account health troubleshooting guide.
- Create Targets — Group your resources by service, region, and tags. See Creating Targets.
- Enable features — You can toggle CloudTrail, Cost Explorer, and CUR on or off for individual Connections or at the Organisation level at any time. See Features.
Resuming an incomplete wizard
If you close the wizard before completing it, your progress is saved for 7 days. When you re-open the wizard, frugally.app will detect your in-progress session and offer to resume from where you left off.
Sessions that are not completed within 7 days are automatically abandoned.
Adding more accounts later
To add member accounts that were not selected during the initial wizard run:
- Re-run the wizard — it will detect your existing Organisation and show only the accounts not yet connected.
- Add as standalone — if you prefer, you can add individual accounts as Standalone Connections. They will not be linked to the Organisation and will manage their own features independently.