Wow this is a pretty complicated topic. It seems like every organization has a different view of how the world works. Sometimes, on GitHub for instance, it is all tied to email names, you create an organization as a separate thing and then just have a list of emails names that are that organization.
In Facebook, it's sort of the reverse. Every real person has a real Facebook identity. But when you create a business, you don't use those identities at all, instead, there is a separate list of email names that are not real Facebook folks and there is a separate interface on business.facebook.com for managing them.
Amazon AWS has yet a third way and it has taken me a while to understand it because I just kind of stumbled into it. But here it is:
- First if you want a long standing organization, you have to create an Amazon identifier using that name. For instance
email@example.com a good one. This should be a non-personal account.
- From there, you go to
aws.amazon.comand create an account identity and you get a big long number. That account, you should not use and is called your root account. Some things you can only do in the root account, so beware and keep the identity little used and safely stored in 1Password. It also pays to turn on 2FA and put in there too to prevent hacks.
- Then for each user, you need to enable IAM in and this is where you create your set of users, these are not email names, but just a bunch of users with simple names. Most of the time this is what you use.
- Then if you want to get in to the console directly, you use the magic url
1234567.signin.aws.amazon.comwhere you substitute your account number in.
- If you want to make it more friendly, you can suggest a friendly name like
mycorp.signin.aws.amazon.comyou do this in
console.aws.amazon.com/iamand look in the Dashboard section on the left. The first entry should be the customize sign-in link.
- While you are there look at the Security Status and make sure that you are green lit across everything