Bootstrap a New Account

Manual steps required in the AWS Console before running Terraform.

Before Org Kickstart can be deployed, a few steps must be completed via ClickOps in your new AWS Management (Payer) account. Terraform cannot perform these actions automatically.

Root Account Tasks

Log into the root user of your new AWS “payer” account and complete the following:

  1. Add MFA to root
  2. Enable IAM access to billing
  3. Go to Organizations and create an Organization
  4. Go to AWS IAM Identity Center (SSO) and enable it
  5. Add yourself as a user in Identity Center
  6. Create a Permission Set named TempAdministratorAccess (4-hour session recommended)
  7. Assign the Permission Set to the Payer/Management Account for your user
  8. Activate trusted access for CloudFormation StackSets — click “Activate trusted access with AWS Organizations to use service-managed permissions” (must be done via console)

Log out of root and do not use it for routine work again; everything from here on runs through Identity Center. Root is still required only for the handful of account-level actions AWS restricts to it (for example changing the root email address or closing the account), so keep its MFA device somewhere safe.

Note: As of January 2026, Terraform does not support the aws login capability. An IAM Identity Center user or an IAM user must be used to run Terraform.

On Your Machine

  1. Check email and activate your IAM Identity Center account
  2. Add MFA to your Identity Center account
  3. Configure AWS credentials in your environment:

```shell
aws configure sso
# then point Terraform at the profile that created:
export AWS_PROFILE=your-sso-profile
```

You are now ready to deploy Org Kickstart.
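The console steps above leave nothing behind that Terraform can check for you, so it is worth confirming them from the SSO profile before the first apply. The following pre-flight script is an added example, not part of Org Kickstart: it uses AWS CLI v2 (`aws sts get-caller-identity`, `aws organizations describe-organization`, `aws organizations list-aws-service-access-for-organization`) to confirm that the session is an Identity Center session rather than root, that it is in the management account, that an Organization exists, and that StackSets trusted access is activated. The function names and the `run` argument are this example's own; the ARNs and service-principal strings in the comments are the standard AWS formats.

```shell
#!/bin/sh
# Added example (not part of Org Kickstart): pre-flight checks to run from the
# SSO profile configured above, before the first terraform apply.
# Assumes AWS CLI v2 and that AWS_PROFILE points at the TempAdministratorAccess
# permission set in the management (payer) account.

# 0 if the ARN is the account root user, which must never run Terraform.
is_root_arn() {
  case "$1" in
    arn:aws:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the ARN is an IAM Identity Center session (assumed-role/AWSReservedSSO_*).
is_identity_center_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the caller's account id equals the organization's management account id.
is_management_account() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 if a tab- or newline-separated list of enabled service principals
# (as printed by --output text) includes the one that "Activate trusted access"
# for StackSets turns on.
stacksets_trusted() {
  printf '%s\n' "$1" | tr '\t' '\n' \
    | grep -qx 'member.org.stacksets.cloudformation.amazonaws.com'
}

preflight() {
  arn=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null) || {
    echo "FAIL: no valid session. Run: aws sso login --profile ${AWS_PROFILE:-<profile>}" >&2
    return 1
  }
  account=$(aws sts get-caller-identity --query Account --output text)

  if is_root_arn "$arn"; then
    echo "FAIL: running as root ($arn); use the Identity Center profile instead" >&2
    return 1
  fi
  is_identity_center_arn "$arn" || echo "WARN: not an Identity Center session: $arn" >&2

  mgmt=$(aws organizations describe-organization \
           --query Organization.MasterAccountId --output text 2>/dev/null) || {
    echo "FAIL: no Organization found; create it in the console first" >&2
    return 1
  }
  is_management_account "$account" "$mgmt" || {
    echo "FAIL: account $account is not the management account ($mgmt)" >&2
    return 1
  }

  principals=$(aws organizations list-aws-service-access-for-organization \
                 --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)
  stacksets_trusted "$principals" || {
    echo "FAIL: StackSets trusted access is not activated (console step 8)" >&2
    return 1
  }

  echo "OK: $arn in management account $account; StackSets trusted access is on"
}

# Only call AWS when invoked as: AWS_PROFILE=your-sso-profile sh preflight.sh run
case "${1:-}" in
  run) preflight ;;
esac
```

The checks are split into small functions that take the CLI output as arguments so they can be exercised without credentials; `preflight` is the only part that talks to AWS. It does not verify the permission set's session duration or that Identity Center is enabled, because both are regional `sso-admin` calls that return nothing if the profile's region is not the Identity Center region.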

Next Steps

  • Create your tfvars file — see the Reference for all variables and a full example
  • Run terraform init and your first apply — see Getting Started

Last modified March 15, 2026: Tweaks (6dbdbb4)