Tags: amazon-web-services, amazon-ec2, amazon-iam, aws-organizations

Multiple Root accounts in single AWS organization: IAM admin can't see all EC2 instances in specified region


This question may seem noobish, but I am pulling my hair out with our AWS organization. We have 3 separate root accounts connected in a single organization with IAM accounts and policies. We can only see instances from the default root account in the EC2 list (yes, I am looking in the correct region). We have shared full account access across all of the other accounts and accepted the invitations. Our billing works perfectly and funnels from our main root account (and I can see billing of the other separate accounts fine). Even our highest level of admin (literally a grant permission to everything) cannot see instances launched from one of the separate root accounts.

Our goal is our admin group should see EC2 instances from all 3 root accounts in the organization without switching accounts or credentials.

I know this has to be possible, but I have spent at least 2 hours and have not gotten far. Any suggestions on how to achieve this?


Solution

  • @jarmod's answer provides a good overview of the terminology. I don't think it addresses your visibility problem.

    Your assumption appears to be that the master account of the organization should be able to directly see all resources of all accounts within the organization in its AWS console or via the API. That's not correct.

    The resources in the accounts are generally still separated (although some things can be shared, but that's another matter), but you can change into these accounts by assuming a role in the accounts and then you're able to see the resources - this is what @jarmod is describing. After you have changed into the accounts, you'll be able to see all resources within that respective account.

    To learn more about organizations and their capabilities, here are some helpful links:

    Resources within an AWS Account logically belong to that account and not to its organization.
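The answer's point in working code, as an added example that is not part of the question, the answer or any AWS sample: the management account cannot list member-account EC2 instances directly, so an inventory script must enumerate the organization's accounts, assume a role in each member account and call `describe_instances` with the temporary credentials. The role name `OrganizationAccountAccessRole`, the session name and the sample account ids and instance ids are assumptions; the role exists by default only in accounts that Organizations created, so for invited accounts (the situation in the question) it has to be created by hand with a trust policy that names the management account. The aggregation logic is separated from the boto3 calls so it can be run offline on the constructed sample data.

```python
"""Inventory EC2 instances across every account of an AWS Organization.

Added example, not code from the page. Assumptions: each member account has a
role named OrganizationAccountAccessRole that trusts the management account,
and the caller may call sts:AssumeRole on it and organizations:ListAccounts.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

ROLE_NAME = "OrganizationAccountAccessRole"  # assumed default name


@dataclass(frozen=True)
class Instance:
    account_id: str
    instance_id: str
    state: str


def instances_from_describe(account_id: str, response: dict) -> list:
    """Flatten an ec2 describe_instances response into Instance records."""
    found = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            found.append(Instance(account_id, inst["InstanceId"], inst["State"]["Name"]))
    return found


def collect_instances(account_ids: Iterable[str], describe_for_account: Callable[[str], dict]):
    """Query every account; keep going when one fails (e.g. AccessDenied because the
    role was never created in an invited account) and report the failure per account."""
    instances, errors = [], {}
    for account_id in account_ids:
        try:
            instances.extend(instances_from_describe(account_id, describe_for_account(account_id)))
        except Exception as exc:
            errors[account_id] = f"{type(exc).__name__}: {exc}"
    return instances, errors


# ---- real AWS wiring; boto3 is imported lazily so the pure functions run offline ----
def list_org_account_ids() -> list:
    """Active account ids in the organization (call from the management account)."""
    import boto3
    org = boto3.client("organizations")
    ids = []
    for page in org.get_paginator("list_accounts").paginate():
        ids.extend(a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE")
    return ids


def aws_describer(region: str, role_name: str = ROLE_NAME) -> Callable[[str], dict]:
    """Return a function that assumes the role in a member account and lists its
    EC2 instances in `region`; the caller's own account is queried directly."""
    import boto3
    sts = boto3.client("sts")
    own_account = sts.get_caller_identity()["Account"]

    def describe(account_id: str) -> dict:
        if account_id == own_account:
            ec2 = boto3.client("ec2", region_name=region)
        else:
            creds = sts.assume_role(
                RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
                RoleSessionName="org-ec2-inventory",  # assumed session name
            )["Credentials"]
            ec2 = boto3.client(
                "ec2", region_name=region,
                aws_access_key_id=creds["AccessKeyId"],
                aws_secret_access_key=creds["SecretAccessKey"],
                aws_session_token=creds["SessionToken"],
            )
        merged = {"Reservations": []}
        for page in ec2.get_paginator("describe_instances").paginate():
            merged["Reservations"].extend(page["Reservations"])
        return merged

    return describe


# ---- constructed sample data (not real accounts or instances) for an offline run ----
SAMPLE_RESPONSES = {
    "111111111111": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"}},
        {"InstanceId": "i-0bbb", "State": {"Name": "stopped"}}]}]},
    "222222222222": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0ccc", "State": {"Name": "running"}}]}]},
    # 333333333333 is deliberately absent: it stands in for an account without the role
}


def sample_describer(account_id: str) -> dict:
    if account_id not in SAMPLE_RESPONSES:
        raise PermissionError("AccessDenied: role not found in account")
    return SAMPLE_RESPONSES[account_id]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python org_ec2_inventory.py eu-west-1
        found, errors = collect_instances(list_org_account_ids(), aws_describer(sys.argv[1]))
    else:  # offline demo on the constructed data
        found, errors = collect_instances(["111111111111", "222222222222", "333333333333"], sample_describer)
    for inst in found:
        print(f"{inst.account_id} {inst.instance_id} {inst.state}")
    for account_id, err in errors.items():
        print(f"{account_id}: could not query ({err})", file=sys.stderr)
```

Accounts where the role is missing show up in `errors` instead of silently disappearing from the inventory, which is exactly the symptom in the question (instances "not visible") made explicit. The trust policy on the member-account role should allow only the admin group's principal in the management account to assume it, so cross-account visibility does not become cross-account full access for everyone.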