diff --git a/aws-org/main.tf b/aws-org/main.tf
new file mode 100644
index 0000000..b0f4c3b
--- /dev/null
+++ b/aws-org/main.tf
@@ -0,0 +1,26 @@
+resource "aws_organizations_organization" "org" {
+  aws_service_access_principals = [
+    "cloudtrail.amazonaws.com",
+    "config.amazonaws.com",
+  ]
+
+  feature_set = "ALL"
+  enabled_policy_types = [
+    "TAG_POLICY",
+    "SERVICE_CONTROL_POLICY"
+  ]
+}
+
+resource "aws_organizations_policy" "taggig-policy" {
+  name = "tagging-policy"
+  type = "TAG_POLICY"
+
+  content = <<EOF
+{
+    "tags": {
+        "owner": {}
+    }
+}
+EOF
+}
+
diff --git a/iam/role.tf b/iam/role.tf
new file mode 100644
index 0000000..e0199aa
--- /dev/null
+++ b/iam/role.tf
@@ -0,0 +1,27 @@
+resource "aws_iam_role" "admin-role" {
+  name = "xpk-admin-role"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+  max_session_duration = 7200
+  tags = local.default-tags
+}
+
+resource "aws_iam_role_policy_attachment" "roaccess-attach" {
+  role       = aws_iam_role.admin-role.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+