Please consider that I'm new to AWS administration.
I have full access to my organisation's AWS account. One of our websites (developed in Drupal) is developed by a vendor who hosts it in their AWS account (dev/prod env.). They have a master account and separate accounts for each client.
My organisation wants to migrate the entire infrastructure in-house into our own AWS environment, which does seem to be a great idea. Meanwhile, I've found AWS Organisations and I know I can invite the vendor to join our organisation and then we can restrict their access (development access only) and manage the website and respective infrastructure ourselves. But this means we would have control of their root account, which won't happen as they have other client accounts as well.
In this scenario, please suggest the best way to get full access to and control of only our account.
For the sake of clarity, I'm going to refer to the specific AWS account that the vendor has for your AWS resources as your client account.
You have two options:
1. Have the vendor transfer just your client account to your AWS Organization.
2. Use an IAM cross-account role to assume a role in your client account.
Either of these options could be set up to allow you to administer the AWS resources that the vendor has in your client account.
Option 1: If your company should pay the AWS bill for your client account then transferring the account from the vendor's AWS org to your AWS org is most likely the best choice. The vendor does not need to make their AWS master account part of your org, only detach your specific client account from their AWS org and then accept a request for it to join your AWS org.
Option 2: If the vendor should pay the AWS bill for your client account then a cross-account role is most likely the best choice. In this scenario the vendor will remain the ultimate authority over your client account. The cross-account role can be granted any set of permissions up to and including administrator access to your client account.
Caveat: Your vendor may have a complex account structure set up for purposes such as centralized logging across all of its client accounts. Additional considerations would need to be factored in if this is the case.
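To make Option 2 concrete, here is an added example (not part of the answer above, and not the vendor's or AWS's own code) of what the vendor creates on their side and what you run on yours. The vendor creates a role in your client account whose trust policy names your account as the trusted principal; you then call STS AssumeRole from your own account to obtain temporary credentials for that role. The account IDs, role name and external ID below are placeholders constructed for the example, and the `OfflineSts` class is a constructed stand-in for a boto3 STS client so the script runs without AWS access; with real credentials you would pass `boto3.client("sts")` instead. The permissions the role actually grants (for instance the AWS-managed AdministratorAccess policy) are attached separately as the role's permissions policy and are not shown here.

```python
import json

# Placeholder identifiers, constructed for this example (not real accounts or roles).
YOUR_ACCOUNT_ID = "111111111111"     # your organisation's own AWS account
CLIENT_ACCOUNT_ID = "222222222222"   # the vendor-owned account that holds your Drupal site
ROLE_NAME = "ClientAdminRole"        # hypothetical name of the role the vendor creates for you
EXTERNAL_ID = "example-shared-external-id"  # value the vendor hands you out of band


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy the vendor attaches to the role in the client account.

    Trusting the account root lets your own IAM policies decide which of your
    users may assume the role; sts:ExternalId narrows who can present that
    trust (the confused-deputy guard), and the MFA condition is optional hardening.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id is not None:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_allows(policy, caller_account_id, external_id=None, mfa_present=False):
    """Simplified check of whether a caller satisfies the trust policy built above.

    This models only account-root principals and the two conditions used here;
    real IAM evaluation also considers explicit denies, SCPs and session policies.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if f"arn:aws:iam::{caller_account_id}:root" not in principals:
            continue
        cond = stmt.get("Condition", {})
        wanted_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_ext is not None and external_id != wanted_ext:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


def assume_client_role(sts_client, client_account_id=CLIENT_ACCOUNT_ID, role_name=ROLE_NAME,
                       external_id=EXTERNAL_ID, session_name="in-house-admin"):
    """Assume the cross-account role and return credentials usable by another boto3 client.

    sts_client is a boto3 STS client created from your own account's credentials
    (boto3.client("sts")); the same call maps to `aws sts assume-role`.
    """
    response = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{client_account_id}:role/{role_name}",
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=3600,
    )
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class OfflineSts:
    """Constructed stand-in for a boto3 STS client so the example runs without AWS access.

    It enforces the trust policy with trust_policy_allows() and returns fake credentials.
    """

    def __init__(self, trust_policy, caller_account_id, mfa_present=False):
        self.trust_policy = trust_policy
        self.caller_account_id = caller_account_id
        self.mfa_present = mfa_present

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None, DurationSeconds=3600):
        if not trust_policy_allows(self.trust_policy, self.caller_account_id, ExternalId, self.mfa_present):
            raise PermissionError(f"AccessDenied: not authorized to assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "fake-secret",
                                "SessionToken": "fake-token", "Expiration": None}}


if __name__ == "__main__":
    policy = build_trust_policy(YOUR_ACCOUNT_ID, external_id=EXTERNAL_ID, require_mfa=True)
    print(json.dumps(policy, indent=2))  # what the vendor pastes into the role's trust relationship
    creds = assume_client_role(OfflineSts(policy, YOUR_ACCOUNT_ID, mfa_present=True))
    print("assumed role, session token:", creds["aws_session_token"])
```

The point of the external ID and MFA conditions is that trusting your whole account root is broad: without the external ID, anyone the vendor has ever given your account ID to could ask the vendor to assume the role on their behalf (the confused-deputy problem), and without the MFA condition a single leaked long-lived key in your account is enough to become administrator of the client account. Pass the credentials returned by `assume_client_role` to `boto3.client("ec2", **creds)` or export them as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` for the CLI.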