AWS Organizations is a service that enables centralized management of multiple AWS accounts.
It allows you to group, manage, and govern AWS accounts under a single structure.
This helps in cost control, security, compliance, and automation.
Manage multiple AWS accounts from a single management account.
Create and invite new AWS accounts under the organization.
Single Payment: All accounts under an organization share a single bill.
Cost Allocation Tags: Track usage per account.
Savings Plans and Reserved Instances Sharing: Optimize costs across accounts.
Enforce security policies across multiple accounts.
Restrict access to specific AWS services or regions.
SCPs take precedence over IAM policies: an action an SCP denies cannot be granted by any IAM policy in the member account (stricter governance).
Group accounts into hierarchical structures for better management.
SCPs can be applied at the OU level to control permissions.
Example:
Root
├── Security OU
│ ├── Audit Account
│ ├── Logging Account
├── Development OU
│ ├── Dev Account 1
│ ├── Dev Account 2
├── Production OU
│ ├── Prod Account 1
│ ├── Prod Account 2
Works with AWS Control Tower, AWS IAM, AWS Config, AWS CloudTrail for compliance and governance.
AWS Security Hub & GuardDuty integration for security management.
An organization is a collection of AWS accounts that you can manage centrally and organize into a hierarchical, tree-like structure with a root at the top and organizational units nested under the root.
Each account can be directly in the root, or placed in one of the OUs in the hierarchy.
An administrative root (root) is contained in the management account and is the starting point for organizing your AWS accounts.
The root is the top-most container in your organization’s hierarchy. Under this root, you can create organizational units (OUs) to logically group your accounts and organize these OUs into a hierarchy that best matches your needs.
If you apply a management policy to the root, it applies to all organizational units (OUs) and accounts, including the management account for the organization.
If you apply an authorization policy (for example, a service control policy (SCP)), to the root, it applies to all organizational units (OUs) and member accounts in the organization. It does not apply to the management account in the organization.
Organizational units (OUs) are sub-groups of accounts inside AWS Organizations, used for finer-grained governance.
SCPs applied to an OU affect all child accounts.
A management account is the AWS account you use to create your organization.
The management account is the ultimate owner of the organization, having final control over security, infrastructure, and finance policies. This account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization.
From the management account, you can do the following:
Create other accounts in your organization
Invite and manage invitations for other accounts to join your organization
Designate delegated administrator accounts
Remove accounts from your organization
Attach policies to entities such as roots, organizational units (OUs), or accounts within your organization
Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization.
Member accounts are the AWS accounts that belong to the organization other than the management account.
They can be created from within AWS Organizations or invited manually as existing accounts.
It is recommended that you use the management account and its users and roles only for tasks that must be performed by that account.
It is recommended that you store your AWS resources in other member accounts in the organization and keep them out of the management account. This is because security features like Organizations service control policies (SCPs) do not restrict any users or roles in the management account.
Separating your resources from your management account can also help you understand the charges on your invoices.
From the organization's management account, you can designate one or more member accounts as a delegated administrator account to help you implement this recommendation.
There are two types of delegated administrators:
Delegated administrator for Organizations: From these accounts, you can manage organization policies and attach policies to entities (roots, OUs, or accounts) within the organization. The management account can control delegation permissions at granular levels.
Delegated administrator for an AWS service: From these accounts, you can manage AWS services that integrate with Organizations. The management account can register different member accounts as delegated administrators for different services as needed. These accounts have administrative permissions for a specific service, as well as permissions for Organizations read-only actions.
A policy is a "document" with one or more statements that define the controls that you want to apply to a group of AWS accounts.
AWS Organizations supports authorization policies and management policies.
Authorization policies help you to centrally manage the security of AWS accounts across an organization.
A service control policy is a type of policy that offers central control over the maximum available permissions for IAM users and IAM roles in an organization.
This means that SCPs specify principal-centric controls. SCPs create a permissions guardrail, or set limits on the maximum permissions available to principals in your member accounts. You use an SCP when you want to centrally enforce consistent access controls on principals in your organization.
This can include specifying which services your IAM users and IAM roles can access, which resources they can access, or the conditions under which they can make requests (for example, from specific regions or networks).
A resource control policy is a type of policy that offers central control over the maximum available permissions for resources in an organization.
This means that RCPs specify resource-centric controls. RCPs create a permissions guardrail, or set limits, on the maximum permissions available for resources in your member accounts. Use an RCP when you want to centrally enforce consistent access controls across resources in your organization.
This can include restricting access to your resources so that they can only be accessed by identities that belong to your organization, or specifying the conditions under which identities external to your organization can access your resources.
Management policies help you centrally configure and manage AWS services and their features across an organization.
A declarative policy is a type of policy that allows you to centrally declare and enforce desired configurations for a given AWS service at scale across an organization. Once attached, the configuration is always maintained when the service adds new features or APIs.
A backup policy is a type of policy that allows you to centrally manage and apply backup plans to the AWS resources across an organization's accounts.
A tag policy is a type of policy that allows you to standardize the tags attached to the AWS resources in an organization's accounts.
A chat applications policy is a type of policy that allows you to control access to an organization's accounts from chat applications such as Slack and Microsoft Teams.
An AI services opt-out policy is a type of policy that allows you to control data collection for AWS AI services for all the accounts in an organization.
The first account created becomes the management account.
Other AWS accounts can be invited or created under this organization.
Group similar accounts (e.g., Dev, Test, Prod).
Apply SCPs to enforce security policies.
SCPs define which actions the principals in an account can or cannot perform.
Example SCP to block S3 bucket deletion:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
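To make the guardrail semantics described above concrete (an SCP attached to an OU reaches every account under it, an SCP on the root reaches every member account but never the management account, and a request succeeds only if the SCP chain and the principal's IAM policy both allow it), here is a small Python evaluator written for this page. It is an added example, not AWS code: the hierarchy, account ids and attached policies are constructed to mirror the example tree, and it deliberately simplifies real evaluation (Resource, Condition, NotAction and resource control policies are ignored).

```python
"""Toy evaluator for how SCPs attached along the Organizations hierarchy
limit what IAM principals in a member account can do.
Added example, not AWS code. All ids below are constructed placeholders."""
from fnmatch import fnmatchcase

# AWS attaches this default SCP to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The page's example SCP.
DENY_S3_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}

# Constructed hierarchy modelled on the page's tree: child -> parent.
PARENT = {
    "ou-security": "r-root",
    "ou-development": "r-root",
    "ou-production": "r-root",
    "111111111111": "ou-security",     # Audit account (constructed id)
    "222222222222": "ou-development",  # Dev account 1
    "333333333333": "ou-production",   # Prod account 1
    "999999999999": "r-root",          # management account
}
MANAGEMENT_ACCOUNT = "999999999999"

# SCPs attached to each node. Only the Production OU carries the deny.
ATTACHED = {node: [FULL_AWS_ACCESS] for node in list(PARENT) + ["r-root"]}
ATTACHED["ou-production"].append(DENY_S3_DELETE)


def attach(node, policy):
    """Attach an SCP to a root, OU or account (the console's Attach step)."""
    ATTACHED.setdefault(node, [FULL_AWS_ACCESS]).append(policy)


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(pattern, action):
    # IAM action names match case-insensitively, with * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policies, action):
    """Evaluate a set of policy documents for one action: 'deny' on an explicit
    Deny, 'allow' on a matching Allow, otherwise 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def lineage(account_id):
    """Nodes from the account up to the root, e.g. [account, OU, root]."""
    chain = [account_id]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def scp_allows(account_id, action):
    """The SCP guardrail passes only if the SCPs at *every* level from the
    account up to the root allow the action and none explicitly denies it.
    SCPs never apply to the management account."""
    if account_id == MANAGEMENT_ACCOUNT:
        return True
    return all(policy_decision(ATTACHED.get(node, []), action) == "allow"
               for node in lineage(account_id))


def effective_allow(account_id, action, iam_policies):
    """Final decision: both the SCP guardrail and the IAM policies must allow."""
    return scp_allows(account_id, action) and policy_decision(iam_policies, action) == "allow"


if __name__ == "__main__":
    admin = [FULL_AWS_ACCESS]  # an AdministratorAccess-style identity policy
    for acct in ("222222222222", "333333333333", MANAGEMENT_ACCOUNT):
        print(acct, "s3:DeleteBucket ->", effective_allow(acct, "s3:DeleteBucket", admin))
```

Running it shows the Dev account may delete buckets, the Prod account may not even with an administrator IAM policy, and the management account is untouched; calling attach("r-root", DENY_S3_DELETE) then blocks every member account while the management account still passes, which is exactly why the page advises keeping workloads out of it.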
Combine multiple AWS accounts into one bill.
Share Reserved Instances & Savings Plans for cost savings.
Use AWS CloudTrail to track changes across accounts.
Enable AWS Config to check for compliance violations.
Log in to AWS Management Console.
Go to AWS Organizations service.
Click Create Organization.
Choose "Enable All Features" for full functionality.
Click Create Organizational Unit.
Name it (e.g., Security, Development, Production).
Move member accounts into the OUs.
Go to AWS Organizations > Policies.
Click Create Policy.
Define the policy (Example: Block RDS instance deletion):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "*"
    }
  ]
}
Attach the SCP to an OU or Account.
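The same steps (enable all features, create an OU, create the SCP, attach it) scripted against the AWS Organizations API with boto3, as an added example that is not part of the page or of AWS's own tooling. It assumes boto3 is installed and that the credentials in use belong to the management account or an Organizations delegated administrator; root, OU and policy ids (r-..., ou-..., p-...) are only known at run time, so none are hard-coded. The validate_scp check is my addition and runs before anything is attached, because a malformed or over-broad Deny attached to a live OU locks every account in it out at once.

```python
"""Scripted version of the console steps: create organization, OU and SCP, then attach.
Added example, not AWS code. Requires management-account credentials and boto3 to apply."""
import json

SCP_MAX_CHARS = 5120  # assumption: AWS's documented SCP size quota; verify against current quotas


def build_deny_scp(actions, sid="DenyDestructiveActions"):
    """Build an SCP document shaped like the page's examples, denying the given actions."""
    if isinstance(actions, str):
        actions = [actions]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Deny", "Action": sorted(actions), "Resource": "*"}],
    }


def validate_scp(policy):
    """Structural checks on an SCP before it is attached. Returns a list of problems (empty = ok)."""
    errors = []
    if policy.get("Version") != "2012-10-17":
        errors.append("Version must be 2012-10-17")
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return errors + ["Statement must be a non-empty list"]
    for i, s in enumerate(stmts):
        effect = s.get("Effect")
        if effect not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        if not s.get("Action") and not s.get("NotAction"):
            errors.append(f"statement {i}: needs Action or NotAction")
        if "Principal" in s or "NotPrincipal" in s:
            errors.append(f"statement {i}: SCPs cannot contain Principal")
        if effect == "Allow":
            # SCP syntax rules: Allow statements take Resource "*" and no Condition/NotAction.
            if s.get("Resource") not in ("*", ["*"]):
                errors.append(f"statement {i}: Allow statements must use Resource \"*\"")
            if "Condition" in s or "NotAction" in s:
                errors.append(f"statement {i}: Allow statements cannot use Condition or NotAction")
        if effect == "Deny" and s.get("Action") in ("*", ["*"]) and "Condition" not in s:
            errors.append(f"statement {i}: unconditional Deny * blocks all access in the target")
    if len(json.dumps(policy, separators=(",", ":"))) > SCP_MAX_CHARS:
        errors.append(f"policy exceeds {SCP_MAX_CHARS} characters")
    return errors


def apply_scp(ou_name, policy_name, policy, parent_id=None):
    """Create the OU (under the root unless parent_id is given), create the SCP, attach it.
    Returns the ids AWS assigned. Refuses to touch the organization if validation fails."""
    problems = validate_scp(policy)
    if problems:
        raise ValueError("refusing to create SCP: " + "; ".join(problems))
    import boto3  # imported here so the builders above work without boto3 installed
    org = boto3.client("organizations")
    try:
        org.create_organization(FeatureSet="ALL")  # "Enable All Features"
    except org.exceptions.AlreadyInOrganizationException:
        pass  # this account already belongs to an organization
    if parent_id is None:
        parent_id = org.list_roots()["Roots"][0]["Id"]  # r-xxxx
    ou = org.create_organizational_unit(ParentId=parent_id, Name=ou_name)
    ou_id = ou["OrganizationalUnit"]["Id"]  # ou-xxxx-xxxxxxxx
    created = org.create_policy(
        Content=json.dumps(policy),
        Description=f"Deny {', '.join(policy['Statement'][0]['Action'])}",
        Name=policy_name,
        Type="SERVICE_CONTROL_POLICY",
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]  # p-xxxxxxxx
    org.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return {"ou_id": ou_id, "policy_id": policy_id}


if __name__ == "__main__":
    scp = build_deny_scp(["rds:DeleteDBInstance", "s3:DeleteBucket"])
    print(json.dumps(scp, indent=2))
    print("validation:", validate_scp(scp) or "ok")
    # apply_scp("Production", "DenyDestructiveDeletes", scp)  # uncomment with real credentials
```

Accounts are moved into the new OU afterwards with org.move_account(AccountId=..., SourceParentId=..., DestinationParentId=ou_id); attach the policy to a test OU containing one non-critical account first, as the page's "Apply SCPs Cautiously" advice says.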
Go to Billing Dashboard in AWS Console.
Click Consolidated Billing.
Add AWS accounts to share billing.
Use Separate OUs for Security, Dev, Prod – Ensures better management.
Apply SCPs Cautiously – Test before applying to avoid blocking critical services.
Enable AWS CloudTrail & Config – Helps track changes and ensure compliance.
Use IAM Roles – Avoid using the root user of any account for everyday operations.
Monitor Costs with AWS Cost Explorer – Track spending across accounts.