AWS Organizations

Learn how to manage multiple AWS accounts from a single point using AWS Organizations.

We'll cover the following

What is AWS Organizations?
AWS Organizations terminology
- Service Control Policies
How AWS Organizations work?
- Example: Managing multiple accounts
Best practices

As companies scale and expand, the need for efficient management and control over their digital infrastructure becomes increasingly important. This creates a need for isolation between different departments or business units within the organization. For that, companies create multiple AWS accounts, providing departments with dedicated environments to manage their resources independently. This solves the problem of isolated environments but poses the challenge of managing multiple AWS accounts. To make this management easier, AWS provides us with a management service called AWS Organizations.

Press + to interact

This helps manage accounts more easily by consolidating billing and allowing us to use a savings plan across all accounts. We can also share common resources within these OUs.

AWS Organizations terminology

Here are some key terminologies, concepts related to AWS Organizations:

Organizational Units (OUs): OUs are a way to group accounts together for administrative purposes. We can create OUs to organize our accounts hierarchically based on our organization's structure, such as by department, project, or environment (e.g., production, development).
Service Control Policies (SCPs): SCPs are a key feature of AWS Organizations that enable us to set permissions at the organization level. They help enforce compliance and security policies by restricting access to certain AWS services or actions.

Press + to interact

Root account: The root account contains all other accounts within the organization.. When we create an organization, AWS automatically creates a root account for us. Any SCPs applied at the root account are effective in all OUs.
Management account: The account that we use to create the organization is marked as the management account. This account is the payer account that is billed for all charges incurred by the accounts within the organization. It is used to create, invite, and remove other accounts from the organization. It can also be used to apply SCPs to root and other OUs.

Service Control Policies

SCPs act as guardrails to control what actions and services are allowed or denied across all accounts within the organization. The structure of SCPs is the same as the IAM policy. SCPs can be attached to OUs or individual AWS accounts within an AWS Organizations hierarchy.

When an SCP is attached to an OU, it affects all AWS accounts within that OU and any child OUs. However, SCPs are not applied retroactively; they only affect future actions and resources created within the affected accounts and OUs.
SCPs are applied hierarchically across an organization's OUs and accounts. When an SCP is attached to a parent OU, it automatically applies to all child OUs and accounts unless explicitly overridden. This inheritance model allows organizations to establish baseline security controls while granting flexibility for more specific controls at lower levels of the hierarchy.
SCPs are evaluated during access control decisions made by AWS services. When a request is made to perform an action within an AWS account, AWS evaluates the applicable SCPs along with other identity-based policies to determine whether the action is allowed or denied. SCPs take precedence over identity-based policies, meaning that even if an identity has explicit permissions granted through IAM policies, those permissions can be further restricted by SCPs.

How AWS Organizations work?

AWS Organizations operates by establishing a hierarchy of accounts within an organization and applying policies and controls at various levels to govern the behavior and actions of those accounts. At the core of AWS Organizations is a service control plane that manages the enforcement of policies across the organization's accounts.

When an AWS account is created and added to an organization, it becomes a member account within that organization. The member account inherits the policies and controls defined at higher levels of the organizational hierarchy, such as organizational units (OUs) or the root of the organization.

AWS Organizations uses a distributed architecture to propagate policies and controls across accounts within the organization. Policies, such as service control policies (SCPs) and tagging policies, are stored centrally and distributed to member accounts as needed. This allows for centralized management and enforcement of policies while ensuring low-latency access to resources within individual accounts.

Example: Managing multiple accounts

Consider the scenario where the following accounts:

Four accounts for developers
Two account for testing
An admin account
A management account

These are multiple accounts with different set of actions. Managing them individually will be quite difficult. So to ease the management, we'll create an organization. A better structure for our organization would be as follows:

We'll create an organization using the management account. We'll create OUs for each of these domains with appropriate SCPs attached with them. After that we'll invite these accounts and add them within their appropriate OU. The hierarchy of our organization in this case will look as follows:

Press + to interact

By adding these accounts under our organization, we'll now easily be able to streamline management, enforce standardized policies, and centralize billing and resource usage tracking for these accounts.

Best practices

Here are some best practices for using AWS Organizations effectively:

Establish a clear organizational structure: Design a logical hierarchy of OUs and accounts that reflects our company's structure and business needs. This will help streamline management and enforce policies more effectively.
Use SCPs properly: SCPs are powerful tools for controlling access to AWS services and resources. Use them to enforce security and compliance standards across our organization. However, be cautious not to overly restrict access, which could impede innovation and productivity.
Implement least privilege: Follow the principle of least privilege when assigning permissions to accounts and users within our organization. Only grant access to the resources and services necessary for individuals to perform their roles effectively.
Use tagging for resource AWS Organization: Implement a consistent tagging strategy across our AWS accounts to categorize and track resources effectively. Tags can be used to enforce policies, manage costs, and improve visibility into resource usage.
Regularly review and refine policies: Continuously review and refine our SCPs, IAM policies, and tagging strategies to adapt to changing business requirements and evolving security best practices. Regular audits and assessments can help identify gaps and areas for improvement.
Monitor and enforce compliance: Implement mechanisms to monitor compliance with organizational policies and standards. Leverage AWS Config, AWS Config Rules, and AWS Security Hub to automate compliance checks, detect violations, and remediate non-compliant resources.

By following these best practices, organizations can effectively leverage AWS Organizations to manage and govern their AWS environment securely, efficiently, and in alignment with business objectives.

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena