AWS Organizations Overview
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Organizations: Mastering Multi-Account Management
Introduction: The Necessity of Multi-Account Architectures
In the early days of cloud adoption, many organizations began their journey with a single AWS account. They treated this account like a physical server room, piling all their development, testing, and production workloads into a single space. As these organizations grew, they quickly realized that this "monolithic account" approach created significant security risks, billing confusion, and operational bottlenecks. If a developer accidentally deleted a production database while testing a script in the same account, the consequences were catastrophic.
AWS Organizations is the foundational service designed to solve these exact problems. It provides a way to centrally manage, govern, and scale multiple AWS accounts under a single administrative umbrella. By moving from a single-account model to a multi-account strategy, you gain the ability to isolate environments, apply granular security policies, and obtain clear visibility into your cloud spending. This lesson explores how AWS Organizations functions, why it is the standard for modern cloud architecture, and how to implement it effectively.
Understanding the Hierarchical Structure
At its core, AWS Organizations relies on a hierarchical structure that mirrors the organizational chart of a company. Understanding this structure is critical because it dictates how you apply policies and how you organize your resources.
The Management Account
The management account (formerly known as the root account) is the primary account that you use to create the organization. This account has special privileges: it is where you enable the organization, invite other accounts, and manage your billing. You should treat this account as a "control plane" only; you should never run production workloads or store application data within it. By keeping the management account strictly for administrative tasks, you reduce the blast radius of any potential security misconfiguration.
Organizational Units (OUs)
Organizational Units are containers that allow you to group accounts together. Think of OUs as folders in a file system. You can create a hierarchical structure, such as a "Production" OU, a "Sandbox" OU, or a "Workloads" OU. By grouping accounts into OUs, you can apply policies to the entire group at once. For example, you might create an OU for your development teams and apply a policy that prevents them from creating resources in regions where you do not have a business presence.
Member Accounts
Member accounts are the standard AWS accounts where your applications, databases, and services live. These accounts can be created directly within the organization or invited from outside the organization. When an account is part of an organization, it is subject to the policies defined by the organization, but it remains an autonomous entity with its own users, roles, and resources.
Callout: The "One-Account" Myth Many teams believe that having fewer accounts is easier to manage. In reality, modern cloud best practices dictate that having more accounts—specifically, one account per workload or environment—is significantly more secure and manageable. AWS Organizations makes this possible by providing a single point of control for hundreds or even thousands of accounts.
Core Features and Functionality
To manage an organization effectively, you need to understand the tools provided by the service. These features enable automation, security, and financial transparency.
Service Control Policies (SCPs)
Service Control Policies are the most powerful feature within AWS Organizations. They are JSON-based policies that define the maximum permissions for accounts within an organization. Unlike IAM policies, which grant permissions, SCPs act as a "guardrail." Even if an IAM user has "AdministratorAccess" inside a member account, an SCP can explicitly deny them the ability to delete logs or change security settings.
Example: Preventing Region Usage
If your organization only operates in the US-East-1 region, you can create an SCP that prevents any user in the member accounts from launching resources in other regions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonUSRegions",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1"
]
}
}
}
]
}
Note: SCPs do not grant permissions. They only filter the permissions that are available to the identity. If an IAM user has no permissions, an SCP cannot add them. Always combine SCPs with robust IAM policies in your member accounts.
Consolidated Billing
Consolidated billing is one of the most immediate benefits of using AWS Organizations. Instead of receiving dozens of individual invoices for every account, the management account receives a single, unified bill. This allows you to view spending trends across the entire organization, allocate costs to specific business units, and take advantage of volume discounts, such as Reserved Instances or Savings Plans, which are applied across all accounts in the organization.
Integration with AWS Services
AWS Organizations is designed to work with other AWS services to provide a holistic management experience. Key integrations include:
- AWS CloudTrail: You can enable organization-wide logging, where all CloudTrail logs from member accounts are sent to a central, hardened S3 bucket in a dedicated security account.
- AWS Config: You can deploy configuration rules across all accounts to ensure compliance with security standards.
- AWS IAM Identity Center (formerly AWS SSO): This is the modern way to manage access. It allows you to define users once and grant them access to specific accounts based on their job role.
Implementing a Multi-Account Strategy
Setting up AWS Organizations requires careful planning. If you start without a strategy, you will eventually face a "cleanup" phase that is far more difficult than a well-planned initial setup.
Step-by-Step Implementation Guide
- Create the Organization: Log into your primary AWS account and navigate to the AWS Organizations console. Choose "Create Organization."
- Define the OU Structure: Before inviting accounts, design your OU structure. A common pattern is to have OUs for "Security," "Infrastructure," "Sandbox," and "Workloads."
- Enable All Features: Ensure that "All Features" mode is enabled. This allows you to use SCPs and other advanced management capabilities.
- Invite Existing Accounts: If you have existing accounts, send an invitation from the management account. The owner of the member account must accept the invitation.
- Create New Accounts Programmatically: Use the AWS CLI or SDK to create new accounts as needed. This ensures that every account is created with a standard set of tags and configurations.
Automating Account Creation (CLI)
Using the AWS CLI to create an account is more efficient and repeatable than using the console.
aws organizations create-account \
--email "[email protected]" \
--account-name "Development Account 1" \
--role-name "OrganizationAccountAccessRole"
After running this command, AWS creates a new account and automatically provisions an IAM role that allows the management account to assume control over the new environment.
Comparison of Account Management Models
| Feature | Single Account | Multi-Account (Organizations) |
|---|---|---|
| Blast Radius | High (Entire environment) | Low (Isolated per account) |
| Billing | Simple, but opaque | Detailed, per-account breakdown |
| Security | Difficult to enforce boundaries | SCPs enforce global guardrails |
| Scalability | Limited by IAM complexity | Highly scalable |
| Compliance | Audit heavy | Automated governance |
Best Practices and Industry Standards
To run a secure and efficient organization, you must adhere to several industry-recognized best practices. Neglecting these can lead to security vulnerabilities or "configuration drift."
1. The "Management Account" Rule
Never run workloads in the management account. This account should exist solely for the purpose of managing the organization. If the management account is compromised, the entire organization is at risk. Treat the management account credentials with the highest level of security, including hardware MFA devices and strictly limited access.
2. Standardize Your OU Structure
Create a consistent naming convention for your OUs. A common structure is:
- Core OU: Contains security, logging, and shared services accounts.
- Workload OU: Contains production, staging, and development accounts.
- Sandbox OU: Contains accounts where developers can experiment freely.
3. Use Automated Guardrails
Apply SCPs at the OU level as soon as possible. Start with "Deny" policies for sensitive actions, such as disabling CloudTrail or deleting S3 buckets that contain backups. By applying these at the root or OU level, you ensure that no user—even a malicious insider—can disable your security logging.
4. Centralize Logging and Security
Do not rely on local logs in member accounts. Use AWS Organizations to enable centralized logging. Direct all CloudTrail, VPC Flow Logs, and GuardDuty findings to a dedicated "Security" account. This ensures that even if an attacker gains access to a member account and attempts to delete their tracks, the evidence is already safely stored elsewhere.
5. IAM Identity Center for Access
Avoid creating IAM users inside individual accounts. This leads to "user sprawl" and makes it impossible to revoke access centrally. Instead, use AWS IAM Identity Center. Connect it to your existing corporate identity provider (like Okta, Azure AD, or Google Workspace) and manage access to AWS accounts based on user groups.
Warning: Never use the root user credentials of a member account once the account is added to the organization. Delete the access keys, enable MFA, and forget the password. Use the
OrganizationAccountAccessRoleto manage the account instead.
Common Pitfalls and How to Avoid Them
Even experienced architects make mistakes when managing AWS Organizations. Here are the most frequent issues and how to navigate them.
Pitfall 1: Over-Engineering SCPs
Many beginners try to write complex "Allow" SCPs. This is a mistake. SCPs are best used for "Deny" logic. If you try to manage permissions solely through SCPs, you will end up with unmanageable policies. Use IAM policies to grant permissions and SCPs to restrict them.
Pitfall 2: Ignoring Service Limits
AWS has service limits on the number of accounts you can have in an organization. While the default limit is usually sufficient, it is not infinite. If you plan to scale to hundreds of accounts, request a service quota increase early.
Pitfall 3: Not Tagging Accounts
When you have fifty accounts, it becomes impossible to know which team owns which account. Implement a tagging strategy from day one. Tag your accounts with metadata such as Owner, Environment, CostCenter, and ProjectCode. You can use these tags to automate billing reports and security audits.
Pitfall 4: Neglecting the "Root" Account
Some organizations treat their management account like a standard account, storing sensitive data or running production tasks. If this account is compromised, the attacker can delete all other accounts in the organization, effectively destroying your entire infrastructure. Keep it empty, keep it quiet, and keep it secure.
The Role of Infrastructure as Code (IaC)
In a multi-account environment, manual configuration is a recipe for disaster. If you try to manually configure settings in fifty different accounts, you will inevitably create drift, where configurations differ slightly across accounts. This is where Infrastructure as Code (IaC) becomes essential.
Using Terraform for Organizations
Terraform is the industry-standard tool for managing AWS Organizations. You can define your entire OU structure and account creation process in code.
resource "aws_organizations_organizational_unit" "production" {
name = "Production"
parent_id = aws_organizations_organization.main.roots[0].id
}
resource "aws_organizations_account" "app_prod" {
name = "App Production"
email = "[email protected]"
parent_id = aws_organizations_organizational_unit.production.id
}
By using Terraform, you ensure that every account is created with the same baseline security settings, network configurations, and tagging policies. If you need to change a global setting, you simply update the code and apply it across the entire organization.
Callout: IaC and Organizational Drift Configuration drift occurs when changes are made manually in the AWS Console rather than through your IaC pipeline. In a multi-account environment, drift is the primary cause of security vulnerabilities. Using a tool like Terraform or AWS CloudFormation StackSets allows you to enforce a "single source of truth" for your account configurations.
Advanced Strategies: Managing at Scale
As your organization grows, you will eventually reach a point where you are managing hundreds of accounts. At this level, you need to transition from manual management to automated lifecycle management.
Account Factory
If you are using AWS Control Tower, you have access to the "Account Factory." This is a pre-configured workflow that automates the provisioning of new accounts. When a developer needs a new account, they request it through a service catalog, and Control Tower automatically creates the account, applies the correct OUs, sets up logging, and attaches the necessary SCPs.
Automated Remediation
What happens when a developer violates an SCP? Ideally, they shouldn't be able to perform the action in the first place. However, for non-blocking issues—like an account missing a required tag—you can use AWS Config to trigger an automated remediation function. For example, if an account is created without a "CostCenter" tag, an AWS Lambda function can automatically tag it or, in extreme cases, suspend the account until the issue is fixed.
Centralized Networking
In a multi-account setup, networking can become complex. Use AWS Transit Gateway to connect your VPCs across different accounts to a central hub. This allows you to centralize your internet egress and inspection points, ensuring that all traffic from your member accounts passes through a centralized firewall before reaching the internet.
Summary: Key Takeaways for Success
Mastering AWS Organizations is a journey that starts with architectural planning and ends with automated governance. By following these principles, you can build a cloud environment that is secure, scalable, and easy to manage.
- Isolation is Security: The primary goal of a multi-account strategy is to isolate workloads. If one account is compromised, the impact is limited to that specific environment.
- Use SCPs for Guardrails: Never use SCPs to grant permissions. Use them as an extra layer of security to deny dangerous actions across the organization.
- Treat the Management Account as a Vault: Never store data or run code in your management account. It is the root of your organization and must be protected with the highest level of scrutiny.
- Automate Everything: Manual management does not scale. Use IaC tools like Terraform or services like AWS Control Tower to ensure consistency across your accounts.
- Centralize Governance: Use integrated services like CloudTrail and AWS Config to monitor all your accounts from a single location. This gives you the visibility needed to detect and respond to threats in real-time.
- Identity is the New Perimeter: Use IAM Identity Center to manage human access. Never rely on long-lived IAM user credentials within member accounts.
- Plan for Growth: Your OU structure should be flexible. Design it in a way that allows you to easily add new departments or business units without needing to re-architect your entire organization.
By embracing these practices, you move away from the chaos of a single, unmanaged account and toward a professional-grade cloud infrastructure that supports the needs of a modern, growing organization. Take the time to design your OU structure, implement your SCP guardrails, and automate your account lifecycle—your future self will thank you for the foresight.
Frequently Asked Questions (FAQ)
Q: Can I move an account from one OU to another? A: Yes, you can move accounts between OUs at any time. When you move an account, it will immediately inherit the SCPs of the new OU and lose the SCPs of the old one.
Q: Does AWS Organizations cost extra? A: No, AWS Organizations is a free service. You only pay for the resources used within the individual member accounts.
Q: What happens if I accidentally delete my management account? A: You cannot delete a management account. You must first remove all other accounts from the organization and then delete the organization itself. This is a built-in safety mechanism.
Q: Can I have nested OUs? A: Yes, AWS Organizations supports nested OUs. You can have an OU inside another OU, allowing for very granular policy application. For example, you might have a "Production" OU, and within that, an "Application-A" OU and an "Application-B" OU.
Q: How do I manage billing if I have different departments? A: You can use AWS Cost Categories or Cost Allocation Tags. By tagging your accounts or resources, you can break down the unified bill by business unit, project, or department in the AWS Cost Explorer.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons