AWS Organizations Security
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
AWS Organizations Security: A Comprehensive Guide
Introduction: Why Multi-Account Security Matters
As organizations grow, the complexity of managing cloud infrastructure increases exponentially. In the early days of cloud adoption, a single account approach might have sufficed for testing or small-scale deployments. However, as teams scale, security requirements evolve, and compliance mandates become more stringent, relying on a single AWS account becomes a significant risk. If a single account is compromised, the entire infrastructure, data, and intellectual property are exposed. This is where AWS Organizations becomes the foundational tool for modern cloud governance.
AWS Organizations allows you to centrally manage and govern your environment as you grow and scale your workloads on AWS. By using Organizations, you can programmatically create new accounts, allocate resources, group accounts into organizational units (OUs), and apply policies to these groups. Security in this context is not just about locking down an individual bucket; it is about establishing a "guardrail" system that ensures every account within your enterprise follows the same security baseline from the moment it is provisioned.
This lesson explores the technical architecture of AWS Organizations security, how to implement Service Control Policies (SCPs), the importance of account isolation, and the best practices for maintaining a secure multi-account environment. Understanding these concepts is critical for any cloud engineer or security architect tasked with building resilient, auditable, and secure environments.
1. The Architectural Foundation of AWS Organizations
At its core, AWS Organizations is a hierarchical tree structure. The top node is the "Management Account" (formerly known as the Master Account). This account holds the billing relationship and the organizational structure. Beneath the management account, you create Organizational Units (OUs), which serve as logical containers for your member accounts.
The Management Account
The management account is the most sensitive entity in your environment. It has the power to create accounts, move them between OUs, and apply policies that affect the entire organization. Because of this, the management account should never be used to run production workloads. Its sole purpose should be governance, billing, and centralized management. In a secure setup, you should limit access to the management account to a very small set of administrative identities, ideally protected by hardware-based multi-factor authentication (MFA).
Organizational Units (OUs)
OUs allow you to group accounts based on their function or security requirements. For example, you might have a "Production" OU, a "Sandbox" OU, and a "Security" OU. By grouping accounts, you can apply security policies at the OU level rather than the individual account level. This ensures that every account added to the "Production" OU automatically inherits the security guardrails defined for production workloads.
Callout: The Principle of Account Isolation In a multi-account strategy, security is achieved through isolation. By providing separate accounts for different projects or environments, you create a "blast radius" limitation. If a developer experimenting in a sandbox account accidentally misconfigures a security group, the impact is limited to that specific account, leaving your production infrastructure untouched. AWS Organizations is the mechanism that enforces this separation while maintaining central oversight.
2. Implementing Service Control Policies (SCPs)
Service Control Policies (SCPs) are the primary tool for security governance within AWS Organizations. An SCP is a JSON-formatted document that defines the maximum permissions allowed for the accounts within your organization. It is important to remember that SCPs do not grant permissions; rather, they filter them. Even if an IAM user has AdministratorAccess, they cannot perform an action if an SCP explicitly denies it.
How SCPs Work
When you attach an SCP to an OU, it applies to all accounts within that OU and any nested OUs. The policy acts as a set of guardrails. If an SCP denies s3:DeleteBucket, no user in that account—including the root user—can delete an S3 bucket, regardless of their IAM policy. This is powerful because it allows security teams to enforce compliance without having to manually inspect every IAM policy in every account.
Designing Effective SCPs
When writing SCPs, you should start with an "Allow-list" approach or a "Deny-list" approach. Most organizations use a combination, where they deny high-risk actions globally while allowing standard operations.
Example: Restricting Regions
One common security requirement is ensuring that resources are only deployed in specific geographic regions to comply with data residency laws. You can write an SCP that denies the ability to launch resources in any region other than those you have approved.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessToNonApprovedRegions",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace:*",
"aws-portal:*",
"billing:*",
"budgets:*",
"ce:*",
"cloudfront:*",
"cur:*",
"iam:*",
"organizations:*",
"route53:*",
"shield:*",
"support:*",
"trustedadvisor:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
Explanation of the code:
- The
NotActionblock lists global services that must function regardless of region (like IAM or Billing). - The
Conditionblock checks if theaws:RequestedRegionis one of the allowed regions. - If a user tries to create an EC2 instance in
eu-central-1, the policy evaluates toDenyand the request is blocked.
Warning: The "Deny" Trap Be extremely careful when applying SCPs to your management account or your security OU. If you accidentally deny
iam:CreateRoleoriam:PutRolePolicyin an account where you need to manage access, you can lock yourself out of your own infrastructure. Always test your SCPs in a dedicated "Sandbox" or "Testing" OU before applying them to production accounts.
3. Centralized Logging and Security Monitoring
Security in a multi-account environment is impossible without visibility. You need to know what is happening in every account, even if you aren't logged into them directly. AWS provides several services that integrate with Organizations to provide a "single pane of glass" for security.
AWS CloudTrail
CloudTrail records every API call made in your accounts. In a multi-account environment, you should enable an "Organization Trail." This automatically creates a trail in every account within your organization and delivers the logs to a centralized S3 bucket located in your security or logging account. This prevents an attacker from deleting logs in a compromised account, as they would not have permissions to modify the bucket in the central logging account.
AWS Config
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources. By using "Config Rules," you can automatically detect non-compliant resources. For example, you can create a rule that triggers an alert if an S3 bucket is made public. When integrated with AWS Organizations, you can deploy these rules across all accounts from the management account.
Amazon GuardDuty
GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior. You should designate a "Delegated Administrator" for GuardDuty within your organization. This account will have the authority to manage GuardDuty settings and view findings for all member accounts, allowing your security team to respond to threats without needing individual logins for every account.
4. Best Practices for Multi-Account Security
Building a secure environment requires more than just technical tools; it requires a disciplined approach to governance. Below are industry-standard best practices for managing AWS Organizations.
1. The "Sandbox" Pattern
Always provide developers with their own sandbox accounts. This allows them to experiment freely without risking the integrity of production workloads. Use AWS Control Tower or custom scripts to automate the creation of these accounts so that they come pre-configured with the standard security guardrails (like logging and IAM restrictions).
2. Least Privilege and IAM Identity Center
Avoid using long-term IAM user credentials. Instead, use AWS IAM Identity Center (formerly AWS SSO). IAM Identity Center integrates directly with your existing identity provider (like Okta, Azure AD, or Google Workspace) and allows users to assume roles in specific accounts based on their job function. This eliminates the need to manage thousands of IAM users across different accounts.
3. Account Factory and Automation
Manual account creation is prone to error and configuration drift. Use tools like AWS Control Tower or Terraform to define an "Account Factory." This ensures that every new account is provisioned with the same baseline:
- CloudTrail enabled.
- GuardDuty enabled.
- VPC flow logs configured.
- Security contact information populated.
4. Tagging Policies
Use AWS Organizations Tagging Policies to enforce consistent tagging across your organization. Tags are essential for security auditing, cost allocation, and resource ownership. An SCP can be used to ensure that a resource cannot be created unless it has the required "Owner" or "Project" tags.
Note: Tagging policies are not retroactive. Applying a policy will not automatically fix existing resources; it will only prevent the creation of new resources that do not comply with the tag requirements. You will need to run remediation scripts to tag existing resources.
5. Avoiding Common Pitfalls
Even with the best intentions, organizations often fall into common traps that compromise their security posture. Here are the most frequent mistakes and how to avoid them.
Pitfall 1: Over-reliance on the Root User
The root user of your management account is the "keys to the kingdom." It should be used only for tasks that cannot be performed by an IAM user, such as modifying billing information.
- Solution: Enable MFA on the root user, put the physical MFA device in a secure safe, and do not use the root user for daily operations.
Pitfall 2: Excessive Use of SCPs
While SCPs are powerful, they are difficult to troubleshoot. If you create a complex web of overlapping SCPs, it becomes hard to determine why an action is being denied.
- Solution: Keep SCPs simple. Use them for high-level guardrails (e.g., "deny all in non-US regions") rather than granular permission management. Leave granular permission management to IAM policies.
Pitfall 3: Ignoring "Security" Account Separation
Many companies put their security tools (like log aggregators or SIEM collectors) in the same account as their production workloads. If the production account is compromised, the security tools are also compromised.
- Solution: Create a dedicated "Security Tooling" account. This account should be the destination for all logs and findings, and its access should be restricted to the security operations center (SOC) team.
6. Comparison: SCPs vs. IAM Policies
Understanding the difference between SCPs and IAM policies is fundamental to AWS security. Use the table below as a quick reference.
| Feature | Service Control Policy (SCP) | IAM Policy |
|---|---|---|
| Scope | Organization, OU, or Account | User, Group, or Role |
| Function | Defines "Maximum Permissions" | Defines "Effective Permissions" |
| Enforcement | Deny overrides everything | Can be denied or allowed |
| Use Case | Guardrails and Compliance | Access control for specific tasks |
| Management | Centralized (Management Account) | Local to the specific account |
7. Step-by-Step: Enabling AWS Organizations and SCPs
If you are just starting out, follow these steps to establish your security foundation.
Step 1: Enable AWS Organizations
- Log in to the AWS Management Console as the root user.
- Navigate to the AWS Organizations service.
- Click Create organization.
- Once created, you will be the management account. You can now start inviting existing accounts or creating new ones.
Step 2: Enable All Features
To use SCPs, you must enable "All Features" in your organization.
- In the AWS Organizations dashboard, look for the Features section.
- Select Enable all features.
- You will receive an email verification request for every member account. Once confirmed, you have full control over the organizational guardrails.
Step 3: Create an Organizational Unit (OU)
- Go to the Accounts tab.
- Click Create new > Organizational Unit.
- Name it "Sandbox" or "Production."
- Move your existing accounts into this OU by selecting the account and clicking Move.
Step 4: Create and Attach an SCP
- Navigate to Policies in the sidebar.
- Select Service control policies.
- Click Create policy.
- Enter your JSON policy (such as the region restriction example provided earlier).
- Once saved, go back to the OUs tab, select your OU, and click Attach policy.
8. Advanced Governance: Using AWS Control Tower
While you can build everything manually using AWS Organizations, AWS Control Tower provides a "Landing Zone" that automates the setup of a secure, multi-account environment. It uses Organizations under the hood but adds a layer of abstraction that makes it easier to manage.
Control Tower provides:
- Guardrails: Pre-built SCPs and Config rules that are proven to work.
- Account Factory: A streamlined process for creating new accounts that are automatically configured with security settings.
- Dashboard: A visual overview of your organization's compliance status.
If you are managing more than five accounts, it is highly recommended to migrate your organizational structure to Control Tower. It reduces the operational burden of maintaining custom SCPs and ensures that your security baseline is always aligned with current AWS best practices.
9. Conclusion and Key Takeaways
Securing a multi-account environment is not a one-time configuration; it is an ongoing process of governance, monitoring, and adaptation. By leveraging AWS Organizations, you create a structured hierarchy that allows you to apply security policies at scale.
Key Takeaways
- Isolation is Security: Never run production workloads in your management account. Use a multi-account strategy to limit the blast radius of potential security incidents.
- SCPs are Guardrails: Use Service Control Policies to define the boundaries of what is allowed in your organization. Remember that they filter permissions rather than granting them.
- Centralize Visibility: Use the Organization-level features of CloudTrail, GuardDuty, and Config to maintain a single source of truth for security logs and findings in a dedicated Security account.
- Automate Everything: Manual account creation is a security risk. Use AWS Control Tower or Infrastructure-as-Code (Terraform/CloudFormation) to ensure every account is born with the correct security baseline.
- Least Privilege via Identity Center: Move away from IAM users and towards identity federation using IAM Identity Center. This simplifies access management and improves your audit trail.
- Test Before Applying: Always test SCPs in a sandbox environment. A policy that seems correct on paper can cause significant outages if it accidentally blocks necessary services.
- Continuous Audit: Governance is not "set it and forget it." Regularly review your SCPs and Config rules to ensure they still align with your organization's security requirements as your cloud footprint changes.
By following these principles, you will transform your AWS environment from a collection of disparate accounts into a unified, secure, and governable infrastructure. This foundation is essential for any organization that intends to operate with confidence in the cloud.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons