AWS Organizations Deep Dive
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Organizations Deep Dive: Managing Multi-Account Environments
Introduction: Why Organizational Complexity Matters
As organizations grow, the need for logical separation between projects, environments, and teams becomes critical. In the early days of cloud adoption, many teams start with a single AWS account. This approach works well for small experiments or isolated prototypes. However, as your infrastructure footprint expands, a single account becomes a bottleneck. Security boundaries become blurred, billing becomes impossible to attribute to specific business units, and the risk of a misconfiguration affecting the entire company increases exponentially.
AWS Organizations provides the framework to solve these challenges by allowing you to manage multiple AWS accounts centrally. Instead of treating each account as a silo, you can group them into a hierarchy, apply consistent security policies across the board, and consolidate billing. This lesson explores how to design, implement, and maintain a multi-account environment that scales with your organization’s needs. By the end of this module, you will understand how to transition from a monolithic account structure to a structured, secure, and manageable multi-account ecosystem.
The Core Concepts of AWS Organizations
At its heart, AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. It is not just a billing tool; it is a governance and security framework. To understand how it functions, we need to look at its fundamental building blocks: the Management Account, Member Accounts, Organizational Units (OUs), and Service Control Policies (SCPs).
The Management Account
The management account is the primary account that you use to create the organization. It is the "root" of the structure and possesses the highest level of authority. This account is responsible for paying all charges incurred by the member accounts in the organization. Because of its power, the management account should be used primarily for administrative tasks related to the organization itself, such as inviting new accounts, moving accounts between OUs, and managing policies. You should avoid running production workloads or storing sensitive data directly in the management account.
Member Accounts
Member accounts are the individual AWS accounts that exist within your organization. These accounts can be created directly within the organization or invited from outside. Each member account operates independently in terms of resources, but they are subject to the policies defined at the organizational level. This allows you to delegate administrative access to specific teams while maintaining a safety net of guardrails that prevent unauthorized actions.
Organizational Units (OUs)
OUs are logical containers that allow you to group accounts together for management purposes. Think of OUs as folders in a file system. You might have an OU for "Production," another for "Staging," and a separate one for "Sandbox." By grouping accounts into OUs, you can apply policies to the entire group at once. If you decide to update a security policy, you apply it to the OU, and every account within that OU inherits the policy automatically.
Callout: OUs vs. Accounts It is important to distinguish between accounts and OUs. An account is where your resources (EC2 instances, S3 buckets, RDS databases) live. An OU is a management construct. An account can only belong to one OU at a time, but an OU can contain many accounts and can even contain nested OUs, allowing for a deep, hierarchical structure that mirrors your company's departments or environments.
Designing Your Hierarchy: Best Practices
Designing the right structure for your organization is the most important step in this process. A common mistake is to create a flat structure where all accounts sit at the same level. While this seems simple initially, it makes it difficult to apply different levels of restriction to different types of environments.
The Recommended Foundation
Industry standards suggest a multi-layered approach. You should start with a root, and then create top-level OUs for different purposes. A common, effective pattern includes:
- Security OU: Contains accounts related to security tooling, such as a dedicated account for log archives (CloudTrail and Config logs) and a security auditing account.
- Infrastructure OU: Holds accounts for shared services, such as networking (Transit Gateway, Direct Connect) and identity management.
- Workloads OU: This is where your actual application accounts live. You might further divide this into "Production," "Staging," and "Development" OUs.
- Sandbox OU: A place for developers to experiment. You can apply more permissive policies here while still keeping the accounts isolated from production data.
- Suspended OU: A holding area for accounts that are no longer in use but have not yet been deleted. This allows you to apply a "Deny All" policy to these accounts immediately.
Note: Always keep your "Suspended" OU clean. When an account is moved into this OU, it should have a Service Control Policy attached that denies all actions, effectively putting the account into a "dead" state without immediate deletion, which is useful for audit trails.
Implementing Service Control Policies (SCPs)
Service Control Policies are the "guardrails" of your organization. They are JSON-based policies that define the maximum permissions that an account can have. It is crucial to understand that SCPs do not grant permissions; they only restrict them. If an IAM user in a member account has full administrative access, but an SCP attached to their OU denies the ability to delete S3 buckets, the user will be unable to delete the buckets.
How SCPs Work
When you attach an SCP to an OU, it applies to all accounts within that OU and any nested OUs. The effective permissions of an IAM entity (user or role) are the intersection of the IAM policy and the SCPs in the hierarchy. If either the IAM policy or the SCP denies an action, the action is denied.
Practical Example: Restricting Regions
A common requirement for compliance is to ensure that resources are only created in specific regions. You can write an SCP that denies the ability to perform any action if the region is not one of your approved ones.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegions",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"cur:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"organizations:*",
"route53:*",
"shield:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"xray:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
Explanation of the Policy
- Effect: Deny: We are explicitly blocking actions.
- NotAction: This is a list of services that are global or administrative in nature. We exclude these because they do not operate in a specific region and blocking them would break the account's basic functionality.
- Condition: We check the
aws:RequestedRegionkey. If the region is notus-east-1orus-west-2, theDenyeffect triggers.
Warning: Be extremely careful when testing SCPs. If you apply a restrictive SCP to the Root of your organization, you could accidentally lock yourself out of all accounts, including the management account. Always test your SCPs in a dedicated "Test" OU with a single, non-production account before rolling them out to the rest of the organization.
Managing Accounts: The Lifecycle
Managing the lifecycle of an account—from creation to decommissioning—is a core part of AWS Organizations. Instead of manually creating accounts through the AWS console, you should automate the process.
Automated Account Vending
Using AWS Control Tower or custom scripts with the organizations:CreateAccount API, you can ensure that every new account is created with a standard set of configurations. This includes:
- Creation: The account is created within the correct OU.
- Naming Convention: The account is assigned a standardized name (e.g.,
prod-web-app-01). - Baseline Configuration: Security tools are enabled, IAM roles for cross-account access are created, and default logging is configured.
Step-by-Step Account Creation Workflow
- Identify the need: A new team needs a new environment.
- Define the OU: Determine where this account belongs in your hierarchy.
- Execute the API: Use the AWS CLI or SDK to trigger the creation.
aws organizations create-account --email [email protected] --account-name "NewTeamAccount" - Wait for completion: Monitor the status of the account creation using
describe-create-account-status. - Post-provisioning: Once created, move the account to the target OU using
move-account.
Security Best Practices in Multi-Account Environments
Managing security in a multi-account environment requires a shift in mindset. You cannot rely on a single firewall or a single set of credentials. Instead, you must adopt a "defense in depth" strategy.
Identity and Access Management (IAM)
Do not create IAM users in every individual account. That leads to "credential sprawl," where managing access for a single developer becomes an administrative nightmare. Instead, use AWS IAM Identity Center (formerly AWS SSO). With Identity Center, you define your users and groups in one central place (your corporate directory or the internal Identity Center store) and assign them permissions across multiple accounts.
Centralized Logging
Centralization is the key to visibility. You should configure all accounts to ship their CloudTrail logs, VPC Flow Logs, and Config snapshots to a dedicated "Log Archive" account. By doing this, you ensure that even if an attacker gains administrative access to a member account and tries to delete logs, they cannot touch the centralized logs in the secure account.
Guardrails
Control Tower provides "Guardrails," which are pre-packaged sets of SCPs and Config rules. Using these is highly recommended for most organizations. They are categorized into:
- Preventive Guardrails: These are SCPs that stop an action before it happens (e.g., "Prevent public access to S3 buckets").
- Detective Guardrails: These are AWS Config rules that monitor your environment and alert you when a configuration drifts from your desired state (e.g., "Detect if an EBS volume is unencrypted").
Callout: Preventive vs. Detective Preventive guardrails are your first line of defense. They stop bad things from happening. Detective guardrails are your safety net. They don't stop the action, but they provide a notification so you can remediate the issue. A robust environment uses both.
Comparing Organizational Strategies
When setting up your structure, you might wonder how to balance flexibility with control. The following table compares different approaches to account management.
| Feature | Single Account | Multi-Account (Unstructured) | Multi-Account (Structured) |
|---|---|---|---|
| Security Isolation | None | Low | High |
| Billing Visibility | High | Low | High |
| Governance | Manual | Hard to Enforce | Automated/Policy-Driven |
| Scalability | Low | Medium | High |
| Complexity | Low | High | Moderate |
Common Pitfalls and How to Avoid Them
1. The "Management Account" Trap
Many teams use the Management account for production workloads. This is a significant security risk. If a developer with access to the management account makes a mistake, they can inadvertently delete the entire organization or modify billing settings.
- Solution: Treat the management account as a "break-glass" account only. Use it for organization-level management and nothing else.
2. Over-Complicating the OU Hierarchy
Some organizations try to map their OU structure exactly to their HR organizational chart. This fails because teams change, and the cloud structure becomes rigid and hard to manage.
- Solution: Build your OU structure based on technical and functional boundaries (e.g., environment, security requirements, compliance needs) rather than department names.
3. Forgetting Service Quotas
When you create many accounts, you might hit service quotas (like the number of VPCs or EC2 instances) across your organization.
- Solution: Use AWS Service Quotas to monitor your usage across all accounts and request limit increases proactively.
4. Ignoring Cross-Account Access
If you don't set up proper cross-account roles, your security team will struggle to audit the environment.
- Solution: Establish a standardized "SecurityAudit" role in every account that is assumed by your central security tooling.
Advanced Topic: Automating with Infrastructure as Code (IaC)
Manually managing OUs and SCPs is fine for small organizations, but it becomes error-prone as you scale. You should manage your AWS Organization using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation.
Example: Defining an OU in Terraform
Using Terraform, you can define your structure clearly in code, which provides a single source of truth for your organizational design.
resource "aws_organizations_organizational_unit" "production" {
name = "Production"
parent_id = aws_organizations_organization.main.roots[0].id
}
resource "aws_organizations_policy_attachment" "production_policy" {
policy_id = aws_organizations_policy.restrict_regions.id
target_id = aws_organizations_organizational_unit.production.id
}
By using code to manage your organization, you gain:
- Version Control: You can see exactly who changed a policy and when.
- Peer Review: You can require code reviews for any changes to your organizational structure.
- Reproducibility: If you need to spin up a new environment, you can do it with a single command.
The Role of AWS Control Tower
While AWS Organizations is the underlying service, AWS Control Tower is the "opinionated" layer on top of it. It automates the setup of a "Landing Zone," which is the foundation of a multi-account environment.
Control Tower handles:
- Provisioning the Organization.
- Setting up the Log Archive and Audit accounts.
- Enabling AWS Identity Center for SSO.
- Deploying the initial set of guardrails.
For most organizations, especially those starting fresh, using Control Tower is the best practice. It saves weeks of manual configuration and ensures that your environment is built according to well-architected principles from day one.
Troubleshooting Common Issues
Even with a perfect design, you will encounter issues. Here is how to handle the most common ones:
"Access Denied" Errors
If a user is getting "Access Denied" even though they have an IAM policy granting access, check the SCPs. The SCP is likely the culprit. You can use the IAM Policy Simulator to test access, but remember that the simulator does not always account for SCPs. Always check the Organizations console to see which policies are attached to the account's parent OUs.
Account Moving Issues
You cannot move an account if it has certain services enabled (like GuardDuty or Macie) that are integrated with the organization.
- Solution: Disable the organization-wide integration for those services, move the account, and then re-enable the integration.
Billing Confusion
Sometimes, charges don't appear where you expect them.
- Solution: Use Cost Categories and Cost Allocation Tags. Tag your resources consistently across all accounts, and use the Billing dashboard to group costs by these tags. This allows you to see the cost of a "Project" even if that project spans multiple accounts.
FAQ: Common Questions
Q: Can I put an account in two OUs? A: No, an account can only belong to one OU. If you have an account that needs to be in two places, you need to rethink your hierarchy.
Q: What happens if I delete the Management account? A: You cannot delete the management account without deleting the entire organization. If you want to leave the organization, you must move all member accounts out first, then delete the organization.
Q: How many accounts can I have in an organization? A: The default limit is usually 10, but you can request an increase from AWS Support. There is no technical limit to how many accounts you can have, but there is a practical limit to how many you can effectively manage.
Q: Do I need to pay for AWS Organizations? A: No, AWS Organizations is free. You only pay for the resources used within the member accounts.
Key Takeaways
As we conclude this deep dive into AWS Organizations, keep these fundamental principles in mind. They will serve as the foundation for your multi-account success:
- Hierarchy Matters: Invest time in designing a logical OU structure. It is the framework upon which all your security and governance will be built.
- Guardrails are Essential: Use SCPs to enforce your compliance requirements. Start with broad, non-destructive policies and move toward more granular restrictions as you mature.
- Automate Everything: Manual account creation and policy management are the enemies of consistency. Use IaC and tools like Control Tower to ensure that your environment remains predictable.
- Centralize Governance: Use a dedicated security account for logs and audits. This ensures that your security data is tamper-proof and easily accessible for analysis.
- Simplify Identity: Never manage IAM users in individual accounts. Use a centralized identity provider like AWS IAM Identity Center to manage access to all accounts through a single portal.
- Test Before You Deploy: SCPs are powerful and can easily break your environment. Always test your policies in a sandbox OU before applying them to your production OUs.
- Maintain Hygiene: Regularly audit your OUs and accounts. Close unused accounts and ensure that every account has a clear owner and purpose.
By following these practices, you transform AWS Organizations from a simple administrative tool into a powerful engine for organizational agility and security. You move from "managing accounts" to "managing an ecosystem," allowing your teams to innovate rapidly while maintaining the strict safety and compliance standards required by modern business.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons