AWS Organizations
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering AWS Organizations: Building Secure and Scalable Cloud Architectures
Introduction: The Foundation of Multi-Account Strategy
In the early days of cloud adoption, many organizations started with a single AWS account. As their projects grew, they quickly discovered that managing development, testing, staging, and production environments within one account was not only chaotic but inherently risky. The blast radius of a configuration error or a compromised credential could affect everything simultaneously. Today, the industry standard for managing large-scale cloud footprints is the multi-account strategy. AWS Organizations is the service that makes this strategy possible, providing a centralized way to manage your accounts, apply security policies, and consolidate billing.
Understanding AWS Organizations is fundamental for any cloud architect or security engineer. It is not just about organizing folders for your accounts; it is about establishing a governance framework that ensures compliance, security, and operational efficiency across your entire enterprise. Without a solid organizational structure, you will likely encounter "account sprawl," where you lose visibility into what is running where, who has access, and how much it is costing you. This lesson explores the architecture, implementation, and best practices of AWS Organizations, guiding you through the process of building a secure, multi-account environment.
Understanding the Hierarchical Structure
At its core, AWS Organizations is a hierarchical structure. You start with a Management Account, which acts as the root of the organization. From there, you build a tree-like structure composed of Organizational Units (OUs) and member accounts. This structure allows you to group accounts based on business functions, security requirements, or lifecycle stages.
The Management Account
The Management Account is the administrative heart of your organization. It is the account you use to create the organization, invite other accounts to join, and apply organization-wide policies. Crucially, the management account should not be used to host production workloads or applications. Its sole purpose is governance. By keeping workloads out of the management account, you minimize the risk associated with administrative tasks and ensure that a breach in an application does not grant access to the root of your organization.
Organizational Units (OUs)
OUs are logical containers that allow you to group accounts. For instance, you might have an OU for "Production," another for "Sandbox," and a third for "Security." By applying policies to an OU, you automatically apply them to all accounts within that OU and any nested OUs. This inheritance model is the key to scaling your governance. If your security policy requires that all production resources be encrypted, you can apply an SCP (Service Control Policy) at the Production OU level, and it will cascade down to every account inside.
Member Accounts
Member accounts are the individual AWS accounts where your actual resources—like EC2 instances, S3 buckets, and Lambda functions—live. These accounts are created within the organization or invited to join it. Once an account is part of an organization, it is subject to the policies defined by the management account. This allows you to enforce guardrails regardless of which team or developer is managing a specific account.
Callout: Account vs. OU It is common for beginners to confuse accounts and OUs. Think of an account as a "box" where you store your digital assets. Think of an OU as a "filing cabinet" that holds multiple boxes. You apply rules to the cabinet (the OU), and all the boxes inside (the accounts) automatically inherit those rules.
Service Control Policies (SCPs): The Security Guardrails
Service Control Policies, or SCPs, are the most powerful feature within AWS Organizations. They define the maximum permissions that an account or OU can have. It is important to realize that SCPs do not grant permissions; they only restrict them. Even if an IAM user in a member account has the "AdministratorAccess" policy, they cannot perform an action if an SCP has explicitly denied it.
How SCPs Interact with IAM
When a user tries to perform an action, AWS checks both the IAM policies attached to the user and the SCPs applied to the account. For an action to be allowed, it must be permitted by the IAM policy and not be denied by any SCPs in the hierarchy. This "Deny-by-Default" approach ensures that even if a developer accidentally creates an overly permissive IAM role, the SCP acts as a safety net.
Practical Example: Restricting Regions
A common requirement in many regulated industries is to ensure that all cloud resources are deployed only in specific geographic regions to comply with data residency laws. You can create an SCP that denies the ability to launch resources in any region other than "us-east-1."
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"NotAction": [
"iam:*",
"support:*",
"organizations:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}
In this example, the policy denies any action that is not related to IAM, support, or organizations if the request is not directed at the us-east-1 region. This is a powerful, enterprise-wide guardrail that prevents developers from accidentally spinning up infrastructure in the wrong part of the world.
Note: Always test your SCPs in a dedicated "Sandbox" OU before applying them to your production environment. A poorly written SCP can inadvertently shut down critical infrastructure, leading to significant downtime.
Implementing a Multi-Account Structure: Step-by-Step
Setting up an organization requires careful planning. Do not simply create accounts as you go; define your structure first. Here is a recommended workflow for establishing your organization.
Step 1: Create the Organization
Log in to your designated Management Account. Navigate to the AWS Organizations console and select "Create organization." This will automatically designate the current account as the management account.
Step 2: Define your OU Structure
A common, battle-tested structure looks like this:
- Root
- Security OU: Contains the "Log Archive" and "Security Tooling" accounts.
- Infrastructure OU: Contains "Shared Services" (like CI/CD pipelines or networking hubs).
- Workloads OU:
- Production OU: Contains production accounts.
- Development OU: Contains development/testing accounts.
- Suspended OU: Contains accounts that have been decommissioned but not yet deleted.
Step 3: Enable All Features
When creating the organization, ensure you select "All Features" rather than "Consolidated Billing." Enabling all features allows you to use SCPs, RAM (Resource Access Manager) integration, and other advanced governance tools.
Step 4: Create Accounts via AWS Organizations
Instead of creating accounts through the main AWS sign-up page, create them directly from the Organizations console. This ensures they are automatically added to the organization and placed into the correct OU. When you create an account this way, AWS automatically creates an IAM role named OrganizationAccountAccessRole that allows the management account to assume administrative privileges in the new account.
Best Practices for Secure Federation
While AWS Organizations handles the structure, you still need to manage how users log in. Never use the root user of your accounts for daily tasks. Instead, use a centralized Identity Provider (IdP) and integrate it with AWS IAM Identity Center (formerly AWS SSO).
Centralized Identity Management
By using IAM Identity Center, you can connect your existing corporate directory (like Active Directory, Okta, or Google Workspace) to your AWS Organization. Users log in once using their corporate credentials and are then presented with a portal showing all the AWS accounts they have access to.
The Principle of Least Privilege
Even with SSO, you must ensure that users only have the permissions they need. Instead of assigning "AdministratorAccess" to everyone, create permission sets that map to job functions. For instance, a "Developer" permission set might allow access to EC2 and S3 but deny access to IAM or CloudTrail.
Centralized Logging and Auditing
A core tenet of secure architecture is having a tamper-proof audit trail. Use AWS Organizations to enable CloudTrail in all accounts and configure it to deliver logs to a centralized S3 bucket located in your "Security" OU. This ensures that even if an attacker compromises a member account, they cannot delete the logs of their activities, as the S3 bucket permissions are controlled by the central security account.
Callout: Security Account Isolation The "Security" OU should have the most restrictive SCPs in your entire organization. By isolating security tools (like GuardDuty, Security Hub, and centralized logging) into their own accounts, you create a "bunker" that is separate from your application workloads. This prevents a compromised workload from affecting your ability to monitor and detect threats.
Common Pitfalls and How to Avoid Them
Even with a well-planned structure, teams often fall into traps that compromise their security posture.
Pitfall 1: The "Management Account Trap"
Many organizations continue to run databases, web servers, or third-party integrations inside the management account. This is a major security risk.
- Solution: Migrate all workloads out of the management account immediately. Use it only for billing and organization-level configuration.
Pitfall 2: Over-relying on SCPs
SCPs are great for broad guardrails, but they are not a replacement for fine-grained IAM policies. Trying to manage granular permissions via SCPs will result in massive, unmanageable policy documents.
- Solution: Use SCPs for high-level governance (e.g., "deny these regions," "prevent disabling CloudTrail") and use IAM policies for granular access control (e.g., "allow access to this specific S3 bucket").
Pitfall 3: Ignoring Account Lifecycle
Accounts are often created for a project, and then the project ends, but the account remains active and unmonitored. This "zombie account" is a prime target for attackers.
- Solution: Implement a formal account lifecycle process. When an account is no longer needed, move it to the "Suspended" OU, apply an SCP that denies all actions, and eventually delete the account using the AWS Organizations API.
Pitfall 4: Manual Account Configuration
Manually configuring each account (setting up CloudTrail, GuardDuty, VPCs) is error-prone and leads to configuration drift.
- Solution: Use Infrastructure as Code (IaC) tools like AWS Control Tower or Terraform to automate the deployment of new accounts. Control Tower, in particular, automates the setup of a landing zone that follows best practices by default.
Comparison Table: AWS Organizations Features
| Feature | Purpose | Benefit |
|---|---|---|
| Consolidated Billing | Aggregate costs into one invoice | Simplifies accounting and financial tracking |
| SCPs | Set maximum permission boundaries | Prevents unauthorized actions across accounts |
| IAM Identity Center | Centralize user authentication | Avoids managing individual IAM users per account |
| Resource Access Manager | Share resources across accounts | Reduces duplication of shared infrastructure (e.g., VPCs) |
| Control Tower | Automate account provisioning | Ensures consistent compliance via "Guardrails" |
Advanced Topic: Managing Shared Infrastructure
In a multi-account environment, you often need to share resources. For example, you might want to share a central networking hub (a Transit Gateway) or a shared database across multiple accounts. AWS Organizations integrates with AWS Resource Access Manager (RAM) to make this safe and efficient.
Using RAM with Organizations
Instead of creating a new Transit Gateway in every single account, you can create one in a "Shared Network" account and share it with your other OUs using RAM. Because this is integrated with Organizations, you can choose to share the resource with the entire organization or just specific OUs.
Example: Sharing a Subnet
If you have a set of private subnets that have connectivity to your on-premises data center, you can share these subnets with your development accounts. This allows your developers to launch instances into the shared network without needing to manage complex VPN or Direct Connect configurations themselves.
# Example command to share a resource using the AWS CLI
aws ram create-resource-share \
--name "SharedSubnetShare" \
--resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0123456789abcdef0 \
--principals arn:aws:organizations::123456789012:organization/o-example123
This ensures that the networking team maintains control over the configuration, while the application teams get the connectivity they need without the security overhead.
The Role of AWS Control Tower
While you can build everything manually, AWS offers a service called Control Tower that simplifies the process significantly. Control Tower builds on top of AWS Organizations to provide a "Landing Zone." It automatically creates the OU structure, sets up centralized logging, and applies a set of "pre-packaged" guardrails.
Why use Control Tower?
- Speed: You can deploy a multi-account environment in minutes rather than weeks.
- Compliance: It comes with built-in rules for common compliance frameworks like HIPAA, PCI-DSS, and SOC2.
- Visibility: It provides a dashboard that shows you which accounts are compliant and which have drifted from your defined standards.
If you are just starting your journey into multi-account architecture, I highly recommend exploring Control Tower. It provides the "opinionated" best practices that save you from having to invent your own governance model from scratch.
Final Best Practices Checklist
To ensure your AWS Organizations setup is successful and secure, adhere to these industry-standard practices:
- Implement MFA on the Management Account: The management account is the "keys to the kingdom." Ensure the root user has a hardware MFA device attached and locked in a safe.
- Automate Account Creation: Use Control Tower or custom scripts to ensure every new account starts with the same baseline security configuration.
- Use Descriptive OU Names: Keep your hierarchy readable.
Prod,Dev,Sandbox,Security, andSharedare common, clear naming conventions. - Review SCPs Regularly: As AWS releases new services, review your SCPs to ensure they are not inadvertently blocking new functionality that your teams need.
- Enable CloudTrail Organization Trails: Ensure that your logging is enabled at the organization level so that you have a unified view of all API activity.
- Monitor Costs by Account: Use Cost Explorer with the "Linked Account" dimension to identify which accounts are driving your cloud spend.
- Maintain a "Break-Glass" Strategy: Always have a way to access your accounts even if your primary Identity Provider goes down. Keep at least two emergency IAM users with MFA in the management account, but store their credentials in a highly secure, offline location.
Frequently Asked Questions
Can I move an account from one OU to another?
Yes, you can move accounts between OUs at any time. However, be aware that when you move an account, it immediately inherits the SCPs of the new OU and loses the SCPs of the old OU. Always check the policies of the destination OU before moving an account.
How many accounts can I have in an organization?
By default, you can have 10 accounts in an organization. However, this is a soft limit. You can request a quota increase through the AWS Support Center to accommodate hundreds or even thousands of accounts.
Does AWS Organizations cost extra?
No, AWS Organizations is a free service. You only pay for the resources you create within the accounts that are part of your organization.
Can I use an existing AWS account as a member account?
Yes, you can invite an existing AWS account to join your organization. Once the invitation is accepted, the account becomes a member account, and the management account gains the ability to apply policies to it.
Conclusion: The Path Forward
Building a secure and scalable AWS environment requires moving beyond the mindset of individual accounts and embracing the power of centralized governance. AWS Organizations provides the framework to enforce security, manage costs, and simplify identity management at scale. By leveraging SCPs, organizing your accounts into logical OUs, and integrating with centralized identity providers, you create a robust environment that can grow with your business.
Remember that architecture is not a "set it and forget it" task. As your organization evolves, so too will your requirements for security and governance. Regularly audit your structure, refine your SCPs, and ensure that your teams are following the established patterns for account lifecycle management. By investing the time to get the foundation right, you empower your developers to innovate faster while ensuring that your organization remains secure, compliant, and cost-effective.
Key Takeaways
- Adopt a Multi-Account Strategy: Move away from single-account environments to minimize blast radius and improve security governance.
- Use OUs for Hierarchical Control: Group accounts into functional units (e.g., Production, Sandbox, Security) to apply policies at scale.
- Treat SCPs as Guardrails: Use Service Control Policies to enforce "deny-by-default" security rules that cannot be overridden by local IAM users.
- Centralize Identity and Logging: Use IAM Identity Center and centralized CloudTrail logging to maintain control and visibility across your entire organization.
- Automate Everything: Use tools like Control Tower or Infrastructure as Code to ensure that your account provisioning process is repeatable, consistent, and secure.
- Protect the Management Account: Keep the management account strictly for administration, and never host production workloads inside it.
- Manage the Account Lifecycle: Establish a process for decommissioning unused accounts to prevent security risks and unnecessary costs.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons