AWS Organizations
Multi-account management — Organizational Units, Service Control Policies, consolidated billing, and AWS Control Tower for governance at scale.
Overview
AWS Organizations is a multi-account management service — it centrally governs and consolidates billing for multiple AWS accounts, enforces security guardrails with Service Control Policies (SCPs), and organises accounts into a hierarchical structure.
A well-designed multi-account strategy is the foundation of enterprise AWS architecture. Organizations enables separation of workloads, environments, and teams while maintaining centralised governance.
Core Concepts
| Concept | Description |
|---|---|
| Organization | The top-level entity that contains all member accounts and policies |
| Management Account | The account that creates and manages the organization; cannot be restricted by SCPs |
| Member Account | Any account joined or created within the organization |
| Organizational Unit (OU) | A container for accounts within the organization; supports nesting up to 5 levels |
| Service Control Policy (SCP) | A policy that sets permission guardrails on OUs or accounts (allow/deny lists) |
| Consolidated Billing | All accounts share a single payment method; aggregate usage for volume discounts |
| Delegated Administrator | A member account authorised to manage specific AWS services on behalf of the organization |
| AWS Control Tower | An orchestration layer that automates multi-account setup with best-practice guardrails |
Organization Structure
```
Organization Root
├── Management Account (cannot be SCP-restricted)
├── OU: Security
│   ├── Log Archive Account
│   └── Security Tooling Account
├── OU: Infrastructure
│   ├── Shared Services Account
│   └── Networking Account
├── OU: Workloads
│   ├── OU: Production
│   │   ├── App A Prod Account
│   │   └── App B Prod Account
│   └── OU: Development
│       ├── App A Dev Account
│       └── App B Dev Account
└── OU: Sandbox
    └── Experimentation Account
```
Service Control Policies (SCPs)
SCPs define the maximum permissions available to accounts — they do not grant permissions, only restrict them.
| Characteristic | Description |
|---|---|
| Effect | Allow or Deny (deny is recommended for guardrails) |
| Inheritance | SCPs cascade from parent OUs to child OUs and accounts |
| Management Account | Not affected by SCPs (can do anything regardless) |
| Default | The FullAWSAccess SCP is attached to the root by default; it must remain attached or be replaced with a custom allow list, otherwise nothing is allowed at that level |
| Evaluation | An action is allowed only if an SCP at every level from the root down to the account allows it and no SCP on that path denies it (the effective ceiling is the intersection) |
SCP Examples
Deny region usage (restrict workloads to specific regions):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
```
Prevent disabling CloudTrail:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailDisable",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
      "Resource": "*"
    }
  ]
}
```
Exam Trap: SCPs do not grant permissions; they only restrict them. An account still needs IAM policies to allow actions. SCPs set the ceiling; IAM policies set the actual permissions within that ceiling.
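The evaluation rules above (every level from root to account must allow, any Deny wins, the management account is exempt, the SCP ceiling still needs an IAM Allow) are easy to get wrong when reasoning by hand, so here is an added example that walks through them. It is not code from the page or from AWS: it embeds the two SCPs shown above plus the default FullAWSAccess policy, attaches them to a constructed OU tree (account and OU names are made up), and decides an action the way the documented rules do. Resource matching is ignored because every policy here uses `"Resource": "*"`, and only the `StringEquals`/`StringNotEquals` condition operators are modelled.

```python
"""Added example (not from the page or AWS): a small SCP evaluation walk-through."""
import fnmatch
import json

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The two SCPs from the page, verbatim.
DENY_NON_APPROVED_REGIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyNonApprovedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}
  }]
}""")
DENY_CLOUDTRAIL_DISABLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCloudTrailDisable", "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"
  }]
}""")

# Constructed organization tree: node -> (parent, SCPs attached at that node).
# OU:Sandbox deliberately lacks FullAWSAccess to show what detaching it does.
ORG = {
    "Root":            (None,            [FULL_AWS_ACCESS]),
    "Management":      ("Root",          [FULL_AWS_ACCESS]),
    "OU:Workloads":    ("Root",          [FULL_AWS_ACCESS, DENY_NON_APPROVED_REGIONS]),
    "OU:Production":   ("OU:Workloads",  [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_DISABLE]),
    "AppA-Prod":       ("OU:Production", [FULL_AWS_ACCESS]),
    "OU:Sandbox":      ("Root",          [DENY_CLOUDTRAIL_DISABLE]),
    "Experimentation": ("OU:Sandbox",    [FULL_AWS_ACCESS]),
}
MANAGEMENT_ACCOUNT = "Management"

# A constructed IAM identity policy for the principals in the member accounts.
EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, context):
    """True if the statement's Action pattern(s) and Condition cover this request."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def policy_decision(policy, action, context):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def path_to_root(node):
    """Nodes from the account up to the root, e.g. ['AppA-Prod', 'OU:Production', ...]."""
    path = []
    while node is not None:
        path.append(node)
        node = ORG[node][0]
    return path


def scp_permits(account, action, context):
    """The SCP ceiling: every level must contain an Allow and no level may Deny."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # the management account is not subject to SCPs
    for node in path_to_root(account):
        decisions = [policy_decision(p, action, context) for p in ORG[node][1]]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def effective_decision(account, iam_policy, action, region):
    """Combine the SCP ceiling with the principal's IAM policy."""
    context = {"aws:RequestedRegion": region}
    if not scp_permits(account, action, context):
        return "Deny (SCP)"
    return "Allow" if policy_decision(iam_policy, action, context) == "Allow" else "Deny (IAM)"


if __name__ == "__main__":
    for acct, act, region in [("AppA-Prod", "ec2:RunInstances", "us-east-1"),
                              ("AppA-Prod", "ec2:RunInstances", "ap-southeast-1"),
                              ("AppA-Prod", "cloudtrail:StopLogging", "us-east-1"),
                              ("AppA-Prod", "s3:ListAllMyBuckets", "us-east-1"),
                              ("Experimentation", "ec2:RunInstances", "us-east-1"),
                              ("Management", "cloudtrail:StopLogging", "ap-southeast-1")]:
        iam = FULL_AWS_ACCESS if acct == "Management" else EC2_ONLY
        print(f"{acct:15} {act:24} {region:15} -> {effective_decision(acct, iam, act, region)}")
```

Run it and compare the six lines of output with the rules: `s3:ListAllMyBuckets` passes every SCP but is still denied because the IAM policy only allows `ec2:*`; `Experimentation` cannot run instances at all because its OU has no SCP with an Allow statement, which is exactly what detaching FullAWSAccess does; and the management account keeps `cloudtrail:StopLogging` even in an unapproved region, which is why the page tells you not to run workloads there. One practical caveat the model makes visible: the region SCP denies every action whose `aws:RequestedRegion` is outside the list, so test it against the calls your baseline tooling makes before attaching it high in the tree.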
Consolidated Billing
| Feature | Description |
|---|---|
| Single payer | One bill for all accounts in the organization |
| Volume discounts | Aggregate usage across accounts qualifies for tiered pricing |
| Reserved Instance sharing | RIs and Savings Plans automatically apply across accounts |
| Cost allocation tags | Tag resources to track costs per project, team, or environment |
SAA/SAP Tip: Reserved Instances and Savings Plans purchased in one account automatically apply to matching usage in other accounts within the organization. This enables centralised purchasing for maximum discount coverage.
AWS Control Tower
Control Tower automates multi-account governance using Organizations as the foundation.
| Component | Description |
|---|---|
| Landing Zone | A pre-configured multi-account environment following best practices |
| Guardrails | Preventive (SCPs) and detective (AWS Config rules) policies |
| Account Factory | Automated provisioning of new accounts with baseline configuration |
| Dashboard | Centralised view of compliance status across all accounts |
SAA/SAP Tip: When the exam mentions "automate multi-account setup with guardrails" or "landing zone," the answer is AWS Control Tower. It uses Organizations + SCPs + AWS Config + CloudFormation StackSets under the hood.
Common Use Cases
- Environment isolation — Separate production, development, and staging into different accounts and OUs.
- Security guardrails — Deny access to unapproved regions or prevent disabling security services with SCPs.
- Centralised logging — Dedicate a Log Archive account for CloudTrail, Config, and VPC Flow Logs from all accounts.
- Cost management — Consolidated billing with volume discounts; share Reserved Instances across accounts.
- Compliance — Enforce mandatory security controls (encryption, logging) at the organization level.
- Self-service account provisioning — Account Factory in Control Tower for standardised new account creation.
SAA/SAP Exam Tips
SAA/SAP Tip: For "restrict all accounts from using specific regions" or "prevent any account from disabling encryption," the answer is an SCP applied at the OU or organization root level.
Exam Trap: The management account is exempt from SCPs. Security-sensitive workloads should never run in the management account. Use it only for organizational management and billing.
SAA/SAP Tip: For sharing resources across accounts (VPC subnets, Transit Gateway, License Manager), use AWS Resource Access Manager (RAM) in conjunction with Organizations.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | AWS Organizations | Baseline |
| Azure | Azure Management Groups + Subscriptions | Similar hierarchy; Azure Policy for guardrails |
| GCP | Google Cloud Resource Manager (Organization → Folders → Projects) | Org Policies for guardrails |
| On-Premises | Active Directory OUs + Group Policy | Hierarchical policy inheritance |
Pricing Model
| Dimension | Unit | Notes |
|---|---|---|
| AWS Organizations | Free | No charge for the service itself |
| AWS Control Tower | Free | No charge; underlying services (Config, CloudTrail) have their own costs |
Related Services / See Also
- AWS IAM — identity and access management within each account
- AWS Config — detective guardrails via conformance packs
- AWS CloudTrail — centralised API audit logging across accounts
- AWS RAM — share resources across accounts in the organization