2. DEFINITION
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that has been previously created.
- AKA MANAGEMENT/MASTER ACCOUNT
• Identity Access Management (IAM policies): You can have better control over the roles and access you want to provide to your employees. You can create IAM groups and assign the roles required to perform a particular function. This will ensure better governance in your AWS account.
• Role-based Access Control: RBAC is a neutral access control system in an enterprise. RBAC can facilitate the administration of security policies of thousands of users at a time.
• Cost management: Consolidated billing is the best cost management technique. You can manage and audit your expenses of all the accounts from one dashboard. In case you’re looking for further information about AWS costs, here’s a blog that talks about how AWS pricing works.
• Effectively manage different cloud resources, servers, and storage.
3. COMPONENTS OF AWS ORGANIZATIONS
• Master Account: This can be your root account designated for managing your AWS infrastructure. It is the central account where your services are billed from. The Master Account is also the central management and governance hub.
• Organizational Units (OU): This is a set of AWS accounts logically grouped within an organization. This can be best seen as a container of accounts within your root account. Multiple OUs can also be created under a single OU, making it a tree-like structure.
• Service Control Policies (SCPs): This document describes controls to be applied to a selected set of accounts. The policy defines the services and actions that users or a role can perform.
4. AWS ORGANIZATIONS USE CASES
Global service
• Allows you to manage multiple AWS accounts
• The main account is the master account – you can’t change it
• Other accounts are member accounts
• Member accounts can only be part of one organization
• Consolidated Billing across all accounts - single payment method
• Pricing benefits from aggregated usage (volume discount for EC2, S3…)
• API is available to automate AWS account creation
5. MULTI ACCOUNT STRATEGIES
• Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging
• Multi Account vs One Account Multi VPC
• Use tagging standards for billing purposes
• Enable CloudTrail on all accounts, send logs to central S3 account
• Send CloudWatch Logs to central logging account
• Establish Cross Account Roles for Admin purposes
8. SERVICE CONTROL POLICIES (SCP)
• Whitelist or blacklist IAM actions
• Applied at the OU or Account level
• Does not apply to the Master Account
• SCP is applied to all the Users and Roles of the Account, including Root user
• The SCP does not affect service-linked roles
• Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.
• SCP must have an explicit Allow (does not allow anything by default)
• Use cases:
  • Restrict access to certain services (for example: can’t use EMR)
  • Enforce PCI compliance by explicitly disabling services
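As an added worked example (not from the original slides), a small Python model of how an SCP like the "can't use EMR" one above combines with an IAM identity policy: the action must be allowed by every SCP in effect and by the IAM policy, an explicit Deny anywhere wins, an SCP with no Allow permits nothing, and the management account is exempt. The policy documents are constructed samples.

```python
import fnmatch

# Constructed sample SCP (not from the slides): allow everything, then carve out
# all of EMR, matching the "can't use EMR" use case above.
DENY_EMR_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "emr:*", "Resource": "*"},
    ],
}

# Constructed IAM identity policy attached to a role in a member account.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "emr:RunJobFlow"],
         "Resource": "*"},
    ],
}


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and may use '*' and '?' wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            result = "Allow"
    return result


def is_allowed(action, scps, iam_policy, management_account=False):
    """Simplified Organizations evaluation for a user or role (root user included).

    scps is the list of SCPs in effect along the path root -> OU -> account; the
    action must be allowed by every one of them AND by the identity policy. The
    management account is not subject to SCPs at all.
    """
    if not management_account and any(evaluate(s, action) != "Allow" for s in scps):
        return False  # implicit or explicit deny at some level of the tree
    return evaluate(iam_policy, action) == "Allow"
```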
11. AWS ORGANIZATION – MOVING ACCOUNTS
To migrate accounts from one organization to another:
1. Remove the member account from the old organization
2. Send an invite to the new organization
3. Accept the invite to the new organization from the member account
If you want the master account of the old organization to also join the new organization, do the following:
1. Remove the member accounts from the organization using the procedure above
2. Delete the old organization
3. Repeat the process above to invite the old master account to the new org