AWS Organizations

Hello everyone, in this blog I would like to explain what AWS Organizations is and how it is used to manage a bunch of AWS accounts.

What is AWS Organizations?

AWS Organizations is a service that helps you manage multiple AWS accounts under one central management account.

How it works

Imagine you are running a company with different teams:

  • Dev Team

  • Testing Team

  • Production Team

Each team has a separate AWS account for security and cost management purposes. With AWS Organizations, you can:

✅ Group the individual AWS accounts for Development, Testing, and Production into organizational units.
✅ Apply strict service control policies (SCPs) to prevent unauthorized actions.
✅ Enable single billing to pay for all accounts together.

What is the use of grouping multiple AWS accounts into an organization?

Let's say there are multiple AWS accounts under development, and the users in all of these accounts need the same permissions. Rather than applying the same set of permissions to all users in every account separately, we use Organizations to apply them centrally.

Centralized Management – Manage all your AWS accounts from one place.
Consolidated Billing – Combine all AWS bills into a single payment.
Service Control Policies (SCPs) – Apply security and access restrictions across accounts.
Account Grouping with OUs – Organize accounts into Organizational Units (OUs) for better control.
Automated Account Creation – Create and assign accounts programmatically.

How to Create an Organization

It is simple to create an organization using the console.

When you click Create organization, your organizational structure shows a root and the master (management) account by default.

When you click Add account, you can either invite an existing AWS account into the organization or create a new account from within the organization. No separate billing setup is required for an account created this way, because AWS bills it through the same billing account as the rest of the organization.

To remove an invited member account from the organization, you need to log on to that member account and leave the organization from there.

But when the AWS account was created from within the organization, removing it requires you to set up billing information first, because that account depends on the management account for billing.

Organizational Units

Now you can group multiple AWS accounts of a similar kind together; such a group is what we call an organizational unit (OU).

A policy called a service control policy, which looks similar to an IAM policy, can be applied to an organizational unit; its permissions then flow from the OU down to all the accounts and child OUs under it. Again, these policies can be overwritten.

Service Control Policy and Resource Control Policy

A service control policy applies to the users and roles in an account, while a resource control policy applies to the resources in the account.

Service Control Policy

If this policy is applied to an OU, then all the users or roles in every account under that OU will be able to access objects in the cloud-newbie bucket.
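To make the inheritance described in the OU section and the SCP section above concrete, here is a small model of how SCPs are evaluated along the organization tree. It is an added example, not code from the original post or from AWS; the account ID, OU name, policies and bucket name are all constructed, and the model is simplified (no Condition, NotAction or NotResource elements). The practitioner's caveat it demonstrates: SCPs only filter, so an action must be allowed at every level from the root down to the account and by the identity's own IAM policy, and a more permissive SCP lower in the tree cannot widen what a parent OU denies.

```python
# Model of SCP evaluation along the organization tree (added example, not from the post).
# All IDs, OU names, policies and bucket names below are constructed for illustration.
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action, resource):
    """True if a statement's Action and Resource patterns cover the request."""
    acts = _as_list(stmt["Action"])
    ress = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in ress))


def policy_allows(statements, action, resource):
    """Policy logic: a matching Deny always wins; otherwise a matching Allow is required."""
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in statements)


def effective_allow(path, identity_policy, action, resource):
    """path: the SCPs attached at each level, from the root down to the account.
    Every level must allow the action, and the identity-based IAM policy must allow it too.
    SCPs never grant anything, so an Allow lower in the tree cannot undo a Deny above it."""
    for scps in path:
        level_statements = [s for scp in scps for s in scp["Statement"]]
        if not policy_allows(level_statements, action, resource):
            return False
    return policy_allows(identity_policy["Statement"], action, resource)


# Constructed organization: root -> "Development" OU -> account 111111111111 (example ID).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # default SCP
DEV_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*", "sts:*"], "Resource": "*"}]}
DEV_GUARDRAILS = {"Statement": [{"Effect": "Deny", "Action": ["s3:DeleteBucket", "organizations:LeaveOrganization"], "Resource": "*"}]}
DEV_ACCOUNT_PATH = [[FULL_AWS_ACCESS], [DEV_ALLOW_LIST, DEV_GUARDRAILS], [FULL_AWS_ACCESS]]
ADMIN_IAM = FULL_AWS_ACCESS  # an AdministratorAccess-style identity policy inside the member account


def demo():
    """Decisions for an admin user in the Development account under the constructed SCPs."""
    obj = "arn:aws:s3:::cloud-newbie/report.csv"
    return {
        "s3:GetObject on cloud-newbie": effective_allow(DEV_ACCOUNT_PATH, ADMIN_IAM, "s3:GetObject", obj),
        "s3:DeleteBucket (denied by OU guardrail)": effective_allow(DEV_ACCOUNT_PATH, ADMIN_IAM, "s3:DeleteBucket", "arn:aws:s3:::cloud-newbie"),
        "ec2:RunInstances (not in OU allow list)": effective_allow(DEV_ACCOUNT_PATH, ADMIN_IAM, "ec2:RunInstances", "*"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

Even though the identity policy is full administrator access, only the bucket read succeeds; the other two requests are stopped by the OU's SCPs before IAM is consulted.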

Resource Control Policy

If this is applied to an OU, then the KGF user in every account under the OU can access the cloud-newbie bucket in their own account.

That's it, a quick intro to AWS Organizations, service control policies and resource control policies.

Thanks for reading. Have a great day.🎉🎉🎉