AWS Organizations

Hello everyone. In this blog I would like to explain what AWS Organizations is and how it is used to manage a bunch of AWS accounts.

What is AWS Organizations?

AWS Organizations is a service that helps you manage multiple AWS accounts under one central management account.

How this works…

Imagine you are running a company with different teams:

  • Dev Team

  • Testing Team

  • Production Team

Each team has a separate AWS account for security and cost management purposes. With AWS Organizations, you can:

✅ Group these individual AWS accounts for Development, Testing, and Production into Organizational Units.
✅ Apply strict Service Control Policies (SCPs) to prevent unauthorized actions.
✅ Enable single billing to pay for all accounts together.

What is the use of grouping multiple AWS accounts into an organization?

Let’s say there are multiple AWS accounts under Development, and the users in all of these accounts need the same permissions. Instead of applying the same set of permissions to every user in each account separately, we use Organizations.

Centralized Management – Manage all your AWS accounts from one place.
Consolidated Billing – Combine all AWS bills into a single payment.
Service Control Policies (SCPs) – Apply security and access restrictions across accounts.
Account Grouping with OUs – Organize accounts into Organizational Units (OUs) for better control.
Automated Account Creation – Create and assign accounts programmatically.

How to Create Organizations

It is simple to create an organization using the console.

When you click Create organization, your organizational structure will by default contain a root and the master (management) account.

When you click Add account, you can invite an existing AWS account into the organization or even create a new account from within the organization. No separate billing setup is required, as AWS uses the same billing account for this member account as well.

When you want to remove such an invited member account from the organization, you need to log on to the member account and leave the organization from there.

But when the account was created from the organization and you try to remove it, you are required to set up billing information first, as this account depends on the management account for billing.

Organizational Units

Now you can group multiple similar kinds of AWS accounts together, and this grouping is what we call an organizational unit (OU).

A policy called a service control policy, similar to an IAM policy, can be applied to an organizational unit; its permissions then flow from the OU to all the accounts and OUs under it. Again, these policies can be overwritten.

Service Control Policy and Resource Control Policy

A service control policy applies to users and roles, while a resource control policy applies to the resources in the account.

Service Control Policy

SCPs don't grant permissions on their own. They define the maximum permissions that can be allowed in an account or Organizational Unit (OU). Even if an SCP explicitly allows all S3 access on a bucket, the users or roles still need corresponding IAM policies to actually perform actions.

Individual IAM policies attached to users, groups, or roles are what grant the actual permissions. An SCP sets the upper limit. If an IAM policy attempts to grant permissions that exceed what the SCP allows, those actions will be blocked.

SCPs help ensure that all accounts within an OU adhere to your organization’s security or compliance guidelines. For example, even if someone inadvertently grants too many permissions via an IAM policy, the SCP will enforce a boundary.

Resource Control Policy

This policy denies everyone the GetObject and ListBucket permissions on the cloud newbie bucket.

If this is applied to any account or OU, then these operations are not allowed on this bucket.

Only Deny is allowed as the effect, and only * is allowed as the principal.
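To make the SCP and RCP behaviour above concrete, here is an added toy evaluator (my own example, not AWS code or anything from the post) that combines an IAM policy, the inherited chain of SCPs from the root down to an account, and the post's RCP. The policy documents and the bucket ARN arn:aws:s3:::cloud-newbie are constructed for illustration; only the Action/Resource/Effect parts of AWS policy evaluation are modelled.

```python
from fnmatch import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # A statement matches when both its Action and Resource patterns match.
    return (any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", "*"))))

def policy_allows(policy, action, resource):
    """Single policy: explicit Deny wins, then a matching Allow, else implicit deny."""
    hits = [s for s in policy["Statement"] if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)

def is_allowed(action, resource, iam_policy, scp_path, rcps=()):
    """SCPs are inherited: every SCP from the root down to the account must allow.
    RCPs can only deny. The IAM policy is what finally grants the permission."""
    if not all(policy_allows(scp, action, resource) for scp in scp_path):
        return False  # SCP boundary: IAM cannot exceed it
    if any(s["Effect"] == "Deny" and _matches(s, action, resource)
           for rcp in rcps for s in rcp["Statement"]):
        return False  # RCP on the account that owns the resource
    return policy_allows(iam_policy, action, resource)

# Constructed sample policies (hypothetical, bucket ARN assumed).
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEV_OU_SCP = {"Statement": [  # Dev OU: everything allowed except leaving the organization
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}
CLOUD_NEWBIE_RCP = {"Statement": [{  # the post's RCP: Deny, Principal *, GetObject + ListBucket
    "Effect": "Deny", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::cloud-newbie", "arn:aws:s3:::cloud-newbie/*"],
}]}
DEV_USER_IAM = {"Statement": [  # IAM grants S3 and LeaveOrganization, nothing for EC2
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}

def dev_account_decisions():
    """Decisions for a user in an account under the Dev OU (SCP path: root -> Dev OU)."""
    path = [ROOT_SCP, DEV_OU_SCP]
    return {
        "get other bucket": is_allowed("s3:GetObject", "arn:aws:s3:::team-bucket/a.txt", DEV_USER_IAM, path, [CLOUD_NEWBIE_RCP]),
        "get cloud newbie": is_allowed("s3:GetObject", "arn:aws:s3:::cloud-newbie/a.txt", DEV_USER_IAM, path, [CLOUD_NEWBIE_RCP]),
        "leave org": is_allowed("organizations:LeaveOrganization", "*", DEV_USER_IAM, path),
        "run ec2": is_allowed("ec2:RunInstances", "*", DEV_USER_IAM, path),
    }
```

The "run ec2" case shows an SCP allowing an action that the IAM policy never grants, and moving the account directly under the root (SCP path of just ROOT_SCP) lets the LeaveOrganization call through again, which is the inheritance the post describes.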

That’s it, a quick intro to AWS Organizations, Service Control Policies and Resource Control Policies.

Thanks for reading. Have a great day.🎉🎉🎉