Organizations

Solution Architect Associate

Security Specialty

  • AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an Organization
  • Available in two feature sets, consolidated billing and all features
  • It is vital to set up a dedicated logging account, which typically collects logs in S3 through CloudTrail
  • In consolidated billing, you have a paying account and you link all other accounts to your paying account
  • Organizations replaces consolidated billing. You organize accounts into organization units (OUs)
    • You can now apply policies to OUs, or to a root account
  • The paying account in consolidated billing is independent and cannot access resources in other accounts.
  • Limited to 20 linked accounts
  • With consolidated billing, you get discounts for volume usage across the accounts: the more you consume, the lower the unit price
  • AWS Organizations allows you to
    • Centrally manage policies across accounts
    • Control access to AWS services
    • Automate AWS Account creation and management
    • Consolidate billing across multiple AWS accounts
  • You can combine and use reserved instances across accounts

Service Control Policies

  • Policies that allow you to set limits on what users can do across accounts
  • Uses the same structure as a typical IAM policy
  • These policies override anything applied at the account level
  • These policies are the only way to restrict what the root account can do
  • Allow statements don’t do what you might expect: they set the boundary of what permissions can be granted, rather than granting those permissions themselves
    • SCPs can take permissions away but cannot grant them
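The interaction above (SCP as a ceiling, IAM as the grant, explicit deny winning everywhere, root users in member accounts limited only by the SCP) is easiest to see with a small evaluator. The following is an added example and not AWS code or anything from these notes: it models only the Effect/Action/Resource fields with IAM-style `*` wildcards, ignores conditions, resource-based policies and permission boundaries, and the two policies it evaluates are constructed for the demonstration.

```python
"""
Simplified model of how a Service Control Policy (SCP) combines with an IAM
identity policy. Added example, not AWS code. Assumptions: only Effect,
Action and Resource are considered; '*' and '?' behave as IAM wildcards;
Condition keys, resource policies and permission boundaries are ignored.
"""
import fnmatch

# Constructed sample SCP attached to an OU. The Allow statement grants
# nothing by itself; it only defines the ceiling. The Deny statement
# removes the ability to turn off the audit trail or leave the organization.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed IAM identity policy for a developer in a member account.
# Note it grants cloudtrail:* even though the SCP denies part of it.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' any run, '?' one char; actions are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _evaluate(policy, action, resource):
    """Return 'deny', 'allow' or None (no statement matched) for one policy."""
    decision = None
    for statement in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(statement.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(statement.get("Resource", [])))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision


def is_permitted(action, resource, scp=SCP, iam_policy=IAM_POLICY, member_root_user=False):
    """
    Effective permission = inside the SCP ceiling AND granted by IAM.
    The root user of a member account has every IAM permission implicitly,
    so the SCP is the only thing that can restrict it. (The management
    account itself is not subject to SCPs; this model covers member accounts.)
    """
    if _evaluate(scp, action, resource) != "allow":
        return False  # explicitly denied, or never allowed, by the SCP
    if member_root_user:
        return True
    return _evaluate(iam_policy, action, resource) == "allow"


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/key", False),
        ("cloudtrail:StopLogging", "*", False),   # IAM grants it, SCP denies it
        ("ec2:RunInstances", "*", False),         # SCP allows it, IAM never granted it
        ("cloudtrail:StopLogging", "*", True),    # root user still blocked by the SCP
        ("ec2:RunInstances", "*", True),          # root user needs no IAM grant
    ]
    for action, resource, root in checks:
        who = "root" if root else "developer"
        print(f"{who:9} {action:32} -> {is_permitted(action, resource, member_root_user=root)}")
```

Running the block prints one line per check; the two rows worth studying for the exam are `cloudtrail:StopLogging`, which the IAM policy grants but the SCP removes, and `ec2:RunInstances`, which the SCP allows yet the developer still cannot call because nothing in IAM grants it.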