Management & Governance

    AWS Organizations

    Centrally manage and govern multiple AWS accounts

    Organizations is like a corporate structure for your AWS accounts. Instead of managing 50 separate AWS accounts independently (each with its own billing, security policies, and users), Organizations lets you group them into a hierarchy with a management account at the top. You can apply policies across all accounts: 'no one can launch instances outside us-east-1' or 'all S3 buckets must be encrypted.' You get consolidated billing (one bill for all accounts), volume discounts, and centralized governance. It's like having a parent company that sets rules for all subsidiaries while letting them operate independently within those guardrails.

    Organizations creates a hierarchy of accounts with organizational units (OUs) for grouping. The management account (root) has full control; member accounts can be invited or created. Service Control Policies (SCPs) are permission boundaries applied to OUs or accounts; they don't grant permissions, they limit what IAM users/roles can do.

    Key Capabilities

    Key features: consolidated billing (volume discounts, reserved instance sharing), AWS Control Tower integration (automated account setup), and tag policies (enforce tagging standards).

    Gotchas & Constraints

    Gotcha #1: SCPs affect all principals in a member account, including that account's root user, so be careful not to lock yourself out. Gotcha #2: SCPs don't apply to the management account; use a separate account for workloads. Constraints: Default 10 accounts per organization (adjustable up to 50,000), maximum 5 levels of OUs, and SCP size limited to 5,120 characters.

    A company has 100 AWS accounts: 20 for production, 30 for development, 30 for testing, and 20 for individual teams. Managing them separately is chaos: inconsistent security policies, no cost visibility, and duplicated effort. They create an AWS Organization with OUs: Production, Development, Testing, and Teams. They apply SCPs: Production OU requires MFA for all actions, blocks public S3 buckets, and restricts regions to us-east-1 and eu-west-1. Development OU allows all regions but blocks expensive instance types. They enable consolidated billing. Total monthly spend is $500,000, qualifying for volume discounts that save $50,000/year. Reserved Instances purchased in one account are shared across all accounts automatically. They use AWS Control Tower to automate new account creation; new accounts get baseline security (CloudTrail, Config, GuardDuty) automatically.

    The Result

    Centralized governance, 10% cost savings, and consistent security across all accounts.
