4. AWS Organizations and Control Tower
AWS Organizations is a management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
AWS Organizations is a no-cost service. It provides features that help streamline account management, enhance security, and optimize costs across multiple AWS accounts.

Feature Sets

AWS Organizations is available in two feature sets:
Consolidated Billing:
Provides a single payment method for all AWS accounts in your organization.
Allows you to view combined charges and usage across accounts.
Takes advantage of aggregated usage for volume discounts.
The default limit is 20 linked accounts, which can be increased by request.
All Features:
Includes all the functionalities of consolidated billing.
Adds support for Service Control Policies (SCPs) to restrict AWS service actions.
Supports organizational units (OUs) for hierarchical account management.
Allows tag policies to enforce tagging rules across your organization.
Enables centralized management of AWS services across accounts.

Consolidated Billing

Consolidated billing is a powerful feature of AWS Organizations that helps manage costs and simplify billing across multiple accounts:
Single Payment Method: Set up one payment method for all accounts in your organization.
Combined View of Charges: See a consolidated view of charges incurred by all accounts.
Volume Discounts: Benefit from aggregated usage for services like Amazon EC2 and Amazon S3, which can lead to significant cost savings.
Unused Reserved Instances: Apply unused reserved EC2 instances across the organization to optimize resource utilization and cost.
Billing Alerts: Set up billing alerts on the paying account to monitor and manage expenses effectively across all linked accounts.

Policies and Hierarchies

AWS Organizations allows you to assign policies and manage permissions at different levels in your organizational hierarchy:
Service Control Policies (SCPs): Apply SCPs to users, accounts, or OUs to control access to AWS resources and services. SCPs help enforce compliance and security across your organization.
Organizational Units (OUs): Group accounts into OUs to apply policies and manage them more efficiently. OUs are useful for mirroring your company's structure within AWS.
Tag Policies: Enforce consistent tagging across accounts to improve resource management, cost tracking, and access control.
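The point that matters most about SCPs is that they are guardrails, not grants: an action is permitted in a member account only if every SCP on the path from the root to the account allows it and an IAM policy in the account also allows it, and the management account is exempt. The following is an added example for these notes, not AWS code. It models that intersection with a deliberately small matcher (Action and Effect with `*` wildcards; Resource and Condition are ignored). The SCP and IAM documents are constructed samples, including a deny-list guardrail that protects CloudTrail and an allow-list SCP that restricts an OU to a few services.

```python
"""Simplified model of how SCPs combine with an IAM identity policy.

Added example, not AWS code. Policy documents are constructed samples; the
matcher handles Action/Effect with '*' wildcards and ignores Resource and
Condition, which real AWS policy evaluation also takes into account.
"""
from fnmatch import fnmatchcase

# Constructed deny-list SCP: FullAWSAccess-style Allow, then guardrails that no
# IAM permission inside a member account can override.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                      "cloudtrail:DeleteTrail",
                                      "cloudtrail:UpdateTrail"], "Resource": "*"},
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}

# Constructed allow-list SCP for a restricted OU: only S3 and EC2 may be used.
RESTRICTED_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}],
}

# Constructed IAM identity policies attached to roles inside a member account.
ADMIN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """True if `policy` permits `action`.

    An explicit Deny that matches always wins; otherwise at least one Allow
    must match; no matching statement at all is an implicit deny. Action
    names are compared case-insensitively, as IAM does.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if any(fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(action, iam_policy, scps, is_management_account=False):
    """Combine SCPs and the IAM policy the way Organizations does.

    Every SCP in the account's path (root, each OU, the account) must allow
    the action, and the IAM policy must allow it too. SCPs never grant
    anything on their own. The management account is not subject to SCPs.
    """
    if not is_management_account and not all(policy_allows(s, action) for s in scps):
        return False
    return policy_allows(iam_policy, action)


if __name__ == "__main__":
    path = [GUARDRAIL_SCP, RESTRICTED_OU_SCP]   # root SCP, then the OU's SCP
    for action, iam in [("cloudtrail:StopLogging", ADMIN_IAM_POLICY),
                        ("iam:CreateUser", ADMIN_IAM_POLICY),
                        ("s3:PutObject", DEVELOPER_IAM_POLICY),
                        ("ec2:RunInstances", DEVELOPER_IAM_POLICY)]:
        print(f"{action:28} -> {effective_allow(action, iam, path)}")
```

Reading the output next to the policies makes the two halves of the rule visible: `cloudtrail:StopLogging` is denied even for a full-admin role because the root SCP denies it, `iam:CreateUser` is denied because the OU's allow-list SCP never allows it, and `ec2:RunInstances` is denied even though both SCPs allow it because the developer's IAM policy only covers `ec2:Describe*`.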

Key Features of AWS Organizations

Simplified Account Creation:
Programmatically create new accounts using AWS CLI, SDKs, or APIs.
Automate account creation processes to quickly expand your AWS environment.
Organizational Units (OUs):
Group accounts into OUs, which are logical groups that serve a single application or service.
Apply policies and manage accounts more effectively by grouping them.
Tag Policies:
Classify and track resources across your organization.
Enable attribute-based access control to enforce policies and manage permissions.
Delegated Administration:
Delegate administrative responsibilities for supported AWS services to specific accounts.
Allows users within those accounts to manage services on behalf of the organization.
Centralized Security Management:
Provide your security team with the necessary tools and access to manage security centrally.
Ensure consistent security policies across all accounts.
AWS Single Sign-On (SSO), now AWS IAM Identity Center:
Integrate with your Active Directory to provide seamless access to AWS accounts and resources.
Customize permissions based on job roles and responsibilities.
Service Control Policies (SCPs):
Apply SCPs to users, accounts, or OUs to control access to AWS resources and services.
Enforce specific policies and restrictions across your organization.
AWS Resource Access Manager (RAM):
Share AWS resources within your organization.
Facilitate collaboration and resource sharing without duplication.
AWS CloudTrail Integration:
Activate CloudTrail across all accounts to log all activities in your cloud environment.
Ensure auditability and compliance by maintaining immutable logs.
Consolidated Billing:
Set up a single payment method for all accounts in your organization.
View combined charges and take advantage of volume discounts for services like Amazon EC2 and S3.
Track costs and usage across accounts using AWS Cost Explorer and AWS Compute Optimizer.
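The "Simplified Account Creation" item above describes a three-step procedure: call CreateAccount, poll the asynchronous request until it succeeds or fails, then move the new account out of the root and into its OU so that the OU's policies apply from the start. The following is an added example for these notes, not AWS code. It assumes a boto3 Organizations client (`boto3.client("organizations")`) whose caller has permission to call CreateAccount, DescribeCreateAccountStatus, ListRoots and MoveAccount; `FakeOrganizationsClient` is a constructed in-memory stand-in so the workflow can be exercised without an AWS account, and the account, request and OU IDs it returns are constructed placeholders.

```python
"""Create a member account and place it in an OU via the Organizations API.

Added example, not AWS code. Works with a real boto3 Organizations client or
with the constructed FakeOrganizationsClient below.
"""
import time


def create_member_account(client, account_name, email, destination_ou_id,
                          poll_seconds=5, max_polls=60):
    """Create an account, wait for the asynchronous request to finish, then
    move the account from the organization root into `destination_ou_id`.

    Returns the new account ID; raises RuntimeError on failure or timeout.
    """
    resp = client.create_account(
        Email=email,
        AccountName=account_name,
        RoleName="OrganizationAccountAccessRole",  # role the management account assumes
        IamUserAccessToBilling="DENY",             # billing stays with the payer account
    )
    request_id = resp["CreateAccountStatus"]["Id"]

    for _ in range(max_polls):
        status = client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            account_id = status["AccountId"]
            break
        if status["State"] == "FAILED":
            raise RuntimeError(f"CreateAccount failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
    else:
        raise RuntimeError("timed out waiting for account creation")

    # New accounts land under the root; move it so the OU's SCPs and tag
    # policies govern it before anyone starts deploying into it.
    root_id = client.list_roots()["Roots"][0]["Id"]
    client.move_account(AccountId=account_id, SourceParentId=root_id,
                        DestinationParentId=destination_ou_id)
    return account_id


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client. It reports
    IN_PROGRESS once, then SUCCEEDED, and records MoveAccount calls."""

    def __init__(self):
        self.polls = 0
        self.moves = []

    def create_account(self, **kwargs):
        return {"CreateAccountStatus": {"Id": "car-example0000000001", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        status = {"Id": CreateAccountRequestId,
                  "State": "IN_PROGRESS" if self.polls < 2 else "SUCCEEDED"}
        if status["State"] == "SUCCEEDED":
            status["AccountId"] = "111111111111"  # constructed placeholder account ID
        return {"CreateAccountStatus": status}

    def list_roots(self):
        return {"Roots": [{"Id": "r-exmp"}]}  # constructed placeholder root ID

    def move_account(self, **kwargs):
        self.moves.append(kwargs)
        return {}


if __name__ == "__main__":
    # Replace with boto3.client("organizations") to run against a real organization.
    client = FakeOrganizationsClient()
    new_id = create_member_account(client, "workload-dev", "aws-dev@example.com",
                                   "ou-exmp-00000001", poll_seconds=0)
    print("created", new_id, "moved:", client.moves)
```

Polling is needed because CreateAccount returns before the account exists; in a real organization the loop typically runs for a minute or more, so keep `poll_seconds` at a sensible interval rather than the zero used for the offline run.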

Benefits of Using AWS Organizations

Centralized Management:
Simplify the administration of multiple AWS accounts.
Apply consistent policies and controls across your organization.
Enhanced Security and Compliance:
Centralized security management ensures uniform application of security policies.
CloudTrail provides a centralized logging mechanism for all accounts.
Cost Management:
Consolidated billing helps you manage and track costs effectively.
Benefit from volume discounts and efficient usage of reserved instances.
Scalability:
Easily scale your environment by programmatically creating and managing accounts.
Use OUs to manage large numbers of accounts efficiently.
Automation and Flexibility:
Automate account creation and management processes using the AWS Organizations API.
Flexibly apply policies and manage permissions across different accounts and OUs.
