4. AWS Organizations and Control Tower
AWS Organizations
Best Practices and Migration
Use Organizational Units (OUs): Group related accounts into OUs to apply consistent policies and simplify management.
Implement Service Control Policies (SCPs): Define and enforce specific access policies across accounts to ensure security and compliance.
Utilize Tagging and Tag Policies: Tag resources consistently across accounts for better management, cost tracking, and access control.
Enable AWS CloudTrail for All Accounts: Ensure all accounts have CloudTrail enabled for audit logging and compliance.
Centralize Security Management: Delegate security responsibilities to a central team to maintain uniform security policies.
Monitor and Optimize Costs: Use AWS Cost Explorer and Compute Optimizer to monitor usage and optimize costs across all accounts. Set up billing alerts to monitor and manage expenses effectively.
Leverage Amazon SSO: Simplify user access management by integrating Amazon SSO with your Active Directory.
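An added example, not part of the original doc and not AWS's own code: a guard-rail SCP in the standard policy JSON format that protects CloudTrail and stops member accounts from leaving the organization, plus a small matcher that shows which API calls the policy would block. The action names are real AWS actions; the sample calls and the simplified evaluator (it ignores Condition and Resource scoping) are assumptions made for the illustration.

```python
"""Guard-rail SCP for CloudTrail (added example, not from the original doc).

SCPs only ever restrict: a principal still needs an IAM policy that grants an
action, and the SCP then decides whether that grant is usable. Attaching this
policy to the OU (or root) above all member accounts makes every account
inherit it. Note that SCPs never apply to the management account itself.
"""
import fnmatch
import json

PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Keep audit logging intact in every member account.
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            # A member that leaves the organization also leaves this SCP behind,
            # so the ability to leave is itself a guard-rail to deny.
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def as_actions(spec):
    """Normalise an Action field, which may be a single string or a list."""
    return [spec] if isinstance(spec, str) else list(spec)


def scp_denies(policy, action):
    """Return True if any Deny statement in `policy` matches `action`.

    Uses IAM-style wildcard matching (case-insensitive, '*' and '?').
    Simplification (assumption for this example): Condition blocks and
    Resource scoping are ignored, so this models the common
    'Resource': '*' guard-rail pattern only.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for pattern in as_actions(stmt["Action"]):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def scp_document(policy=PROTECT_CLOUDTRAIL_SCP):
    """JSON text in the form `aws organizations create-policy --content` expects."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample of calls a member-account principal might attempt.
    sample_calls = [
        "cloudtrail:StopLogging",
        "cloudtrail:LookupEvents",
        "organizations:LeaveOrganization",
        "s3:PutObject",
    ]
    for call in sample_calls:
        verdict = "DENIED by SCP" if scp_denies(PROTECT_CLOUDTRAIL_SCP, call) else "not restricted"
        print(f"{call:36s} {verdict}")
    print(scp_document())
```

To put the policy in place you would create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attach it to the target OU with `aws organizations attach-policy`; the matcher is only there to reason about the policy offline before it is attached, and the default FullAWSAccess SCP still has to remain attached so that non-denied actions stay available.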
Best practices for the management account:
Use the management account only for tasks that require the management account.
Use a group email address for the management account’s root user.
Use a complex password for the management account’s root user.
Enable MFA for your root user credentials.
Add a phone number to the account contact information.
Review and keep track of who has access.
Document the processes for using the root user credentials.
Apply controls to monitor access to the root user credentials.
Migrating accounts between organizations
Accounts can be migrated between organizations.
You must have root or IAM access to both the member and management accounts.
Use the AWS Organizations console for just a few accounts.
Use the AWS Organizations API or AWS Command Line Interface (AWS CLI) if there are many accounts to migrate.
Billing history and billing reports for all accounts stay with the management account in an organization.
Before migration, download any billing or report history for any member accounts that you want to keep.
When a member account leaves an organization, all charges incurred by the account are charged directly to the standalone account.
Even if the account move takes only a minute to process, the member account will likely incur some charges while it is standalone.
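The migration procedure above, as an added example (not from the original doc, and not an AWS tool): a Python planner for moving many accounts at once. It validates the account IDs and builds the AWS CLI calls in the order the move has to happen, tagged with the credentials each step needs, so the whole batch can be reviewed before anything is executed. The account IDs and profile names are constructed placeholders; the three `aws organizations` subcommands are the real AWS CLI ones, and `run_plan()` only invokes them when `dry_run=False`.

```python
"""Batch planner for moving member accounts between organizations
(added example, not from the original doc).

Order of operations per account:
  1. old management account : remove-account-from-organization
  2. new management account : invite-account-to-organization
  3. the member account     : accept-handshake

Assumptions: account IDs and profile names below are constructed
placeholders; before running for real, export the billing reports you want
to keep, because they stay with the old management account.
"""
import json
import re
import subprocess

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
HANDSHAKE_PLACEHOLDER = "<HANDSHAKE_ID>"


def is_valid_account_id(value):
    """AWS account IDs are exactly 12 decimal digits."""
    return bool(ACCOUNT_ID_RE.match(value))


def validate_account_ids(ids):
    """Fail fast on malformed IDs; drop duplicates while keeping order."""
    bad = [i for i in ids if not is_valid_account_id(i)]
    if bad:
        raise ValueError(f"invalid account IDs: {bad}")
    return list(dict.fromkeys(ids))


def migration_plan(ids, old_mgmt_profile, new_mgmt_profile, member_profile_fmt):
    """Return an ordered list of (profile, argv) steps, three per account.

    member_profile_fmt is a format string containing {id}: step 3 must run
    with credentials from the member account being moved, because only the
    invited account can accept its own handshake.
    """
    plan = []
    for acct in validate_account_ids(ids):
        plan.append((old_mgmt_profile,
                     ["aws", "organizations", "remove-account-from-organization",
                      "--account-id", acct]))
        plan.append((new_mgmt_profile,
                     ["aws", "organizations", "invite-account-to-organization",
                      "--target", f"Id={acct},Type=ACCOUNT"]))
        # The handshake ID is only known once the invite call returns, so a
        # placeholder is kept here and filled in by run_plan() at execution time.
        plan.append((member_profile_fmt.format(id=acct),
                     ["aws", "organizations", "accept-handshake",
                      "--handshake-id", HANDSHAKE_PLACEHOLDER]))
    return plan


def run_plan(plan, dry_run=True):
    """Execute the steps in order; with dry_run=True only return the commands."""
    executed = []
    handshake_id = None
    for profile, argv in plan:
        cmd = [handshake_id if (c == HANDSHAKE_PLACEHOLDER and handshake_id) else c
               for c in argv]
        cmd += ["--profile", profile, "--output", "json"]
        executed.append(cmd)
        if dry_run:
            continue
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        if "invite-account-to-organization" in cmd:
            # The invite response carries the handshake the member must accept.
            handshake_id = json.loads(out)["Handshake"]["Id"]
    return executed


if __name__ == "__main__":
    # Constructed placeholder account IDs and profile names.
    accounts = ["111111111111", "222222222222"]
    for cmd in run_plan(migration_plan(accounts, "old-mgmt", "new-mgmt", "member-{id}")):
        print(" ".join(cmd))
```

Running it with the default `dry_run=True` prints the full command list for review; the removal in step 1 is the moment the account becomes standalone and starts being billed directly, so steps 2 and 3 should follow promptly, and the IAM or root access the doc mentions is needed for every profile the plan references.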