{"id":48526,"date":"2025-02-18T05:41:10","date_gmt":"2025-02-18T05:41:10","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48526"},"modified":"2026-02-21T07:26:04","modified_gmt":"2026-02-21T07:26:04","slug":"complete-guide-of-aws-organization-and-aws-access-portal","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/complete-guide-of-aws-organization-and-aws-access-portal\/","title":{"rendered":"Complete Guide of AWS Organization and AWS access portal"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/Screenshot-2025-02-18-at-2.48.10%E2%80%AFPM.png\"><img decoding=\"async\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/Screenshot-2025-02-18-at-2.48.10%E2%80%AFPM-1024x523.png\" alt=\"\" class=\"wp-image-48528\"><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What is AWS Organization?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Organizations: An Overview<\/strong><\/h3>\n\n\n\n<p><strong>AWS Organizations<\/strong> is a <strong>service<\/strong> that helps businesses <strong>centrally manage and govern<\/strong> multiple AWS accounts. 
It allows organizations to <strong>group accounts, apply policies, consolidate billing, and enforce security controls<\/strong> across all accounts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Key Features of AWS Organizations<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Centralized Account Management<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organize multiple AWS accounts under a <strong>single root account<\/strong>.<\/li>\n\n\n\n<li>Group accounts into <strong>Organizational Units (OUs)<\/strong> for better management.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Consolidated Billing<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get a <strong>single bill<\/strong> for all AWS accounts.<\/li>\n\n\n\n<li>Share AWS <strong>Reserved Instances (RI) &amp; Savings Plans<\/strong> across accounts for cost savings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3\ufe0f\u20e3 Service Control Policies (SCPs)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply <strong>security and compliance policies<\/strong> at the organization or account level.<\/li>\n\n\n\n<li>Restrict specific AWS services or regions for selected accounts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4\ufe0f\u20e3 AWS IAM Identity Center (SSO) Integration<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage user access <strong>centrally<\/strong> across all accounts with <strong>AWS IAM Identity Center (formerly AWS SSO)<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5\ufe0f\u20e3 Security &amp; Compliance<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce <strong>organization-wide security policies<\/strong>.<\/li>\n\n\n\n<li><strong>Centralize AWS CloudTrail logs<\/strong> for auditing.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\"><strong>6\ufe0f\u20e3 Cross-Account Resource Sharing (RAM)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Share AWS resources (like <strong>VPC, Route53, Transit Gateway<\/strong>) across accounts.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 AWS Organizations Structure<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">\u251c\u2500\u2500 AWS Root Account\n    \u251c\u2500\u2500 Security OU\n    \u2502   \u251c\u2500\u2500 Logging Account\n    \u2502   \u251c\u2500\u2500 Audit Account\n    \u2502\n    \u251c\u2500\u2500 Workloads OU\n    \u2502   \u251c\u2500\u2500 Production Account\n    \u2502   \u251c\u2500\u2500 Staging Account\n    \u2502   \u251c\u2500\u2500 Testing (UAT) Account\n    \u2502\n    \u251c\u2500\u2500 Sandbox OU\n    \u2502   \u251c\u2500\u2500 Development Account\n<\/code><\/span><\/pre>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Root Account<\/strong>: The main account that manages AWS Organizations.<\/li>\n\n\n\n<li><strong>Organizational Units (OUs)<\/strong>: Logical groups of accounts (e.g., Prod, Stage, UAT).<\/li>\n\n\n\n<li><strong>Member Accounts<\/strong>: AWS accounts under the organization.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/Screenshot-2025-02-18-at-2.47.48%E2%80%AFPM-1024x670.png\" alt=\"\" class=\"wp-image-48529\"><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Benefits of AWS Organizations<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Security &amp; Governance<\/strong> \u2192 Apply <strong>Service Control Policies (SCPs)<\/strong> across accounts.<br>\u2705 <strong>Cost Savings<\/strong> \u2192 Enable <strong>Consolidated Billing<\/strong> and optimize 
<strong>Reserved Instances<\/strong>.<br>\u2705 <strong>Operational Efficiency<\/strong> \u2192 Manage AWS resources centrally.<br>\u2705 <strong>Simplified User Access<\/strong> \u2192 Use <strong>AWS IAM Identity Center (SSO)<\/strong> for secure login.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 How to Set Up AWS Organizations<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Enable AWS Organizations<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to AWS Management Console.<\/li>\n\n\n\n<li>Go to <strong>AWS Organizations<\/strong> \u2192 Click <strong>Create Organization<\/strong>.<\/li>\n\n\n\n<li>Select <strong>Enable All Features<\/strong> for full control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Create &amp; Structure AWS Accounts<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add new AWS accounts or <strong>invite existing accounts<\/strong>.<\/li>\n\n\n\n<li>Group accounts into <strong>Organizational Units (OUs)<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Apply Security Policies<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Service Control Policies (SCPs)<\/strong> to enforce rules.<\/li>\n\n\n\n<li>Example: Restrict access to <strong>only specific AWS regions<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Enable Consolidated Billing<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>Billing Dashboard<\/strong> \u2192 Enable <strong>Consolidated Billing<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 5: Configure IAM Identity Center (SSO)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integrate <strong>AWS IAM Identity Center<\/strong> for managing user access.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>\ud83c\udfaf What are the top 10 use cases of AWS Organizations?<\/strong><\/h2>\n\n\n\n<p>There is no single definitive list of ten use cases for AWS Organizations, but the following are the ones organizations most commonly rely on:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Account Management: Automate the creation and management of multiple AWS accounts, particularly useful for quickly launching new work environments or projects.<\/li>\n\n\n\n<li>Workload Categorization: Create separate groups to categorize different types of accounts, such as development and production environments.<\/li>\n\n\n\n<li>Resource Sharing: Easily share critical central resources across multiple accounts within the organization.<\/li>\n\n\n\n<li>Centralized Compliance: Implement Service Control Policies (SCPs) to enforce security and compliance standards across all accounts in the organization.<\/li>\n\n\n\n<li>Cost Management: Utilize consolidated billing to get a single bill for all AWS accounts in the organization, simplifying budgeting and cost allocation.<\/li>\n\n\n\n<li>Access Control: Manage IAM policies across multiple accounts, ensuring consistent access controls and the principle of least privilege.<\/li>\n\n\n\n<li>Auditing and Security: Implement centralized logging and monitoring across all accounts for better security oversight and auditing capabilities.<\/li>\n\n\n\n<li>Environment Isolation: Separate production, staging, and development environments into different accounts for improved security and resource management.<\/li>\n\n\n\n<li>Departmental Segregation: Organize accounts based on different departments or business units within a company.<\/li>\n\n\n\n<li>Multi-Region Management: Manage and govern AWS resources across multiple geographic regions from a central point.<\/li>\n<\/ol>\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>Advantages of AWS Organizations<\/strong> \ud83d\ude80<\/h2>\n\n\n\n<p>AWS Organizations offers several benefits for enterprises and businesses managing multiple AWS accounts. It simplifies account management, improves security, optimizes costs, and enhances governance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 1. Centralized Multi-Account Management<\/strong><\/h2>\n\n\n\n<p>\u2705 Manage multiple AWS accounts under a single <strong>root account<\/strong>.<br>\u2705 Organize accounts into <strong>Organizational Units (OUs)<\/strong> based on workload (e.g., Prod, Dev, UAT).<br>\u2705 Control account creation and permissions from a central location.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 2. Security and Compliance<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Service Control Policies (SCPs):<\/strong> Restrict AWS services, regions, or actions for specific accounts.<br>\u2705 <strong>Centralized Logging:<\/strong> Collect security and compliance logs using <strong>AWS CloudTrail<\/strong>.<br>\u2705 <strong>AWS Security Hub Integration:<\/strong> Monitor security across multiple AWS accounts.<br>\u2705 <strong>Data Protection:<\/strong> Implement strict security policies for sensitive environments (e.g., Production).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 3. 
Cost Savings and Consolidated Billing<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Single Billing Account:<\/strong> View and manage all AWS costs in one place.<br>\u2705 <strong>Reserved Instance &amp; Savings Plan Sharing:<\/strong> Maximize cost efficiency across accounts.<br>\u2705 <strong>Cost Tracking by Account:<\/strong> Monitor AWS spending by <strong>Prod, Stage, UAT<\/strong>, etc.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 4. Enhanced User Access Control<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>AWS IAM Identity Center (SSO):<\/strong> Manage user access centrally.<br>\u2705 <strong>Role-Based Access:<\/strong> Assign different roles for developers, admins, and security teams.<br>\u2705 <strong>Federated Access:<\/strong> Integrate with <strong>Active Directory, Okta, or Azure AD<\/strong> for authentication.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 5. Simplified Resource Sharing<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Cross-Account Resource Sharing:<\/strong> Share AWS services (e.g., <strong>VPC, Transit Gateway, Route 53<\/strong>) across accounts.<br>\u2705 <strong>AWS Resource Access Manager (RAM):<\/strong> Enable seamless access without duplicating resources.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 6. 
Scalability &amp; Automation<\/strong><\/h2>\n\n\n\n<p>\u2705 Automate <strong>account creation, configuration, and governance<\/strong> using AWS <strong>Control Tower<\/strong>.<br>\u2705 Easily onboard <strong>new teams, business units, or projects<\/strong> without security risks.<br>\u2705 Standardize deployments using <strong>Infrastructure as Code (IaC)<\/strong> (e.g., Terraform, CloudFormation).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 7. Governance &amp; Policy Enforcement<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Prevent unauthorized changes<\/strong> with SCPs.<br>\u2705 <strong>Tag Policies:<\/strong> Ensure proper resource tagging for cost tracking.<br>\u2705 <strong>Prevent accidental deletion of critical resources<\/strong> in Production.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 8. Isolation of Workloads<\/strong><\/h2>\n\n\n\n<p>\u2705 Keep <strong>Production, Staging, and UAT<\/strong> workloads separate.<br>\u2705 Prevent accidental modifications to <strong>Production<\/strong> environments.<br>\u2705 Apply <strong>different IAM policies per environment<\/strong> to enhance security.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83c\udfaf Final Verdict: Why Use AWS Organizations?<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Centralized control<\/strong> over multiple AWS accounts.<br>\u2705 <strong>Improved security<\/strong> with policy-based restrictions.<br>\u2705 <strong>Better cost management<\/strong> with consolidated billing.<br>\u2705 <strong>Seamless user and resource management<\/strong> using IAM Identity Center.<br>\u2705 <strong>Greater scalability and governance<\/strong> for enterprises.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is AWS access portal and its use 
cases?<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/02\/Screenshot-2025-02-18-at-2.48.01%E2%80%AFPM-1024x741.png\" alt=\"\" class=\"wp-image-48531\"><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Access Portal: Overview &amp; Use Cases<\/strong><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\ud83d\udd39 What is AWS Access Portal?<\/strong><\/h3>\n\n\n\n<p>The <strong>AWS Access Portal<\/strong> is a <strong>web-based login interface<\/strong> that allows users to securely access <strong>multiple AWS accounts and applications<\/strong> through <strong>AWS IAM Identity Center (formerly AWS SSO)<\/strong>. It simplifies identity and access management by providing <strong>Single Sign-On (SSO)<\/strong> for AWS environments and third-party applications.<\/p>\n\n\n\n<p>\u2705 <strong>Key Function:<\/strong> Centralized access management for AWS accounts, reducing the need for multiple IAM users and credentials.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Key Features of AWS Access Portal<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Single Sign-On (SSO)<\/strong>\n<ul class=\"wp-block-list\">\n<li>Users log in once to access multiple AWS accounts and applications.<\/li>\n\n\n\n<li>No need to remember multiple passwords for different AWS accounts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Centralized AWS Account Access<\/strong>\n<ul class=\"wp-block-list\">\n<li>Admins can manage access to <strong>Prod, Staging, UAT, and Dev<\/strong> accounts.<\/li>\n\n\n\n<li>Users can seamlessly switch between AWS accounts and roles.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Integration with External Identity Providers (IdPs)<\/strong>\n<ul class=\"wp-block-list\">\n<li>Works with <strong>Azure AD, Okta, Google Workspace, Microsoft Active 
Directory<\/strong>, etc.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Multi-Factor Authentication (MFA)<\/strong>\n<ul class=\"wp-block-list\">\n<li>Enhances security with <strong>OTP-based authentication<\/strong> or an authenticator app.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Access to AWS CLI &amp; SDKs<\/strong>\n<ul class=\"wp-block-list\">\n<li>Users can retrieve <strong>temporary credentials<\/strong> to access AWS services via CLI.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Audit &amp; Compliance Logging<\/strong>\n<ul class=\"wp-block-list\">\n<li>Tracks user activity through <strong>AWS CloudTrail<\/strong> for monitoring and compliance.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Use Cases of AWS Access Portal<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Multi-Account AWS Access Management<\/strong><\/h3>\n\n\n\n<p>\u2705 Ideal for enterprises with multiple AWS accounts (<strong>Prod, UAT, Staging<\/strong>)<br>\u2705 Enables easy <strong>switching between AWS accounts &amp; roles<\/strong> via a web portal<br>\u2705 Reduces the need for managing multiple IAM users &amp; passwords<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Secure Workforce Authentication<\/strong><\/h3>\n\n\n\n<p>\u2705 Employees can log in using their corporate credentials (<strong>SSO integration<\/strong>)<br>\u2705 Supports <strong>Multi-Factor Authentication (MFA)<\/strong> for extra security<br>\u2705 Access AWS <strong>Management Console, CLI, and SDKs<\/strong> seamlessly<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3\ufe0f\u20e3 Integration with External Identity Providers<\/strong><\/h3>\n\n\n\n<p>\u2705 Works with <strong>Azure AD, Okta, Google Workspace, and Active Directory<\/strong><br>\u2705 Allows enterprises to use <strong>existing user directories<\/strong> for AWS authentication<br>\u2705 Reduces manual 
account creation &amp; password resets<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4\ufe0f\u20e3 Secure &amp; Granular Role-Based Access Control (RBAC)<\/strong><\/h3>\n\n\n\n<p>\u2705 Assign different permissions for <strong>Developers, Admins, Security Teams<\/strong><br>\u2705 Example: <strong>Developers<\/strong> get access to <strong>UAT &amp; Staging<\/strong>, but not <strong>Prod<\/strong><br>\u2705 Uses <strong>IAM Identity Center roles<\/strong> instead of individual IAM users<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5\ufe0f\u20e3 Secure API &amp; CLI Access for Developers<\/strong><\/h3>\n\n\n\n<p>\u2705 Developers can retrieve <strong>temporary AWS credentials<\/strong> from the Access Portal<br>\u2705 Helps avoid storing long-term credentials in scripts or applications<br>\u2705 Improves security posture by reducing the risk of credential leaks<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6\ufe0f\u20e3 Improved Governance &amp; Compliance<\/strong><\/h3>\n\n\n\n<p>\u2705 <strong>Audit &amp; track user access<\/strong> using <strong>AWS CloudTrail<\/strong><br>\u2705 Enforce policies such as <strong>geo-restrictions &amp; service control policies (SCPs)<\/strong><br>\u2705 Helps meet security compliance standards like <strong>ISO, SOC, and GDPR<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Final Thoughts<\/strong><\/h2>\n\n\n\n<p>\ud83d\udd25 <strong>AWS Access Portal is a must-have<\/strong> for organizations managing multiple AWS accounts! \ud83d\udd25<br>\u2705 <strong>Simplifies user authentication<\/strong> with SSO &amp; MFA<br>\u2705 <strong>Reduces security risks<\/strong> by eliminating long-term IAM credentials<br>\u2705 <strong>Enhances governance<\/strong> with centralized access &amp; logging<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><strong><strong>AWS Access Portal vs. 
AWS Organizations: Key Differences<\/strong><\/strong><\/h1>\n\n\n\n<p>AWS <strong>Access Portal<\/strong> and <strong>AWS Organizations<\/strong> serve different purposes in <strong>AWS account and access management<\/strong>. Here\u2019s a detailed comparison:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Feature<\/strong><\/th><th><strong>AWS Access Portal<\/strong><\/th><th><strong>AWS Organizations<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Definition<\/strong><\/td><td>A <strong>web-based interface<\/strong> that allows users to access multiple AWS accounts using <strong>AWS IAM Identity Center (SSO)<\/strong>.<\/td><td>A <strong>multi-account management service<\/strong> that allows organizations to create and manage multiple AWS accounts centrally.<\/td><\/tr><tr><td><strong>Purpose<\/strong><\/td><td><strong>Provides secure access<\/strong> to multiple AWS accounts via <strong>single sign-on (SSO)<\/strong>.<\/td><td><strong>Manages multiple AWS accounts<\/strong> under a single organization for billing, security, and governance.<\/td><\/tr><tr><td><strong>Primary Functionality<\/strong><\/td><td>Enables users to log in to AWS accounts without managing multiple credentials.<\/td><td>Groups AWS accounts into <strong>Organizational Units (OUs)<\/strong> and applies <strong>Service Control Policies (SCPs)<\/strong> for governance.<\/td><\/tr><tr><td><strong>How It Works<\/strong><\/td><td>Users log in via a <strong>custom Access Portal URL<\/strong> and select their AWS account and role.<\/td><td>Admins use AWS Organizations to <strong>create, manage, and secure AWS accounts<\/strong> under a hierarchy.<\/td><\/tr><tr><td><strong>User Authentication<\/strong><\/td><td>Uses <strong>AWS IAM Identity Center (formerly AWS SSO)<\/strong> or external IdPs like Okta, Azure AD, Google Workspace.<\/td><td>Uses <strong>IAM roles, SCPs, and policies<\/strong> for access control across 
accounts.<\/td><\/tr><tr><td><strong>Security &amp; Policies<\/strong><\/td><td><strong>Role-based access control (RBAC)<\/strong> per AWS account. Supports <strong>Multi-Factor Authentication (MFA)<\/strong>.<\/td><td>Uses <strong>Service Control Policies (SCPs)<\/strong> to enforce security at the organization level.<\/td><\/tr><tr><td><strong>Resource Sharing<\/strong><\/td><td><strong>Does not manage resources<\/strong>; it only provides access to AWS accounts and applications.<\/td><td>Enables <strong>cross-account resource sharing<\/strong> (VPC, Route 53, Transit Gateway, etc.).<\/td><\/tr><tr><td><strong>Billing &amp; Cost Management<\/strong><\/td><td>Does <strong>not handle billing<\/strong>; users access AWS accounts with assigned permissions.<\/td><td>Supports <strong>Consolidated Billing<\/strong>, <strong>cost tracking<\/strong>, and <strong>RI\/Savings Plan sharing<\/strong> across AWS accounts.<\/td><\/tr><tr><td><strong>Governance &amp; Compliance<\/strong><\/td><td>Logs user activities via <strong>AWS CloudTrail<\/strong> and enforces <strong>MFA for security<\/strong>.<\/td><td>Centralized <strong>account management, governance, and policy enforcement<\/strong> across all AWS accounts.<\/td><\/tr><tr><td><strong>Best Use Cases<\/strong><\/td><td>Secure login for multiple AWS accounts<br>Single Sign-On (SSO) across environments<br>Reducing IAM user credential management<\/td><td>Managing multiple AWS accounts (Prod, UAT, Stage, Dev)<br>Centralized security &amp; policy enforcement<br>Cost optimization with <strong>Consolidated Billing<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83c\udfaf Which One Should You Use?<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Use AWS Access Portal<\/strong> if you want a <strong>secure, 
easy-to-use login system<\/strong> for multiple AWS accounts.<br>\u2705 <strong>Use AWS Organizations<\/strong> if you need <strong>multi-account management, governance, and cost optimization<\/strong>.<br>\u2705 <strong>Best Practice:<\/strong> Use <strong>AWS Organizations<\/strong> to manage accounts and <strong>AWS Access Portal<\/strong> to simplify user access.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step-by-Step Guide to Setting Up AWS Access Portal for Your Company<\/h2>\n\n\n\n<p>As an <strong>IT Admin<\/strong>, setting up the <strong>AWS Access Portal<\/strong> for the first time involves enabling <strong>AWS IAM Identity Center (formerly AWS SSO)<\/strong> and configuring it to manage access across multiple AWS accounts (<strong>Prod, UAT, Staging, etc.<\/strong>).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udccc Prerequisites<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You must have <strong>Administrator<\/strong> permissions for your AWS Organization.<\/li>\n\n\n\n<li>Your AWS accounts (Prod, UAT, Staging) should be part of an <strong>AWS Organization<\/strong>.<\/li>\n\n\n\n<li>If using an <strong>External Identity Provider (IdP)<\/strong> (e.g., Okta, Azure AD, Google Workspace), ensure it&#8217;s properly configured.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 1: Enable AWS IAM Identity Center<\/strong><\/h2>\n\n\n\n<p>AWS IAM Identity Center is the core service used to manage user access across multiple AWS accounts.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Log in to AWS Management Console<\/strong>\n<ul class=\"wp-block-list\">\n<li>Go to the <strong>AWS IAM Identity Center<\/strong> (SSO) 
Console:<br>\ud83d\udc49 <a href=\"https:\/\/console.aws.amazon.com\/singlesignon\/\" target=\"_blank\" rel=\"noopener\">AWS IAM Identity Center<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Enable IAM Identity Center<\/strong>\n<ul class=\"wp-block-list\">\n<li>Click <strong>Enable IAM Identity Center<\/strong> (if not already enabled).<\/li>\n\n\n\n<li>Choose <strong>AWS Organizations<\/strong> as the directory type.<\/li>\n\n\n\n<li>Confirm the setup.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 2: Configure AWS IAM Identity Center for Multi-Account Access<\/strong><\/h2>\n\n\n\n<p>Now, you need to connect your AWS accounts (Prod, UAT, Staging) to IAM Identity Center.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to IAM Identity Center Dashboard<\/strong>\n<ul class=\"wp-block-list\">\n<li>Navigate to <strong>Accounts<\/strong> \u2192 Click <strong>AWS Accounts<\/strong>.<\/li>\n\n\n\n<li>You will see a list of AWS accounts under your <strong>AWS Organization<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Assign Users and Groups to AWS Accounts<\/strong>\n<ul class=\"wp-block-list\">\n<li>Click <strong>Assign Users<\/strong> \u2192 Select the AWS Account (e.g., Prod, UAT, Staging).<\/li>\n\n\n\n<li>Choose a <strong>User or Group<\/strong> (e.g., Developers, Admins, Ops Teams).<\/li>\n\n\n\n<li>Assign a <strong>Role<\/strong> (e.g., Administrator, ReadOnly, Developer, Custom Role).<\/li>\n\n\n\n<li>Click <strong>Confirm &amp; Assign<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Repeat<\/strong> for each AWS account (Prod, UAT, Staging).<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 3: Set Up User Authentication<\/strong><\/h2>\n\n\n\n<p>You can manage user authentication through AWS Identity Center <strong>or<\/strong> integrate 
an external IdP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option 1: Use AWS IAM Identity Center (Built-in Directory)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>Users &amp; Groups<\/strong> \u2192 Click <strong>Add User<\/strong>.<\/li>\n\n\n\n<li>Enter the user details and add the user to the appropriate groups.<\/li>\n\n\n\n<li>Assign permission sets to <strong>groups<\/strong> rather than to individual users, so that a person\u2019s access in each AWS account follows their role and can be reviewed in one place.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option 2: Integrate with External IdP (Okta, Azure AD, Google, etc.)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>Settings<\/strong> \u2192 <strong>Identity Source<\/strong>.<\/li>\n\n\n\n<li>Select <strong>External Identity Provider<\/strong>.<\/li>\n\n\n\n<li>Follow AWS\u2019s guide for your IdP. <strong>SAML 2.0<\/strong> handles sign-in; <strong>SCIM<\/strong> provisions users and groups into Identity Center automatically and removes them when they are deprovisioned in the IdP. Without SCIM you must create matching users and groups by hand, and leavers are not cleaned up.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 4: Configure the AWS Access Portal URL<\/strong><\/h2>\n\n\n\n<p>AWS provides a dedicated <strong>Access Portal URL<\/strong> for your organization.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>IAM Identity Center<\/strong> \u2192 Click <strong>Settings<\/strong>.<\/li>\n\n\n\n<li>Under <strong>Identity source<\/strong>, you\u2019ll find your organization\u2019s access portal URL (e.g., <code>https:\/\/yourcompany.awsapps.com\/start<\/code>). The subdomain can be customized only once, so choose it before sharing the URL.<\/li>\n\n\n\n<li>Share this URL with users for accessing their assigned AWS accounts.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 5: Enable MFA for Security (Recommended)<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>IAM Identity Center<\/strong> \u2192 Click <strong>Settings<\/strong> \u2192 <strong>Authentication<\/strong> \u2192 <strong>Multi-factor authentication<\/strong>.<\/li>\n\n\n\n<li>Prompt users for MFA <strong>every time they sign in<\/strong>, and require users who have no MFA device yet to register one at sign-in, so that no identity can be used without a second factor.<\/li>\n\n\n\n<li>Users register an <strong>Authenticator App<\/strong> (Google Authenticator, Authy) or, preferably, a FIDO2 <strong>security key<\/strong> or built-in authenticator, which is phishing-resistant.<\/li>\n\n\n\n<li>These settings apply only to the built-in Identity Center directory. With an external IdP (Option 2), enforce MFA in the IdP instead: Identity Center trusts the IdP\u2019s SAML assertion and does not add a second prompt.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 6: Test &amp; Verify Access<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Ask a user to <strong>log in<\/strong> to the <strong>AWS Access Portal<\/strong> using the provided URL.<\/li>\n\n\n\n<li>Check that they can switch between their assigned AWS accounts (Prod, UAT, Staging) and that accounts they were not assigned do not appear.<\/li>\n\n\n\n<li>Validate the permission sets with a negative test as well: a ReadOnly user should get an AccessDenied error on a write such as stopping an instance, not only succeed on reads.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 7: Monitor &amp; Audit Access<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Enable AWS CloudTrail Logging<\/strong>\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS CloudTrail<\/strong> \u2192 Create a trail that delivers to an S3 bucket (an organization trail covers every member account). Identity Center logs its own events under the event source <code>sso.amazonaws.com<\/code>, for example <code>Authenticate<\/code> for a portal sign-in and <code>GetRoleCredentials<\/code> when the CLI fetches credentials for an account.<\/li>\n\n\n\n<li>This gives you a durable record for compliance; the console\u2019s Event history only keeps 90 days.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Review User Access Logs<\/strong>\n<ul class=\"wp-block-list\">\n<li>In <strong>CloudTrail<\/strong> \u2192 <strong>Event history<\/strong>, filter on event source <code>sso.amazonaws.com<\/code> to see who signed in to the portal and when.<\/li>\n\n\n\n<li>In each member account, the same session appears as an <code>AssumeRoleWithSAML<\/code> event on a role named <code>AWSReservedSSO_&lt;permission-set&gt;_&lt;hash&gt;<\/code>, which tells you which permission set was used in which account.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83c\udfaf Final Outcome<\/strong><\/h2>\n\n\n\n<p>\u2705 Users can log in via the <strong>AWS Access Portal<\/strong>.<br>\u2705 They can access <strong>Prod, UAT, Staging accounts<\/strong> securely.<br>\u2705 Permissions are managed centrally via <strong>IAM Identity Center<\/strong>.<br>\u2705 MFA and logging are enabled for <strong>enhanced security<\/strong>.<\/p>\n\n\n\n<p>\ud83d\ude80 <strong>Your AWS Access Portal is now successfully set up!<\/strong> \ud83d\ude80<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step-by-Step Guide to Setting Up Multiple AWS Accounts Using AWS Organizations<\/h2>\n\n\n\n<p>Setting up multiple AWS accounts using <strong>AWS Organizations<\/strong> is a <strong>best practice<\/strong> for managing environments like <strong>Production (Prod), Staging (Stage), User Acceptance Testing (UAT), and Development (Dev)<\/strong>: each environment gets its own account, so a compromise or a mistake in Dev cannot touch Prod resources. This guide walks you through the process <strong>step-by-step<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 1: Enable AWS Organizations<\/strong><\/h2>\n\n\n\n<p><strong>AWS Organizations<\/strong> must be enabled in your <strong>management account<\/strong> (the account that creates the organization) before you can create and manage other AWS accounts. Keep this account free of workloads: SCPs never apply to it, so anyone with access to it can reach every member account through <code>OrganizationAccountAccessRole<\/code>. Protect its root user with hardware MFA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Login to AWS Organizations Console<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to the <strong>AWS Management Console<\/strong> \u2192 <strong>AWS Organizations<\/strong>.<\/li>\n\n\n\n<li>Click <strong>&#8220;Create an Organization&#8221;<\/strong>.<\/li>\n\n\n\n<li>Choose <strong>&#8220;Enable all features&#8221;<\/strong> (recommended). The consolidated-billing-only mode does not support SCPs or IAM Identity Center, and switching later requires every invited account to approve the change.<\/li>\n\n\n\n<li>Click <strong>&#8220;Confirm&#8221;<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Verify the Management Account<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS Organizations<\/strong> \u2192 <strong>Settings<\/strong>.<\/li>\n\n\n\n<li>Verify the management account\u2019s <strong>email address<\/strong> (AWS sends a confirmation email). Until it is verified you cannot invite existing accounts into the organization.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 2: Create Organizational Units 
(OUs)<\/strong><\/h2>\n\n\n\n<p>Organizational Units (OUs) allow <strong>grouping AWS accounts<\/strong> for better management and policy enforcement. A policy attached to an OU is inherited by every account and child OU beneath it, so group accounts by the policies they should share (environment, security function), not by team.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Create OUs for Different Environments<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to <strong>AWS Organizations<\/strong> \u2192 <strong>Organizational Units<\/strong>.<\/li>\n\n\n\n<li>Click <strong>&#8220;Create organizational unit&#8221;<\/strong> and build a layout like this, in which the Security OU and the Workloads OU are siblings directly under the organization root:\n<pre class=\"wp-block-code\"><code>Root\n\u251c\u2500\u2500 Management account\n\u251c\u2500\u2500 Security OU\n\u2502   \u251c\u2500\u2500 Logging account\n\u2502   \u2514\u2500\u2500 Audit account\n\u2514\u2500\u2500 Workloads OU\n    \u251c\u2500\u2500 Production (Prod account)\n    \u251c\u2500\u2500 Staging (Stage account)\n    \u251c\u2500\u2500 Testing (UAT account)\n    \u2514\u2500\u2500 Development (Dev account)<\/code><\/pre>\n<\/li>\n\n\n\n<li>Click <strong>&#8220;Create&#8221;<\/strong> for each OU.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 3: Create New AWS Accounts<\/strong><\/h2>\n\n\n\n<p>Now, you can create new AWS accounts under these OUs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Create a New AWS Account<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS Organizations<\/strong> \u2192 <strong>Accounts<\/strong>.<\/li>\n\n\n\n<li>Click <strong>&#8220;Create an AWS Account&#8221;<\/strong>.<\/li>\n\n\n\n<li>Enter the <strong>account name<\/strong> (e.g., &#8220;Prod Account&#8221;).<\/li>\n\n\n\n<li>Enter an <strong>email address<\/strong>. It must be unique across all of AWS and it becomes the root user\u2019s login, so use a mailbox your team controls (for example a plus-addressed alias of a shared security mailbox), never a personal address.<\/li>\n\n\n\n<li>Set the <strong>IAM role name<\/strong> (default is <code>OrganizationAccountAccessRole<\/code>). This role trusts the management account and grants full administrator access in the new account; keep it for break-glass use, alert on every <code>AssumeRole<\/code> into it, and give day-to-day access through IAM Identity Center instead (Step 6).<\/li>\n\n\n\n<li>Click <strong>&#8220;Create AWS account&#8221;<\/strong>, then move the account into the right OU.<\/li>\n\n\n\n<li><strong>Repeat for Stage, UAT, and Dev accounts<\/strong>. A newly created account has a root user with no password set; if you ever need it, use the password-reset flow on the account\u2019s email address and enable MFA on it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Invite Existing AWS Accounts (Optional)<\/strong><\/h3>\n\n\n\n<p>If you already have AWS accounts that you want to add:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS Organizations<\/strong> \u2192 <strong>Accounts<\/strong>.<\/li>\n\n\n\n<li>Click <strong>&#8220;Add an AWS account&#8221;<\/strong> \u2192 <strong>&#8220;Invite account&#8221;<\/strong>.<\/li>\n\n\n\n<li>Enter the <strong>account ID or email<\/strong> of the existing AWS account.<\/li>\n\n\n\n<li>Click <strong>&#8220;Invite&#8221;<\/strong>.<\/li>\n\n\n\n<li>The owner of the invited account must accept the invitation in their own AWS Organizations console. Invited accounts do <em>not<\/em> get <code>OrganizationAccountAccessRole<\/code> created automatically; create it by hand if the management account needs to reach them.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 4: Apply Service Control Policies (SCPs)<\/strong><\/h2>\n\n\n\n<p>Service Control Policies (SCPs) set the <strong>maximum<\/strong> permissions available in the accounts they are attached to. They never grant access on their own, they do not affect the management account, and a <code>Deny<\/code> in an SCP overrides any IAM policy in the member account, including for the account\u2019s root user.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Create an SCP<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS Organizations<\/strong> \u2192 <strong>Service Control Policies<\/strong>. Leave the default <code>FullAWSAccess<\/code> policy attached; without an <code>Allow<\/code> somewhere in the chain, an SCP that only contains <code>Deny<\/code> statements would block everything.<\/li>\n\n\n\n<li>Click <strong>&#8220;Create Policy&#8221;<\/strong>.<\/li>\n\n\n\n<li>Example SCP to <strong>restrict non-production accounts from destructive actions<\/strong>:\n<pre class=\"wp-block-code\"><code>{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Deny\",\n      \"Action\": [\n        \"ec2:TerminateInstances\",\n        \"s3:DeleteBucket\"\n      ],\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"ForAnyValue:StringLike\": {\n          \"aws:PrincipalOrgPaths\": [\n            \"o-xxxxx\/r-xxxxx\/ou-xxxxx\/ou-yyyyy\/*\",\n            \"o-xxxxx\/r-xxxxx\/ou-xxxxx\/ou-zzzzz\/*\"\n          ]\n        }\n      }\n    }\n  ]\n}<\/code><\/pre>\nReplace <code>o-xxxxx<\/code>, <code>r-xxxxx<\/code> and <code>ou-xxxxx<\/code> with your organization, root and Workloads OU IDs, and <code>ou-yyyyy<\/code> \/ <code>ou-zzzzz<\/code> with the Development and Testing OU IDs (shown on each OU\u2019s page). Two details matter here: <code>aws:PrincipalOrgPaths<\/code> is built from <strong>IDs<\/strong>, so names such as <code>Workloads\/Development<\/code> never match, and it is a <strong>multivalued<\/strong> key, so the condition must use the <code>ForAnyValue:<\/code> set operator rather than a bare <code>StringLike<\/code>.<\/li>\n\n\n\n<li>Attach this SCP to the <strong>Development and Testing OUs<\/strong> rather than to individual accounts, so that new accounts added to those OUs inherit it. Because an SCP only applies where it is attached, the path condition is then redundant; it is useful when one policy is attached higher up, for example at the Workloads OU, but should bite only in some child OUs.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 5: Enable Consolidated Billing 
(Optional)<\/strong><\/h2>\n\n\n\n<p>Consolidated Billing helps track and <strong>reduce costs<\/strong> across multiple AWS accounts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Check Consolidated Billing<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consolidated billing is enabled automatically when the organization is created; there is no separate switch to turn on.<\/li>\n\n\n\n<li>The <strong>management account<\/strong> is always the <strong>payer account<\/strong>: it is charged for every member account, and <strong>Billing and Cost Management<\/strong> in that account shows usage per member account.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Enable Cost Explorer &amp; Budgets<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>Billing and Cost Management<\/strong> \u2192 <strong>Cost Explorer<\/strong> and enable it in the management account.<\/li>\n\n\n\n<li>Create a <strong>Cost &amp; Usage Report<\/strong> for line-item visibility into AWS spending.<\/li>\n\n\n\n<li>Set <strong>budgets<\/strong> with alerts per AWS account. Besides controlling cost, an unexplained spike in a Dev or UAT account is often the first signal that leaked credentials are being used.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 6: Set Up IAM Identity Center (AWS SSO) for Centralized Access<\/strong><\/h2>\n\n\n\n<p>Instead of creating IAM users in every account, use <strong>AWS IAM Identity Center (SSO)<\/strong>: users sign in once, and Identity Center issues short-lived role credentials in each account they are assigned to.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Enable AWS IAM Identity Center<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>AWS IAM Identity Center<\/strong> (SSO) in the management account.<\/li>\n\n\n\n<li>Click <strong>&#8220;Enable&#8221;<\/strong> and choose <strong>Enable with AWS Organizations<\/strong>, which creates an organization instance that can assign access in every member account.<\/li>\n\n\n\n<li>The default identity source is the built-in <strong>Identity Center directory<\/strong>; you can switch it to an external IdP (Okta, Azure AD, Google) later under <strong>Settings<\/strong> \u2192 <strong>Identity source<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Assign User Access to AWS Accounts<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to <strong>IAM Identity Center<\/strong> \u2192 <strong>AWS Accounts<\/strong>.<\/li>\n\n\n\n<li>Select an AWS account (e.g., 
<strong>Prod<\/strong>).<\/li>\n\n\n\n<li>Assign <strong>users or groups<\/strong> from your identity source (the Identity Center directory, or Okta, Azure AD, Google if you connected an external IdP).<\/li>\n\n\n\n<li>Choose or create <strong>permission sets<\/strong> (Identity Center turns each one into an IAM role in the target account), for example:\n<ul class=\"wp-block-list\">\n<li><strong>Admin<\/strong> \u2192 <code>AdministratorAccess<\/code>; assign it to a small group and shorten its session duration.<\/li>\n\n\n\n<li><strong>Developer<\/strong> \u2192 <code>PowerUserAccess<\/code> on UAT &amp; Stage only.<\/li>\n\n\n\n<li><strong>ReadOnly<\/strong> \u2192 <code>ReadOnlyAccess<\/code> for view-only access, which is all most people need in Prod.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Step 7: Implement Security Best Practices<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Enable AWS CloudTrail for All Accounts<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the <strong>Security OU<\/strong>, create a <strong>Logging Account<\/strong> that owns the S3 bucket for logs; workload accounts should be able to write to it but not delete from it.<\/li>\n\n\n\n<li>From the management account, create an <strong>organization trail<\/strong> in <strong>AWS CloudTrail<\/strong> that delivers to that bucket. It records activity in every member account, including Dev and any account added later, and member accounts cannot turn it off. Enable log file validation so that tampering is detectable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Enable AWS Config for Compliance<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use AWS Config to monitor <strong>security misconfigurations<\/strong>, and set up an aggregator in the Audit account so that findings from all accounts are visible in one place.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3\ufe0f\u20e3 Use AWS Security Hub<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Designate the Audit account as the Security Hub delegated administrator to get <strong>centralized security insights<\/strong> for all AWS accounts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4\ufe0f\u20e3 Implement VPC Peering or AWS Transit Gateway<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connect networking between environments only where a workload genuinely needs it. The point of separate accounts is isolation: by default nothing in Dev should be able to route to Prod, and any link you do create should be limited with route tables and security groups to the specific flows required.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83c\udfaf Final Outcome<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Multiple AWS accounts<\/strong> for <strong>Prod, Stage, UAT, and Dev<\/strong><br>\u2705 <strong>Security policies (SCPs) 
applied<\/strong> to restrict actions<br>\u2705 <strong>IAM Identity Center (SSO) enabled<\/strong> for user access management<br>\u2705 <strong>Billing centralized<\/strong> with <strong>Consolidated Billing<\/strong><br>\u2705 <strong>Security logging &amp; monitoring enabled<\/strong> across accounts<\/p>\n\n\n\n<p><strong>\ud83d\udd25 Your AWS Organization is now fully set up and secured! \ud83d\udd25<\/strong><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is AWS Organization? AWS Organizations: An Overview AWS Organizations is a service that helps businesses centrally manage and govern multiple AWS accounts. It allows organizations to group accounts, apply&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48526","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48526"}],"version-history":[{"count":4,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48526\/revisions"}],"predecessor-version":[{"id":58900,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48526\/revisions\/58900"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschoo
l.com\/blog\/wp-json\/wp\/v2\/categories?post=48526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
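The SCP in Step 4 of the AWS Organizations guide above is the kind of policy that is easy to get subtly wrong, and the console will happily save a condition that never matches. The following is an added example, not code from the guide or from AWS: a small Python script that lints an SCP for the rules AWS enforces on Allow statements and on the aws:PrincipalOrgPaths key, then simulates the Deny for a principal in a given OU path so you can see it hit Dev/UAT and miss Prod before attaching it. The organization, root and OU IDs in it are invented placeholders, only the String* condition operators are modelled, and the simulation covers this one policy rather than the full evaluation chain with FullAWSAccess and IAM.

```python
"""Offline lint and simulation for a Service Control Policy (SCP).

Added example for the SCP step of the AWS Organizations guide; not code from
the guide or from AWS. Org, root and OU IDs below are made-up placeholders.
"""
import json
import re

# Constructed SCP with the guide's intent: deny two destructive actions for
# principals under the Development and Testing OUs (set operator + OU IDs).
SCP_TEXT = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "DenyDestructiveActionsInNonProd",
  "Effect": "Deny",
  "Action": ["ec2:TerminateInstances", "s3:DeleteBucket"],
  "Resource": "*",
  "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [
    "o-exampleorg/r-examplert/ou-wrkl-11111111/ou-dev0-22222222/*",
    "o-exampleorg/r-examplert/ou-wrkl-11111111/ou-uat0-33333333/*"]}}}]}"""

# Shape of an org path: org ID, root ID, zero or more OU IDs each followed by
# "/", optionally ending in a wildcard. OU *names* never match this.
ORG_PATH_RE = re.compile(r"^o-[a-z0-9]+/r-[a-z0-9]+/(ou-[a-z0-9]+-[a-z0-9]+/)*\*?$")


def load_scp(text):
    return json.loads(text)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _string_op(op, policy_values, ctx_values):
    """Apply one String* operator, with an optional ForAnyValue/ForAllValues prefix."""
    set_op, _, base = op.rpartition(":")
    if not base.startswith("String"):
        raise NotImplementedError(f"operator {op} is not modelled here")
    like, negate = base.endswith("Like"), base.startswith("StringNot")

    def one(v):  # does a single context value satisfy the base operator?
        return any(_wild(p, v) if like else p == v for p in policy_values) != negate

    if set_op == "ForAnyValue":
        return any(one(v) for v in ctx_values)
    if set_op == "ForAllValues":
        return all(one(v) for v in ctx_values)
    if not ctx_values:  # key absent from the request: only negated forms match
        return negate
    # A single-valued operator is only defined for a single-valued key; against
    # a multivalued key such as aws:PrincipalOrgPaths it does not match.
    return len(ctx_values) == 1 and one(ctx_values[0])

def statement_matches(stmt, action, resource, ctx):
    """Does this statement apply to the request (action, resource ARN, context)?"""
    if "NotAction" in stmt:
        if any(_wild(a, action, True) for a in _as_list(stmt["NotAction"])):
            return False
    elif not any(_wild(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    return all(_string_op(op, _as_list(pv), _as_list(ctx.get(key, [])))
               for op, kv in stmt.get("Condition", {}).items() for key, pv in kv.items())

def scp_denies(scp, action, resource, ctx):
    """True if a Deny statement matches; an SCP only ever removes permissions."""
    return any(s.get("Effect") == "Deny" and statement_matches(s, action, resource, ctx)
               for s in _as_list(scp["Statement"]))

def lint_scp(scp):
    """Return a list of problems; an empty list means the SCP passes these checks."""
    problems = []
    if scp.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, s in enumerate(_as_list(scp.get("Statement", []))):
        where = s.get("Sid", f"statement[{i}]")
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if s.get("Effect") == "Allow":  # AWS restricts Allow statements in SCPs
            if _as_list(s.get("Resource")) != ["*"]:
                problems.append(f'{where}: Allow statements must use Resource "*"')
            for k in ("Condition", "NotAction", "NotResource"):
                if k in s:
                    problems.append(f"{where}: {k} is only supported in Deny statements")
        for op, kv in s.get("Condition", {}).items():
            paths = _as_list(kv.get("aws:PrincipalOrgPaths", []))
            if paths and not op.startswith(("ForAnyValue:", "ForAllValues:")):
                problems.append(f"{where}: aws:PrincipalOrgPaths is multivalued; use ForAnyValue:{op}")
            problems += [f"{where}: {p!r} is not an org path made of IDs"
                         for p in paths if not ORG_PATH_RE.match(p)]
    return problems


if __name__ == "__main__":
    scp = load_scp(SCP_TEXT)
    print("lint:", lint_scp(scp) or "ok")
    for ou in ("ou-dev0-22222222", "ou-prod-44444444"):
        ctx = {"aws:PrincipalOrgPaths": [f"o-exampleorg/r-examplert/ou-wrkl-11111111/{ou}/"]}
        print(ou, "TerminateInstances denied:", scp_denies(scp, "ec2:TerminateInstances", "*", ctx))
```

Run it against the policy you are about to attach: `lint_scp` should come back empty, and `scp_denies` should return True for a Dev or UAT path and False for the Prod path. Feeding it the original form of the guide's condition (bare `StringLike` with `Workloads/Development`) yields two lint findings and a Deny that never fires, which is exactly what would have happened in the account.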
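Step 7 of the access-portal guide (review who signed in and what they used) and Step 7 of the Organizations guide (an organization trail, plus alerting on the OrganizationAccountAccessRole created in Step 3) both come down to reading CloudTrail records. The script below is an added example, not part of the original page or of any AWS tooling. It works on constructed records in the {"Records": [...]} layout CloudTrail writes to S3 (account IDs, user names, IPs and times are made up, and the Identity Center role ARNs are shortened) and builds three views: access portal sign-ins, permission-set sessions per user and account, and any AssumeRole into the break-glass role.

```python
"""Triage CloudTrail records from an IAM Identity Center setup.

Added example; not code from the guide or from AWS. The log below is
constructed: account IDs, users, IPs, times and role ARNs are made up.
"""
import json
from collections import defaultdict

SSO_ROLE_PREFIX = "AWSReservedSSO_"          # roles Identity Center provisions
BREAK_GLASS_ROLE = "OrganizationAccountAccessRole"

SAMPLE_LOG = json.dumps({"Records": [
    # Portal sign-in, logged in the management account under sso.amazonaws.com
    {"eventTime": "2025-02-18T09:00:01Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Unknown", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    # alice opens the Prod account (222...) with the ReadOnly permission set
    {"eventTime": "2025-02-18T09:00:20Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "SAMLUser", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/aws-reserved/"
                           "sso.amazonaws.com/AWSReservedSSO_ReadOnlyAccess_0123456789abcdef"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-02-18T09:05:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Unknown", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11"},
    # bob opens Prod as an administrator: worth a second look
    {"eventTime": "2025-02-18T09:05:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "SAMLUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/aws-reserved/"
                           "sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_fedcba9876543210"},
     "sourceIPAddress": "203.0.113.11"},
    # An IAM user in the management account uses the break-glass role in Prod
    {"eventTime": "2025-02-18T23:41:09Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole",
                           "roleSessionName": "ops"},
     "sourceIPAddress": "198.51.100.7"},
    # Unrelated API activity that the views must ignore
    {"eventTime": "2025-02-18T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "203.0.113.11"},
]})


def parse_records(text):
    return json.loads(text)["Records"]

def _role_name(rec):
    """Last path segment of requestParameters.roleArn, or '' if absent."""
    return rec.get("requestParameters", {}).get("roleArn", "").rsplit("/", 1)[-1]

def permission_set(role_name):
    """AWSReservedSSO_<permission set>_<hash> -> <permission set>, else None."""
    if not role_name.startswith(SSO_ROLE_PREFIX):
        return None
    return role_name[len(SSO_ROLE_PREFIX):].rsplit("_", 1)[0]

def portal_signins(records):
    """(time, user, source IP) for every access portal sign-in."""
    return [(r["eventTime"], r["userIdentity"].get("userName"), r.get("sourceIPAddress"))
            for r in records
            if r.get("eventSource") == "sso.amazonaws.com" and r.get("eventName") == "Authenticate"]

def permission_set_usage(records):
    """user -> [(account, permission set, time)] for Identity Center role sessions."""
    usage = defaultdict(list)
    for r in records:
        if r.get("eventName") != "AssumeRoleWithSAML":
            continue
        ps = permission_set(_role_name(r))
        if ps:
            usage[r["userIdentity"].get("userName")].append((r["recipientAccountId"], ps, r["eventTime"]))
    return dict(usage)

def break_glass_usage(records):
    """Every AssumeRole into OrganizationAccountAccessRole; each one should match a ticket."""
    return [{"time": r["eventTime"], "account": r["recipientAccountId"],
             "caller": r["userIdentity"].get("userName"), "ip": r.get("sourceIPAddress")}
            for r in records
            if r.get("eventName") == "AssumeRole" and _role_name(r) == BREAK_GLASS_ROLE]

def admin_sessions_in(records, accounts):
    """Administrator permission-set sessions in the given (e.g. production) accounts."""
    return [(user, acct, ps, t)
            for user, sessions in permission_set_usage(records).items()
            for acct, ps, t in sessions
            if acct in accounts and "Administrator" in ps]

def triage(text, prod_accounts=frozenset()):
    recs = parse_records(text)
    return {"signins": portal_signins(recs), "usage": permission_set_usage(recs),
            "break_glass": break_glass_usage(recs),
            "prod_admin": admin_sessions_in(recs, prod_accounts)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, {"222222222222"}), indent=2))
```

Point `parse_records` at a decompressed CloudTrail file from the organization trail's bucket instead of SAMPLE_LOG and the same four views apply. The Authenticate events live in the management account's records while the AssumeRoleWithSAML and AssumeRole events live in each member account's records, which is why the triage keys on the user name and target account rather than on the file they came from.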