{"id":266,"date":"2026-04-13T10:20:44","date_gmt":"2026-04-13T10:20:44","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-organizations-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/"},"modified":"2026-04-13T10:20:44","modified_gmt":"2026-04-13T10:20:44","slug":"aws-organizations-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-organizations-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/","title":{"rendered":"AWS Organizations Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Management and governance"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Management and governance<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

AWS Organizations is an AWS Management and governance service that helps you centrally manage and govern multiple AWS accounts. It provides a structured way to group accounts, apply guardrails, and manage billing across an organization.<\/p>\n\n\n\n

In simple terms: AWS Organizations lets you build an \u201caccount hierarchy\u201d (like folders and subfolders) and enforce organization-wide rules<\/strong>\u2014so teams can move fast without breaking security, compliance, or cost boundaries.<\/p>\n\n\n\n

Technically, AWS Organizations is a global AWS control-plane service<\/strong> that creates an organization with a management account<\/strong>, member accounts<\/strong>, organizational units (OUs)<\/strong>, and policies<\/strong> (most notably Service Control Policies\u2014SCPs<\/strong>). It integrates closely with identity (IAM), logging (CloudTrail), security services (Security Hub, GuardDuty, etc.), and landing-zone solutions like AWS Control Tower<\/strong>.<\/p>\n\n\n\n

The main problem it solves is the \u201cmulti-account sprawl\u201d problem: when teams create many AWS accounts for isolation (which is a best practice), it becomes hard to manage access, governance, compliance, and billing consistently. AWS Organizations gives you a centralized governance layer for that multi-account environment.<\/p>\n\n\n\n

\n

Naming note (current terminology): AWS used to refer to the \u201cmaster account.\u201d The current term is management account<\/strong>. Member accounts are member accounts<\/strong> (not \u201cchild\u201d accounts). These are terminology updates, not a different service.<\/p>\n<\/blockquote>\n\n\n\n

2. What is AWS Organizations?<\/h2>\n\n\n\n

Official purpose (what it\u2019s for):<\/strong>\nAWS Organizations helps you centrally manage and govern<\/strong> your environment as you grow and scale on AWS. It enables consolidated billing, hierarchical grouping of accounts, and organization-wide policy controls.<\/p>\n\n\n\n

Core capabilities:<\/strong>\n– Create and manage multiple AWS accounts programmatically.\n– Organize accounts into a hierarchy using roots<\/strong> and organizational units (OUs)<\/strong>.\n– Apply organization-wide governance using policies<\/strong> (for example SCPs<\/strong>).\n– Enable and manage trusted access<\/strong> with other AWS services (so those services can operate across your organization).\n– Centralize billing through consolidated billing<\/strong> and support cost allocation approaches.<\/p>\n\n\n\n

Major components:<\/strong>\n– Organization<\/strong>: The top-level container.\n– Management account<\/strong>: The account that owns the organization and pays the bill under consolidated billing.\n– Member accounts<\/strong>: Accounts that are part of the organization.\n– Root<\/strong>: The top-most node in the hierarchy (you can have one root; OUs hang under it).\n– Organizational units (OUs)<\/strong>: Groupings of accounts used for governance and delegation.\n– Policies<\/strong>: Governance documents you attach to the root, OUs, or accounts. The most common are:\n – Service Control Policies (SCPs)<\/strong> to set maximum permissions boundaries for accounts\/OUs.\n – Other organization policy types may be available depending on your AWS environment and enabled features (verify current availability in the official docs).<\/p>\n\n\n\n

Service type:<\/strong>\nA management\/governance control-plane service<\/strong> (not a data-plane service). It doesn\u2019t run your workloads; it governs how accounts and permissions are structured.<\/p>\n\n\n\n

Scope (regional\/global):<\/strong>\nAWS Organizations is considered a global service<\/strong>. You can use it from the AWS Management Console and APIs without being tied to a single Region in the way compute services are. Many integrated services remain regional (for example, GuardDuty or CloudTrail trails have region-specific behavior), but the organization structure itself is global.<\/p>\n\n\n\n

How it fits into the AWS ecosystem:<\/strong>\n– Identity foundation:<\/strong> Works with IAM and (commonly) AWS IAM Identity Center<\/strong> (successor name for AWS Single Sign-On) for workforce identity in a multi-account structure.\n– Security foundation:<\/strong> Security services can be delegated administrators across the org (service-dependent).\n– Landing zones:<\/strong> AWS Control Tower<\/strong> uses AWS Organizations under the hood to set up and govern multi-account environments.\n– Logging and audit:<\/strong> AWS CloudTrail can be configured for organization-wide visibility (for example, organization trails\u2014verify current requirements in CloudTrail docs).<\/p>\n\n\n\n

Official docs entry point:\nhttps:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_introduction.html<\/p>\n\n\n\n

3. Why use AWS Organizations?<\/h2>\n\n\n\n

Business reasons<\/h3>\n\n\n\n
    \n
  • Clear cost ownership and chargeback:<\/strong> Separate accounts per team\/product\/environment and consolidate billing for centralized payment and discounts (where applicable).<\/li>\n
  • Faster onboarding:<\/strong> Create accounts from a controlled pipeline instead of ad-hoc \u201cwho owns what?\u201d processes.<\/li>\n
  • Risk reduction:<\/strong> Avoid \u201cone big account\u201d blast radius and reduce cross-team interference.<\/li>\n<\/ul>\n\n\n\n

    Technical reasons<\/h3>\n\n\n\n
      \n
    • Strong isolation boundary:<\/strong> An AWS account is a powerful isolation boundary for IAM, service quotas, and many resource scopes.<\/li>\n
    • Central policy management:<\/strong> Apply SCPs to enforce guardrails across many accounts without managing each account independently.<\/li>\n
    • Standardized structure:<\/strong> Build repeatable patterns for dev\/test\/prod, shared services, and security accounts.<\/li>\n<\/ul>\n\n\n\n

      Operational reasons<\/h3>\n\n\n\n
        \n
      • Consistent governance at scale:<\/strong> Apply rules once to an OU and have them inherit down the tree.<\/li>\n
      • Delegation patterns:<\/strong> Delegate administration of certain AWS services to specific accounts (service-dependent) without sharing the management account broadly.<\/li>\n
      • Automation-friendly:<\/strong> Use Organizations APIs\/CLI to integrate account provisioning into CI\/CD or service catalog workflows.<\/li>\n<\/ul>\n\n\n\n

        Security\/compliance reasons<\/h3>\n\n\n\n
          \n
        • Preventive controls:<\/strong> SCPs can enforce \u201cthis account can never do X,\u201d even if someone attaches an overly permissive IAM policy locally.<\/li>\n
        • Central auditability:<\/strong> Organizations changes are logged via AWS CloudTrail management events.<\/li>\n
        • Separation of duties:<\/strong> Security teams can operate security tooling in dedicated accounts while application teams operate in separate accounts.<\/li>\n<\/ul>\n\n\n\n

          Scalability\/performance reasons<\/h3>\n\n\n\n
            \n
          • AWS Organizations helps you scale governance; it\u2019s not about runtime performance of workloads. The key \u201cscaling\u201d is organizational: more accounts, more teams, more services, more policies.<\/li>\n<\/ul>\n\n\n\n

            When teams should choose it<\/h3>\n\n\n\n
              \n
            • You expect multiple accounts<\/strong> (now or soon).<\/li>\n
            • You need central governance<\/strong> (SCP guardrails, consistent structure).<\/li>\n
            • You want consolidated billing<\/strong> with multiple accounts.<\/li>\n
            • You plan to adopt AWS Control Tower<\/strong> or a landing-zone model.<\/li>\n<\/ul>\n\n\n\n

              When teams should not choose it (or should delay)<\/h3>\n\n\n\n
                \n
              • You truly only need one account<\/strong> and don\u2019t expect growth (rare for production).<\/li>\n
              • You can\u2019t accept the operational overhead of multi-account governance yet (though starting early usually reduces long-term pain).<\/li>\n
              • Your organization is constrained by policies requiring separate payers\/contracts that cannot be consolidated (this is uncommon but can happen\u2014verify with AWS Sales\/Support if relevant).<\/li>\n<\/ul>\n\n\n\n

                4. Where is AWS Organizations used?<\/h2>\n\n\n\n

                Industries<\/h3>\n\n\n\n
                  \n
                • Finance \/ fintech:<\/strong> Strong separation of duties and strict compliance needs.<\/li>\n
                • Healthcare:<\/strong> Data segregation and auditing.<\/li>\n
                • SaaS and tech:<\/strong> Multi-tenant architectures, internal platform teams, rapid environment creation.<\/li>\n
                • Retail \/ e-commerce:<\/strong> Multiple workloads and teams with clear cost ownership.<\/li>\n
                • Public sector:<\/strong> Strong governance and workload separation.<\/li>\n<\/ul>\n\n\n\n

                  Team types<\/h3>\n\n\n\n
                    \n
                  • Platform engineering teams building internal cloud platforms.<\/li>\n
                  • DevOps\/SRE teams standardizing environments.<\/li>\n
                  • Security engineering \/ GRC teams enforcing preventive controls.<\/li>\n
                  • FinOps teams implementing chargeback and spend governance.<\/li>\n<\/ul>\n\n\n\n

                    Workloads and architectures<\/h3>\n\n\n\n
                      \n
                    • Multi-environment setups:<\/strong> Separate accounts for dev\/test\/stage\/prod.<\/li>\n
                    • Shared services model:<\/strong> Dedicated accounts for networking, CI\/CD tooling, logging, and security tooling.<\/li>\n
                    • Business-unit segmentation:<\/strong> Each BU gets an OU and multiple accounts.<\/li>\n
                    • M&A \/ multi-entity organizations:<\/strong> Separate subsidiaries in separate OUs with consistent guardrails.<\/li>\n<\/ul>\n\n\n\n

                      Real-world deployment contexts<\/h3>\n\n\n\n
                        \n
                      • Production:<\/strong> Almost always used for real governance (SCPs, separation of duties, delegated admins).<\/li>\n
                      • Dev\/test:<\/strong> Commonly used to provision ephemeral accounts or sandbox accounts with strict guardrails.<\/li>\n<\/ul>\n\n\n\n

                        5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                        Below are realistic scenarios where AWS Organizations is the right tool.<\/p>\n\n\n\n

                        1) Consolidated billing for many accounts<\/h3>\n\n\n\n
                          \n
                        • Problem:<\/strong> Multiple AWS accounts create fragmented bills and duplicated admin effort.<\/li>\n
                        • Why AWS Organizations fits:<\/strong> Consolidated billing brings accounts under one payer and provides consolidated cost visibility.<\/li>\n
                        • Example:<\/strong> A company has 12 product teams with separate AWS accounts; Finance wants a single payer and consolidated reporting.<\/li>\n<\/ul>\n\n\n\n

                          2) Organizational unit (OU) structure for environment separation<\/h3>\n\n\n\n
                            \n
                          • Problem:<\/strong> Dev and prod resources are mixed and risky.<\/li>\n
                          • Why it fits:<\/strong> You can create OUs like Dev<\/code>, Test<\/code>, Prod<\/code> and apply different governance policies.<\/li>\n
                          • Example:<\/strong> Apply stricter SCPs to Prod<\/code> while allowing broader experimentation in Dev<\/code>.<\/li>\n<\/ul>\n\n\n\n

                            3) Preventive security guardrails with Service Control Policies (SCPs)<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> A team accidentally grants admin access and creates risky public resources.<\/li>\n
                            • Why it fits:<\/strong> SCPs define the maximum allowed permissions<\/strong>, limiting what IAM policies can do.<\/li>\n
                            • Example:<\/strong> Deny disabling CloudTrail or deny creating internet gateways in sensitive accounts.<\/li>\n<\/ul>\n\n\n\n

                              4) Dedicated security tooling accounts (security OU)<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> Security tools and audit logs are spread across app accounts.<\/li>\n
                              • Why it fits:<\/strong> A security OU can host centralized tooling accounts with delegated admin where supported.<\/li>\n
                              • Example:<\/strong> One account runs Security Hub\/GuardDuty admin; findings roll up org-wide.<\/li>\n<\/ul>\n\n\n\n

                                5) Centralized logging account<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Investigations are slow because logs are distributed and mutable.<\/li>\n
                                • Why it fits:<\/strong> Multi-account design allows a dedicated log archive account; Organizations supports org-wide patterns (with CloudTrail\/other tooling).<\/li>\n
                                • Example:<\/strong> Centralize CloudTrail logs and retain them with strict access controls.<\/li>\n<\/ul>\n\n\n\n

                                  6) Account vending \/ automated account provisioning<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Creating new accounts is slow and inconsistent.<\/li>\n
                                  • Why it fits:<\/strong> Organizations APIs support programmatic account creation; Control Tower can standardize further.<\/li>\n
                                  • Example:<\/strong> An internal portal provisions new accounts into the right OU with baseline policies.<\/li>\n<\/ul>\n\n\n\n

                                    7) Delegated administration for AWS services<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Management account access is too sensitive to share widely.<\/li>\n
                                    • Why it fits:<\/strong> Many AWS services support delegated administrator<\/strong> so operations can happen in designated accounts.<\/li>\n
                                    • Example:<\/strong> Security team manages GuardDuty as delegated admin without daily use of the management account.<\/li>\n<\/ul>\n\n\n\n

                                      8) Sandbox OU with strict limits<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Engineers need experimentation but risk cost or security incidents.<\/li>\n
                                      • Why it fits:<\/strong> Place sandbox accounts into a sandbox OU with SCPs that restrict expensive services or disallow risky configurations.<\/li>\n
                                      • Example:<\/strong> Deny provisioning of certain instance families or deny creation of internet-facing load balancers (policy design required).<\/li>\n<\/ul>\n\n\n\n

                                        9) M&A: keep acquired business isolated but governed<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> An acquired company needs autonomy but must meet corporate governance.<\/li>\n
                                        • Why it fits:<\/strong> Move their accounts into a subsidiary OU and apply baseline policies while allowing BU-specific policies.<\/li>\n
                                        • Example:<\/strong> Corporate enforces logging and region restrictions; BU controls everything else.<\/li>\n<\/ul>\n\n\n\n

                                          10) Standardize tag governance (where supported)<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Cost allocation and inventory are unreliable due to inconsistent tags.<\/li>\n
                                          • Why it fits:<\/strong> Organizations supports tag governance patterns (policy support depends on AWS features enabled\u2014verify in official docs).<\/li>\n
                                          • Example:<\/strong> Enforce required tag keys like CostCenter<\/code> and Owner<\/code> for supported services.<\/li>\n<\/ul>\n\n\n\n

                                            11) Control where workloads can run (region guardrails)<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Data residency requirements prohibit non-approved Regions.<\/li>\n
                                            • Why it fits:<\/strong> SCPs can restrict API actions based on requested region (requires careful design).<\/li>\n
                                            • Example:<\/strong> Only allow us-east-1<\/code> for most services; keep global services functional.<\/li>\n<\/ul>\n\n\n\n

                                              12) Separate regulated workloads from general workloads<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> A PCI\/regulated workload needs strict separation from general product workloads.<\/li>\n
                                              • Why it fits:<\/strong> Different OUs\/accounts with tailored guardrails and logging\/monitoring patterns.<\/li>\n
                                              • Example:<\/strong> A PCI<\/code> OU with tight SCPs, restricted networking, and strong logging controls.<\/li>\n<\/ul>\n\n\n\n

                                                6. Core Features<\/h2>\n\n\n\n

                                                Feature 1: Organization and multi-account hierarchy (roots, OUs, accounts)<\/h3>\n\n\n\n
                                                  \n
                                                • What it does:<\/strong> Creates a hierarchical structure to group AWS accounts.<\/li>\n
                                                • Why it matters:<\/strong> Governance is easier when applied to groups rather than one account at a time.<\/li>\n
                                                • Practical benefit:<\/strong> Apply policies to an OU and have them inherited by all accounts within it.<\/li>\n
                                                • Caveats:<\/strong> OU design becomes foundational\u2014changing it later can be operationally disruptive if policies are tightly coupled.<\/li>\n<\/ul>\n\n\n\n

                                                  Feature 2: Consolidated billing<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Consolidates charges from multiple member accounts into the management account\u2019s bill.<\/li>\n
                                                  • Why it matters:<\/strong> Simplifies payment and can enable consolidated cost views.<\/li>\n
                                                  • Practical benefit:<\/strong> One payer, multiple accounts, consolidated reporting.<\/li>\n
                                                  • Caveats:<\/strong> Billing consolidation is not the same as full cost allocation; you still need tagging, cost categories, and reporting discipline.<\/li>\n<\/ul>\n\n\n\n

                                                    Feature 3: Centralized account management (create\/invite\/remove accounts)<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Lets you create new AWS accounts or invite existing accounts into the organization.<\/li>\n
                                                    • Why it matters:<\/strong> Standardizes account provisioning and ownership.<\/li>\n
                                                    • Practical benefit:<\/strong> Automate account vending, ensure accounts land in the right OU.<\/li>\n
                                                    • Caveats:<\/strong> Account creation has prerequisites (unique email, phone verification in some cases) and quotas. Account closure has its own lifecycle.<\/li>\n<\/ul>\n\n\n\n

                                                      Feature 4: Service Control Policies (SCPs)<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> SCPs set the maximum available permissions<\/strong> for accounts\/OUs. They do not grant permissions; they limit what IAM permissions can do.<\/li>\n
                                                      • Why it matters:<\/strong> Prevents entire classes of risky actions even if local IAM policies are overly permissive.<\/li>\n
                                                      • Practical benefit:<\/strong> Implement preventive guardrails (deny disabling logging, restrict Regions, block certain services).<\/li>\n
                                                      • Caveats:<\/strong> SCPs can lock you out of actions if misconfigured. Test in non-production OUs first. Also note that some permissions needed to manage the organization may behave differently; verify specifics in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                        Feature 5: Policy inheritance and attachment model<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Policies can be attached to the root, OUs, or accounts and inherited down the tree.<\/li>\n
                                                        • Why it matters:<\/strong> Enables layered governance (baseline + environment-specific + workload-specific).<\/li>\n
                                                        • Practical benefit:<\/strong> A \u201cbaseline\u201d SCP at root and stricter SCPs at Prod<\/code> OU.<\/li>\n
                                                        • Caveats:<\/strong> Debugging effective permission becomes harder with multiple policies. You need a strong change process.<\/li>\n<\/ul>\n\n\n\n

                                                          Feature 6: Delegated administrator (service-dependent)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Lets you designate a member account as an admin for certain AWS services across the organization.<\/li>\n
                                                          • Why it matters:<\/strong> Keeps the management account locked down while enabling central operations.<\/li>\n
                                                          • Practical benefit:<\/strong> Security tooling admin account can manage findings and configs across member accounts.<\/li>\n
                                                          • Caveats:<\/strong> Not every AWS service supports delegated admin. Each service has its own onboarding steps.<\/li>\n<\/ul>\n\n\n\n

                                                            Feature 7: Trusted access for AWS services (service integrations)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Allows supported AWS services to integrate with AWS Organizations and perform org-wide operations.<\/li>\n
                                                            • Why it matters:<\/strong> Enables centralized security, compliance, and operations tooling.<\/li>\n
                                                            • Practical benefit:<\/strong> Easier org-wide enablement\/management for supported services.<\/li>\n
                                                            • Caveats:<\/strong> Enabling trusted access is a governance decision; it expands a service\u2019s scope. Review security implications per service.<\/li>\n<\/ul>\n\n\n\n

                                                              Feature 8: Organization-level visibility and APIs<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> APIs to list accounts, OUs, policies, and organizational relationships.<\/li>\n
                                                              • Why it matters:<\/strong> Enables automation, inventory, and continuous governance.<\/li>\n
                                                              • Practical benefit:<\/strong> Build internal tooling that checks if every account is in the right OU with the right guardrails.<\/li>\n
                                                              • Caveats:<\/strong> Like many control-plane APIs, changes may be eventually consistent; design automation to handle retries.<\/li>\n<\/ul>\n\n\n\n

                                                                Feature 9: Policy types beyond SCPs (availability varies\u2014verify)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> AWS Organizations supports multiple policy types (SCPs are the most common). Other policy types exist for specific governance domains.<\/li>\n
                                                                • Why it matters:<\/strong> Allows governance beyond just permissions boundaries, depending on your needs and what AWS currently supports.<\/li>\n
                                                                • Practical benefit:<\/strong> Centralize certain governance configurations across accounts.<\/li>\n
                                                                • Caveats:<\/strong> Policy type support and service coverage can change; always confirm in the AWS Organizations User Guide.<\/li>\n<\/ul>\n\n\n\n

                                                                  Reference:\nhttps:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_manage_policies.html<\/p>\n\n\n\n

                                                                  7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                  High-level service architecture<\/h3>\n\n\n\n

                                                                  AWS Organizations is a control plane<\/strong> that maintains:\n– An organization directory<\/strong> (accounts, OUs, roots)\n– A policy engine<\/strong> for organization policies (especially SCP evaluation)\n– Integration points<\/strong> with other AWS services using trusted access and delegated admin patterns<\/p>\n\n\n\n

                                                                  When a principal (user\/role) in a member account calls an AWS API, AWS evaluates permissions roughly like this:\n1. Identity-based policies<\/strong> (IAM user\/role policies)\n2. Resource-based policies<\/strong> (where applicable)\n3. Permission boundaries \/ session policies<\/strong> (where applicable)\n4. Organizations SCPs<\/strong> (as an additional \u201cfilter\u201d that can deny actions)\n5. Other AWS authorization logic<\/strong> (service-specific)<\/p>\n\n\n\n

                                                                  Important: SCPs do not grant<\/strong> permissions. Even if an SCP allows something, IAM still must allow it.<\/p>\n\n\n\n

                                                                  Request\/data\/control flow<\/h3>\n\n\n\n
                                                                    \n
                                                                  • Control flow:<\/strong> You create OUs, accounts, and attach policies from the management account (or authorized delegated administrators for certain actions).<\/li>\n
                                                                  • Workload\/API flow:<\/strong> Member accounts run workloads normally. AWS Organizations policies influence authorization decisions for those accounts.<\/li>\n
                                                                  • Audit flow:<\/strong> Organizations API activity is logged in CloudTrail (management events). Org-wide logging patterns are typically implemented with CloudTrail, Config, and security services.<\/li>\n<\/ul>\n\n\n\n

                                                                    Key integrations<\/h3>\n\n\n\n
                                                                      \n
                                                                    • AWS Control Tower:<\/strong> Uses Organizations for account factory, OUs, and guardrails (SCP-based and detective controls).<\/li>\n
                                                                    • AWS IAM Identity Center:<\/strong> Commonly used with Organizations for centralized workforce access to multiple accounts.<\/li>\n
                                                                    • AWS CloudTrail:<\/strong> Logs Organizations API actions; org-wide trails can support centralized logging patterns (see CloudTrail docs).<\/li>\n
                                                                    • AWS security services:<\/strong> Many support org integrations and delegated admin (GuardDuty, Security Hub, Inspector, Macie\u2014verify per service).<\/li>\n
                                                                    • AWS Billing\/Cost tools:<\/strong> Consolidated billing is foundational for Cost Explorer and other billing visibility features.<\/li>\n<\/ul>\n\n\n\n

                                                                      Dependency services<\/h3>\n\n\n\n

                                                                      AWS Organizations itself has no data-plane dependencies for your workloads, but multi-account best practices commonly include:\n– Central logging (S3, CloudTrail, CloudWatch Logs)\n– Central security tooling (Security Hub, GuardDuty, IAM Identity Center)\n– Networking patterns (shared VPCs, Transit Gateway) implemented across accounts<\/p>\n\n\n\n

                                                                      Security\/authentication model<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Authentication:<\/strong> Standard AWS authentication (IAM users\/roles, federated identities).<\/li>\n
                                                                      • Authorization:<\/strong> Organizations API access is controlled by IAM permissions in the management account. SCPs then affect what member accounts can do in their own accounts.<\/li>\n
                                                                      • Separation of duties:<\/strong> Keep the management account highly restricted; use delegated admin accounts and break-glass procedures.<\/li>\n<\/ul>\n\n\n\n

                                                                        Networking model<\/h3>\n\n\n\n

                                                                        AWS Organizations is a control-plane service accessed over AWS public endpoints. No VPC endpoint is typically required (verify current endpoint options in official docs if your environment restricts outbound internet).<\/p>\n\n\n\n

                                                                        Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Enable CloudTrail for management events and ensure Organizations events are captured.<\/li>\n
                                                                        • Consider organization-wide logging and security baselines (often via Control Tower).<\/li>\n
                                                                        • Track policy changes via change management and CI\/CD for policy documents.<\/li>\n<\/ul>\n\n\n\n

                                                                          Simple architecture diagram<\/h4>\n\n\n\n
                                                                          flowchart TB\n  A[Management account<br\/>AWS Organizations] --> B[Root]\n  B --> C[OU: Security]\n  B --> D[OU: Workloads]\n  D --> E[Account: Dev]\n  D --> F[Account: Prod]\n  A --> G[SCPs \/ Org Policies]\n  G --> D\n  G --> C\n<\/code><\/pre>\n\n\n\n
                                                                          Production-style architecture diagram<\/h4>\n\n\n\n
                                                                          flowchart LR\n  subgraph Org[AWS Organization]\n    MA[Management account<br\/>Billing + Org admin]\n    R[Root]\n    OU1[OU: Security]\n    OU2[OU: Shared Services]\n    OU3[OU: Workloads]\n    A1[Log Archive account]\n    A2[Security Tooling account<br\/>Delegated admin where supported]\n    A3[Networking account]\n    P1[Prod app account]\n    D1[Dev app account]\n  end\n\n  MA --> R\n  R --> OU1\n  R --> OU2\n  R --> OU3\n  OU1 --> A1\n  OU1 --> A2\n  OU2 --> A3\n  OU3 --> P1\n  OU3 --> D1\n\n  SCP[SCP baseline + OU-specific SCPs] --> R\n  SCP --> OU1\n  SCP --> OU3\n\n  CT[CloudTrail \/ Audit] --- MA\n  CT --- A1\n  SH[Security services<br\/>(e.g., Security Hub\/GuardDuty)] --- A2\n  ID[AWS IAM Identity Center] --- MA\n  ID --- P1\n  ID --- D1\n<\/code><\/pre>\n\n\n\n
                                                                          8. Prerequisites<\/h2>\n\n\n\n
                                                                          Account\/tenancy requirements<\/h3>\n\n\n\n
                                                                            \n
                                                                          • An AWS account that will become the management account<\/strong> for AWS Organizations.<\/li>\n
                                                                          • A valid payment method for the management account (billing must be enabled).<\/li>\n
                                                                          • If creating new member accounts: unique email addresses per account.<\/li>\n<\/ul>\n\n\n\n
                                                                            Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                            You need IAM permissions in the management account to:\n– Create and manage an organization (Organizations APIs)\n– Create OUs, attach policies, and (optionally) create accounts\n– Create\/assume roles for cross-account verification steps in this lab<\/p>\n\n\n\n
                                                                            AWS-managed IAM policies often used for learning\/labs (review before use):\n– AWSOrganizationsFullAccess<\/code> (broad)\n– Additional permissions for IAM and STS actions used in the lab (for example, assuming roles)<\/p>\n\n\n\n
                                                                            In production, prefer least privilege and separate roles for:\n– Org admins\n– Billing admins\n– Security admins\n– Account provisioning pipeline<\/p>\n\n\n\n
                                                                            Billing requirements<\/h3>\n\n\n\n
                                                                              \n
                                                                            • AWS Organizations itself is typically no additional charge<\/strong>, but member accounts can incur costs when services are used.<\/li>\n<\/ul>\n\n\n\n
                                                                              CLI\/SDK\/tools needed<\/h3>\n\n\n\n
                                                                                \n
                                                                              • AWS CLI v2 installed and configured on your workstation, or use AWS CloudShell<\/strong>.<\/li>\n
                                                                              • AWS CLI install: https:\/\/docs.aws.amazon.com\/cli\/latest\/userguide\/getting-started-install.html<\/li>\n
                                                                              • Permissions to run aws organizations<\/code> commands.<\/li>\n<\/ul>\n\n\n\n
                                                                                Region availability<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • AWS Organizations is a global service<\/strong>, but AWS Management Console still asks you to pick a Region; the org features are not Region-bound in the same way as compute\/storage.<\/li>\n<\/ul>\n\n\n\n
                                                                                  Quotas\/limits<\/h3>\n\n\n\n
                                                                                  AWS Organizations has service quotas (examples include limits for number of accounts, OUs, SCP size, etc.). Do not rely on memory\u2014check the current quotas here:\nhttps:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_reference_limits.html<\/p>\n\n\n\n
                                                                                  Prerequisite services (optional but common)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • AWS CloudTrail for audit logging<\/li>\n
                                                                                  • AWS IAM Identity Center for workforce SSO across accounts<\/li>\n
                                                                                  • AWS Control Tower for landing zone automation (optional)<\/li>\n<\/ul>\n\n\n\n
                                                                                    9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                    Current pricing model (accurate, non-fabricated)<\/h3>\n\n\n\n
                                                                                    AWS Organizations is generally offered at no additional charge<\/strong>. You pay for the AWS resources and services you use in each account (and for any integrated services you enable).<\/p>\n\n\n\n
                                                                                    Verify on the official pricing page (or Organizations product page links):\n– AWS Organizations product page: https:\/\/aws.amazon.com\/organizations\/\n– AWS Pricing Calculator: https:\/\/calculator.aws\/#\/<\/p>\n\n\n\n
                                                                                    \n
                                                                                    If pricing or special features change over time, verify the current model in official AWS pricing documentation.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                    Pricing dimensions<\/h3>\n\n\n\n
                                                                                    While AWS Organizations itself is typically free, your total cost is driven by:\n– Number of accounts (indirectly increases:\n  – Logging costs (CloudTrail, S3 storage)\n  – Security service costs (GuardDuty, Security Hub, etc.)\n  – Compliance tooling costs (Config, etc.)\n– Policy-driven architecture decisions:\n  – Centralized logging (S3, CloudWatch Logs, KMS)\n  – Cross-account networking (Transit Gateway, VPC sharing, etc.)\n– Automation and operations:\n  – CI\/CD pipelines, configuration management, inventory tooling<\/p>\n\n\n\n
                                                                                    Free tier<\/h3>\n\n\n\n
                                                                                    AWS Organizations is not commonly described with a \u201cfree tier\u201d because it\u2019s generally not billed directly. Your member accounts may use the AWS Free Tier for certain services depending on eligibility.<\/p>\n\n\n\n
                                                                                    Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • CloudTrail:<\/strong> Organization-wide logging increases event volume and storage.<\/li>\n
                                                                                    • AWS Config:<\/strong> Multi-account compliance at scale can become a notable cost driver.<\/li>\n
                                                                                    • Security services:<\/strong> Enabling org-wide threat detection across accounts increases per-account\/per-Region charges.<\/li>\n
                                                                                    • KMS:<\/strong> Encrypting centralized logs can add KMS request costs.<\/li>\n
                                                                                    • Data transfer:<\/strong> Centralized logging and cross-account architectures can create inter-Region or inter-AZ transfer costs (depending on design).<\/li>\n<\/ul>\n\n\n\n
                                                                                      Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                      AWS Organizations doesn\u2019t move your workload data. But the operating model it enables (central logs, central security, shared services) can cause:\n– Cross-account and cross-Region log delivery costs\n– VPC networking and routing costs (TGW, NAT, inter-Region peering, etc.)<\/p>\n\n\n\n
                                                                                      How to optimize cost<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Start with a minimal account set<\/strong> (for example: management, security, logging, shared services, workloads).<\/li>\n
                                                                                      • Use SCPs to reduce accidental spend<\/strong> (for example, blocking certain expensive services in sandbox).<\/li>\n
                                                                                      • Centralize logs, but apply lifecycle policies and retention aligned to compliance.<\/li>\n
                                                                                      • Use cost allocation tags and cost categories consistently from the start.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                                        A learning setup can be near-zero incremental cost if you:\n– Create OUs and SCPs only (no workload resources)\n– Avoid enabling paid security services org-wide\n– Avoid storing logs for long periods<\/p>\n\n\n\n
                                                                                        Costs appear when you create billable resources (EC2, NAT Gateways, extensive CloudTrail data events, Config rules, etc.).<\/p>\n\n\n\n
                                                                                        Example production cost considerations<\/h3>\n\n\n\n
                                                                                        In production, your cost model typically includes:\n– Central logging storage + KMS encryption + lifecycle\n– Security tooling across accounts\/Regions\n– CI\/CD and shared services accounts\n– Networking hub\/spoke and egress controls<\/p>\n\n\n\n
                                                                                        Because pricing is Region- and usage-dependent, use the AWS Pricing Calculator<\/strong> and service pricing pages for each integrated service.<\/p>\n\n\n\n
                                                                                        10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                        Objective<\/h3>\n\n\n\n
                                                                                        Create a basic multi-account governance structure with AWS Organizations:\n1. Confirm or create an organization.\n2. Create an OU structure.\n3. Create a member account (or use an existing one).\n4. Create and attach an SCP that restricts API calls to a single allowed Region (carefully designed).\n5. Validate the SCP by attempting actions in allowed vs disallowed Regions.\n6. Clean up.<\/p>\n\n\n\n
                                                                                        This lab focuses on AWS Organizations itself (Management and governance). It avoids expensive resources and keeps risk low, but SCPs can break access<\/strong> if misapplied\u2014follow the steps exactly and test on a non-production account.<\/p>\n\n\n\n
                                                                                        Lab Overview<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Environment:<\/strong> One management account + one member account.<\/li>\n
                                                                                        • Tools:<\/strong> AWS CLI v2 (CloudShell is fine).<\/li>\n
                                                                                        • Outcome:<\/strong> You will have:<\/li>\n
                                                                                        • An OU called Workloads-Lab<\/code><\/li>\n
                                                                                        • A member account placed into that OU<\/li>\n
                                                                                        • An SCP attached to that OU that denies actions in non-approved Regions (with safeguards)<\/li>\n<\/ul>\n\n\n\n
                                                                                          \n
                                                                                          Important: Region-restriction SCPs are subtle. This lab uses StringNotEqualsIfExists<\/code> to avoid denying global services when the Region context key is absent. Always verify against official IAM condition key behavior.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                          \n\n\n\n
                                                                                          Step 1: Configure AWS CLI and confirm identity<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          1. \n
                                                                                            Open AWS CloudShell<\/strong> in the management account, or use your local terminal with AWS CLI configured.<\/p>\n<\/li>\n
                                                                                          2. \n
                                                                                            Confirm who you are:<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                            aws sts get-caller-identity\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong> You see the Account<\/code> ID of your management account identity and an ARN for your IAM user\/role.<\/p>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 2: Check if AWS Organizations is already enabled<\/h3>\n\n\n\n
                                                                                            Run:<\/p>\n\n\n\n
                                                                                            aws organizations describe-organization\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong>\n– If you already have an organization, you\u2019ll see details including the organization ID (like o-xxxxxxxxxx<\/code>) and feature set.\n– If you get an error such as AWSOrganizationsNotInUseException<\/code>, then you don\u2019t have an org yet.<\/p>\n\n\n\n
                                                                                            If you don\u2019t have an org, create one:<\/p>\n\n\n\n
                                                                                            aws organizations create-organization --feature-set ALL\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong> The organization is created with ALL<\/strong> features enabled.<\/p>\n\n\n\n
                                                                                            \n
                                                                                            Notes:\n– AWS Organizations has two primary modes: consolidated billing only vs \u201cAll features.\u201d Most governance features (like SCPs) require All features<\/strong>.\n– If you are adopting AWS Control Tower, it also expects an AWS Organizations foundation.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                            Verify:<\/p>\n\n\n\n
                                                                                            aws organizations describe-organization\n<\/code><\/pre>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 3: Create an OU for the lab<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            1. Get the Root ID:<\/li>\n<\/ol>\n\n\n\n
                                                                                              aws organizations list-roots\n<\/code><\/pre>\n\n\n\n
                                                                                              Copy the Id<\/code> value (example: r-xxxx<\/code>).<\/p>\n\n\n\n
                                                                                                \n
                                                                                              1. Create an OU named Workloads-Lab<\/code> under the root:<\/li>\n<\/ol>\n\n\n\n
                                                                                                ROOT_ID=\"r-xxxx\"   # replace with your root id\naws organizations create-organizational-unit \\\n  --parent-id \"$ROOT_ID\" \\\n  --name \"Workloads-Lab\"\n<\/code><\/pre>\n\n\n\n
                                                                                                Expected outcome:<\/strong> You get an OU object with an Id<\/code> like ou-xxxx-yyyyyyyy<\/code>.<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                1. Store the OU ID for later:<\/li>\n<\/ol>\n\n\n\n
                                                                                                  OU_ID=\"ou-xxxx-yyyyyyyy\"  # replace with your OU id\n<\/code><\/pre>\n\n\n\n
                                                                                                  Verify:<\/p>\n\n\n\n
                                                                                                  aws organizations list-organizational-units-for-parent --parent-id \"$ROOT_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 4: Create (or attach) a member account<\/h3>\n\n\n\n
                                                                                                  You have two options:<\/p>\n\n\n\n
                                                                                                  Option A (recommended for a real test): Create a new member account<\/h4>\n\n\n\n
                                                                                                  Creating accounts is realistic but can take time and requires a unique email address.<\/p>\n\n\n\n
                                                                                                  aws organizations create-account \\\n  --email \"unique-email@example.com\" \\\n  --account-name \"org-lab-member-1\" \\\n  --role-name \"OrganizationAccountAccessRole\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> You get a CreateAccountStatus<\/code> with an Id<\/code>.<\/p>\n\n\n\n
                                                                                                  Account creation is asynchronous. Poll until it succeeds:<\/p>\n\n\n\n
                                                                                                  STATUS_ID=\"car-xxxxxxx\"  # replace with the returned status Id\naws organizations describe-create-account-status --create-account-request-id \"$STATUS_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  When status becomes SUCCEEDED<\/code>, note the new AccountId<\/code>.<\/p>\n\n\n\n
                                                                                                  List accounts to confirm:<\/p>\n\n\n\n
                                                                                                  aws organizations list-accounts\n<\/code><\/pre>\n\n\n\n
                                                                                                  Option B: Invite an existing AWS account into the org<\/h4>\n\n\n\n
                                                                                                  If you already have a separate AWS account you control, you can invite it:<\/p>\n\n\n\n
                                                                                                  aws organizations invite-account-to-organization \\\n  --target '{\"Type\":\"ACCOUNT\",\"Id\":\"123456789012\"}' \\\n  --notes \"Org lab invite\"\n<\/code><\/pre>\n\n\n\n
                                                                                                  Expected outcome:<\/strong> An invitation is sent. You must accept it from the invited account (console or CLI).\nAcceptance is performed in the invited account (verify steps in official docs):\nhttps:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_manage_accounts_invites.html<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 5: Move the member account into the OU<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  1. Identify the member account ID (from Step 4). Set variables:<\/li>\n<\/ol>\n\n\n\n
                                                                                                    MEMBER_ACCOUNT_ID=\"123456789012\"  # replace\n<\/code><\/pre>\n\n\n\n
                                                                                                      \n
                                                                                                    1. Determine the current parent of that account (often the root):<\/li>\n<\/ol>\n\n\n\n
                                                                                                      aws organizations list-parents --child-id \"$MEMBER_ACCOUNT_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                      Set:<\/p>\n\n\n\n
                                                                                                      CURRENT_PARENT_ID=\"r-xxxx\"  # replace with the returned parent Id\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n
                                                                                                      1. Move account into Workloads-Lab<\/code> OU:<\/li>\n<\/ol>\n\n\n\n
                                                                                                        aws organizations move-account \\\n  --account-id \"$MEMBER_ACCOUNT_ID\" \\\n  --source-parent-id \"$CURRENT_PARENT_ID\" \\\n  --destination-parent-id \"$OU_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> No output on success.<\/p>\n\n\n\n
                                                                                                        Verify:<\/p>\n\n\n\n
                                                                                                        aws organizations list-accounts-for-parent --parent-id \"$OU_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 6: Create an SCP that restricts Regions (lab-safe pattern)<\/h3>\n\n\n\n
                                                                                                        This SCP denies actions when the requested region is not us-east-1<\/code>. It uses StringNotEqualsIfExists<\/code> to reduce impact on global services.<\/p>\n\n\n\n
                                                                                                          \n
                                                                                                        1. Create a policy document file deny-non-us-east-1.json<\/code>:<\/li>\n<\/ol>\n\n\n\n
                                                                                                          cat > deny-non-us-east-1.json << 'EOF'\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"DenyRequestsOutsideUsEast1\",\n      \"Effect\": \"Deny\",\n      \"Action\": \"*\",\n      \"Resource\": \"*\",\n      \"Condition\": {\n        \"StringNotEqualsIfExists\": {\n          \"aws:RequestedRegion\": \"us-east-1\"\n        }\n      }\n    }\n  ]\n}\nEOF\n<\/code><\/pre>\n\n\n\n
                                                                                                            \n
                                                                                                          1. Create the SCP in AWS Organizations:<\/li>\n<\/ol>\n\n\n\n
                                                                                                            aws organizations create-policy \\\n  --name \"DenyNonUsEast1Lab\" \\\n  --description \"LAB: Deny API actions outside us-east-1 using RequestedRegion condition\" \\\n  --type \"SERVICE_CONTROL_POLICY\" \\\n  --content file:\/\/deny-non-us-east-1.json\n<\/code><\/pre>\n\n\n\n
                                                                                                            Expected outcome:<\/strong> Output includes a policy Id<\/code> like p-xxxxxxx<\/code>.<\/p>\n\n\n\n
                                                                                                            Set:<\/p>\n\n\n\n
                                                                                                            SCP_ID=\"p-xxxxxxx\"  # replace\n<\/code><\/pre>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 7: Attach the SCP to the lab OU<\/h3>\n\n\n\n
                                                                                                            Attach:<\/p>\n\n\n\n
                                                                                                            aws organizations attach-policy --policy-id \"$SCP_ID\" --target-id \"$OU_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                            Expected outcome:<\/strong> No output on success.<\/p>\n\n\n\n
                                                                                                            Verify attachment:<\/p>\n\n\n\n
                                                                                                            aws organizations list-policies-for-target --target-id \"$OU_ID\" --filter SERVICE_CONTROL_POLICY\n<\/code><\/pre>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 8: Validate by assuming into the member account and testing Regions<\/h3>\n\n\n\n
                                                                                                            To test the SCP effect, assume the cross-account role in the member account (created by Organizations account creation flow if you used Option A; for existing accounts, ensure a role exists and trust is configured).<\/p>\n\n\n\n
                                                                                                              \n
                                                                                                            1. Assume role:<\/li>\n<\/ol>\n\n\n\n
                                                                                                              ROLE_ARN=\"arn:aws:iam::${MEMBER_ACCOUNT_ID}:role\/OrganizationAccountAccessRole\"\n\naws sts assume-role \\\n  --role-arn \"$ROLE_ARN\" \\\n  --role-session-name \"org-scp-lab\"\n<\/code><\/pre>\n\n\n\n
                                                                                                              Copy the returned AccessKeyId<\/code>, SecretAccessKey<\/code>, and SessionToken<\/code>.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Export temporary credentials (in the same shell):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                export AWS_ACCESS_KEY_ID=\"ASIA...\"\nexport AWS_SECRET_ACCESS_KEY=\"...\"\nexport AWS_SESSION_TOKEN=\"...\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. Test an allowed Region action (example: list S3 buckets is global-ish; for a clearer region test, create a bucket in us-east-1 vs us-west-2).\nFirst, try creating an S3 bucket in us-east-1<\/strong> (allowed). Bucket names must be globally unique\u2014change the suffix:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  BUCKET_ALLOWED=\"org-scp-lab-allowed-$(date +%s)\"\naws s3api create-bucket \\\n  --bucket \"$BUCKET_ALLOWED\" \\\n  --region us-east-1\n<\/code><\/pre>\n\n\n\n
                                                                                                                  Expected outcome:<\/strong> Bucket creation succeeds.<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Now try creating a bucket in us-west-2<\/strong> (should be denied by SCP). Again, use a unique name:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    BUCKET_DENIED=\"org-scp-lab-denied-$(date +%s)\"\naws s3api create-bucket \\\n  --bucket \"$BUCKET_DENIED\" \\\n  --region us-west-2 \\\n  --create-bucket-configuration LocationConstraint=us-west-2\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> The request fails with an explicit deny<\/strong>. The error often indicates an authorization failure due to an explicit deny (from Organizations\/SCP evaluation).<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                    If you don\u2019t see an explicit deny, confirm:\n– The account is in the correct OU\n– The SCP is attached to that OU\n– The organization is using \u201cAll features\u201d\n– Your request really targets us-west-2<\/code><\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Validation<\/h3>\n\n\n\n
                                                                                                                    Use these checks back in the management account context (remove the temporary creds or open a new shell).<\/p>\n\n\n\n
                                                                                                                      \n
                                                                                                                    1. Confirm the account\u2019s parent OU:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                      aws organizations list-parents --child-id \"$MEMBER_ACCOUNT_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. Confirm SCPs attached to the OU:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        aws organizations list-policies-for-target --target-id \"$OU_ID\" --filter SERVICE_CONTROL_POLICY\n<\/code><\/pre>\n\n\n\n
                                                                                                                          \n
                                                                                                                        1. Confirm the SCP content (fetch and review):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          aws organizations describe-policy --policy-id \"$SCP_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                          You should see the JSON policy content you created.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Troubleshooting<\/h3>\n\n\n\n
                                                                                                                          Common issues and realistic fixes:<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. \n
                                                                                                                            AWSOrganizationsNotInUseException<\/code><\/strong>\n– Cause:<\/strong> Organization not created yet.\n– Fix:<\/strong> Run create-organization --feature-set ALL<\/code> in the management account.<\/p>\n<\/li>\n
                                                                                                                          2. \n
                                                                                                                            SCP seems to have no effect<\/strong>\n– Cause:<\/strong> The org might not have \u201cAll features,\u201d the account isn\u2019t in the target OU, or the policy isn\u2019t attached.\n– Fix:<\/strong> Verify feature set with describe-organization<\/code>, confirm OU placement with list-parents<\/code>, and confirm attachment with list-policies-for-target<\/code>.<\/p>\n<\/li>\n
                                                                                                                          3. \n
                                                                                                                            AssumeRole fails (AccessDenied<\/code>)<\/strong>\n– Cause:<\/strong> The role may not exist in the member account, or trust\/permissions aren\u2019t correct.\n– Fix:<\/strong> If you created the account via Organizations and specified --role-name OrganizationAccountAccessRole<\/code>, it should exist. For invited accounts, create a cross-account role in the member account and allow the management account principal to assume it.<\/p>\n<\/li>\n
                                                                                                                          4. \n
                                                                                                                            Bucket creation fails in us-east-1<\/strong>\n– Cause:<\/strong> Bucket name not unique or S3 policy restrictions.\n– Fix:<\/strong> Use a unique name; ensure you\u2019re using correct regional parameters.<\/p>\n<\/li>\n
                                                                                                                          5. \n
                                                                                                                            You accidentally blocked needed actions with SCP<\/strong>\n– Cause:<\/strong> SCP denies too broadly.\n– Fix:<\/strong> Detach the SCP from the OU from the management account, or move the account out of that OU. Always test on non-prod first.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Cleanup<\/h3>\n\n\n\n
                                                                                                                            Cleanup is important to avoid confusion later.<\/p>\n\n\n\n
                                                                                                                              \n
                                                                                                                            1. If still assumed into the member role, unset temporary credentials:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                              unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN\n<\/code><\/pre>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. Delete the S3 bucket created in us-east-1 (if created):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                aws s3api delete-bucket --bucket \"$BUCKET_ALLOWED\" --region us-east-1\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                1. Detach the SCP:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                  aws organizations detach-policy --policy-id \"$SCP_ID\" --target-id \"$OU_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  1. Delete the SCP:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                    aws organizations delete-policy --policy-id \"$SCP_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    1. (Optional) Move the member account back to root if desired:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                      aws organizations move-account \\\n  --account-id \"$MEMBER_ACCOUNT_ID\" \\\n  --source-parent-id \"$OU_ID\" \\\n  --destination-parent-id \"$ROOT_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      1. Delete the OU (must be empty):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                        aws organizations delete-organizational-unit --organizational-unit-id \"$OU_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        1. \n
                                                                                                                                          If you created a member account just for the lab:\n– You can remove it from the organization, but closing an AWS account<\/strong> is a separate process and has implications. Follow AWS official guidance for account closure and be cautious.<\/p>\n<\/li>\n
                                                                                                                                        2. \n
                                                                                                                                          If this entire organization was only for a lab and you want to delete it:\n– You must remove\/close member accounts so only the management account remains, then delete the organization (verify exact requirements in official docs):\nhttps:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_manage_org_delete.html<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                          11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                          Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Adopt a multi-account strategy early.<\/strong> Retrofitting governance into a single \u201cmega account\u201d is painful.<\/li>\n
                                                                                                                                          • Use a standard OU layout<\/strong> aligned to business and risk:<\/li>\n
                                                                                                                                          • Common pattern: Security<\/code>, SharedServices<\/code>, Workloads<\/code> with sub-OUs like Prod<\/code>, NonProd<\/code>, Sandbox<\/code>.<\/li>\n
                                                                                                                                          • Prefer separate accounts<\/strong> for:<\/li>\n
                                                                                                                                          • Logging (log archive)<\/li>\n
                                                                                                                                          • Security tooling<\/li>\n
                                                                                                                                          • Shared networking<\/li>\n
                                                                                                                                          • CI\/CD tooling<\/li>\n
                                                                                                                                          • Keep the management account special:<\/strong> Use it primarily for organization management and billing, not for hosting workloads.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Use AWS IAM Identity Center<\/strong> (where appropriate) for workforce access across accounts; avoid long-lived IAM users.<\/li>\n
                                                                                                                                            • Least privilege for Organizations administration:<\/strong> Separate roles for:<\/li>\n
                                                                                                                                            • Organization admins<\/li>\n
                                                                                                                                            • Account provisioning operators<\/li>\n
                                                                                                                                            • Security policy admins<\/li>\n
                                                                                                                                            • Use SCPs as guardrails, not as your whole IAM strategy.<\/strong><\/li>\n
                                                                                                                                            • Test SCPs in a sandbox OU first.<\/strong> SCP mistakes can block business operations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Cost best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Use multiple accounts to improve cost attribution<\/strong>.<\/li>\n
                                                                                                                                              • Apply consistent tagging strategies and cost categories (outside Organizations itself).<\/li>\n
                                                                                                                                              • Create sandbox accounts and use SCPs to reduce accidental high-cost provisioning (careful design required).<\/li>\n
                                                                                                                                              • Centralize expensive tooling thoughtfully; evaluate per-account enablement costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Performance best practices<\/h3>\n\n\n\n
                                                                                                                                                AWS Organizations is not a workload performance service. The key \u201cperformance\u201d best practice is operational scalability<\/strong>:\n– Use automation (CLI\/SDK\/IaC) for repetitive organization tasks.\n– Avoid manual, one-off policy changes in production.<\/p>\n\n\n\n
                                                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Treat org governance changes like production changes: reviews, approvals, rollback plans.<\/li>\n
                                                                                                                                                • Use break-glass access patterns for emergencies (separate accounts\/roles, strong MFA, auditing).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Enable CloudTrail and log all Organizations changes.<\/li>\n
                                                                                                                                                  • Document OU\/policy intent clearly (policy descriptions, internal docs).<\/li>\n
                                                                                                                                                  • Keep a policy repository (version control) for SCP JSON documents.<\/li>\n
                                                                                                                                                  • Use delegated admins for supported services instead of broad access to the management account.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Name OUs and accounts consistently:<\/li>\n
                                                                                                                                                    • prod-<app><\/code>, nonprod-<app><\/code>, shared-network<\/code>, security-tooling<\/code>, log-archive<\/code><\/li>\n
                                                                                                                                                    • Decide early whether OU structure maps to:<\/li>\n
                                                                                                                                                    • environments (prod\/non-prod), or<\/li>\n
                                                                                                                                                    • business units, or<\/li>\n
                                                                                                                                                    • risk tiers\n  Mixing all three without a plan can lead to confusion.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Organizations administration is controlled by IAM permissions in the management account<\/strong>.<\/li>\n
                                                                                                                                                      • SCPs affect what principals in member accounts can do (and can enforce preventive controls).<\/li>\n
                                                                                                                                                      • Use role-based access and federation for human access; minimize long-lived credentials.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Encryption<\/h3>\n\n\n\n
                                                                                                                                                        AWS Organizations doesn\u2019t store your application data, so encryption topics mainly apply to what you build around it:\n– Encrypt centralized logs (S3 + KMS) in log archive accounts.\n– Encrypt security findings storage where applicable.<\/p>\n\n\n\n
                                                                                                                                                        Network exposure<\/h3>\n\n\n\n
                                                                                                                                                        Organizations is accessed through AWS APIs. Your main exposure is:\n– Who can call Organizations APIs?\n– Who can change SCPs\/OUs\/accounts?<\/p>\n\n\n\n
                                                                                                                                                        Restrict these actions heavily and require strong authentication.<\/p>\n\n\n\n
                                                                                                                                                        Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Don\u2019t embed account access keys in automation. Use:<\/li>\n
                                                                                                                                                        • STS assume-role with short-lived credentials<\/li>\n
                                                                                                                                                        • IAM Identity Center for human access<\/li>\n
                                                                                                                                                        • Store sensitive automation secrets in AWS Secrets Manager or similar services, not in code repositories.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Ensure CloudTrail logs Organizations actions.<\/li>\n
                                                                                                                                                          • Consider centralizing CloudTrail logs in a dedicated log archive account.<\/li>\n
                                                                                                                                                          • Monitor for changes to:<\/li>\n
                                                                                                                                                          • SCP attachments<\/li>\n
                                                                                                                                                          • account movement between OUs<\/li>\n
                                                                                                                                                          • delegated admin registration<\/li>\n
                                                                                                                                                          • trusted access enablement<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                            Organizations helps implement preventive controls, but compliance requires broader controls:\n– Detective controls (Config, Security Hub, etc.)\n– Evidence retention (logs)\n– Separation of duties and access reviews<\/p>\n\n\n\n
                                                                                                                                                            Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Using the management account for day-to-day workload operations.<\/li>\n
                                                                                                                                                            • Attaching overly broad \u201cdeny\u201d SCPs to the wrong OU.<\/li>\n
                                                                                                                                                            • No break-glass path for production incidents.<\/li>\n
                                                                                                                                                            • Enabling service integrations\/trusted access without security review.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Implement a landing zone (AWS Control Tower or an equivalent custom design) for consistent baselines.<\/li>\n
                                                                                                                                                              • Separate duties across accounts and roles:<\/li>\n
                                                                                                                                                              • Security OU<\/li>\n
                                                                                                                                                              • Logging account<\/li>\n
                                                                                                                                                              • Shared services\/networking account<\/li>\n
                                                                                                                                                              • Maintain policy-as-code for SCPs with peer review.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                Use these as a checklist before production rollout.<\/p>\n\n\n\n
                                                                                                                                                                Known limitations \/ quotas<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Limits exist for:<\/li>\n
                                                                                                                                                                • number of accounts per organization<\/li>\n
                                                                                                                                                                • number of OUs and nesting depth<\/li>\n
                                                                                                                                                                • number and size of policies (SCP size limits)<\/li>\n
                                                                                                                                                                • API request rates\nCheck official quotas: https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_reference_limits.html<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Regional constraints<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • AWS Organizations is global, but the services you govern are regional<\/strong>. SCP \u201cregion restrictions\u201d must be carefully designed and tested.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Pricing surprises (indirect)<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Organizations itself is usually free, but org-wide enablement<\/strong> of:<\/li>\n
                                                                                                                                                                    • CloudTrail data events<\/li>\n
                                                                                                                                                                    • AWS Config rules<\/li>\n
                                                                                                                                                                    • Security services\ncan scale costs quickly across accounts and Regions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Some AWS services integrate with Organizations only when:<\/li>\n
                                                                                                                                                                      • \u201cAll features\u201d is enabled<\/li>\n
                                                                                                                                                                      • trusted access is enabled<\/li>\n
                                                                                                                                                                      • delegated admin is configured\nAlways follow the specific service\u2019s setup guide.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • SCP debugging<\/strong> can be difficult when multiple SCPs are inherited. Keep policies modular and well documented.<\/li>\n
                                                                                                                                                                        • Account creation and moves may be eventually consistent<\/strong>\u2014automation should retry.<\/li>\n
                                                                                                                                                                        • Invited accounts require acceptance and may have constraints if they are already in another organization.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Migrating from a single account to multi-account often requires:<\/li>\n
                                                                                                                                                                          • refactoring IAM and CI\/CD<\/li>\n
                                                                                                                                                                          • redesigning networking<\/li>\n
                                                                                                                                                                          • rethinking logging and incident response<\/li>\n
                                                                                                                                                                          • Migrating existing independent accounts into one organization requires:<\/li>\n
                                                                                                                                                                          • aligning guardrails<\/li>\n
                                                                                                                                                                          • reconciling billing ownership<\/li>\n
                                                                                                                                                                          • handling service-linked roles and delegated administration transitions<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • The management account has special significance; avoid relying on assumptions. Confirm behaviors (especially around SCP effects and billing responsibilities) in official docs for your exact setup.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                              AWS Organizations is the native AWS solution for multi-account management and governance. Alternatives are typically:\n– Other AWS governance services that complement Organizations\n– Equivalent constructs in other cloud providers\n– Self-managed processes (manual accounts, scripts) that don\u2019t provide the same control-plane governance<\/p>\n\n\n\n
                                                                                                                                                                              Comparison table<\/h3>\n\n\n\n
                                                                                                                                                                              \n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                              Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                              AWS Organizations<\/strong><\/td>\nMulti-account governance and billing on AWS<\/td>\nNative integration, OU hierarchy, SCP guardrails, consolidated billing<\/td>\nRequires planning; SCP mistakes can be disruptive<\/td>\nAny serious multi-account AWS environment<\/td>\n<\/tr>\n
                                                                                                                                                                              AWS Control Tower<\/strong><\/td>\nLanding zone + guardrails + account factory<\/td>\nOpinionated best practices; automates org setup; guardrails<\/td>\nLess flexible than fully custom; adds operational model<\/td>\nYou want a standardized landing zone quickly<\/td>\n<\/tr>\n
                                                                                                                                                                              AWS IAM (single account)<\/strong><\/td>\nSmall single-account setups<\/td>\nSimple; fewer moving parts<\/td>\nDoesn\u2019t scale; weak isolation; no OU\/SCP layer<\/td>\nOnly for very small or temporary environments<\/td>\n<\/tr>\n
                                                                                                                                                                              AWS Resource Access Manager (RAM)<\/strong><\/td>\nSharing resources across AWS accounts<\/td>\nMakes multi-account sharing easier<\/td>\nNot a replacement for governance and billing<\/td>\nUse alongside Organizations for cross-account sharing<\/td>\n<\/tr>\n
                                                                                                                                                                              Azure Management Groups + Azure Policy<\/strong><\/td>\nAzure multi-subscription governance<\/td>\nStrong policy governance in Azure<\/td>\nDifferent cloud, different primitives<\/td>\nIf your platform is Microsoft Azure<\/td>\n<\/tr>\n
                                                                                                                                                                              Google Cloud Organization\/Folder\/Projects + Org Policy<\/strong><\/td>\nGCP governance<\/td>\nStrong org\/folder policies in GCP<\/td>\nDifferent cloud model<\/td>\nIf your platform is Google Cloud<\/td>\n<\/tr>\n
                                                                                                                                                                              Self-managed (manual multi-account)<\/strong><\/td>\nVery small setups avoiding centralized governance<\/td>\nLow initial complexity<\/td>\nLacks centralized controls, error-prone<\/td>\nOnly if you cannot use Organizations (rare)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                              15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                              Enterprise example: regulated company with strict governance<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Problem:<\/strong> A financial services enterprise has 200+ AWS accounts across multiple teams. They need strict preventive controls, centralized audit logging, and separation of duties for compliance.<\/li>\n
                                                                                                                                                                              • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                              • AWS Organizations with OUs: Security<\/code>, SharedServices<\/code>, Workloads\/Prod<\/code>, Workloads\/NonProd<\/code>, Sandbox<\/code><\/li>\n
                                                                                                                                                                              • Dedicated accounts:
                                                                                                                                                                                  \n
                                                                                                                                                                                • log-archive<\/code> (central S3 for CloudTrail\/Config logs)<\/li>\n
                                                                                                                                                                                • security-tooling<\/code> (delegated admin for supported services)<\/li>\n
                                                                                                                                                                                • network-hub<\/code> (shared networking constructs)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                • SCPs:
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Baseline at root: deny disabling essential logging\/security baselines (carefully designed)<\/li>\n
                                                                                                                                                                                  • Prod<\/code> OU: tighter restrictions (regions, approved services)<\/li>\n
                                                                                                                                                                                  • Sandbox<\/code> OU: cost\/risk containment guardrails<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                  • Why AWS Organizations was chosen:<\/strong> It\u2019s the AWS-native governance layer that integrates with security and identity tooling and scales to hundreds of accounts.<\/li>\n
                                                                                                                                                                                  • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                                  • Reduced risk of unauthorized actions through SCP guardrails<\/li>\n
                                                                                                                                                                                  • Clearer audit and incident response via centralized logging<\/li>\n
                                                                                                                                                                                  • Faster account provisioning with consistent baselines<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    Startup\/small-team example: fast-growing SaaS with cost visibility needs<\/h3>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • Problem:<\/strong> A startup started in one AWS account. As customers and teams grew, billing became confusing and permissions got messy.<\/li>\n
                                                                                                                                                                                    • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                                    • AWS Organizations with OUs: Workloads<\/code>, Sandbox<\/code><\/li>\n
                                                                                                                                                                                    • Accounts:
                                                                                                                                                                                        \n
                                                                                                                                                                                      • prod<\/code> (production workloads)<\/li>\n
                                                                                                                                                                                      • nonprod<\/code> (dev\/test)<\/li>\n
                                                                                                                                                                                      • shared<\/code> (CI\/CD, container registry, shared tools)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                      • Minimal SCPs:
                                                                                                                                                                                          \n
                                                                                                                                                                                        • Deny a short list of risky actions in nonprod\/sandbox (tested)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                        • Why AWS Organizations was chosen:<\/strong> Multi-account provides isolation and cost ownership without building a custom governance system.<\/li>\n
                                                                                                                                                                                        • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                                        • Clean separation between environments<\/li>\n
                                                                                                                                                                                        • Easier cost tracking per environment\/team<\/li>\n
                                                                                                                                                                                        • Reduced chance of dev changes impacting production<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                          16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                          1) Is AWS Organizations the same as AWS Control Tower?<\/strong>\nNo. AWS Organizations<\/strong> is the core multi-account governance\/billing service. AWS Control Tower<\/strong> builds on Organizations to provide an opinionated landing zone, guardrails, and account provisioning automation.<\/p>\n\n\n\n
                                                                                                                                                                                          2) Do SCPs grant permissions?<\/strong>\nNo. SCPs only limit<\/strong> what permissions can be used in an account. IAM policies still must allow the action.<\/p>\n\n\n\n
                                                                                                                                                                                          3) Can an SCP lock me out of an account?<\/strong>\nIt can block actions broadly and disrupt operations. Use careful testing, staged rollouts, and break-glass procedures.<\/p>\n\n\n\n
                                                                                                                                                                                          4) Is AWS Organizations regional?<\/strong>\nIt\u2019s generally treated as a global<\/strong> service, but the services you manage are regional and may behave differently by Region.<\/p>\n\n\n\n
                                                                                                                                                                                          5) Do I need multiple AWS accounts?<\/strong>\nNot strictly, but multi-account is a well-established AWS best practice for isolation, governance, and cost attribution.<\/p>\n\n\n\n
                                                                                                                                                                                          6) What\u2019s the \u201cmanagement account\u201d?<\/strong>\nThe account that owns the organization and is responsible for organization administration and consolidated billing.<\/p>\n\n\n\n
                                                                                                                                                                                          7) Can I change the management account later?<\/strong>\nChanging payer\/management arrangements is non-trivial and may have constraints. Verify current AWS-supported processes in official documentation if you need this.<\/p>\n\n\n\n
                                                                                                                                                                                          8) What\u2019s an OU used for?<\/strong>\nTo group accounts and apply policies (like SCPs) and governance consistently to that group.<\/p>\n\n\n\n
                                                                                                                                                                                          9) How do invited accounts work?<\/strong>\nYou can invite existing AWS accounts to join your organization. They must accept the invitation, and there are constraints if they\u2019re already in another organization.<\/p>\n\n\n\n
                                                                                                                                                                                          10) Is AWS Organizations free?<\/strong>\nAWS Organizations is typically no additional charge<\/strong>, but the services you enable and resources you run in member accounts are billed normally. Verify current pricing in official AWS sources.<\/p>\n\n\n\n
                                                                                                                                                                                          11) How does AWS Organizations relate to IAM Identity Center?<\/strong>\nOrganizations provides the multi-account structure; IAM Identity Center can provide centralized workforce access into those accounts.<\/p>\n\n\n\n
                                                                                                                                                                                          12) Should I run workloads in the management account?<\/strong>\nBest practice is generally no<\/strong>. Keep it for org administration and billing; use separate workload accounts.<\/p>\n\n\n\n
                                                                                                                                                                                          13) Can SCPs enforce tagging?<\/strong>\nSCPs are not a general-purpose \u201ctag enforcement engine.\u201d Tag governance depends on AWS capabilities and services. Organizations may support tag-related policies depending on current features\u2014verify in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                          14) How do I audit changes to OUs and SCPs?<\/strong>\nUse AWS CloudTrail management event logs and centralize them for retention and monitoring.<\/p>\n\n\n\n
                                                                                                                                                                                          15) What\u2019s the fastest way to start with a secure multi-account setup?<\/strong>\nFor many teams, AWS Control Tower is the fastest standardized approach. If you need a custom landing zone, start with AWS Organizations plus a documented OU\/policy model and strong logging\/security baselines.<\/p>\n\n\n\n
                                                                                                                                                                                          17. Top Online Resources to Learn AWS Organizations<\/h2>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                          Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                          Official documentation<\/td>\nAWS Organizations User Guide \u2013 Introduction<\/td>\nCore concepts, terminology, workflows<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official documentation<\/td>\nAWS Organizations \u2013 Managing accounts<\/td>\nAccount creation\/invites\/moves in depth<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official documentation<\/td>\nAWS Organizations \u2013 Policies and SCPs<\/td>\nAuthoritative SCP behavior and policy types<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official reference<\/td>\nAWS Organizations service quotas\/limits<\/td>\nPrevent surprises when scaling<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official product page<\/td>\nAWS Organizations product page<\/td>\nHigh-level capabilities and official entry points<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official pricing<\/td>\nAWS Pricing Calculator<\/td>\nEstimate integrated service costs across accounts<\/td>\n<\/tr>\n
                                                                                                                                                                                          Official IAM docs<\/td>\nIAM JSON policy elements + condition keys<\/td>\nNeeded to write correct SCP patterns<\/td>\n<\/tr>\n
                                                                                                                                                                                          Architecture guidance<\/td>\nAWS Control Tower documentation<\/td>\nHow Organizations is used in landing zones<\/td>\n<\/tr>\n
                                                                                                                                                                                          Videos<\/td>\nAWS YouTube channel (search \u201cAWS Organizations\u201d and \u201cSCP\u201d)<\/td>\nWalkthroughs and best practices from AWS<\/td>\n<\/tr>\n
                                                                                                                                                                                          Community (reputable)<\/td>\nAWS Blogs (search Organizations, SCP, multi-account)<\/td>\nPractical patterns and design considerations<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                          Helpful official URLs (entry points):\n– AWS Organizations docs: https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/\n– Organizations limits: https:\/\/docs.aws.amazon.com\/organizations\/latest\/userguide\/orgs_reference_limits.html\n– AWS Organizations product page: https:\/\/aws.amazon.com\/organizations\/\n– AWS Pricing Calculator: https:\/\/calculator.aws\/#\/\n– IAM policy reference: https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_elements.html<\/p>\n\n\n\n
                                                                                                                                                                                          18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n\n\n\n\n\n
                                                                                                                                                                                          Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                          DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nAWS governance, DevOps, automation, cloud operations<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nDevOps fundamentals, tooling, governance basics<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          CLoudOpsNow.in<\/td>\nCloud operations teams<\/td>\nCloudOps, monitoring, governance operations<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          SreSchool.com<\/td>\nSREs and reliability-focused engineers<\/td>\nReliability, operations, incident response patterns<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          AiOpsSchool.com<\/td>\nOps teams adopting AI Ops<\/td>\nAIOps concepts, automation in operations<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                          19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n\n\n\n\n
                                                                                                                                                                                          Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                          RajeshKumar.xyz<\/td>\nDevOps\/cloud training content<\/td>\nEngineers seeking structured guidance<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          devopstrainer.in<\/td>\nDevOps training<\/td>\nBeginners to advanced DevOps practitioners<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          devopsfreelancer.com<\/td>\nFreelance DevOps consulting\/training<\/td>\nTeams needing flexible coaching<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          devopssupport.in<\/td>\nDevOps support and training<\/td>\nOps teams needing hands-on help<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                          20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n\n\n\n
                                                                                                                                                                                          Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                          cotocus.com<\/td>\nCloud\/DevOps consulting<\/td>\nMulti-account design, governance, automation<\/td>\nAWS Organizations OU\/SCP design; landing zone planning; account vending pipelines<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          DevOpsSchool.com<\/td>\nDevOps and cloud consulting\/training<\/td>\nGovernance, DevOps transformation, platform engineering<\/td>\nImplement multi-account governance; CI\/CD + IAM patterns; operational readiness<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                          DEVOPSCONSULTING.IN<\/td>\nDevOps consulting<\/td>\nCloud operations, security basics, automation<\/td>\nCloud governance enablement; policy-as-code processes; observability setup<\/td>\nhttps:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                          21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                          What to learn before AWS Organizations<\/h3>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          • AWS fundamentals: IAM users\/roles\/policies, Regions\/AZs, VPC basics, CloudTrail basics<\/li>\n
                                                                                                                                                                                          • AWS account security basics: MFA, root account protections, least privilege<\/li>\n
                                                                                                                                                                                          • Basic billing concepts: consolidated billing vs cost allocation tags, Cost Explorer<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                            What to learn after AWS Organizations<\/h3>\n\n\n\n
                                                                                                                                                                                              \n
                                                                                                                                                                                            • AWS Control Tower<\/strong> (if you want a managed landing zone)<\/li>\n
                                                                                                                                                                                            • IAM Identity Center multi-account access patterns<\/li>\n
                                                                                                                                                                                            • Centralized logging architectures (CloudTrail org trails, S3 log archive patterns)<\/li>\n
                                                                                                                                                                                            • Multi-account security operations:<\/li>\n
                                                                                                                                                                                            • GuardDuty \/ Security Hub org administration (service-specific)<\/li>\n
                                                                                                                                                                                            • Incident response in a multi-account environment<\/li>\n
                                                                                                                                                                                            • Infrastructure as Code for governance:<\/li>\n
                                                                                                                                                                                            • SCP policy-as-code workflows<\/li>\n
                                                                                                                                                                                            • Account provisioning automation<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                              Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                                \n
                                                                                                                                                                                              • Cloud Platform Engineer<\/li>\n
                                                                                                                                                                                              • Cloud\/Solutions Architect<\/li>\n
                                                                                                                                                                                              • DevOps Engineer \/ SRE<\/li>\n
                                                                                                                                                                                              • Security Engineer \/ Cloud Security Architect<\/li>\n
                                                                                                                                                                                              • FinOps Analyst \/ Cloud Cost Manager<\/li>\n
                                                                                                                                                                                              • Cloud Operations Engineer<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                Certification path (AWS)<\/h3>\n\n\n\n
                                                                                                                                                                                                AWS Organizations appears as a concept across multiple AWS certification domains (governance, security, multi-account). A common progression:\n– AWS Certified Cloud Practitioner (foundations)\n– AWS Certified Solutions Architect \u2013 Associate\n– AWS Certified Security \u2013 Specialty (or equivalent, if current)\n– AWS Certified Solutions Architect \u2013 Professional<\/p>\n\n\n\n
                                                                                                                                                                                                Always verify the latest AWS certification roadmap and exam guides on the official AWS Training and Certification site.<\/p>\n\n\n\n
                                                                                                                                                                                                Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                                  \n
                                                                                                                                                                                                • Build a small landing zone:<\/li>\n
                                                                                                                                                                                                • OUs for prod\/nonprod\/sandbox<\/li>\n
                                                                                                                                                                                                • SCP baseline and environment-specific SCPs<\/li>\n
                                                                                                                                                                                                • Central log archive account pattern (design-only or implement with CloudTrail + S3)<\/li>\n
                                                                                                                                                                                                • Implement \u201caccount vending\u201d:<\/li>\n
                                                                                                                                                                                                • Script account creation with AWS CLI and place accounts in correct OU<\/li>\n
                                                                                                                                                                                                • Add automated guardrails attachment<\/li>\n
                                                                                                                                                                                                • Create an SCP library:<\/li>\n
                                                                                                                                                                                                • region restriction (carefully)<\/li>\n
                                                                                                                                                                                                • deny disabling CloudTrail<\/li>\n
                                                                                                                                                                                                • deny leaving organization (where applicable\u2014verify exact controls)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                  22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                                    \n
                                                                                                                                                                                                  • Account<\/strong>: An AWS account; a strong isolation boundary for resources, IAM, and many service limits.<\/li>\n
                                                                                                                                                                                                  • AWS Organizations<\/strong>: AWS service for multi-account management, governance, and consolidated billing.<\/li>\n
                                                                                                                                                                                                  • Management account<\/strong>: The account that owns the organization and pays the consolidated bill.<\/li>\n
                                                                                                                                                                                                  • Member account<\/strong>: Any account that belongs to an organization but is not the management account.<\/li>\n
                                                                                                                                                                                                  • Organization<\/strong>: The overall container for accounts, OUs, and policies.<\/li>\n
                                                                                                                                                                                                  • Root<\/strong>: The top-level node in the AWS Organizations hierarchy.<\/li>\n
                                                                                                                                                                                                  • OU (Organizational Unit)<\/strong>: A group of accounts used to apply and inherit policies.<\/li>\n
                                                                                                                                                                                                  • SCP (Service Control Policy)<\/strong>: A policy that limits the maximum permissions for accounts\/OUs in an organization.<\/li>\n
                                                                                                                                                                                                  • Policy attachment<\/strong>: The act of attaching a policy (like an SCP) to a root, OU, or account.<\/li>\n
                                                                                                                                                                                                  • Inheritance<\/strong>: Policies attached to a parent (root\/OU) apply to child OUs\/accounts.<\/li>\n
                                                                                                                                                                                                  • Delegated administrator<\/strong>: A member account authorized to administer certain AWS services across the organization (service-dependent).<\/li>\n
                                                                                                                                                                                                  • Trusted access<\/strong>: An integration setting that allows an AWS service to operate with AWS Organizations across accounts.<\/li>\n
                                                                                                                                                                                                  • Landing zone<\/strong>: A standardized multi-account baseline with governance, security, and networking patterns.<\/li>\n
                                                                                                                                                                                                  • Break-glass access<\/strong>: Emergency access procedure (highly controlled) for critical incidents.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                    23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                                    AWS Organizations is the core AWS Management and governance<\/strong> service for managing multiple AWS accounts with a centralized hierarchy, consolidated billing, and governance controls like Service Control Policies (SCPs)<\/strong>. It matters because multi-account setups are a best practice for isolation, security, and scalable operations\u2014and without a governance layer, multi-account environments become difficult to control.<\/p>\n\n\n\n
                                                                                                                                                                                                    Cost-wise, AWS Organizations is typically no additional charge<\/strong>, but it enables patterns (central logging, org-wide security tooling) that can materially affect your bill. Security-wise, it\u2019s foundational: SCPs provide preventive guardrails, and delegated administration helps keep the management account tightly locked down.<\/p>\n\n\n\n
                                                                                                                                                                                                    Use AWS Organizations when you have (or expect) multiple AWS accounts and need consistent guardrails and billing governance. Your next learning step is usually either AWS Control Tower<\/strong> (for a managed landing zone) or a deeper focus on SCP design<\/strong>, identity federation\/IAM Identity Center<\/strong>, and centralized logging and security operations<\/strong> across the organization.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                                    Management and governance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,33],"tags":[],"class_list":["post-266","post","type-post","status-publish","format-standard","hentry","category-aws","category-management-and-governance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=266"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/266\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}