AWS Organizations
By Amazon Web Services
AWS Organizations is an AWS account-management service that lets businesses centrally govern multiple AWS accounts under one management account, with consolidated billing and hierarchical policy controls.
Definition
AWS Organizations is an AWS account-management service that lets businesses centrally govern multiple AWS accounts under one management account, with consolidated billing and hierarchical policy controls.
Overview
As companies adopt AWS beyond a single team, they typically end up with many separate AWS accounts — one per team, environment, or product line — to isolate blast radius, billing, and access. AWS Organizations was built to manage that sprawl. It lets a management account create, invite, and group member accounts into a tree of organizational units (OUs), and apply policies at any level of that tree so they cascade down to every account beneath it. The two most important policy types are Service Control Policies (SCPs), which set the maximum permissions available in an account regardless of what IAM policies exist inside it, and Resource Control Policies, a newer mechanism for restricting access to specific resources. Beyond policy, Organizations enables consolidated billing, combining usage across all member accounts onto a single bill and letting volume discounts apply across the whole organization, and it lets an organization designate delegated administrator accounts for services like AWS Config, GuardDuty, or CloudTrail so security tooling can be managed centrally without granting full management-account access. AWS Organizations is the foundation most enterprises build their multi-account landing zone on, often provisioned through AWS Control Tower, which layers guardrails, account factories, and baseline configurations on top of an Organizations structure. It plays a role directly analogous to Azure Management Groups and Google Cloud's Resource Manager folders — all three let an enterprise apply governance top-down across many cloud accounts or projects rather than configuring each one individually.
Key Features
- Hierarchical organizational units (OUs) for grouping AWS accounts
- Service Control Policies (SCPs) that set permission guardrails inherited by all accounts in an OU
- Consolidated billing across all member accounts with shared volume discounts
- Delegated administrator accounts for centrally managing security and governance services
- Automated account creation via the AWS Organizations API or AWS Control Tower
- Tag policies and backup policies enforced organization-wide
- Integration with AWS IAM Identity Center for centralized single sign-on across accounts