100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cloud

AWS Organizations

By Amazon Web Services

IntermediateService11.5K learners

AWS Organizations is an AWS account-management service that lets businesses centrally govern multiple AWS accounts under one management account, with consolidated billing and hierarchical policy controls.

Definition

AWS Organizations is an AWS account-management service that lets businesses centrally govern multiple AWS accounts under one management account, with consolidated billing and hierarchical policy controls.

Overview

As companies adopt AWS beyond a single team, they typically end up with many separate AWS accounts — one per team, environment, or product line — to isolate blast radius, billing, and access. AWS Organizations was built to manage that sprawl. It lets a management account create, invite, and group member accounts into a tree of organizational units (OUs), and apply policies at any level of that tree so they cascade down to every account beneath it. The two most important policy types are Service Control Policies (SCPs), which set the maximum permissions available in an account regardless of what IAM policies exist inside it, and Resource Control Policies, a newer mechanism for restricting access to specific resources. Beyond policy, Organizations enables consolidated billing, combining usage across all member accounts onto a single bill and letting volume discounts apply across the whole organization, and it lets an organization designate delegated administrator accounts for services like AWS Config, GuardDuty, or CloudTrail so security tooling can be managed centrally without granting full management-account access. AWS Organizations is the foundation most enterprises build their multi-account landing zone on, often provisioned through AWS Control Tower, which layers guardrails, account factories, and baseline configurations on top of an Organizations structure. It plays a role directly analogous to Azure Management Groups and Google Cloud's Resource Manager folders — all three let an enterprise apply governance top-down across many cloud accounts or projects rather than configuring each one individually.

Key Features

  • Hierarchical organizational units (OUs) for grouping AWS accounts
  • Service Control Policies (SCPs) that set permission guardrails inherited by all accounts in an OU
  • Consolidated billing across all member accounts with shared volume discounts
  • Delegated administrator accounts for centrally managing security and governance services
  • Automated account creation via the AWS Organizations API or AWS Control Tower
  • Tag policies and backup policies enforced organization-wide
  • Integration with AWS IAM Identity Center for centralized single sign-on across accounts

Use Cases

Enforcing security and compliance guardrails across every AWS account in a company
Consolidating billing and cost allocation across many teams or business units
Isolating production, staging, and development workloads into separate accounts
Building a multi-account landing zone as the foundation for cloud governance
Centrally managing security tooling such as GuardDuty, Security Hub, and CloudTrail
Restricting which AWS regions or services individual teams are allowed to use

Alternatives

Frequently Asked Questions