AWS Organizations
- Global Service
- Allows you to manage multiple AWS accounts from one place
- The main account is the management account
- Other accounts are member accounts
- Member accounts can only be part of one organization
- Consolidated Billing across all accounts - single payment method
- Pricing benefits from aggregated usage (volume discounts for EC2, S3, …)
- Shared reserved instances and Savings Plans discounts across accounts
- API is available to automate AWS account creation
Organizational Units (OUs)
- Root Organizational Unit
  - Management Account
  - OU (PROD)
  - OU (DEV)
Security: Service Control Policies (SCP)
- IAM-style policies applied to OUs or accounts that cap what Users and Roles in those accounts can do
- They do not apply to the management account (full admin power)
- Must have an explicit allow (an SCP allows nothing by default), and an action is usable in an account only if every SCP from the root down to the account allows it
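To make the SCP evaluation rules concrete, the following is an added example (not part of the original notes, and not AWS code) that models a small organization tree and computes whether an action is usable in a given account. The organization layout, the account names and the policy documents are constructed for this example; the first document copies the shape of the AWS-managed FullAWSAccess SCP. Two rules from the notes are encoded: the management account is exempt, and an action must be explicitly allowed (and not denied) at every level from the account up to the root. An SCP is a ceiling, not a grant, so passing this check still requires an IAM policy inside the account that allows the action.

```python
import fnmatch

# Constructed SCP documents (same JSON shape as real SCPs; contents are examples).
FULL_AWS_ACCESS = {  # mirrors the AWS-managed FullAWSAccess SCP
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_LEAVE_ORG = {  # guardrail: member accounts may not leave the organization
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": "organizations:LeaveOrganization",
                   "Resource": "*"}],
}
DEV_ALLOW_LIST = {  # allow-list style: only these services, nothing else
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "s3:*", "cloudwatch:*"],
                   "Resource": "*"}],
}

# Constructed organization tree: node -> attached SCPs and parent node.
ORG = {
    "Root":      {"scps": [FULL_AWS_ACCESS], "parent": None},
    "OU-PROD":   {"scps": [FULL_AWS_ACCESS, DENY_LEAVE_ORG], "parent": "Root"},
    "OU-DEV":    {"scps": [DEV_ALLOW_LIST], "parent": "Root"},
    "mgmt-acct": {"scps": [], "parent": "Root", "management": True},
    "prod-acct": {"scps": [FULL_AWS_ACCESS], "parent": "OU-PROD"},
    "dev-acct":  {"scps": [FULL_AWS_ACCESS], "parent": "OU-DEV"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def level_allows(scps, action):
    """Combine all SCPs attached to one node: any matching Deny wins,
    otherwise the action needs at least one matching Allow. With no
    matching Allow the action is not permitted (SCPs allow nothing by default)."""
    allowed = denied = False
    for policy in scps:
        for stmt in policy["Statement"]:
            if _matches(action, stmt.get("Action", [])):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    return allowed and not denied


def path_to_root(node):
    """Nodes from the account up to the root, e.g. dev-acct -> OU-DEV -> Root."""
    path = []
    while node is not None:
        path.append(node)
        node = ORG[node]["parent"]
    return path


def effective_allowed(account, action):
    """An action is usable in a member account only if every level on the
    path to the root allows it. The management account is not restricted."""
    if ORG[account].get("management"):
        return True
    return all(level_allows(ORG[node]["scps"], action)
               for node in path_to_root(account))


if __name__ == "__main__":
    checks = [("prod-acct", "ec2:RunInstances"),
              ("prod-acct", "organizations:LeaveOrganization"),
              ("dev-acct", "s3:GetObject"),
              ("dev-acct", "iam:CreateUser"),
              ("mgmt-acct", "organizations:LeaveOrganization")]
    for acct, act in checks:
        print(f"{acct:10} {act:35} -> {effective_allowed(acct, act)}")
```

Reading the output against the tree: the PROD account can run EC2 but cannot leave the organization because the Deny attached to OU-PROD wins at that level; the DEV account can use S3 but not IAM because the OU-DEV allow-list never mentions it, even though the account-level FullAWSAccess does; the management account passes every check because SCPs never apply to it.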