Security and Compliance · 30% of exam

L6. AWS Organizations and Multi-Account Strategy


AWS Organizations enables centralized management of multiple AWS accounts. The Cloud Practitioner exam tests how Organizations, SCPs, consolidated billing, and AWS Control Tower work together.

AWS Organizations

AWS Organizations is a free service for centrally managing multiple AWS accounts. Key features: consolidated billing, Service Control Policies (SCPs), and organizational structure.

Key Concepts

  • Management account (formerly master account): the account that creates the Organization and has full control. It pays the consolidated bill and applies SCPs.
  • Member accounts: all other accounts in the Organization. They can be placed in Organizational Units (OUs).
  • Organizational Units (OUs): groups of accounts within the Organization. You can nest OUs up to 5 levels deep.

Service Control Policies (SCPs)

SCPs define the maximum permissions available to IAM entities in member accounts. They do NOT grant permissions; they set permission guardrails. Key facts:

  • SCPs applied at an OU level affect all accounts within that OU
  • SCPs affect all IAM users and roles in member accounts, including the account's root user
  • SCPs do NOT affect the management account
  • SCPs cannot be overridden by member account policies

Example SCP use cases:
  • Deny creation of resources outside specific Regions
  • Prevent disabling CloudTrail
  • Restrict which EC2 instance types can be launched
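To make the guardrail rules above concrete, here is an added example (not AWS code and not from this course) that models how SCPs combine with IAM identity policies for a request. It assumes a simplified policy shape: Action patterns with "*" wildcards and an optional aws:RequestedRegion condition; the SCP path, policies and accounts below are constructed sample data.

```python
from fnmatch import fnmatchcase

# Default SCP AWS attaches at every level; without it everything is implicitly denied.
DEFAULT_SCP = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}

def _matches(stmt, action, region):
    """True if the statement's Action list and optional Region condition cover the request."""
    if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
        return False
    cond = stmt.get("Condition", {})
    if "StringNotEquals" in cond:
        return region not in cond["StringNotEquals"]["aws:RequestedRegion"]
    if "StringEquals" in cond:
        return region in cond["StringEquals"]["aws:RequestedRegion"]
    return True

def scps_allow(scp_path, action, region):
    """scp_path: one list of SCPs per level (root, each OU, the account).
    Every level must explicitly Allow the action and no level may Deny it."""
    for level in scp_path:
        stmts = [s for scp in level for s in scp["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action, region) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and _matches(s, action, region) for s in stmts):
            return False
    return True

def is_allowed(account, action, region, iam_policy, scp_path):
    """SCPs cap member accounts (root user included) but never the management
    account; IAM must still grant the action, because SCPs grant nothing."""
    if not account["is_management"] and not scps_allow(scp_path, action, region):
        return False
    if account["principal_is_root"]:
        return True  # root user is not limited by IAM identity policies
    stmts = iam_policy["Statement"]
    if any(s["Effect"] == "Deny" and _matches(s, action, region) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, region) for s in stmts)

# Constructed sample guardrails attached to an OU (a real region guardrail would
# also exempt global services; omitted here for brevity).
REGION_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Action": ["*"], "Condition": {
    "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}
PROTECT_CLOUDTRAIL = {"Statement": [{"Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
SCP_PATH = [[DEFAULT_SCP], [DEFAULT_SCP, REGION_GUARDRAIL, PROTECT_CLOUDTRAIL], [DEFAULT_SCP]]
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}
MEMBER_USER = {"is_management": False, "principal_is_root": False}
MEMBER_ROOT = {"is_management": False, "principal_is_root": True}
MGMT_USER = {"is_management": True, "principal_is_root": False}
```

Running it shows that a member-account admin can launch EC2 in eu-west-1 but not us-east-1, the member root user still cannot stop CloudTrail, the management account is untouched by the same SCPs, and a principal with no IAM allow gets nothing even though the SCPs permit the action.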

Consolidated Billing

All member account charges roll up to the management account. Benefits:

  • One bill for all AWS accounts
  • Volume discounts: usage aggregated across all accounts may qualify for lower pricing tiers
  • Reserved Instance sharing: RI discounts can apply across accounts in the same Organization

AWS Control Tower

AWS Control Tower sets up a well-architected multi-account environment (a "landing zone") with pre-configured guardrails (preventive and detective controls). It is built on top of Organizations, AWS Config, CloudTrail, and Service Catalog. Guardrails:

  • Preventive: use SCPs to prevent actions (e.g., disallow public S3 buckets)
  • Detective: use AWS Config rules to detect non-compliance and report it

AWS IAM Identity Center (formerly SSO)

Centralized single sign-on for multiple AWS accounts and business applications. Users authenticate once and get access to all their assigned accounts and apps.

Concept               Purpose
AWS Organizations     Manage multiple accounts centrally
SCPs                  Guardrails on member account permissions
Consolidated Billing  Single bill, volume discounts
Control Tower         Automated landing zone setup
IAM Identity Center   SSO across accounts and applications

Exam tip: SCPs restrict what member accounts CAN do; they don't grant permissions. The management account is never restricted by SCPs.

Exam Focus Points

  • AWS Organizations provides centralized management, consolidated billing, and SCPs for multiple accounts
  • SCPs are permission guardrails for member accounts; they restrict but do not grant permissions
  • SCPs never affect the management account; they affect all IAM entities including the root user in member accounts
  • Consolidated billing aggregates usage for volume discounts and allows Reserved Instance sharing
  • AWS Control Tower automates a secure multi-account landing zone with built-in preventive and detective guardrails

Knowledge Check

1. A company uses AWS Organizations and wants to prevent all member accounts from creating resources in non-approved Regions. Which feature should they use?

2. What is a key billing advantage of using AWS Organizations with consolidated billing?
