L6. AWS Organizations and Multi-Account Strategy
AWS Organizations enables centralized management of multiple AWS accounts. The Cloud Practitioner exam tests how Organizations, SCPs, consolidated billing, and AWS Control Tower work together.
AWS Organizations
AWS Organizations is a free service for centrally managing multiple AWS accounts. Key features: consolidated billing, Service Control Policies (SCPs), and organizational structure.
Key Concepts
- Management account (formerly master account): the account that creates the Organization and has full control. It pays the consolidated bill and applies SCPs.
- Member accounts: all other accounts in the Organization. They can be grouped into Organizational Units (OUs).
- Organizational Units (OUs): groups of accounts within the Organization. You can nest OUs up to 5 levels deep.
Service Control Policies (SCPs)
SCPs define the maximum permissions available to IAM entities in member accounts. They do NOT grant permissions; they set permission guardrails. Key facts:
- SCPs applied at an OU level affect all accounts within that OU
- SCPs affect all IAM users and roles in member accounts, including the account's root user
- SCPs do NOT affect the management account
- SCPs cannot be overridden by policies defined inside a member account
Common uses:
- Deny creation of resources outside specific Regions
- Prevent disabling CloudTrail
- Restrict which EC2 instance types can be launched
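The SCP behaviour listed above, as an added example that is not part of the lesson: a small Python evaluator with two constructed SCPs (a Region restriction and CloudTrail protection) showing that an SCP deny beats an administrator IAM policy in a member account, that an SCP allow grants nothing on its own, that the member account's root user is bound, and that the management account is not. The approved Region list, the exempt global services and the simplified condition handling are assumptions (resources and most condition operators are ignored).

```python
from fnmatch import fnmatch
# Constructed sample SCPs, modelled on the common region-restriction and CloudTrail-protection
# patterns; the approved Regions and the exempt global services below are assumptions.
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": "*", "Resource": "*"}  # default SCP attached by Organizations
REGION_GUARDRAIL = {
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],  # global services stay usable
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
}
PROTECT_CLOUDTRAIL = {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}
MEMBER_SCPS = [FULL_AWS_ACCESS, REGION_GUARDRAIL, PROTECT_CLOUDTRAIL]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, ctx):
    """True if the statement applies to this action under the request context (resources ignored)."""
    if "Action" in stmt and not any(fnmatch(action, a) for a in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(fnmatch(action, a) for a in _as_list(stmt["NotAction"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            hit = key in ctx and ctx[key] in _as_list(values)
            # IAM semantics: StringEquals needs a hit; StringNotEquals fails only on a hit
            if (operator == "StringEquals" and not hit) or (operator == "StringNotEquals" and hit):
                return False
    return True

def policy_allows(statements, action, ctx):
    """Explicit Deny wins; otherwise some Allow must match; otherwise implicit deny."""
    matched = [s for s in statements if statement_matches(s, action, ctx)]
    return not any(s["Effect"] == "Deny" for s in matched) and any(s["Effect"] == "Allow" for s in matched)

def is_allowed(action, region, iam_statements=None, scps=MEMBER_SCPS, management_account=False):
    """iam_statements=None models the account root user, which IAM policies cannot restrict.
    SCPs bound every principal in a member account, root included, but never the management account."""
    ctx = {"aws:RequestedRegion": region}
    iam_ok = True if iam_statements is None else policy_allows(iam_statements, action, ctx)
    return iam_ok if management_account else (iam_ok and policy_allows(scps, action, ctx))

ADMIN = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
READ_ONLY = [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"], "Resource": "*"}]

if __name__ == "__main__":
    print(is_allowed("ec2:RunInstances", "us-east-1", ADMIN))      # False: admin in member account, blocked by SCP
    print(is_allowed("ec2:RunInstances", "eu-west-1", READ_ONLY))  # False: SCP never grants what IAM does not
    print(is_allowed("cloudtrail:StopLogging", "eu-west-1", None))  # False: member root user is bound by SCPs
```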
Consolidated Billing
All member account charges roll up to the management account. Benefits:
- One bill for all AWS accounts
- Volume discounts: usage aggregated across all accounts may qualify for lower pricing tiers
- Reserved Instance sharing: RI discounts can apply across accounts in the same Organization
AWS Control Tower
AWS Control Tower sets up a well-architected multi-account environment (a "landing zone") with pre-configured guardrails (preventive and detective controls). It is built on top of AWS Organizations, AWS Config, CloudTrail, and Service Catalog. Guardrail types:
- Preventive: use SCPs to prevent actions (e.g., disallow public S3 buckets)
- Detective: use AWS Config rules to detect non-compliance and report it
AWS IAM Identity Center (formerly SSO)
Centralized single sign-on for multiple AWS accounts and business applications. Users authenticate once and get access to all their assigned accounts and apps.
| Concept | Purpose |
|---|---|
| AWS Organizations | Manage multiple accounts centrally |
| SCPs | Guardrails on member account permissions |
| Consolidated Billing | Single bill, volume discounts |
| Control Tower | Automated landing zone setup |
| IAM Identity Center | SSO across accounts and applications |
- ✓ AWS Organizations provides centralized management, consolidated billing, and SCPs for multiple accounts
- ✓ SCPs are permission guardrails for member accounts; they restrict but do not grant permissions
- ✓ SCPs never affect the management account; they affect all IAM entities, including the root user, in member accounts
- ✓ Consolidated billing aggregates usage for volume discounts and allows Reserved Instance sharing
- ✓ AWS Control Tower automates a secure multi-account landing zone with built-in preventive and detective guardrails
1. A company uses AWS Organizations and wants to prevent all member accounts from creating resources in non-approved Regions. Which feature should they use?
2. What is a key billing advantage of using AWS Organizations with consolidated billing?
Recommended: Pluralsight
Complement these lessons with Pluralsight: structured CLF-C02 learning paths, AWS hands-on labs, and realistic practice questions for exam day.