AWS services that you can use with AWS Organizations

With AWS Organizations you can perform account management activities at scale by consolidating multiple AWS accounts into a single organization. Consolidating accounts simplifies how you use other AWS services. You can leverage the multi-account management services available in AWS Organizations with select AWS services to perform tasks on all accounts that are members of your organization.

The following table lists AWS services that you can use with AWS Organizations, and the benefit of using each service on an organization-wide level.

Trusted Access – You can enable a compatible AWS service to perform operations across all of the AWS accounts in your organization. For more information, see Enabling trusted access with other AWS services.

Delegated Administrator – A compatible AWS service can register an AWS member account in the organization as an administrator for the organization's accounts in that service.

| AWS service | Benefits of using with AWS Organizations | Service principal | Supports Trusted Access | Supports Delegated Administrator |
| --- | --- | --- | --- | --- |
| AWS Artifact | Download AWS security compliance reports such as ISO and PCI reports. You can accept agreements on behalf of all accounts within your organization. | aws-artifact-account-sync.amazonaws.com | Yes | No |
| AWS Backup | Manage and monitor backups across all of the accounts in your organization. You can configure and manage backup plans for your entire organization, or for groups of accounts in your organizational units (OUs). You can centrally monitor backups for all of your accounts. | backup.amazonaws.com | Yes | No |
| AWS CloudFormation StackSets | Create, update, or delete stacks across multiple accounts and Regions with a single operation. A user in the master account can create a stack set with service-managed permissions that deploys stack instances to accounts in your organization. | member.org.stacksets.cloudformation.amazonaws.com | Yes | No |
| AWS CloudTrail | Enable governance, compliance, and operational and risk auditing of your account. A user in a master account can create an organization trail that logs all events for all accounts in that organization. | cloudtrail.amazonaws.com | Yes | No |
| Amazon CloudWatch Events | Monitor your AWS resources and the applications that you run on AWS in real time. You can enable sharing of all CloudWatch Events across all accounts in your organization. For more information, see Sending and Receiving Events Between AWS Accounts in the Amazon CloudWatch Events User Guide. | | No | No |
| AWS Compute Optimizer | Get AWS compute optimization recommendations. You can analyze all resources that are in your organization's accounts to get optimization recommendations. For more information, see Accounts Supported by Compute Optimizer in the AWS Compute Optimizer User Guide. | compute-optimizer.amazonaws.com | Yes | No |
| AWS Config | Assess, audit, and evaluate the configurations of your AWS resources. You can get an organization-wide view of your compliance status. You can also use AWS Config API operations to manage AWS Config rules and conformance packs across all AWS accounts in your organization. | For AWS Config: config.amazonaws.com. For AWS Config Rules: config-multiaccountsetup.amazonaws.com | Yes | Yes (Config rules; conformance packs) |
| AWS Control Tower | Set up and govern a secure, compliant, multiaccount AWS environment. You can set up a landing zone, a multiaccount environment for all of your AWS resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your AWS accounts. For more information, see How AWS Control Tower Works and Manage Accounts Through AWS Organizations in the AWS Control Tower User Guide. | controltower.amazonaws.com | Yes | No |
| AWS Directory Service | Set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory. You can integrate AWS Directory Service with AWS Organizations for seamless directory sharing across multiple accounts and any VPC in a Region. | ds.amazonaws.com | Yes | No |
| AWS Firewall Manager | Centrally configure and manage firewall rules for web applications across your accounts and applications. You can centrally configure and manage AWS WAF rules across accounts in your organization. | fms.amazonaws.com | Yes | No |
| Amazon GuardDuty | You can designate a member account to view and manage GuardDuty for all of the accounts in your organization. Adding member accounts automatically enables GuardDuty for those accounts in the selected AWS Region. You can also automate GuardDuty activation for new accounts added to your organization. For more information, see GuardDuty and Organizations in the Amazon GuardDuty User Guide. | guardduty.amazonaws.com | No | Yes |
| AWS Identity and Access Management | Securely control access to AWS resources. You can use service last accessed data in IAM to help you better understand AWS activity across your organization. You can use this data to create and update service control policies (SCPs) that restrict access to only the AWS services that your organization's accounts use. For an example, see Using Data to Refine Permissions for an Organizational Unit in the IAM User Guide. | | No | No |
| IAM Access Analyzer | Analyze resource-based policies in your AWS environment to identify any policies that grant access to a principal outside of your zone of trust. You can designate a member account to be an administrator for IAM Access Analyzer. For more information, see Enabling Access Analyzer in the IAM User Guide. | access-analyzer.amazonaws.com | Yes | Yes |
| AWS License Manager | Streamline the process of bringing software licenses to the cloud. You can enable cross-account discovery of computing resources throughout your organization. | license-manager.amazonaws.com, license-manager.member-account.amazonaws.com | Yes | No |
| Amazon Macie | Discovers and classifies your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues. You can configure Amazon Macie for all of the accounts in your organization to get a consolidated view of all of your data in Amazon S3, across all accounts from a designated Macie administrator account. You can configure Macie to automatically protect resources in new accounts as your organization grows. You are alerted to remediate policy misconfigurations across S3 buckets throughout your organization. | macie.amazonaws.com | No | Yes |
| AWS RAM | Share specified AWS resources that you own with other accounts. You can share resources within your organization without exchanging additional invitations. Resources you can share include Route 53 Resolver rules, on-demand capacity reservations, and more. For information about sharing capacity reservations, see the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances. For a list of shareable resources, see Shareable Resources in the AWS RAM User Guide. | ram.amazonaws.com | Yes | No |
| AWS Service Catalog | Create and manage catalogs of IT services that are approved for use on AWS. You can share portfolios and copy products across accounts more easily, without sharing portfolio IDs. | servicecatalog.amazonaws.com | Yes | Yes |
| Service Quotas | View and manage your service quotas, also referred to as limits, from a central location. You can create a quota request template to automatically request a quota increase when accounts in your organization are created. | servicequotas.amazonaws.com | Yes | No |
| AWS Single Sign-On | Provide single sign-on services for all of your accounts and cloud applications. Users can sign in to the AWS SSO user portal with their corporate credentials and access resources in their assigned master or member accounts. | sso.amazonaws.com | Yes | No |
| AWS Systems Manager | Enable visibility and control of your AWS resources. You can synchronize operations data across all AWS accounts in your organization by using Systems Manager Explorer. | ssm.amazonaws.com | Yes | Yes |
| Tag policies | Help standardize tags across resources in your organization's accounts. You can create tag policies to define tagging rules for specific resources and attach those policies to organization entities. For information on enabling trusted access for tag policies, see Tag policies and AWS Organizations. | tagpolicies.tag.amazonaws.com | Yes | No |