AWS services that you can use with AWS Organizations - AWS Organizations

AWS services that you can use with AWS Organizations

With AWS Organizations you can perform account management activities at scale by consolidating multiple AWS accounts into a single organization. Consolidating accounts simplifies how you use other AWS services. You can leverage the multi-account management services available in AWS Organizations with select AWS services to perform tasks on all accounts that are members of your organization.

The following table lists AWS services that you can use with AWS Organizations, and the benefit of using each service on an organization-wide level.

Trusted access – You can enable a compatible AWS service to perform operations across all of the AWS accounts in your organization. For more information, see Using AWS Organizations with other AWS services.

Delegated administrator for AWS services – A compatible AWS service can register an AWS member account in the organization as an administrator for the organization's accounts in that service. For more information, see Delegated administrator for AWS services that work with Organizations.

AWS service | Benefits of using with AWS Organizations | Supports trusted access | Supports delegated administrator

AWS Account Management

Manage the details and metadata for all of the AWS accounts for your organization.

You can create, update, and delete the alternate contact information for all of the accounts in your organization.

Yes

Learn more

Yes

Learn more

AWS Application Migration Service (MGN)

AWS Application Migration Service allows companies to lift-and-shift to AWS a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows.

You can manage large-scale migrations across multiple accounts.

Yes

Learn more

Yes

Learn more

AWS Artifact

Download AWS security compliance reports such as ISO and PCI reports.

You can accept agreements on behalf of all accounts within your organization.

Yes

Learn more

No

AWS Audit Manager

Automate the continuous collection of evidence to help you audit your use of cloud services.

Continuously audit your AWS use across multiple accounts in your organization to simplify how you assess risk and compliance.

Yes

Learn more

Yes

Learn more

AWS Backup

Manage and monitor backups across all of the accounts in your organization.

You can configure and manage backup plans for your entire organization, or for groups of accounts in your organizational units (OUs). You can centrally monitor backups for all of your accounts.

Yes

Learn more

Yes

Learn more

AWS CloudFormation StackSets

Create, update, or delete stacks across multiple accounts and Regions with a single operation.

A user in the management account or a delegated administrator account can create a stack set with service-managed permissions that deploys stack instances to accounts in your organization.

Yes

Learn more

Yes

Learn more

AWS CloudTrail

Enable governance, compliance, and operational and risk auditing of your account.

A user in a management account or delegated administrator account can create an organization trail or event data store that logs all events for all accounts in the organization.

Yes

Learn more

Yes

Learn more

AWS Compute Optimizer

Get AWS compute optimization recommendations.

You can analyze all resources that are in your organization's accounts to get optimization recommendations.

For more information, see Accounts Supported by Compute Optimizer in the AWS Compute Optimizer User Guide.

Yes

Learn more

Yes

Learn more

AWS Config

Assess, audit, and evaluate the configurations of your AWS resources.

You can get an organization-wide view of your compliance status. You can also use AWS Config API operations to manage AWS Config rules and conformance packs across all AWS accounts in your organization.

You can use a delegated administrator account to aggregate resource configuration and compliance data from all member accounts of an organization in AWS Organizations. For more information, see Register a delegated administrator in the AWS Config Developer Guide.

Yes

Learn more

Yes

Learn more:

Config rules

Conformance packs

Multi-account multi-region data aggregation

AWS Control Tower

Set up and govern a secure, compliant, multi-account AWS environment.

You can set up a landing zone, a multi-account environment for all of your AWS resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your AWS accounts.

For more information, see How AWS Control Tower and Manage Accounts Through AWS Organizations in the AWS Control Tower User Guide.

Yes

Learn more

No

AWS Cost Optimization Hub

Gather cost recommendations across AWS optimization products.

You can easily identify, filter, and aggregate AWS cost optimization recommendations across your AWS Organizations member accounts and AWS Regions.

For more information, see Cost Optimization Hub in the Cost Optimization Hub user guide.

Yes

Learn more

No

Amazon Detective

Generate visualizations from your log data to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

You can integrate Amazon Detective with AWS Organizations to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts.

Yes

Learn more

Yes

Learn more

Amazon DevOps Guru

Analyze operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. Users are notified when DevOps Guru detects an operational issue or risk.

You can integrate with AWS Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain organization-wide health of all monitored applications.

Yes

Learn more

Yes

Learn more

AWS Directory Service

Set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory.

You can integrate AWS Directory Service with AWS Organizations for seamless directory sharing across multiple accounts and any VPC in a Region.

Yes

Learn more

No

Amazon EventBridge

Monitor your AWS resources and the applications that you run on AWS in real time.

You can enable sharing of all Amazon EventBridge events, formerly Amazon CloudWatch Events, across all accounts in your organization.

For more information, see Sending and receiving Amazon EventBridge events between AWS accounts in the Amazon EventBridge User Guide.

No

No

AWS Firewall Manager

Centrally configure and manage firewall rules for web applications across your accounts and applications.

You can centrally configure and manage AWS WAF rules across the accounts in your organization.

Yes

Learn more

Yes

Learn more

Amazon GuardDuty

GuardDuty is a continuous security monitoring service that analyzes and processes information from a variety of data sources. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

You can designate a member account to view and manage GuardDuty for all of the accounts in your organization. Adding member accounts automatically enables GuardDuty for those accounts in the selected AWS Region. You can also automate GuardDuty activation for new accounts added to your organization.

For more information, see GuardDuty and Organizations in the Amazon GuardDuty User Guide.

Yes

Learn more

Yes

Learn more

AWS Health

Get visibility into events that might affect your resource performance or availability issues for AWS services.

You can aggregate AWS Health events across accounts in your organization.

Yes

Learn more

Yes

Learn more

AWS Identity and Access Management

Securely control access to AWS resources.

You can use service last accessed data in IAM to help you better understand AWS activity across your organization. You can use this data to create and update service control policies (SCPs) that restrict access to only the AWS services that your organization's accounts use.

For an example, see Using Data to Refine Permissions for an Organizational Unit in the IAM User Guide.

No

No

IAM Access Analyzer

Analyze resource-based policies in your AWS environment to identify any policies that grant access to a principal outside of your zone of trust.

You can designate a member account to be an administrator for IAM Access Analyzer.

For more information, see Enabling Access Analyzer in the IAM User Guide.

Yes

Learn more

Yes

Learn more

Amazon Inspector

Automatically discover and scan your AWS workloads, including Amazon EC2 instances and container images that reside in Amazon ECR, for software vulnerabilities and unintended network exposure.

Delegate an administrator to enable or disable scans for member accounts, view aggregated finding data from the entire organization, and create and manage suppression rules.

For more information, see Managing multiple accounts with AWS Organizations in the Amazon Inspector User Guide.

Yes

Learn more

Yes

Learn more

AWS License Manager

Streamline the process of bringing software licenses to the cloud.

You can enable cross-account discovery of computing resources throughout your organization.

Yes

Learn more

Yes

Learn more

Amazon Macie

Discovers and classifies your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues.

You can configure Amazon Macie for all of the accounts in your organization to get a consolidated view of all of your data in Amazon S3, across all accounts from a designated Macie administrator account. You can configure Macie to automatically protect resources in new accounts as your organization grows. You are alerted to remediate policy misconfigurations across S3 buckets throughout your organization.

Yes

Learn more

Yes

Learn more

AWS Marketplace

A curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses.

You can share licenses for your AWS Marketplace subscriptions and purchases across the accounts in your organization.

Yes

Learn more

No

AWS Marketplace Private Marketplace

Provides you with a broad catalog of products available in AWS Marketplace, along with fine-grained control of those products.

Enables you to create multiple private marketplace experiences that are associated with your entire organization, one or more OUs, or one or more accounts in your organization, each with its own set of approved products. Your AWS administrators can also apply company branding to each private marketplace experience with your company or team’s logo, messaging, and color scheme.

Yes

Learn more

Yes

Learn more

AWS Network Manager

Enables you to centrally manage your AWS Cloud WAN core network and your AWS Transit Gateway network across AWS accounts, Regions, and on-premises locations.

You can centrally manage and monitor your global networks with transit gateways and their attached resources in multiple AWS accounts within your organization.

Yes

Learn more

Yes

Learn more

AWS Resource Access Manager

Share specified AWS resources that you own with other accounts.

You can share resources within your organization without exchanging additional invitations. Resources you can share include Route 53 Resolver rules, on-demand capacity reservations, and more.

For information about sharing capacity reservations, see the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances.

For a list of shareable resources, see Shareable Resources in the AWS RAM User Guide.

Yes

Learn more

No

AWS Resource Explorer

Explore your resources using an internet search engine-like experience.

Enable multi-account search.

Yes

Learn more

Yes

Learn more

AWS Security Hub

View your security state in AWS and check your environment against security industry standards and best practices.

You can automatically enable Security Hub for all of your organization's accounts, including new accounts as they are added. This increases the coverage for Security Hub checks and findings, which provides a more accurate picture of your overall security posture.

Yes

Learn more

Yes

Learn more

Amazon S3 Storage Lens

Get visibility into your Amazon S3 storage usage and activity metrics with actionable recommendations to optimize storage.

Configure Amazon S3 Storage Lens to gain visibility into Amazon S3 storage usage and activity trends, and recommendations for all member accounts in your organization.

Yes

Learn more

Yes

Learn more

Amazon Security Lake

Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account.

Create a data lake that collects logs and events across your accounts.

Yes

Learn more

Yes

Learn more

AWS Service Catalog

Create and manage catalogs of IT services that are approved for use on AWS.

You can share portfolios and copy products across accounts more easily, without sharing portfolio IDs.

Yes

Learn more

Yes

Learn more

Service Quotas

View and manage your service quotas, also referred to as limits, from a central location.

You can create a quota request template to automatically request a quota increase when accounts in your organization are created.

Yes

Learn more

No

AWS IAM Identity Center

Provide single sign-on access for all of your accounts and cloud applications.

Users can sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

Yes

Learn more

Yes

Learn more

AWS Systems Manager

Enable visibility and control of your AWS resources.

You can synchronize operations data across all AWS accounts in your organization by using Systems Manager Explorer.

You can manage change templates, approvals and reporting for all member accounts in your organization from a delegated administrator account by using Systems Manager Change Manager.

Yes

Learn more

Yes

Learn more

Tag policies

Use standardized tags across resources in your organization's accounts.

You can create tag policies to define tagging rules for specific resources and resource types and attach those policies to organizational units and accounts to enforce those rules.

Yes

Learn more

No

AWS Trusted Advisor

Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps.

Run Trusted Advisor checks for all of the AWS accounts in your organization.

Yes

Learn more

Yes

Learn more

AWS Well-Architected Tool

The AWS Well-Architected Tool helps you document the state of your workloads and compares them to the latest AWS architectural best practices.

Enables both AWS WA Tool and Organizations customers to simplify the process of sharing AWS WA Tool resources with other members of their organization.

Yes

Learn more

No

Amazon VPC IP Address Manager (IPAM)

IPAM is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.

Monitor IP address usage throughout your organization and share IP address pools across member accounts.

Yes

Learn more

Yes

Learn more

Amazon VPC Reachability Analyzer

Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).

Trace paths across accounts in your organization.

Yes

Learn more

Yes

Learn more