Core concepts - Organizing Your AWS Environment Using Multiple Accounts

Core concepts

This section covers the following core concepts:

AWS Organizations

The AWS Organizations service helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally provision accounts and resources; secure and audit their environment for compliance; share resources; control access to accounts, regions, and services; as well as optimize costs and simplify billing. Additionally, Organizations supports aggregation of health events, consolidated data on use of access permissions, and centralized management of backups and tagging for multi-account environments.

This section includes best practices for organizing your AWS accounts, including grouping your accounts into organizational units (OUs) so that you can more effectively secure and manage your overall AWS environment.

What is an organization?

An organization is an entity that you create to consolidate a collection of accounts so that you can administer them as a single unit. Within each organization, you can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under the root. Each account can be placed directly in the root, or placed in one of the OUs in the hierarchy.

Each organization consists of:

  • A management account

  • Zero or more member accounts

  • Zero or more organizational units (OUs)

  • Zero or more policies

Organizations management account

The organization management account is the account that creates the organization. Management of the organization’s resources including OUs and policies occurs within the organization’s management account.

Creation of member accounts and associating them with OUs is also managed from within the management account. Access to the management account does not automatically result in permissions to access each member account of the organization. Cross-account AWS Identity and Access Management (IAM) roles must be configured to allow such access.

Organizations member accounts

AWS Organizations member accounts belong to the organization and reside in the overall organization’s structure. All billing for member accounts is consolidated to the management account of the organization.

Most of your workloads will reside in member accounts, except for some centrally managed processes that must reside in either the management account or in accounts assigned as designated administrators for specific AWS services.

Organizational units

An organizational unit (OU) provides a means to group accounts within a root. An OU can also contain other OUs. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and each account can be a member of exactly one OU.

OUs are not meant to mirror your own organization’s reporting structure. Instead, OUs are intended to group accounts that have common overarching security policies and operational needs. The primary question to ask yourself is: How likely will the group need a set of similar policies?

The following diagram shows a basic organization that consists of seven accounts that are organized into four OUs under the root. The organization also has a few policies that are applied to OUs.


            This image shows an example of a basic organization with a management account,
              organization units, member accounts, and policies.

Example of a basic organization