By UATeam in AWS

AWS Organizations Account Management Example: A Comprehensive Guide

AWS Organizations simplifies account management for businesses operating across multiple AWS accounts. It allows centralized governance, billing, and resource sharing, enabling streamlined account management and compliance.

This article demonstrates how to use AWS Organizations for account management, including creating an organization, adding accounts, and applying service control policies (SCPs).

What Is AWS Organizations?

AWS Organizations is a service that enables:

  • Centralized Account Management: Organize and manage multiple AWS accounts under a single structure.
  • Consolidated Billing: Manage all accounts' billing from a single payer account.
  • Service Control Policies (SCPs): Apply permissions at an organizational level to enforce compliance.

AWS Organizations Account Management Example

Objective

We’ll:

  1. Create an AWS Organization.
  2. Add accounts to the organization.
  3. Use Organizational Units (OUs) to group accounts.
  4. Apply Service Control Policies (SCPs) to enforce security and compliance.

Step 1: Create an AWS Organization

  1. Log in to the AWS Management Console:
    • Ensure you are using the management account (formerly the payer account).
  2. Open AWS Organizations:
    • Navigate to AWS Organizations in the console.
  3. Create Organization:
    • Click Create Organization.
    • Choose Enable All Features for full functionality, including SCPs.

Step 2: Add AWS Accounts to the Organization

Option 1: Invite Existing Accounts

  1. In the AWS Organizations console, go to AccountsAdd AccountInvite Account.
  2. Enter the account ID or email address of the existing account.
  3. The invited account owner must accept the invitation via email or their AWS Management Console.

Option 2: Create a New Account

  1. In the AWS Organizations console, go to AccountsAdd AccountCreate Account.
  2. Enter:
    • Account Name: e.g., DevAccount.
    • Email Address: A unique email for the new account.
  3. Click Create to generate the new account.

Step 3: Group Accounts into Organizational Units (OUs)

  1. Create an OU:
    • Navigate to Organizational Units.
    • Click Create Organizational Unit and name it (e.g., Development or Production).
  2. Add Accounts to the OU:
    • Drag and drop accounts into the appropriate OU.

Organizational Units help apply policies and manage accounts as groups.

Step 4: Apply Service Control Policies (SCPs)

What Are SCPs?

Service Control Policies are guardrails that define what actions accounts can or cannot perform.

Example: Deny S3 Bucket Deletion

  1. Navigate to PoliciesService Control PoliciesCreate Policy.
  2. Save the policy and attach it to the desired OU or account.

Enter the following SCP JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3Delete",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}

Apply the SCP:

  • Select the target OU or account.
  • Go to the Policies tab → Attach Policy → Select your policy.

Step 5: Manage Billing with Consolidated Billing

  1. Access Billing Information:
    • In the management account, navigate to Billing Dashboard.
    • View consolidated billing for all member accounts.
  2. Set Up Cost Allocation Tags:
    • Enable cost allocation tags to track expenses by project or team.
  3. Use AWS Budgets:
    • Set budget alerts for individual accounts or OUs.

Step 6: Monitor and Govern Accounts

Enable AWS Config:

  • Use AWS Config to track resource changes and compliance across accounts.

Enable CloudTrail:

  • Centralize CloudTrail logs to monitor API activity in all accounts.

View Account Activity:

  • Use the AWS Organizations Activity page to view account invitations and changes.

Best Practices for AWS Organizations Account Management

  1. Use Separate Accounts for Workloads:
    • Isolate environments like development, testing, and production into different accounts.
  2. Apply SCPs Strategically:
    • Use SCPs to enforce security policies, such as restricting access to certain regions.
  3. Monitor Usage:
    • Use AWS CloudWatch and Cost Explorer to track account usage and optimize costs.
  4. Secure Management Account:
    • Limit access to the management account to prevent accidental misconfigurations.

Conclusion

AWS Organizations provides a powerful framework for managing multiple AWS accounts under a centralized structure. By following this example, you can streamline account creation, enforce governance using SCPs, and optimize costs with consolidated billing. AWS Organizations is essential for businesses looking to scale their cloud infrastructure securely and efficiently.