AWS Organization

AWS Organizations Dashboards - Block Diagram

---

Overview

AWS Organizations is a service that allows you to manage multiple AWS accounts centrally. It helps you manage billing, control access, and automate workflows across multiple accounts, all while ensuring you maintain a secure and well-organized environment. AWS Organizations enables you to set up and manage accounts into a hierarchical structure, enforce policies, and simplify billing.

Key Features of AWS Organizations:

• Account Management: Organize accounts into a hierarchical structure with organizational units (OUs).

• Service Control Policies (SCPs): Set permission guardrails to restrict access to AWS services and resources across your organization.

• Consolidated Billing: Combine multiple AWS accounts to receive a single bill, while still maintaining separate accounts for financial and operational purposes.

• Resource Sharing: Share resources across multiple accounts.

• Cross-account Access: Easily configure access for users or roles to multiple accounts.

• Automated Account Creation: Automate the process of creating and managing AWS accounts within your organization.

Prerequisites

• Root User Access: To create or manage an AWS Organization, you must be signed in with an AWS root user or an IAM user with appropriate permissions.

• AWS Organizations Service: Ensure AWS Organizations is supported and available in your region.

Creating an AWS Organization

Step 1: Sign in to the AWS Management Console

1. Go to the AWS Management Console and sign in using your root user or an IAM user with appropriate permissions.

2. From the Services menu, search for and select AWS Organizations.

Step 2: Create an Organization

1. In the AWS Organizations console, select Create organization.

2. Choose the All features option, which enables the full set of AWS Organizations capabilities, including account management, consolidated billing, and service control policies.

3. Click Create organization.

Step 3: Organize Accounts

1. Once the organization is created, you can begin adding new accounts or inviting existing accounts to join your organization.

2. To add an account, select Accounts from the left sidebar, then click Add account. You can either create a new AWS account or invite an existing one by email.

3. Assign the new account to an Organizational Unit (OU), which helps organize your accounts in a structured manner.

---

Managing Accounts in AWS Organizations

Step 1: Create New Accounts

1. From the AWS Organizations console, go to Accounts.

2. Click Add account.

3. Select Create an AWS account.

4. Provide the email address, account name, and IAM role name.

5. Optionally, select an Organizational Unit (OU) for the account.

6. Click Create to create the new account.

Step 2: Invite Existing Accounts

1. In the Accounts section of the AWS Organizations console, click Add account.

2. Select Invite an existing account.

3. Provide the email address of the account owner you want to invite.

4. The account owner will receive an invitation to join your organization.

5. After they accept the invitation, their account will be linked to your organization.

---

Organizational Units (OUs)

Organizational Units (OUs) allow you to group accounts in a way that matches your company’s structure. For example, you can create OUs for different departments like Finance, Development, or Marketing.

Step 1: Create an Organizational Unit

1. In the AWS Organizations console, navigate to Organizational units.

2. Click Create organizational unit.

3. Provide a name for the OU (e.g., Development).

4. Click Create.

Step 2: Move Accounts Between OUs

1. In the Accounts section, select the account you want to move.

2. Click Move.

3. Choose the target Organizational Unit and click Move.

---

Service Control Policies (SCPs)

Service Control Policies (SCPs) are a powerful feature of AWS Organizations that allow you to set permission guardrails for your accounts and OUs. SCPs help you control which services and actions are available to IAM users and roles in your accounts.

Step 1: Create a Service Control Policy

1. From the AWS Organizations console, navigate to Policies.

2. Click Create policy.

3. Write your SCP using JSON to define the allowed or denied services and actions. For example, to deny access to Amazon S3, use:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Deny",
         "Action": "s3:*",
         "Resource": "*"
       }
     ]
   }

4. Click Create policy to save.

Step 2: Attach an SCP to an Organizational Unit or Account

1. Go to the Organizational units or Accounts tab.

2. Select the OU or account to which you want to attach the SCP.

3. Click Attach policy and choose the policy you created.

4. Click Attach.

---

Consolidated Billing

AWS Organizations enables Consolidated Billing, allowing you to combine the usage from multiple AWS accounts into one bill. This can result in lower costs by taking advantage of volume discounts.

Step 1: Enable Consolidated Billing

1. In the AWS Organizations console, navigate to Billing.

2. Choose Consolidated Billing from the left sidebar.

3. Ensure that Consolidated billing is enabled, which automatically aggregates billing for linked accounts.

Step 2: View Consolidated Billing Reports

1. From the AWS Billing and Cost Management Console, go to Bills.

2. You can view detailed billing information, including usage across all accounts in your organization.

---

Resource Sharing in AWS Organizations

You can share resources such as Amazon VPC subnets, AWS RAM (Resource Access Manager), and AWS Transit Gateway across multiple accounts in your organization.

Step 1: Enable Resource Sharing

1. In the AWS Organizations console, go to Resource Sharing.

2. Click Create resource share and select the resources you want to share (e.g., VPCs, Subnets).

3. Select the accounts or OUs with which you want to share the resources.

4. Click Create.

Step 2: Accept Resource Share Invitations

1. The recipient account will receive an invitation to accept the shared resources.

2. They can go to the Resource Share section in their AWS console to accept or decline the invitation.