[AWS] AWS Organizations

AWS Organizations is a centralized, global service for managing multiple AWS accounts (up to 20) and their billing.

  • All accounts within an AWS Organization can consolidate bills into a single account.
    • A paying account should be used for billing purposes only.
    • Economy of scale – by using more, you can save more. (Volume pricing discount)

Access Control

  • AWS Organizations manages accounts and their permissions, and limits what each account can use, through Service Control Policies (SCPs).
  • Linked accounts belong to a group called an Organizational Unit (OU).
  • A service control policy can be applied to Root -> Organizational Unit -> Account.
  • Policies are inherited.
  • Steps to attach an SCP to an account within an OU
    1. Log in to the master account and create the SCP
    2. Select the Organizational Unit
    3. Enable the SCP for the Organizational Unit
    4. Attach the SCP to the account
  • Role switching is a method of accessing one account from another using only one set of credentials.
    • A role in Account B trusts Account A.
    • An identity in Account A can assume the role in Account B. (sts:AssumeRole) <- Trust Policy
    • Using the role, it can operate inside Account B <- Permissions Policy
  • OrganizationAccountAccessRole is needed when configuring linked accounts for role switching.
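To make the inheritance rule concrete, here is an added Python model (not from the original post and not AWS code) of how SCPs combine along Root -> OU -> Account. The hierarchy, account ID and policies are constructed, and the evaluator handles only Allow/Deny statements with Action wildcards, not Resource or Condition elements.

```python
"""Simplified model of how Service Control Policies (SCPs) combine along the
Root -> OU -> Account path. Constructed example, not AWS code: real SCP
evaluation also handles Resource, Condition and NotAction; this covers
Allow/Deny statements with wildcard Action patterns only."""
from fnmatch import fnmatchcase

# Constructed SCPs. FullAWSAccess is the default SCP AWS attaches everywhere.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}
ALLOW_ONLY_S3_EC2 = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}
DENY_S3_PUBLIC = {"Statement": [{"Effect": "Deny", "Action": "s3:PutBucketPublicAccessBlock"}]}

# Constructed hierarchy: each node lists the SCPs attached directly to it.
HIERARCHY = {
    "root": [FULL_AWS_ACCESS, DENY_LEAVE_ORG],
    "ou-prod": [ALLOW_ONLY_S3_EC2, DENY_S3_PUBLIC],
    "111111111111": [FULL_AWS_ACCESS],  # constructed member account ID
}
PATH = ["root", "ou-prod", "111111111111"]  # Root -> OU -> Account


def _actions(statement):
    action = statement["Action"]
    return [action] if isinstance(action, str) else action


def node_allows(scps, action):
    """Within one node, an explicit Deny in any attached SCP wins; otherwise
    the action needs an Allow in at least one attached SCP."""
    allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if any(fnmatchcase(action, pattern) for pattern in _actions(statement)):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_allows(hierarchy, path, action):
    """The action must pass at every level from Root down to the account:
    effective permissions are the intersection, so an Allow attached to the
    account cannot restore what a parent did not allow or explicitly denied."""
    return all(node_allows(hierarchy[node], action) for node in path)


if __name__ == "__main__":
    for act in ["s3:GetObject", "iam:CreateUser",
                "organizations:LeaveOrganization", "s3:PutBucketPublicAccessBlock"]:
        verdict = "allowed" if effective_allows(HIERARCHY, PATH, act) else "DENIED"
        print(f"{act:40} {verdict}")
```

Note that the account itself carries FullAWSAccess, yet iam:CreateUser is still denied because the OU above it never allowed it.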

aws:PrincipalOrgID Condition Key

  • Validates that the principal accessing the resource belongs to an account in your organization.
  • Example bucket policy using the condition key (the organization ID value below is a placeholder; replace it with your own organization ID):

  {
    "Version": "2012-10-17",
    "Statement": {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-org-bucket/*",
      "Condition": {
        "StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLE-ORG-ID"}
      }
    }
  }

Best Practices with AWS Organizations

  • Consolidated Billing
    • A paying account should be used for billing purposes only.
  • Enable MFA on the root account
  • Use a strong password on the root account
  • Configure access to AWS resources using Service Control Policies (SCPs) on Organizational Units (OUs) or individual accounts.

Using CloudTrail with AWS Organizations

CloudTrail is per account and is enabled per region.

  • Turn on CloudTrail in the paying account.
  • Create a bucket policy that allows cross-account access.
  • Turn on CloudTrail in all accounts in the Organization and use the bucket in the paying account.

AWS Resource Access Manager (RAM)

AWS Resource Access Manager (RAM) allows you to share resources with other accounts or within your AWS Organization.

  • You can share the following resources:
    • EC2, Aurora, Transit Gateways, AWS License Manager configurations, Resource groups, Route 53 Resolver rules, and CodeBuild.
  • With RAM, you do not need to create duplicate resources in multiple accounts, which reduces the operational overhead of managing resources.
  • You can create a Resource Share and specify resources and principals (accounts or organization units (OUs)).
