Part 2 | AWS Landing Zone with Control Tower and AFT | AWS Organization

In this topic, I will discuss AWS Organizations in detail. To implement an AWS Landing Zone, you must understand the structure of AWS Organizations, its concepts, and its key benefits. So before starting, let’s look at the problem statement.

Challenges with Multi-account Management without AWS Organizations

  • Keeping a uniform policy across all your accounts is impractical and hard to manage. Applying policies to each account individually by logging in becomes a time-consuming process.
  • Another issue arises with network security, particularly firewall configuration. Some accounts may have overly restrictive firewalls, while others might allow access from the whole internet, which is a poor practice. Without controlling policies and permission boundaries, administrators in these accounts can perform any operation, posing a security risk.
  • The third challenge involves centralized billing. Even though consolidated billing existed before AWS Organizations, managing 100 accounts, each handling its expenses independently, is cumbersome under a single company umbrella.

What are AWS Organizations?

AWS Organizations is a service provided by Amazon Web Services (AWS) that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

This service is designed to simplify billing and cost allocation, apply policies across your accounts, and enable efficient resource sharing and collaboration within your organization.

Key Features of AWS Organizations

  • Consolidated Billing
  • Centralized Management
  • Organizational Units (OUs)
  • Service Control Policies (SCPs)
  • Cross-Account Resource Sharing
  • Consolidated Access Logging

AWS Organizations is beneficial in scenarios where an organization has multiple AWS accounts for different teams, projects, or business units.

It helps streamline administrative tasks, enforce security policies, and optimize costs by providing a centralized view and control over resources. This is especially useful in large enterprises or organizations with complex AWS infrastructures.

In summary, AWS Organizations is required for efficient management, governance, and collaboration across multiple AWS accounts within a company. It simplifies administrative tasks, enhances security, and provides a framework for optimizing resource usage and cost management.

Organizations Structure

Key components of the AWS Organizations structure

Root – The root is the top-level organizational unit. The master account and all other OUs sit under the root.

Organization Units (OUs) – OUs are containers for accounts within your organization. They provide a way to group accounts based on business units, applications, or other criteria. OUs help you apply policies to a specific set of accounts, making it easier to manage and enforce governance at scale.

Service Control Policies (SCPs) – SCPs are policies that you apply to OUs or individual accounts to set fine-grained permissions for AWS services. SCPs allow you to control which AWS services and actions are allowed or denied for accounts within the organization.

MASTER – The master account is the initial AWS account created when you sign up for AWS. It has the highest level of permissions and is used to create and manage the organization.

CORE OU – The Core OU holds a few centralized AWS accounts that perform specialized functions for every account in the organization. These accounts are Security, Log Archive, Network and Shared Services. They will be explored in detail in an upcoming blog post.

Workload Account – A workload account is an AWS account designated to host and manage a particular workload or application. In the above diagram, the PROD and NON-PROD accounts under BU1 and BU2 are workload accounts.
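To make the Root → OU → account structure and the SCP inheritance described above concrete, here is an added example (not code from the original post) that simulates how SCPs attached at each level combine: an action must be allowed by at least one SCP at every level from the root down to the account, and an explicit Deny at any level wins. The policies, OU names and account path are constructed for illustration, and Condition keys are not modelled.

```python
"""Simulate SCP evaluation down the OU tree (constructed example)."""
import fnmatch

# Constructed SCPs, not taken from the page. FullAWSAccess is the
# default SCP that AWS attaches to the root and every OU/account.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Guardrail at the Root: no account may leave the organization or
# stop CloudTrail logging, even if lower levels allow it.
ROOT_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["organizations:LeaveOrganization",
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

# Workload OU: only the services the workload needs are allowed
# (FullAWSAccess has been detached from this OU).
WORKLOAD_OU = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "s3:*", "cloudtrail:*", "logs:*"]}]}

# Path from Root to a hypothetical PROD account: (level name, SCPs attached).
PROD_ACCOUNT_PATH = [
    ("Root", [FULL_ACCESS, ROOT_GUARDRAILS]),
    ("BU1 Workloads OU", [WORKLOAD_OU]),
    ("PROD account", [FULL_ACCESS]),
]


def level_allows(scps, action):
    """True if some SCP at this level allows the action and none denies it."""
    act = action.lower()          # IAM action names are case-insensitive
    allowed = False
    for scp in scps:
        for st in scp["Statement"]:
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if any(fnmatch.fnmatchcase(act, a.lower()) for a in acts):
                if st["Effect"] == "Deny":
                    return False  # explicit Deny wins at this level
                allowed = True
    return allowed


def first_blocking_level(path, action):
    """Name of the first level whose SCPs block the action, or None if allowed."""
    for name, scps in path:
        if not level_allows(scps, action):
            return name
    return None


def effective_allow(path, action):
    """Action is permitted only when every level on the path allows it."""
    return first_blocking_level(path, action) is None
```

Note that the simulation covers SCP guardrails only; the principal still needs an IAM identity policy granting the action, since SCPs never grant permissions on their own.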
