# Chapter 26: AWS Organizations & Service Control Policies

Multi-Account Management & Governance

## 26.1 Overview

AWS Organizations is a free service that lets you consolidate multiple AWS accounts into a single organization that you create and manage centrally from one management account.
```text
AWS Organizations
├── Central governance: consolidated billing, management account
├── Account grouping: organizational units (OUs), hierarchy
└── Service Control Policies: SCPs, maximum permissions
```

### Key Features
| Feature | Description | Benefit |
|---|---|---|
| Consolidated Billing | One bill and one payment method for all member accounts | Cost savings, volume discounts |
| Account Management | Create member accounts, invite existing ones, close or remove them | Automation |
| Organizational Units (OUs) | Group accounts into a nested hierarchy | Hierarchical management |
| Service Control Policies | Set the maximum permissions available in member accounts (they never grant) | Security governance |
| Integration | Trusted access for services such as CloudTrail, Config, GuardDuty and Security Hub | Centralized control |
## 26.2 Organization Structure

### Root and OU Hierarchy
```text
Root
├── OU: Security
│   ├── Acct-1 (Sec-A)
│   └── Acct-2 (Sec-B)
├── OU: Dev
│   ├── Acct-3 (Dev-A)
│   └── Acct-4 (Dev-B)
└── OU: Prod
    ├── Acct-5 (Prod-A)
    └── Acct-6 (Prod-B)
```

The root is the top of the tree; OUs can nest up to five levels deep beneath it, and every account has exactly one parent (the root or one OU). Policies attached to the root or to an OU are inherited by every OU and account below them, so this tree is also the SCP inheritance tree.

### Organizational Unit (OU) Design Patterns
```text
Pattern 1: Environment-based
Root
├── OU: Production
└── OU: Non-Production
    ├── OU: Development
    ├── OU: Testing
    └── OU: Staging

Pattern 2: Team/department-based
Root
├── OU: Engineering
├── OU: Finance
├── OU: Marketing
└── OU: Security

Pattern 3: Hybrid (recommended)
Root
├── OU: Security (security tooling)
├── OU: Infrastructure (shared services)
└── OU: Workloads
    ├── OU: Production
    │   ├── OU: App-Team-A
    │   └── OU: App-Team-B
    └── OU: Non-Production
        ├── OU: Development
        └── OU: Testing
```

The hybrid pattern keeps the foundational OUs (Security, Infrastructure) apart from the workload OUs and separates production from non-production inside Workloads, so the strictest SCPs can be attached to Production without touching sandboxes, and security tooling accounts are never caught by workload restrictions.

## 26.3 Service Control Policies (SCPs)
### SCP Overview
SCPs define the maximum permissions available to the IAM users and roles in the member accounts beneath the root, OU or account they are attached to. They do not grant permissions: a principal can perform an action only if an SCP allows it at every level of the hierarchy and an identity-based or resource-based policy also allows it, so the effective permissions are the intersection of the two.

```text
Identity-based policies (IAM)  ∩  SCPs (root -> OU -> account)  =  Effective permissions

Note: SCPs never grant permissions; they only limit them.
```

Points that are easy to get wrong:

- SCPs are not IAM permissions boundaries, although both act as a ceiling rather than a grant.
- SCPs apply to every principal in a member account, including that account's root user.
- SCPs do not apply to the management account and do not restrict service-linked roles.
- SCPs constrain only principals that belong to accounts in the organization; a principal from an outside account that a resource-based policy grants access to is not affected.

### SCP Evaluation Logic
```text
Request by a principal in a member account
          |
          v
Does any SCP on the path root -> OU(s) -> account explicitly Deny the action?
          |
     Yes  |  No
      |   |
      v   v
  DENY    Does an SCP at EVERY level of that path explicitly Allow the action?
 (final)         |
            Yes  |  No
             |   |
             v   v
    Continue to IAM evaluation       DENY (implicit: no Allow at that level)
    (identity, resource, session
     and permissions-boundary policies)
```

Two consequences follow from the "every level" rule. First, the default `FullAWSAccess` policy (`Allow *` on `*`) is what makes a deny-list strategy work: it supplies the Allow at each level and your own SCPs subtract from it. Second, detaching `FullAWSAccess` from a root, OU or account without attaching an allow-list SCP in its place implicitly denies every action for that whole subtree, whatever the other levels say.

### SCP Examples
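To make the evaluation rules concrete, here is an added simulator (example code written for this chapter, not AWS code) that runs an action through a constructed root -> OU -> account chain of SCPs. It models `Action`/`NotAction` and the `StringEquals`/`StringNotEquals` and `ArnLike`/`ArnNotLike` operators used by the policies in this chapter; resource matching is not modelled (every statement is treated as `"Resource": "*"`), and the account IDs, role ARNs and policies are sample data.

```python
"""Simulate AWS SCP evaluation down a root -> OU -> account chain.

Added example for this chapter (not AWS code). Rules modelled: an explicit
Deny at any level wins; otherwise an explicit Allow is needed at every level;
an SCP Allow never grants anything, IAM policies decide next. Resource
matching is not modelled (every statement is treated as Resource "*").
All policies, account IDs and role ARNs below are constructed sample data.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """All operator/key pairs are ANDed. A negated operator (StringNotEquals,
    ArnNotLike) holds when the key is absent from the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator in ("StringEquals", "StringNotEquals"):
                hit = actual is not None and actual in _as_list(expected)
            elif operator in ("ArnLike", "ArnNotLike"):
                hit = actual is not None and any(
                    fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if operator.startswith(("StringNot", "ArnNot")):
                hit = not hit
            if not hit:
                return False
    return True


def _statement_applies(stmt, action, ctx):
    if "Action" in stmt:
        if not _action_matches(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        if _action_matches(stmt["NotAction"], action):
            return False
    else:
        return False
    return _condition_holds(stmt.get("Condition"), ctx)


def evaluate_level(policies, action, ctx):
    """Decision of one hierarchy level: 'deny', 'allow' or 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def evaluate_chain(chain, action, ctx):
    """chain = [(level_name, [scp, ...]), ...] ordered root -> OU(s) -> account.
    Returns (decision, reason). ALLOW means only that no SCP blocks the call."""
    results = [(level, evaluate_level(scps, action, ctx)) for level, scps in chain]
    for level, result in results:
        if result == "deny":
            return "DENY", f"explicit Deny in an SCP at {level}"
    for level, result in results:
        if result == "implicit_deny":
            return "DENY", f"no SCP at {level} allows {action}"
    return "ALLOW", "allowed by SCPs at every level; IAM policies decide next"


# Constructed sample policies (shapes follow this chapter's examples).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_UNAPPROVED_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "cloudfront:*", "route53:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]},
        "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAccountAccessRole"}}}]}
S3_ONLY_ALLOW_LIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sts:*"], "Resource": "*"}]}

# Constructed hierarchy: FullAWSAccess stays attached at the root and the OU but
# was detached from the account, which therefore runs on an allow list.
SAMPLE_CHAIN = [
    ("root r-abcd", [FULL_AWS_ACCESS]),
    ("OU Workloads", [FULL_AWS_ACCESS, DENY_UNAPPROVED_REGIONS]),
    ("account 111111111111", [S3_ONLY_ALLOW_LIST]),
]
DEVELOPER = "arn:aws:iam::111111111111:role/Developer"            # sample ARN
BREAK_GLASS = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"


def decide(action, region, principal_arn, chain=SAMPLE_CHAIN):
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    return evaluate_chain(chain, action, ctx)


if __name__ == "__main__":
    for call in [("s3:PutObject", "us-east-1", DEVELOPER),
                 ("s3:PutObject", "ap-southeast-1", DEVELOPER),
                 ("ec2:RunInstances", "us-east-1", DEVELOPER),
                 ("s3:PutObject", "ap-southeast-1", BREAK_GLASS)]:
        print(call, "->", decide(*call))
```

Run it and compare the four printed decisions with the flowchart: the second call shows an explicit Deny at the OU winning, the third shows an implicit deny caused by an allow-list account with no `ec2` entry (nothing at the root or OU can rescue it), and the fourth shows the `ArnNotLike` exemption letting the break-glass role through.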
#### Example 1: Deny All Services Except S3

A deny list written with `NotAction`: everything other than S3, two read-only IAM calls and `organizations:Describe*` is denied, except for the `OrganizationAccountAccessRole` that the management account assumes. The exemption must use `ArnNotLike`, because `StringNotEquals` does not match wildcards and the original `StringNotEquals` condition would never exempt anyone.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptS3",
      "Effect": "Deny",
      "NotAction": [
        "s3:*",
        "iam:GetUser",
        "iam:GetRole",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
```

#### Example 2: Prevent Leaving Organization
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

#### Example 3: Region Restriction
Denies every request outside the approved Regions. Global services are always called through a single Region, so they must be exempted with `NotAction` or the SCP blocks them; `sts:*` and `support:*` are added to the exemption list here for that reason, and any other global service you depend on needs the same treatment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "sts:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

#### Example 4: Prevent Disabling Security Services
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventSecurityServiceDisable",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DisassociateFromAdministratorAccount",
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "securityhub:DeleteHub",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": "*"
    }
  ]
}
```

The blocked calls still reach CloudTrail as `AccessDenied` events, which is worth alerting on: an attempt to stop logging is itself a signal.

## 26.4 Organization Best Practices
### Multi-Account Strategy
```text
Root
├── Security OU
│   ├── Audit account
│   └── Log Archive account
├── Infrastructure OU
│   ├── Shared Services account
│   └── Network Base account
├── Workloads OU
│   ├── Prod accounts
│   └── Dev accounts
├── Sandbox OU
│   └── Test accounts
└── Suspended OU
    └── Quarantined accounts
```

### Account Factory Pattern
```text
Account Factory (AWS Control Tower or a custom pipeline)
          |
          v
Account creation pipeline
  1. Create the account
  2. Move it to the target OU
  3. Apply SCPs (inherited from the OU)
  4. Configure the baseline
  5. Notify the owning team
          |
          v
New account (raw)  -->  Configured account
```

## 26.5 AWS Control Tower Integration
### Control Tower Overview

```text
AWS Control Tower
├── Landing Zone: multi-account structure, baseline, configuration
├── Guardrails (controls): preventive (SCPs), detective (Config rules)
└── Account Factory: automated account creation, configuration, OU placement
```

### Guardrail Types
Guardrails (now called controls in the Control Tower console) come in three kinds:

```text
Preventive controls (implemented as SCPs)
  - Disallow public S3 buckets
  - Disallow public RDS snapshots
  - Disallow unapproved Regions
  - Disallow disabling CloudTrail
  - Disallow leaving the organization

Detective controls (implemented as AWS Config rules)
  - Detect public S3 bucket access
  - Detect unencrypted EBS volumes
  - Detect MFA not enabled
  - Detect root account usage
  - Detect missing CloudTrail

Proactive controls (implemented as CloudFormation hooks)
  - Prevent non-compliant resource creation
  - Validate configurations before deployment
  - Enforce tagging requirements
```

## 26.6 CLI Commands
### Organization Management

```bash
# Create an organization (ALL enables SCPs; CONSOLIDATED_BILLING alone does not)
aws organizations create-organization \
  --feature-set ALL

# Describe the organization
aws organizations describe-organization

# List accounts
aws organizations list-accounts

# Create an organizational unit under the root
aws organizations create-organizational-unit \
  --parent-id r-xxxx \
  --name "Production"

# List OUs under a parent
aws organizations list-organizational-units \
  --parent-id r-xxxx

# Move an account from the root into an OU
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-xxxx-xxxx

# Create a member account (asynchronous; poll with describe-create-account-status)
aws organizations create-account \
  --email "account@example.com" \
  --account-name "Production-Account"
```

### SCP Management
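Before running `create-policy`, it is worth linting the document locally: a document that breaks the SCP syntax rules comes back from the API only as a generic `MalformedPolicyDocumentException`, and a deny-list file that quietly exceeds the size limit fails the same way. The checker below is an added example for this chapter, not an AWS tool; the sample documents in it are constructed. It enforces the documented SCP constraints: `"Version": "2012-10-17"`, a 5,120-byte size limit, no `Principal`/`NotPrincipal`, and Allow statements limited to `Action` with `"Resource": "*"` (no `Condition`, `NotAction` or `NotResource`).

```python
"""Pre-flight checks for an SCP document before `aws organizations create-policy`.

Added example for this chapter (not an AWS tool). Encodes the documented SCP
syntax rules: "Version" must be "2012-10-17"; the document is limited to
5,120 bytes; Principal/NotPrincipal are not supported; each statement needs
Effect, exactly one of Action/NotAction, and Resource; Allow statements may
only use Action with Resource "*". The sample documents below are constructed.
"""
import json
import sys

SCP_MAX_BYTES = 5120
_ALLOW_KEYS = {"Sid", "Effect", "Action", "Resource"}


def validate_scp(doc, raw_text=None):
    """Return a list of problems; an empty list means the document passes.
    Pass the file's text as raw_text so the size check counts whitespace,
    which AWS counts too."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append('Version must be "2012-10-17"')
    statements = doc.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        tag = f"statement {i} ({stmt.get('Sid', 'no Sid')})"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{tag}: Effect must be Allow or Deny")
        for key in ("Principal", "NotPrincipal"):
            if key in stmt:
                problems.append(f"{tag}: {key} is not supported in SCPs")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{tag}: exactly one of Action or NotAction is required")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{tag}: Resource is required")
        if effect == "Allow":
            extra = set(stmt) - _ALLOW_KEYS
            if extra:
                problems.append(f"{tag}: Allow statements cannot use {sorted(extra)}")
            if stmt.get("Resource") not in ("*", ["*"]):
                problems.append(f'{tag}: Allow statements must use Resource "*"')
    text = raw_text if raw_text is not None else json.dumps(doc)
    size = len(text.encode("utf-8"))
    if size > SCP_MAX_BYTES:
        problems.append(f"document is {size} bytes, limit is {SCP_MAX_BYTES}")
    return problems


def validate_scp_file(path):
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return validate_scp(json.loads(text), text)


# Constructed samples: one that passes, one with three typical mistakes.
GOOD_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyNonApprovedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
BAD_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowWithCondition", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Sid": "HasPrincipal", "Effect": "Deny", "Action": "ec2:*",
     "Resource": "*", "Principal": {"AWS": "*"}}]}


if __name__ == "__main__":
    found = validate_scp_file(sys.argv[1]) if len(sys.argv) > 1 else validate_scp(BAD_SCP)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK: ready for create-policy" if not found else f"{len(found)} problem(s) found")
    sys.exit(1 if found else 0)
```

Run it as `python scp_check.py scp-policy.json` before the `create-policy` command; without an argument it reports the three defects in the constructed `BAD_SCP` (a Condition on an Allow, an Allow with a non-`*` Resource, and a Principal element).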
```bash
# Create a policy from a JSON document
aws organizations create-policy \
  --type SERVICE_CONTROL_POLICY \
  --name "DenyRegions" \
  --description "Deny non-approved regions" \
  --content file://scp-policy.json

# List policies
aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY

# Attach a policy to an OU (the target can also be a root id or an account id)
aws organizations attach-policy \
  --policy-id p-xxxx \
  --target-id ou-xxxx-xxxx

# Detach a policy
aws organizations detach-policy \
  --policy-id p-xxxx \
  --target-id ou-xxxx-xxxx

# Describe a policy (the document is returned as a string in Policy.Content)
aws organizations describe-policy \
  --policy-id p-xxxx
```

## 26.7 Security Best Practices
### SCP Strategy

```text
Layer 1: Root-level SCPs (inherited by every member account)
  - Prevent leaving the organization
  - Prevent disabling CloudTrail and Config
  - Restrict the member-account root user (Deny with a condition on
    aws:PrincipalArn matching arn:aws:iam::*:root)

Layer 2: OU-level SCPs
  - Region restrictions
  - Service restrictions
  - Instance type restrictions

Layer 3: Account-level SCPs
  - Specific service denies
  - Resource-level restrictions
  - Tag-based restrictions
```

Keep root-level SCPs few and stable: every member account inherits them, so a mistake there is felt everywhere at once. Test a new SCP on a single account or a sandbox OU before moving it up the tree, and budget for the limit of five SCPs attached directly to any one root, OU or account.

### Security Account Structure
```text
Security OU
├── Security Hub account (delegated administrator for the security services)
│   - Security Hub
│   - GuardDuty
│   - Detective
│   - Macie
├── Audit account
│   - CloudTrail
│   - Config logs
│   - Audit tools, reports
└── Log Archive account
    - S3 logs
    - Long-term retention
    - Compliance
```

## 26.8 Troubleshooting
### Common Issues

```text
Issue 1: "Access Denied" for admin actions
  Cause:    an SCP denies the action for every principal in the account,
            administrators included
  Solution: exempt the admin role in the Deny statement's Condition. A wildcard
            in the ARN needs ArnNotLike; StringNotEquals does not match wildcards.
            "Condition": {
              "ArnNotLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/AdminRole"
              }
            }

Issue 2: Cannot create resources in a new Region
  Cause:    region-restriction SCP
  Solution: add the Region to the aws:RequestedRegion list in the SCP

Issue 3: Account cannot leave the organization
  Cause:    PreventLeaveOrganization SCP
  Solution: remove the account from the management account with
            remove-account-from-organization; SCPs do not apply there
```

To the caller, an SCP denial looks like any other `AccessDenied`. CloudTrail tells them apart: the event's error message states when the request was denied by an explicit deny in a service control policy.

### Debugging SCPs
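`describe-effective-policy` does not cover SCPs, so there is no single API call that returns the SCPs in force for an account; you have to walk up the hierarchy with `list-parents` and collect what is attached at each level. The script below does that and is an added example for this chapter, not an AWS tool. `org` is any object that exposes the boto3 Organizations client methods `list_parents`, `list_policies_for_target` and `describe_policy` (pass `boto3.client("organizations")` from the management account or a delegated administrator; boto3 is not imported here). `FakeOrganizations` is constructed sample data, with made-up IDs, so the script runs offline.

```python
"""Collect every SCP that applies to an account, level by level.

Added example for this chapter (not an AWS tool). DescribeEffectivePolicy does
not support SCPs, so this walks the hierarchy with ListParents and gathers the
SCPs attached at each level with ListPoliciesForTarget and DescribePolicy.
FakeOrganizations below is constructed sample data (IDs are made up).
"""
import json


def _pages(call, result_key, **kwargs):
    """Follow NextToken pagination of an Organizations list call."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(result_key, [])
        token = resp.get("NextToken")
        if not token:
            return


def hierarchy_path(org, account_id):
    """Return [root_id, ou_id, ..., account_id] by walking parents upward."""
    path = [account_id]
    child = account_id
    while True:
        parent = list(_pages(org.list_parents, "Parents", ChildId=child))[0]
        path.append(parent["Id"])           # an entity has exactly one parent
        if parent["Type"] == "ROOT":
            return list(reversed(path))
        child = parent["Id"]


def collect_scp_chain(org, account_id):
    """Return [{'target': id, 'policies': [{'id', 'name', 'content'}, ...]}, ...]
    ordered root -> OU(s) -> account, content parsed from JSON."""
    chain = []
    for target in hierarchy_path(org, account_id):
        policies = []
        for summary in _pages(org.list_policies_for_target, "Policies",
                              TargetId=target, Filter="SERVICE_CONTROL_POLICY"):
            content = org.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"]
            policies.append({"id": summary["Id"], "name": summary["Name"],
                             "content": json.loads(content)})
        chain.append({"target": target, "policies": policies})
    return chain


def levels_without_full_access(chain):
    """Levels where FullAWSAccess is not attached. An allow-list SCP at such a
    level must name every action the subtree needs, or it is implicitly denied."""
    return [lvl["target"] for lvl in chain
            if not any(p["name"] == "FullAWSAccess" for p in lvl["policies"])]


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (sample data)."""
    _parents = {"111111111111": ("ou-r1ab-wrkld001", "ORGANIZATIONAL_UNIT"),
                "ou-r1ab-wrkld001": ("r-r1ab", "ROOT")}
    _attached = {"r-r1ab": ["p-FullAWSAccess"],
                 "ou-r1ab-wrkld001": ["p-FullAWSAccess", "p-dr1a2b3c"],
                 "111111111111": ["p-s3a1b2c3"]}
    _policies = {
        "p-FullAWSAccess": ("FullAWSAccess", {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
        "p-dr1a2b3c": ("DenyRegions", {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "sts:*"],
             "Resource": "*", "Condition": {"StringNotEquals": {
                 "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}),
        "p-s3a1b2c3": ("S3Only", {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:*", "sts:*"], "Resource": "*"}]}),
    }

    def list_parents(self, ChildId, NextToken=None):
        pid, ptype = self._parents[ChildId]
        return {"Parents": [{"Id": pid, "Type": ptype}]}

    def list_policies_for_target(self, TargetId, Filter, NextToken=None):
        return {"Policies": [{"Id": p, "Name": self._policies[p][0], "Type": Filter}
                             for p in self._attached[TargetId]]}

    def describe_policy(self, PolicyId):
        name, doc = self._policies[PolicyId]
        return {"Policy": {"PolicySummary": {"Id": PolicyId, "Name": name},
                           "Content": json.dumps(doc)}}


if __name__ == "__main__":
    chain = collect_scp_chain(FakeOrganizations(), "111111111111")
    for level in chain:
        print(level["target"], "->", [p["name"] for p in level["policies"]])
    print("no FullAWSAccess at:", levels_without_full_access(chain))
```

The output lists, from the root down, exactly the policy sets that the evaluation logic in 26.3 intersects; any level reported by `levels_without_full_access` is where an "Access Denied" with no explicit Deny anywhere is most likely coming from.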
```bash
# NOTE: describe-effective-policy does not support SERVICE_CONTROL_POLICY (it
# covers tag, backup, AI-services opt-out and similar policy types), so there is
# no single call that returns the SCPs in force for an account. Walk the
# hierarchy instead:

# Find the parent of an account or OU (repeat upward until Type is ROOT)
aws organizations list-parents \
  --child-id 123456789012

# List the SCPs attached directly to one level (root, OU or account)
aws organizations list-policies-for-target \
  --target-id ou-xxxx-xxxx \
  --filter SERVICE_CONTROL_POLICY

# List every root, OU and account a policy is attached to
aws organizations list-targets-for-policy \
  --policy-id p-xxxx
```

## 26.9 Exam Tips
```text
 1. SCPs do NOT grant permissions; they only set the maximum permissions.
 2. The management account is never affected by SCPs; member-account root
    users are. Service-linked roles are also exempt.
 3. An action must be allowed by an SCP at every level from the root down to
    the account; detaching FullAWSAccess without attaching an allow-list SCP
    in its place denies everything beneath that level.
 4. FullAWSAccess is attached by default to every root, OU and account.
 5. An explicit Deny always overrides an Allow.
 6. AWS Organizations is free (no additional charge).
 7. Consolidated Billing provides volume-pricing benefits across accounts.
 8. Control Tower builds on Organizations, IAM Identity Center, CloudTrail,
    Config and CloudFormation StackSets.
 9. Guardrails (controls) = preventive (SCPs) + detective (Config rules)
    + proactive (CloudFormation hooks).
10. Account Factory automates account creation and baseline configuration.
```

## 26.10 Summary
```text
AWS Organizations
  - Free service for multi-account management
  - Consolidated billing across accounts
  - Hierarchical structure with OUs

Service Control Policies
  - Maximum permissions, not grants
  - Inherited down the OU hierarchy; an action needs an Allow at every level
  - Apply to every principal in member accounts, including the root user,
    but never to the management account

Best Practices
  - Use a multi-account strategy (not a single account)
  - Use Control Tower for automation
  - Apply defense in depth with layered SCPs
  - Separate security, audit and workload accounts
```

Next Chapter: Chapter 27: AWS KMS, Secrets Manager & Parameter Store