# Chapter 26: AWS Organizations & Service Control Policies

## Multi-Account Management & Governance

## 26.1 Overview

AWS Organizations is a free service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
```text
AWS Organizations Overview

                 +------------------------+
                 |   AWS Organizations    |
                 +------------------------+
                             |
          +------------------+------------------+
          |                  |                  |
          v                  v                  v
    +----------+       +----------+       +----------+
    | Central  |       | Account  |       | Service  |
    | Govern   |       | Grouping |       | Control  |
    |          |       |          |       | Policies |
    | - Billing|       | - OUs    |       | - SCPs   |
    | - Mgmt   |       | - Hier   |       | - Perms  |
    +----------+       +----------+       +----------+
```

### Key Features

| Feature | Description | Benefit |
|---|---|---|
| Consolidated Billing | Single payment method | Cost savings |
| Account Management | Create/delete accounts | Automation |
| Organizational Units (OUs) | Group accounts | Hierarchical management |
| Service Control Policies | Permission boundaries | Security governance |
| Integration | AWS services | Centralized control |
## 26.2 Organization Structure

### Root and OU Hierarchy

```text
Organization Hierarchy

                          +--------+
                          |  Root  |
                          +--------+
                               |
          +--------------------+--------------------+
          |                    |                    |
          v                    v                    v
    +----------+         +----------+         +----------+
    |    OU    |         |    OU    |         |    OU    |
    | Security |         |   Dev    |         |   Prod   |
    +----------+         +----------+         +----------+
          |                    |                    |
     +----+----+          +----+----+          +----+----+
     |         |          |         |          |         |
     v         v          v         v          v         v
 +------+  +------+   +------+  +------+   +------+  +------+
 |Acct-1|  |Acct-2|   |Acct-3|  |Acct-4|   |Acct-5|  |Acct-6|
 |Sec-A |  |Sec-B |   |Dev-A |  |Dev-B |   |Prod-A|  |Prod-B|
 +------+  +------+   +------+  +------+   +------+  +------+
```

### Organization Unit (OU) Design Patterns
```text
OU Design Patterns

Pattern 1: Environment-Based
  Root
  |-- OU: Production
  |-- OU: Non-Production
      |-- OU: Development
      |-- OU: Testing
      |-- OU: Staging

Pattern 2: Team/Department-Based
  Root
  |-- OU: Engineering
  |-- OU: Finance
  |-- OU: Marketing
  |-- OU: Security

Pattern 3: Hybrid (Recommended)
  Root
  |-- OU: Security (Security Tooling)
  |-- OU: Infrastructure (Shared Services)
  |-- OU: Workloads
      |-- OU: Production
          |-- OU: App-Team-A
          |-- OU: App-Team-B
      |-- OU: Non-Production
          |-- OU: Development
          |-- OU: Testing
```

## 26.3 Service Control Policies (SCPs)

### SCP Overview

```text
Service Control Policies

SCPs are permission boundaries that define the maximum
permissions for accounts in an organization.

  +-------------------+       +-------------------+
  |  Identity-based   |       |  SCP (Boundary)   |
  |  Policies (IAM)   |  -->  |   (Allow/Deny)    |  -->  Effective
  |                   |       |                   |       Permissions
  +-------------------+       +-------------------+

Note: SCPs do NOT grant permissions - they only limit them
```

### SCP Evaluation Logic

```text
SCP Permission Evaluation

            Permission Request
                    |
                    v
        +------------------------+
        |  Check Explicit Deny   |
        |     in any SCP?        |
        +------------------------+
              |                    |
             Yes                   No
              |                    |
              v                    v
        +----------+   +------------------------+
        |   DENY   |   |  Check Explicit Allow  |
        |  (Final) |   |     in any SCP?        |
        +----------+   +------------------------+
                             |                 |
                            Yes                No
                             |                 |
                             v                 v
                       +----------+   +------------------+
                       |  ALLOW   |   |  Implicit Deny   |
                       |  (Check  |   | (No permission)  |
                       |   IAM)   |   +------------------+
                       +----------+
```

### SCP Examples

#### Example 1: Deny All Services Except S3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptS3",
      "Effect": "Deny",
      "NotAction": [
        "s3:*",
        "iam:GetUser",
        "iam:GetRole",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
```

#### Example 2: Prevent Leaving Organization

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

#### Example 3: Region Restriction

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

#### Example 4: Prevent Disabling Security Services

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventSecurityServiceDisable",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromMasterAccount",
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "securityhub:DeleteHub"
      ],
      "Resource": "*"
    }
  ]
}
```

## 26.4 Organization Best Practices
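To make the evaluation flow above concrete, here is an added example (not code from the chapter): a small evaluator that applies the explicit-deny, explicit-allow, implicit-deny order to the chapter's Example 3 and an abridged Example 4, together with the default FullAWSAccess policy. The names `FULL_AWS_ACCESS`, `DENY_REGIONS`, `PREVENT_SEC` and `evaluate` are mine, and all SCPs on the account's path are pooled into one list rather than checked level by level as AWS does.

```python
import fnmatch

# Default SCP AWS attaches to every root and OU: allow everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Chapter Example 3: deny everything outside approved regions, except global services.
DENY_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyNonApprovedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "cloudfront:*", "route53:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}}}]}

# Chapter Example 4 (abridged): protect the logging and detection services.
PREVENT_SEC = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PreventSecurityServiceDisable", "Effect": "Deny",
    "Action": ["guardduty:DeleteDetector", "cloudtrail:DeleteTrail",
               "cloudtrail:StopLogging", "config:StopConfigurationRecorder",
               "securityhub:DeleteHub"],
    "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """IAM-style matching: '*' wildcards, case-insensitive service/action names.
    A NotAction statement applies to every action NOT listed."""
    if "Action" in stmt:
        patterns, negate = _as_list(stmt["Action"]), False
    else:
        patterns, negate = _as_list(stmt["NotAction"]), True
    hit = any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)
    return hit != negate


def _condition_matches(stmt, ctx):
    """StringEquals / StringNotEquals only (all the chapter's SCPs need).
    A key absent from the request context can never be 'equal'."""
    for operator, block in stmt.get("Condition", {}).items():
        for key, expected in block.items():
            equal = ctx.get(key) in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def evaluate(scps, action, ctx):
    """Apply the SCP evaluation flow to one request.  Returns 'DENY' (explicit
    deny, final), 'ALLOW' (the boundary permits it; IAM policies are checked
    next) or 'IMPLICIT_DENY' (no SCP allowed the action).  All SCPs attached
    along the account's path are pooled; real AWS needs an Allow at every level."""
    decision = "IMPLICIT_DENY"
    for policy in scps:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt, action) and _condition_matches(stmt, ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"          # an explicit deny ends evaluation
            decision = "ALLOW"         # remember the allow, keep looking for a deny
    return decision
```

Removing `FULL_AWS_ACCESS` from the list shows exam point 3 in action: a Deny-only SCP leaves every action implicitly denied.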
### Multi-Account Strategy

```text
Recommended Multi-Account Structure

                                 +--------+
                                 |  Root  |
                                 +--------+
                                     |
      +--------------+--------------+--------------+--------------+
      |              |              |              |              |
      v              v              v              v              v
+-----------+  +-----------+  +-----------+  +-----------+  +-----------+
| Security  |  |  Infra-   |  | Workloads |  |  Sandbox  |  | Suspended |
|    OU     |  | structure |  |    OU     |  |    OU     |  |    OU     |
|           |  |    OU     |  |           |  |           |  |           |
+-----------+  +-----------+  +-----------+  +-----------+  +-----------+
      |              |              |              |              |
      v              v              v              v              v
+-----------+  +-----------+  +-----------+  +-----------+  +-----------+
| Audit     |  | Shared    |  | Prod-Accts|  | Test      |  | Quarantine|
| Acct      |  | Services  |  | Dev-Accts |  | Accts     |  | Accts     |
|           |  |           |  |           |  |           |  |           |
| Log       |  | Network   |  |           |  |           |  |           |
| Archive   |  | Base      |  |           |  |           |  |           |
+-----------+  +-----------+  +-----------+  +-----------+  +-----------+
```

### Account Factory Pattern

```text
Account Factory Architecture

          +------------------+
          | Account Factory  |
          | (AWS Control     |
          |  Tower / Custom) |
          +------------------+
                   |
                   v
          +------------------+
          | Account Creation |
          | Pipeline         |
          |                  |
          | 1. Create Account|
          | 2. Move to OU    |
          | 3. Apply SCPs    |
          | 4. Configure     |
          |    Baseline      |
          | 5. Notify Team   |
          +------------------+
                   |
                   v
          +------------------+       +------------------+
          |   New Account    |  -->  |   Configured     |
          |     (Raw)        |       |    Account       |
          +------------------+       +------------------+
```

## 26.5 AWS Control Tower Integration
### Control Tower Overview

```text
AWS Control Tower Architecture

                 +------------------------+
                 |   AWS Control Tower    |
                 +------------------------+
                             |
          +------------------+------------------+
          |                  |                  |
          v                  v                  v
    +-----------+      +-----------+      +-----------+
    | Landing   |      | Guardrails|      | Account   |
    | Zone      |      | (Controls)|      | Factory   |
    |           |      |           |      |           |
    | - Multi   |      | - Prevent |      | - Auto    |
    |   Account |      | - Detect  |      |   Create  |
    | - Baseline|      | - SCPs    |      | - Config  |
    | - Config  |      | - Config  |      | - OU      |
    +-----------+      +-----------+      +-----------+
```

### Guardrails Types

```text
Control Tower Guardrails

Preventive Guardrails (SCPs)
  - Disallow public S3 buckets
  - Disallow public RDS snapshots
  - Disallow unapproved regions
  - Disallow disabling CloudTrail
  - Disallow leaving organization

Detective Guardrails (AWS Config Rules)
  - Detect public S3 bucket access
  - Detect unencrypted EBS volumes
  - Detect MFA not enabled
  - Detect root account usage
  - Detect missing CloudTrail

Proactive Guardrails (CloudFormation Hooks)
  - Prevent non-compliant resource creation
  - Validate configurations before deployment
  - Enforce tagging requirements
```

## 26.6 CLI Commands
### Organization Management

```bash
# Create organization
aws organizations create-organization \
  --feature-set ALL

# Describe organization
aws organizations describe-organization

# List accounts
aws organizations list-accounts

# Create organizational unit
aws organizations create-organizational-unit \
  --parent-id r-xxxx \
  --name "Production"

# List OUs directly under a parent (root or OU)
aws organizations list-organizational-units-for-parent \
  --parent-id r-xxxx

# Move account to OU
aws organizations move-account \
  --account-id 123456789012 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-xxxx-xxxx

# Create account
aws organizations create-account \
  --email "account@example.com" \
  --account-name "Production-Account"
```

### SCP Management
```bash
# Create policy
aws organizations create-policy \
  --type SERVICE_CONTROL_POLICY \
  --name "DenyRegions" \
  --description "Deny non-approved regions" \
  --content file://scp-policy.json

# List policies
aws organizations list-policies \
  --filter SERVICE_CONTROL_POLICY

# Attach policy to OU
aws organizations attach-policy \
  --policy-id p-xxxx \
  --target-id ou-xxxx-xxxx

# Detach policy
aws organizations detach-policy \
  --policy-id p-xxxx \
  --target-id ou-xxxx-xxxx

# Describe policy
aws organizations describe-policy \
  --policy-id p-xxxx
```

## 26.7 Security Best Practices
### SCP Strategy

```text
SCP Security Strategy

Layer 1: Organization-Level SCPs
  - Prevent leaving organization
  - Prevent disabling CloudTrail/Config
  - Prevent root account access keys

Layer 2: OU-Level SCPs
  - Region restrictions
  - Service restrictions
  - Instance type restrictions

Layer 3: Account-Level SCPs
  - Specific service denies
  - Resource-level restrictions
  - Tag-based restrictions
```

### Security Account Structure

```text
Security Accounts Architecture

Security OU
  +----------------+  +----------------+  +----------------+
  | Security Hub   |  | Audit Account  |  | Log Archive    |
  | Account        |  |                |  | Account        |
  |                |  |                |  |                |
  | - Security Hub |  | - CloudTrail   |  | - S3 Logs      |
  | - GuardDuty    |  | - Config Logs  |  | - Long-term    |
  | - Detective    |  | - Audit Tools  |  |   Retention    |
  | - Macie        |  | - Reports      |  | - Compliance   |
  +----------------+  +----------------+  +----------------+
```

## 26.8 Troubleshooting
### Common Issues

```text
Common SCP Issues

Issue 1: "Access Denied" for Admin Actions
  Cause:    SCP blocking admin actions
  Solution: Add exception for admin role in SCP

  Condition:
    "StringNotEquals": {
      "aws:PrincipalArn": "arn:aws:iam::*:role/AdminRole"
    }

Issue 2: Cannot Create Resources in New Region
  Cause:    Region restriction SCP
  Solution: Update SCP to include new region

Issue 3: Account Cannot Leave Organization
  Cause:    PreventLeaveOrganization SCP
  Solution: Management account must remove account
```

### Debugging SCPs
```bash
# List SCPs attached directly to an account
# (describe-effective-policy only supports management policy types such as
#  TAG_POLICY, not SERVICE_CONTROL_POLICY, so walk the attachments instead)
aws organizations list-policies-for-target \
  --target-id 123456789012 \
  --filter SERVICE_CONTROL_POLICY

# List policies attached to OU
aws organizations list-policies-for-target \
  --target-id ou-xxxx-xxxx \
  --filter SERVICE_CONTROL_POLICY

# Check where a policy is attached
aws organizations list-targets-for-policy \
  --policy-id p-xxxx
```

## 26.9 Why This Matters in DevOps/SRE

AWS Organizations is the foundation of enterprise cloud governance. SREs use it to enforce security boundaries via SCPs, manage blast radius through account isolation, centralize billing, and automate account provisioning. A well-designed multi-account strategy is the first step to a secure, scalable AWS environment.
## 26.10 Linux Systems Perspective

### Organization Management from Arch Linux

```bash
# Install tools
sudo pacman -S aws-cli-v2 jq
```

```bash
#!/bin/bash
# ~/bin/org-status.sh - Organization Health Dashboard
set -euo pipefail

echo "=== Organization Overview ==="
aws organizations describe-organization \
  --query 'Organization.{Id:Id,Master:MasterAccountId,Features:FeatureSet}' \
  --output table

echo ""
echo "=== Accounts ==="
aws organizations list-accounts \
  --query 'Accounts[*].{Name:Name,Id:Id,Email:Email,Status:Status}' \
  --output table

echo ""
echo "=== OUs ==="
ROOT_ID=$(aws organizations list-roots --query 'Roots[0].Id' --output text)
aws organizations list-organizational-units-for-parent \
  --parent-id "$ROOT_ID" \
  --query 'OrganizationalUnits[*].{Name:Name,Id:Id}' \
  --output table
```

```bash
#!/bin/bash
# ~/bin/scp-audit.sh - SCP Audit Script: every SCP and where it is attached
set -euo pipefail

echo "=== Service Control Policies ==="
for POLICY_ID in $(aws organizations list-policies \
    --filter SERVICE_CONTROL_POLICY \
    --query 'Policies[*].Id' --output text); do
  echo "--- Policy: $POLICY_ID ---"
  aws organizations describe-policy --policy-id "$POLICY_ID" \
    --query 'Policy.{Name:PolicySummary.Name,Description:PolicySummary.Description}' \
    --output table
  echo "Targets:"
  aws organizations list-targets-for-policy --policy-id "$POLICY_ID" \
    --query 'Targets[*].{Name:Name,Type:Type}' --output table
done
```

## 26.11 Common Mistakes & Anti-Patterns

| Anti-Pattern | Best Practice |
|---|---|
| ❌ Everything in one account | ✅ Multi-account strategy (blast radius isolation) |
| ❌ SCPs that break ops tooling | ✅ Exempt admin/break-glass roles in SCP conditions |
| ❌ No testing before SCP deploy | ✅ Test in sandbox OU first, then promote to prod OUs |
| ❌ Management account for workloads | ✅ Management account only for billing and org management |
| ❌ No account factory automation | ✅ Use Control Tower or custom IaC for account creation |

## 26.12 Interview Questions
Section titled “26.12 Interview Questions”-
Q: How do you safely roll out a new SCP across a large organization?
- A: (1) Write the SCP and validate JSON syntax, (2) Attach to a Sandbox OU first with test accounts, (3) Change actions to
Countor use CloudTrail to verify what would be denied, (4) After validation, attach to Dev/Staging OUs, (5) Monitor for 1-2 weeks for access denied errors, (6) Finally attach to Production OUs. Always include an exception condition for a break-glass IAM role so you can recover if the SCP blocks critical operations.
- A: (1) Write the SCP and validate JSON syntax, (2) Attach to a Sandbox OU first with test accounts, (3) Change actions to
-
Q: Management account vs delegated admin — when to use each?
- A: Management account should only be used for: org management, billing, SCP attachment. Everything else should use delegated admin accounts — Security Hub admin in the Security account, CloudFormation StackSets admin in the Infrastructure account, etc. This follows least privilege and reduces the blast radius if the management account is compromised.
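Step (1) of the rollout answer, as an added example that is not the chapter's code: a pre-flight validator that checks the JSON, the SCP-specific rules for Allow statements, and that each broad Deny carves out a break-glass role. It also flags a `StringNotEquals` exemption whose ARN contains `*` (the shape used in Example 1 and in Troubleshooting Issue 1): string condition operators compare exactly, so that carve-out never matches and the Deny still hits the admin role, whereas `ArnNotLike` honours the wildcard. The role name `BreakGlassRole` and the 5,120-byte quota constant are assumptions.

```python
import json

SCP_MAX_BYTES = 5120                 # SCP document size quota (assumed from AWS docs)
BREAK_GLASS_ROLE = "BreakGlassRole"  # assumed placeholder role name
EXEMPT_OPERATORS = ("StringNotEquals", "ArnNotEquals", "StringNotLike", "ArnNotLike")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _check_exemption(stmt, findings):
    """A Deny on Resource "*" should carve out the break-glass role, and the
    carve-out must use an operator that matches the ARN as written:
    StringNotEquals compares exactly, so a '*' inside the value is literal."""
    sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
    exempt = []
    for op in EXEMPT_OPERATORS:
        for arn in _as_list(cond.get(op, {}).get("aws:PrincipalArn", [])):
            if "*" in arn and op == "StringNotEquals":
                findings.append(f"{sid}: {op} is an exact match, so the wildcard in "
                                f"{arn!r} never matches; use ArnNotLike")
            exempt.append(arn)
    if not any(arn.endswith(f"role/{BREAK_GLASS_ROLE}") for arn in exempt):
        findings.append(f"{sid}: no break-glass exemption for role/{BREAK_GLASS_ROLE}")


def validate_scp(document):
    """Return a list of findings for an SCP JSON document; an empty list means
    it is ready to attach to the Sandbox OU (findings are for human review)."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if len(document.encode()) > SCP_MAX_BYTES:
        findings.append(f"document exceeds the {SCP_MAX_BYTES}-byte SCP quota")
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        sid, effect = stmt.get("Sid", "<no Sid>"), stmt.get("Effect")
        if effect == "Allow":
            # SCP Allow statements only work with Resource "*" and no Condition.
            if _as_list(stmt.get("Resource")) != ["*"] or "Condition" in stmt:
                findings.append(f'{sid}: Allow in an SCP needs Resource "*" and no Condition')
        elif effect == "Deny":
            if _as_list(stmt.get("Resource")) == ["*"]:
                _check_exemption(stmt, findings)
        else:
            findings.append(f"{sid}: Effect must be Allow or Deny")
    return findings


if __name__ == "__main__":
    # Constructed sample: a region deny whose exemption uses StringNotEquals with a wildcard.
    sample = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNonApprovedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"],
                      "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassRole"}}}]})
    for finding in validate_scp(sample):
        print(finding)
```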
## 26.13 Exam Tips

```text
Key Exam Points

 1. SCPs do NOT grant permissions - they only limit them
 2. Management account is NOT affected by SCPs
 3. SCPs must have at least one Allow statement to be effective
 4. FullAWSAccess SCP is attached by default to all roots/OUs
 5. Explicit Deny always overrides Allow
 6. AWS Organizations is FREE (no additional charges)
 7. Consolidated Billing provides volume pricing benefits
 8. Control Tower = Organizations + Config + CloudFormation
 9. Guardrails = Preventive (SCPs) + Detective (Config Rules)
10. Account Factory automates account creation
```

## 26.14 Summary

```text
Chapter 26 Summary

AWS Organizations
  - Free service for multi-account management
  - Consolidated billing across accounts
  - Hierarchical structure with OUs

Service Control Policies
  - Permission boundaries (not grants)
  - Inherit down the OU hierarchy
  - Can deny any action except management account

Best Practices
  - Use multi-account strategy (not single account)
  - Implement Control Tower for automation
  - Apply defense-in-depth with layered SCPs
  - Separate security, audit, and workload accounts
```

Next Chapter: Chapter 27: AWS KMS, Secrets Manager & Parameter Store
Last Updated: March 2026