AWS Organizations Cheat Sheet

AWS Organizations is a management service that enables centralized governance of multiple AWS accounts. It supports policy-based controls, consolidated billing, hierarchical account management, and organization-wide governance.

Key Terms

• Organization: A collection of AWS accounts managed centrally.
• Management Account: Main account that creates and administers the organization; acts as the payer account.
• Member Account: Any account (besides the management account) that is part of an organization.
• Administrative Root: Top container in the organization’s hierarchy; all OUs and accounts fall beneath it.
• Organizational Unit (OU): Logical grouping of accounts; can contain nested OUs.
• Policy: JSON-based document defining controls applied across accounts or OUs.
• Service Control Policy (SCP): Organization-wide permission filter defining which services/actions are allowed.

Features

1. Centralized Account Management
   • Create new AWS accounts or invite existing ones into an organization.
   • Organize accounts into Organizational Units (OUs) in a hierarchy (up to 5 levels deep).
   • Account migration: Move an account from one organization to another.
   • Support for large organizations: Manage up to 10,000 member accounts with quota approval.
2. Consolidated Billing
   • Single payment method for all accounts.
   • Combined view of all charges and access to aggregated discounts.
3. Policy-Based Governance
   • Apply Service Control Policies (SCPs) to organizations, OUs, or individual accounts.
   • Declarative policies: Enforce desired configurations for AWS services at scale.
   • Resource Control Policies (RCPs): Control maximum available permissions for resources.
   • Backup policies update: Flexible resource selection with conditions and resource keys.
   • Policies are inherited through hierarchy.
4. Security Enhancements
   • Security Hub policies: Centrally manage Security Hub configurations across accounts.
   • Centralized root access: Manage root credentials across member accounts to prevent unauthorized access.
   • Chat applications policies: Control account access via Slack, Teams, etc.
   • Service Control Policies (SCPs) enforce organization-wide restrictions.
   • Permissions boundaries ensure IAM policies cannot exceed SCP restrictions.
   • ABAC (tag-based authorization) applies across accounts, OUs, users, and policies.
5. Monitoring & Notifications
   • Account state monitoring: Track Active, Suspended, or Closed states across accounts via console, CLI, or SDKs.
   • AWS User Notifications integration: Centrally configure and view notifications across accounts.
   • AMS Self-Service Reporting (SSR) integration: Aggregate self-service reports across accounts.
6. Managed Policies Updates
   • AWSOrganizationsFullAccess: Enables viewing and modifying account names.
   • DeclarativePoliciesEC2Report policy: Enables declarative EC2 reporting.
   • AWSOrganizationsReadOnlyAccess: Enables viewing root email addresses and enabled regions.
7. Usability & Documentation
   • Scenario-driven documentation and reorganized content for improved readability.
   • Opt-out guidance for all supported AWS AI services.
8. Lifecycle Management
   • Automatically create and manage accounts for new teams, apps, or environments.
   • Remove AWS accounts from an organization to make them standalone.

Use Cases 

• Multi-Account Best Practices
  • Separate environments: Dev, Test, Prod.
  • Isolate workloads for security and blast-radius reduction.
  • Manage departments/business units independently.
• Central Governance
  • Apply mandatory policies organization-wide:
    • Restrict unapproved AWS regions.
    • Prevent disabling CloudTrail.
    • Require encryption and logging.
    • Ensure compliance across accounts.
• Financial Control
  • Centralize cost tracking.
  • Allocate budgets per OU or team.
  • Leverage discounted pricing through aggregated usage.

• Lifecycle Management
  • Automatically create/manage accounts for new teams, apps, or environments.

Administrative Actions

• Create an AWS account and add it to your organization, or add an existing AWS account to your organization.
• Organize your AWS accounts into groups called organizational units (OUs).
• Organize your OUs into a hierarchy that reflects your company’s structure.
• Centrally manage and attach policies to the entire organization, OUs, or individual AWS accounts.

Concepts

• An organization is a collection of AWS accounts you can organize into a hierarchy and manage centrally.

• Management Account: The AWS account used to create the organization. Cannot be changed. Responsible for paying all charges accrued by member accounts.

• From the management account, you can create, invite, or remove accounts, and attach policies to administrative roots, OUs, or accounts.

• Member Account: Any AWS account other than the management account. Can belong to only one organization.

• Administrative Root: Top-most container in the organization hierarchy; you can create OUs under it.

• Organizational Unit (OU): Groups AWS accounts; can contain nested OUs.

• Policy: Document with statements defining controls applied to accounts or OUs.

• Service Control Policy (SCP): Filters allowed services/actions; does not grant permissions.

AWS Organizations Feature Sets

• Consolidated Billing: All organizations support basic billing management.

• All Features Enabled: Includes consolidated billing plus advanced features like SCPs.

• Accounts can be removed and converted to standalone accounts.

Organization Hierarchy

• Hierarchy can be five levels deep including root and lowest OUs.

• Policies are inherited through hierarchical connections.

• Policies can be assigned at different points in the hierarchy.

• Tags or user-defined attributes can be attached to OUs, root, and policies for ABAC (Attribute-Based Access Control).

Security

A. Service Control Policies (SCPs)

• Enforce organization-wide restrictions.
• Limit IAM permissions for all identities in an account.
• Prevent usage of disallowed services or operations.
• Guarantee global security requirements (e.g., MFA, encryption).

B. Permissions Boundary

• SCPs act as the outer boundary.
• IAM policies cannot exceed SCP restrictions.

C. Account Roles

• Management account:
  • Full administrative authority
  • Pays all bills
• Member accounts:
  • Controlled through SCPs
  • Belong to only one organization at a time

D. Tag-Based Authorization

• Apply ABAC to control access using tags on:
  • Accounts
  • OUs
  • Users
  • Policies

AWS Organizations Pricing

• AWS Organizations service is free. Only the usage of AWS resources in member accounts incurs costs.

Managing Multi-Account AWS Environments Using AWS Organizations:

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Validate Your Knowledge

Question 1

A company requires corporate IT governance and cost oversight of all of its AWS resources across its divisions around the world. Their corporate divisions want to maintain administrative control of the discrete AWS resources they consume and ensure that those resources are separate from other divisions.

Which of the following options will support the autonomy of each corporate division while enabling the corporate IT to maintain governance and cost oversight? (Select TWO.)

1. Use AWS Trusted Advisor and AWS Resource Groups Tag Editor
2. Enable IAM cross-account access for all corporate IT administrators in each child account.
3. Create separate VPCs for each division within the corporate IT AWS account. Launch an AWS Transit Gateway with equal-cost multipath routing  (ECMP) and VPN tunnels for intra-VPC communication.
4. Use AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account.

5. Create separate Availability Zones for each division within the corporate IT AWS account. Improve communication between the two AZs using the AWS Global Accelerator.

Question 2

A multinational manufacturing company has multiple AWS accounts in multiple AWS regions across North America, Europe, and Asia. The solutions architect has been tasked to set up AWS Organizations to centrally manage policies and have full administrative control across the multiple AWS accounts owned by the company.

Which of the following options is the recommended implementation to achieve this requirement with the LEAST effort?

1. Set up AWS Organizations by establishing cross-account access from the master account to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts.
2. Set up AWS Organizations by sending an invitation to the master account of your organization from each of the member accounts of the company. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.
3. Use AWS Control Tower from the master account and enroll all the member AWS accounts of the company. AWS Control Tower will automatically provision the needed IAM permissions to have full administrative control across all member accounts.
4. Set up AWS Organizations by sending an invitation to all member accounts of the company from the master account of your organization. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

AWS Organizations Cheat Sheet References:

https://docs.aws.amazon.com/organizations/latest/userguide/
https://aws.amazon.com/organizations/features/
https://aws.amazon.com/organizations/faqs/