AWS Security, Identity & Compliance: AWS Organizations
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. For the SAA-C03 exam, understanding how to govern multiple accounts, apply security guardrails, and optimize billing is critical.
The Real-World Analogy
Imagine a global franchise like McDonald’s. Each individual restaurant (AWS Account) has its own staff and local inventory. However, the Corporate Headquarters (Management Account) sets the safety standards (SCPs), provides shared supply chain resources (Resource Access Manager), and pays one giant electricity bill for all locations (Consolidated Billing).
Core Concepts
- Management Account: The hub of the organization. It handles billing and can create/invite member accounts.
- Member Account: Any account in the organization that isn’t the management account.
- Organizational Unit (OU): A container for accounts. You can nest OUs to create a hierarchy that matches your company structure.
- Service Control Policy (SCP): JSON policies that specify the maximum available permissions for an OU or account.
Service Control Policies (SCPs) vs. IAM
One of the most common exam points is the interaction between SCPs and IAM policies. Remember: an action is allowed only if both the SCP chain (every level from the root down to the account) and the IAM policy allow it. An explicit Deny in either one wins, and SCPs apply to every principal in a member account, including its root user.
| Feature | IAM Policy | Service Control Policy (SCP) |
|---|---|---|
| Scope | Users, Groups, Roles within an account. | Accounts or Organizational Units (OUs). |
| Granting Power | Can grant permissions. | Cannot grant permissions; only filters/restricts. |
| Management Account | Applies to all users/roles. | Does NOT apply to the Management Account (nor to service-linked roles). |
| Default State | Implicit Deny. | FullAWSAccess (Allow All) is attached to the root, every OU and every account by default. |
Key Features for SAA-C03
1. Consolidated Billing
Combine usage across all accounts so the organization reaches volume pricing tiers faster (for example, S3 storage tiers). One bill is issued to the Management Account, which pays for all member accounts, and Reserved Instance and Savings Plans discounts are shared across the organization by default.
2. Multi-Account Security Strategy
Use Organizations to enable Security Hub, GuardDuty and CloudTrail across the entire organization from one place: designate a delegated administrator account and turn on auto-enable for new accounts, so an account created yesterday is already monitored today.
3. Tag Policies & Backup Policies
Ensure compliance by mandating specific tags on resources or enforcing automated backup schedules across all accounts via AWS Backup integration.
Decision Matrix: If-Then Guide
- If you need to prevent any principal in a member account, including its root user, from stopping or deleting a CloudTrail trail… Then attach an SCP with `"Effect": "Deny"` on `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail`. This does not restrict the Management Account, so keep the organization trail there or in a delegated administrator account.
- If you want to share a VPC Subnet or Transit Gateway… Then use Resource Access Manager (RAM) integrated with Organizations.
- If you need to aggregate AWS Config rules from 50 accounts… Then use an AWS Config Aggregator with Organizations support.
- If you want to pay for all accounts using one Credit Card… Then enable Consolidated Billing.
Exam Tips and Gotchas
- The Management Account is Exempt: SCPs do not restrict the Management Account. This is a common distractor in “how to restrict the admin” questions.
- Explicit Deny Overrides: If an SCP denies `s3:*`, no principal in that member account (including its root user) can access S3, even if they have the `AdministratorAccess` IAM policy.
- Invitation vs. Creation: You can invite existing accounts to your Org; they must accept the invitation. Accounts created inside the Org are members immediately and do not need to accept anything.
- Feature Sets: Organizations has two modes: Consolidated Billing Only and All Features. SCPs require All Features to be enabled.
Topics covered in this guide:
- Management vs. Member Accounts
- Organizational Units (OU) Hierarchy
- Service Control Policies (SCP) Logic
- Consolidated Billing Benefits
- Integration with RAM and AWS Config
- Security Guardrails and Centralized Logging
AWS Organizations Architecture
Visualizing the hierarchy: Root → OUs → Accounts with SCP Guardrails.
Centralized Security
Integrate GuardDuty and Security Hub to monitor all accounts from a single “Delegated Administrator” account. Enable CloudTrail Org Trails to log every API call across the entire landscape.
Volume Discounts
Consolidated billing aggregates usage before pricing tiers are applied. Example: if Account A and Account B each store 50 TB in S3 Standard, the organization is billed for 100 TB, with the first 50 TB at the first-tier rate and the next 50 TB at the cheaper second-tier rate, whereas two separate accounts would each pay the first-tier rate on all of their 50 TB.
Multi-Account Isolation
Use a Landing Zone pattern. Separate accounts for Logging, Security, Shared Services, and Workloads. This limits the blast radius of a security breach or a runaway bill.
Pro-Tip: When moving an account between OUs, the SCPs inherited from the old OU (and its parents) stop applying and those of the new OU (and its parents) apply immediately. Any SCP attached directly to the account stays with it, so check both before you move.
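To make the SCP-versus-IAM logic above concrete (the "both must allow" rule, the CloudTrail guardrail from the decision matrix, the `s3:*` explicit-deny gotcha, the Management Account exemption, and the OU-move behaviour in the Pro-Tip), here is a small evaluator written for this guide. It is an added example, not AWS code or the exam material itself: it only matches on `Action` (no `Resource`, `Condition` or `NotAction` handling), only considers identity-based IAM policies, and the OU names, account ID and policies are constructed for illustration.

```python
"""
Simplified model of how AWS Organizations evaluates SCPs together with IAM.
Added example for this guide, not AWS code. It models only Action matching
(no Resource, Condition or NotAction handling) and only identity-based IAM
policies. The policies, OU names and account ID are constructed.
"""
import copy
import fnmatch
import json

# FullAWSAccess is the SCP AWS attaches by default; written in real SCP syntax.
FULL_AWS_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Guardrail from the decision matrix: nobody in the OU, root user included,
# can stop or delete a trail. No IAM policy can override an SCP Deny.
PROTECT_CLOUDTRAIL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyTrailTampering",
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*"
  }]
}""")

# The "s3:*" gotcha from the exam tips.
DENY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]
}""")

# Identity-based policy equivalent to the AWS managed AdministratorAccess.
ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS

# Constructed hierarchy: Root -> OUs -> one member account (ID is made up).
ORG_TREE = {
    "Root":         {"parent": None,        "scps": [FULL_AWS_ACCESS]},
    "Workloads":    {"parent": "Root",      "scps": [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL]},
    "Sandbox":      {"parent": "Root",      "scps": [FULL_AWS_ACCESS, DENY_S3]},
    "111111111111": {"parent": "Workloads", "scps": [FULL_AWS_ACCESS]},
}

def _actions(statement):
    action = statement["Action"]
    return [action] if isinstance(action, str) else action

def policy_decision(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for statement in policy["Statement"]:
        patterns = [p.lower() for p in _actions(statement)]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins regardless of statement order
            decision = "Allow"
    return decision

def inherited_scps(tree, node):
    """SCP sets at every level from the account up to Root."""
    levels = []
    while node is not None:
        levels.append(tree[node]["scps"])
        node = tree[node]["parent"]
    return levels

def scp_allows(action, levels, is_management_account=False):
    """An Allow is required at every level of the path and a Deny at any level wins.
    The management account is exempt from SCPs entirely."""
    if is_management_account:
        return True
    for scps in levels:
        decisions = [policy_decision(p, action) for p in scps]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True

def is_allowed(action, levels, iam_policies, is_management_account=False):
    """Final decision: both the SCP chain and the principal's IAM policies must allow."""
    if not scp_allows(action, levels, is_management_account):
        return False
    decisions = [policy_decision(p, action) for p in iam_policies]
    return "Deny" not in decisions and "Allow" in decisions

def move_account(tree, account, new_parent):
    """Re-parent an account: the old OU's inherited SCPs stop applying and the new
    OU's chain applies at once; SCPs attached directly to the account stay."""
    moved = copy.deepcopy(tree)
    moved[account]["parent"] = new_parent
    return moved

if __name__ == "__main__":
    levels = inherited_scps(ORG_TREE, "111111111111")
    for action in ("cloudtrail:StopLogging", "s3:GetObject"):
        print(action, is_allowed(action, levels, [ADMINISTRATOR_ACCESS]))
```

Running it shows the account in the Workloads OU cannot call `cloudtrail:StopLogging` even with `AdministratorAccess`, while `s3:GetObject` is allowed; passing `is_management_account=True` lifts the SCP restriction, and moving the account into the Sandbox OU with `move_account` swaps the guardrails (CloudTrail becomes callable, S3 is blocked), which is exactly the Pro-Tip above.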