Multi-Account Management with AWS Organizations - OU Design and Governance with SCPs
Establish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.
Overview of Organizations
Organizations is a service for centrally managing up to thousands of AWS accounts. Running all environments in a single account blurs security boundaries and makes billing separation difficult. By separating accounts with Organizations and grouping them into OU hierarchies, you achieve security boundaries and billing separation for each environment. OUs (Organizational Units) are created under the organization root, and accounts are placed within OUs in a tree structure. The management account (formerly master account) governs the entire organization and is not subject to SCP restrictions. In on-premises environments, achieving similar isolation requires network segmentation or physical server separation at significant cost, whereas AWS account creation completes with a single API call at no additional infrastructure cost.
SCPs and Consolidated Billing
SCPs are access control policies applied to OUs or accounts that set upper limits on IAM policies. For example, applying an SCP that "prohibits use of regions other than specified ones" to a production OU means that accounts under it cannot create resources in restricted regions, even if IAM policies allow it. SCPs can be written in either allow-list or deny-list format, with deny-list being operationally simpler and recommended. SCPs inherit downward through the OU hierarchy, so a parent OU's SCP applies to all child OUs and their accounts. With consolidated billing, usage across all accounts in the organization is aggregated, and volume discounts for S3 and EC2 are applied. RIs and Savings Plans are also shared within the organization, with discounts applying to accounts other than the purchasing account. Combined with AWS Cost Explorer for OU-level and account-level cost analysis, and AWS Budgets for per-account budget alerts, you can proactively prevent cost overruns.
OU Design and Account Strategy
OU (Organizational Unit) design is the foundation for security boundaries and governance. The recommended OU structure includes a Security OU (log archive, security audit), Infrastructure OU (networking, shared services), Workloads OU (production, development, staging), and Sandbox OU (experimentation). SCPs are applied to OUs and inherited by all accounts underneath. The delegated administrator feature delegates management of security-related services (GuardDuty, Security Hub, Config) to a security account, keeping operations on the management account to a minimum. CloudTrail organization trails aggregate API operations from all accounts into a central log archive account, streamlining security audits and compliance. Tag policies standardize resource tags across all accounts, improving cost allocation accuracy. To learn Organizations from basics to advanced topics, books (Amazon) offer a systematic approach.
Cross-Account Resource Sharing with RAM
AWS RAM (Resource Access Manager) enables secure resource sharing across AWS accounts. It supports sharing of VPC subnets, Transit Gateways, Route 53 Resolver rules, Network Firewall policies, and many other resource types. When integrated with Organizations, resource sharing can be automated at the OU level - new accounts added to an OU automatically gain access to shared resources. By sharing VPC subnets managed by a central networking account to workload accounts, you achieve efficient IP address space management and centralized network policy control. Resource ownership remains with the sharing account, maintaining security and governance while enabling efficient resource utilization.
Choosing Between Organizations and Control Tower
Organizations is the foundational service for organizational structure, while Control Tower is a best-practice automation service built on top of Organizations. When using Organizations alone, you must manually configure OU design, SCP creation, and log aggregation. Enabling Control Tower provides a Landing Zone with recommended OU structure, over 400 predefined guardrails (SCPs plus Config rules supporting CIS Benchmark and NIST 800-53), and Account Factory for automated new account provisioning. For simple configurations with few accounts (around 5), Organizations alone is sufficient, but for environments expected to grow beyond 10 accounts, adopting Control Tower is recommended. Control Tower encompasses all Organizations features, so enabling it later preserves existing OU structures.
Design Pitfalls and Considerations
A common pitfall in Organizations operations is running workloads in the management account. Since the management account is exempt from SCP restrictions, security guardrails do not apply to it. Use the management account only for organization management and billing, and always place workloads in member accounts. For SCP design, using allow-lists creates operational burden as every new service release requires SCP updates, so deny-lists that explicitly state only prohibited actions are more practical. OU nesting depth is limited to 5 levels, but excessive depth makes SCP inheritance complex and difficult to track which policies apply to which accounts. Keeping it to 2-3 levels is an operational best practice. Each account maintains an independent IAM boundary, so a security incident in one account minimally impacts others - this isolation is the greatest advantage of a multi-account strategy.
Organizations Pricing
Organizations itself incurs no additional charges. Consolidated billing aggregates member account usage, providing volume discount benefits. Enabling RI and Savings Plans sharing applies discounts to accounts other than the purchasing account. As the number of accounts grows, costs accumulate for services enabled in each account (CloudTrail, Config, GuardDuty), so managing which services to enable at the OU level is important. Enforcing tag policies through Organizations maintains consistent tagging rules across all accounts, enabling accurate cost allocation.
Summary
Organizations is a service that centralizes governance and cost management for multi-account environments. OU hierarchies and SCPs establish security boundaries, and the delegated administrator feature delegates security service management to dedicated accounts. RAM simplifies network design through cross-account resource sharing, while consolidated billing leverages volume discounts and RI/Savings Plans sharing. Tag policies standardize resource tags across the organization, and CloudTrail organization trails provide unified API auditing across all accounts. For environments with 10 or more accounts, combining with Control Tower strengthens automation, and avoiding workload execution in the management account is key to maintaining security.