Operations Management

Multi-Account Management with AWS Organizations - OU Design and Governance with SCPs

Establish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.

約 3 分で読めます

Overview of Organizations

Organizations is a service for centrally managing up to thousands of AWS accounts. Running all environments in a single account blurs security boundaries and makes billing separation difficult. By separating accounts with Organizations and grouping them into OU hierarchies, you achieve security boundaries and billing separation for each environment.

SCPs and Consolidated Billing

SCPs are access control policies applied to OUs or accounts that set upper limits on IAM policies. For example, applying an SCP that "prohibits use of regions other than specified ones" to a production OU means that accounts under it cannot create resources in restricted regions, even if IAM policies allow it. With consolidated billing, usage across all accounts in the organization is aggregated, and volume discounts for S3 and EC2 are applied. RIs and Savings Plans are also shared within the organization, with discounts applying to accounts other than the purchasing account.

OU Design and Account Strategy

OU (Organizational Unit) design is the foundation for security boundaries and governance. The recommended OU structure includes a Security OU (log archive, security audit), Infrastructure OU (networking, shared services), Workloads OU (production, development, staging), and Sandbox OU (experimentation). SCPs are applied to OUs and inherited by all accounts underneath. The delegated administrator feature delegates management of security-related services (GuardDuty, Security Hub, Config) to a security account, keeping operations on the management account to a minimum. Tag policies standardize resource tags across all accounts, improving cost allocation accuracy. To learn Organizations from basics to advanced topics, books (Amazon) offer a systematic approach.

Organizations Pricing

Organizations itself incurs no additional charges. Consolidated billing aggregates member account usage, providing volume discount benefits. Enabling RI and Savings Plans sharing applies discounts to accounts other than the purchasing account. As the number of accounts grows, costs accumulate for services enabled in each account (CloudTrail, Config, GuardDuty), so managing which services to enable at the OU level is important.

Summary

Organizations is a service that centralizes governance and cost management for multi-account environments. OU hierarchies and SCPs establish security boundaries, and the delegated administrator feature delegates security service management to dedicated accounts. Consolidated billing leverages volume discounts and RI/Savings Plans sharing, while tag policies standardize resource tags across the organization.

Related Services

AWS OrganizationsA service for centrally managing multiple AWS accountsAWS Control TowerA service that automates multi-account environment setup and governanceAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors compliance

Related Articles

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsAutomatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.Building Managed Active Directory with AWS Directory Service - Identity Management for Hybrid EnvironmentsSet up AWS Managed Microsoft AD and design trust relationships with on-premises AD. This article covers hybrid identity management through integration with WorkSpaces, RDS, and FSx.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

AWS OrganizationsAn account management service that centrally manages multiple AWS accounts as an organization, with consolidated billing and service control policies for governanceMulti-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.Multi-Account Strategy and AWS Organizations - The Optimal Approach to Cloud GovernanceEstablish security boundaries and optimize cost allocation through OU hierarchy design and SCP governance controls in Organizations. This article covers the full picture of multi-account operations, including Control Tower guardrails and consolidated billing.AWS Multi-Account Governance - Organizational Control with Organizations, Control Tower, and SCPsThis article examines the multi-account governance mechanisms centered on AWS Organizations, Control Tower, and SCPs (Service Control Policies), comparing them with Azure Management Groups to explain the differences in enterprise governance design capabilities.