AWS Organizations

An account management service that centrally manages multiple AWS accounts as an organization, with consolidated billing and service control policies for governance

Overview

AWS Organizations groups multiple AWS accounts into a single organization for centralized management. Accounts are arranged hierarchically in OUs (Organizational Units), and SCPs (Service Control Policies) set the maximum permissions available to each account; what an account can actually do is the intersection of its SCPs and its own IAM policies. Consolidated Billing aggregates the usage charges of every account into the management account so that volume discounts apply to the organization as a whole. Many AWS services, including Control Tower, Config, GuardDuty and Security Hub, integrate with Organizations, which makes it the foundation of any multi-account strategy.

Guardrail Design with SCPs and Their Relationship to IAM

SCPs (Service Control Policies) are the most powerful governance feature of Organizations: they define the maximum set of API actions that principals in an account can ever use. An SCP is written in the same JSON grammar as an IAM policy, but it grants nothing by itself. It only caps what the account's IAM policies can grant, so an action that no SCP allows, or that an SCP explicitly denies, is refused even if an IAM policy inside the account permits it. Three properties matter for security design: SCPs apply to every IAM user and role in a member account, including the account's root user; they do not apply to the management account, which is one reason to keep that account free of workloads; and they do not restrict service-linked roles. Where Azure Policy under Azure Management Groups centers on compliance evaluation and auto-remediation (enforcing that a setting must have a certain value), SCPs are a simpler model: a guardrail that makes a specific operation impossible. In practice the deny-list approach is recommended for manageability: leave the default FullAWSAccess SCP (Allow on every action) attached and add explicit Deny statements. Typical guardrails deny stopping or deleting CloudTrail trails, deny resource operations outside approved regions via the aws:RequestedRegion condition key (with global services such as IAM and STS exempted using NotAction), and deny all actions to the root user via aws:PrincipalArn. SCPs attach to the organization root, an OU, or an individual account, and an account inherits every SCP on the path from the root down to it. The effective permission is the intersection: an action must be allowed at every level and denied at none. This is why OU structure design directly determines how SCPs take effect, and why removing FullAWSAccess from an OU without attaching another Allow blocks every action for all accounts beneath it.

OU Structure Design and Delegated Administrator

The first design decision when deploying Organizations is the OU structure. AWS's recommended layout places a Security OU (log archive and security tooling accounts), an Infrastructure OU (shared networking, DNS), a Sandbox OU (experimentation) and a Workloads OU (production, staging and development environments, typically as child OUs) directly under the root. Because OUs are the unit to which SCPs attach, account groups with different security requirements must be separated into distinct OUs; an account can belong to only one OU, so the hierarchy should follow security and operational boundaries rather than the org chart. The Delegated Administrator feature lets a security account act as the organization-wide administrator for services such as GuardDuty, Security Hub, Config and IAM Access Analyzer, so that day-to-day security operations never require credentials in the management account. Delegation is per service: registering an account as the delegated administrator for Security Hub does not make it the administrator for GuardDuty, so each service has to be delegated explicitly. The best practice is to keep the management account limited to billing and organization structure, run no workloads in it, and hand day-to-day security operations to the delegated administrator account.
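To make the SCP inheritance rules and the OU layout concrete, the following is an added example (not code from AWS or from this article) that models the recommended Security / Workloads / Sandbox OUs above, attaches the three typical deny-list guardrails, and computes whether a request survives the SCP intersection from the root down to the account. The account IDs, OU tree, policy contents and the role ARN are constructed assumptions. It goes slightly beyond the text by also showing the allow-list alternative for a Sandbox OU and the management-account exemption.

```python
# Added example (not AWS's or the article's code): simulate how SCPs attached
# at the root, OUs and accounts combine into an account's effective ceiling.
# OU tree, account IDs and policies are constructed for illustration.
from fnmatch import fnmatchcase

# AWS attaches this SCP by default; the deny-list pattern leaves it in place.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list guardrails: CloudTrail protection, region restriction, root user.
GUARDRAILS = {"Statement": [
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
    # NotAction exempts global services; without it IAM/STS calls would break.
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-1", "us-east-1"]}}},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
]}

# Allow-list SCP for the Sandbox OU: only these services are usable there.
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:*", "s3:*", "lambda:*", "cloudwatch:*", "logs:*"]}]}

# Hypothetical hierarchy: node -> (parent, SCPs attached directly to the node).
TREE = {
    "Root":         (None,        [FULL_AWS_ACCESS]),
    "Security":     ("Root",      [FULL_AWS_ACCESS, GUARDRAILS]),
    "Workloads":    ("Root",      [FULL_AWS_ACCESS, GUARDRAILS]),
    "Sandbox":      ("Root",      [SANDBOX_ALLOWLIST, GUARDRAILS]),
    "111111111111": ("Security",  [FULL_AWS_ACCESS]),   # log archive account
    "222222222222": ("Workloads", [FULL_AWS_ACCESS]),   # production account
    "333333333333": ("Sandbox",   [FULL_AWS_ACCESS]),   # sandbox account
}
MANAGEMENT_ACCOUNT = "999999999999"  # SCPs never apply to the management account


def _match_any(patterns, value):
    """IAM-style wildcard match ('*', '?') of value against one or more patterns."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, ctx):
    """Subset of IAM condition operators that typical guardrails use. Simplified:
    a key absent from the request context makes the statement not apply, and
    patterns without wildcards behave as exact matches (StringEquals/StringLike)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            matched = _match_any(expected, ctx[key])
            if "Not" in operator:                      # StringNotEquals, ArnNotLike ...
                matched = not matched
            if not matched:
                return False
    return True


def _level_permits(policies, action, resource, ctx):
    """One root/OU/account level: at least one Allow must match and no Deny may."""
    allowed = denied = False
    for policy in policies:
        for st in policy["Statement"]:
            if "Action" in st:
                hit = _match_any(st["Action"], action)
            else:
                hit = not _match_any(st["NotAction"], action)
            hit = hit and _match_any(st.get("Resource", "*"), resource)
            if not hit or not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


def scp_permits(account, action, ctx, resource="*"):
    """True if the SCP intersection along Root -> OU -> account leaves the action
    available. IAM policies are evaluated separately; True only means no SCP blocks it."""
    if account == MANAGEMENT_ACCOUNT:
        return True
    node = account
    while node is not None:
        parent, policies = TREE[node]
        if not _level_permits(policies, action, resource, ctx):
            return False
        node = parent
    return True


if __name__ == "__main__":
    role = "arn:aws:iam::222222222222:role/Deploy"
    for acct, action, region, who in [
        ("222222222222", "ec2:RunInstances", "ap-northeast-1", role),
        ("222222222222", "ec2:RunInstances", "us-west-2", role),
        ("222222222222", "cloudtrail:StopLogging", "ap-northeast-1", role),
        ("222222222222", "s3:ListAllMyBuckets", "ap-northeast-1", "arn:aws:iam::222222222222:root"),
        ("333333333333", "rds:CreateDBInstance", "ap-northeast-1", role),
        (MANAGEMENT_ACCOUNT, "cloudtrail:StopLogging", "ap-northeast-1", role),
    ]:
        ok = scp_permits(acct, action, {"aws:RequestedRegion": region, "aws:PrincipalArn": who})
        print(f"{acct} {action:24} {region:15} {'allowed' if ok else 'DENIED by SCP'}")
```

Run it directly to print one verdict per request. The two rows that fail without any explicit Deny are the instructive ones: rds:CreateDBInstance in the sandbox account is blocked because nothing at the Sandbox OU level allows it (the allow-list style), and nothing the management account does is ever blocked, which is the strongest argument for keeping that account free of workloads and people. Against a live organization, confirm expectations with the IAM policy simulator or a test call from the target account, since this script knows nothing about the account's IAM policies or service-linked roles.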

Consolidated Billing and RI/Savings Plans Sharing Design

Consolidated Billing aggregates the usage charges of every account into the management account, which pays the whole bill and benefits from volume discounts computed on the organization's combined usage. Tiered prices such as S3 storage and EC2 data transfer are applied to the aggregate, giving a lower per-unit price than each account would obtain on its own. Reserved Instance and Savings Plans sharing is equally powerful: a discount purchased in one account is applied automatically to matching usage in any account of the organization. Sharing can be turned off per account from the management account when a discount must stay with the account that bought it. Standardizing cost allocation tags across the organization and analyzing spend by OU or account in Cost Explorer shows which departments are consuming what. For billing alerts, a two-tier structure works well: organization-wide thresholds configured in the management account, and per-account budgets managed with AWS Budgets. Because the management account holds the payment relationship for every member, access to it should be controlled as tightly as the billing data itself.
