AWS Organisations

Natasha Ong
This is some text inside of a div block.
4 min read

In a nutshell:

Use AWS Organisations to consolidate and manage multiple AWS accounts from a central location.
You can centrally control permissions for the accounts in your organisation by using service control policies (SCPs).
You can implement groupings using organisational units (OUs) to meet security, compliance, or budgetary needs.

In your journey with AWS, you probably start with a single AWS account where everything was kept. It's a common way to begin, but as a company grows or ventures further into the cloud, you might need a better way to organise things.

For example, you might want your developers to access certain tools, your accounting team to handle billing, or different parts of your business to use AWS services without affecting each other.

As you add more people and their needs, it can get quite complicated! For example, let's say you have four separate accounts.

  • You pay bills for Accounts A, B, C and D separately.
  • Sometimes Account B has permissions to the wrong services.
  • Account C needs access to billing and compliance info.
  • Oh no! Turns out Account D doesn't have the right security settings.

To make sense of it all and control who can do what in each account, AWS has a useful service called AWS Organisations.

AWS Organisations

Think of AWS Organisations as the one stop shop where you can manage all your AWS accounts. It's like a control centre that makes it easier to:

  • Handle billing
  • Control who gets access to what
  • Keep things compliant
  • Make everything secure
  • Share resources.

Note that when you create an organisation, AWS Organisations automatically creates a root, which is the parent account for all the accounts in your organisation.

Why we love AWS Organisations

  1. Combined billing: With this feature, you can put all the bills from different accounts into one payment. This makes it less confusing and easier to see how much everything costs. More on this in the next topic!
  2. Organisational units: AWS Organisations lets you group your accounts in a structured way. Think of these like folders of accounts to keep things organised and separate. We'll dive into this in a second.
  3. Access control: You get to manage account permissions using a feature called Service Control Policies (SCPs). With SCPs you can restrict the AWS services, resources, and even individual API actions that users/roles in each account can access.

Organisational units

In AWS Organisations, you can group accounts into organisational units (OUs).  

Companies can use OUs in all kinds of ways:

  • Group accounts based on the AWS services they can access. This helps meet security or compliance regulations in their industry.
  • Group accounts based on the department e.g. developer OU, accounting OU.
  • Group accounts based on their budget e.g. a group for accounts that are just testing products, so they can spend a maximum of $500 each.

When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy. For example, let's say your company has a few products that have to meet strict laws.

  • To meet these laws, there are only a handful of AWS services you can use.
  • You have multiple accounts all with restricted access - they can only use the allowed list of AWS services.
  • To save time, you can put all these accounts into one OU. Then, you can attach a policy to the OU (instead of doing this one by one for each account).

Here is an example of what OUs could look like in a company.

Diagram showing an OU being placed under the root. The OU contains the HR and Legal accounts.
  • If your company instead wanted to use separate accounts for different departments (finance, IT, HR and legal), you can put them all under one organisation (this is the root).
  • The HR and legal departments always need access to the same AWS services and resources, so you place them into an OU together.
  • Now, if there's a change in the services that your HR and legal departments need access to, you can attach those changes to the OU. This saves you time (and any potential errors) if you had to apply it to the HR and legal accounts separately..