AWS - IAM

Configure AWS IAM at Scale

AWS Organizations

AWS Organizations is a service for centralized governance, billing, and access control across multiple AWS accounts. By structuring accounts into a hierarchy, you can enforce policies, streamline resource sharing, and maintain compliance at scale.

Management Account and Organizational Units

Creating Your Management Account

The management account (formerly the “master” account) acts as the root of your AWS Organization. It holds billing responsibility and delegates policy management to Organizational Units (OUs) or individual member accounts.

Organizing With OUs

  1. Create one or more Organizational Units (OUs) under the management (root) account.
  2. Move or add member accounts into these OUs.
  3. Apply Service Control Policies (SCPs) at the OU level for inherited governance.

Warning

Avoid using the root user for everyday tasks. Instead, assign permissions through IAM roles in member accounts to reduce security risk.

[Diagram: AWS Organizations hierarchy with a root management account, organizational units, and member accounts.]

Any SCP attached to an OU automatically cascades to all nested OUs and member accounts. You can also target SCPs directly to individual accounts when a specialized policy is required.

Note

Service Control Policies (SCPs) define the maximum available permissions for IAM identities in accounts, but they don’t grant permissions by themselves.
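The inheritance and "maximum permissions" behavior described above can be modeled in a few lines. The following is an added example, not code from the original page or from AWS. It goes slightly beyond the text by showing that an action must be allowed at every level of the hierarchy and denied at none. The OU names, account names, and policies are constructed, and statements are reduced to an effect and an action pattern (resources and conditions are ignored).

```python
from fnmatch import fnmatchcase

# Constructed hierarchy: each node names its parent and the SCP statements attached to it.
# Simplifying assumption: a statement is (effect, action pattern); no resources or conditions.
FULL_ACCESS = [("Allow", "*")]  # stands in for the AWS-managed FullAWSAccess SCP
ORG = {
    "Root":         {"parent": None, "scps": FULL_ACCESS},
    "OU-Workloads": {"parent": "Root",
                     "scps": FULL_ACCESS + [("Deny", "cloudtrail:StopLogging")]},
    "OU-Sandbox":   {"parent": "OU-Workloads",
                     "scps": [("Allow", "s3:*"), ("Allow", "ec2:*")]},
    "acct-prod":    {"parent": "OU-Workloads", "scps": FULL_ACCESS},
    "acct-sandbox": {"parent": "OU-Sandbox", "scps": FULL_ACCESS},
}

def matches(statements, effect, action):
    """True if any statement with this effect covers the action (case-insensitive, * and ?)."""
    return any(e == effect and fnmatchcase(action.lower(), p.lower())
               for e, p in statements)

def path_to_root(node):
    """Yield the account, then each parent OU, then the root."""
    while node is not None:
        yield node
        node = ORG[node]["parent"]

def scp_permits(account, action):
    """An action passes only if every level allows it and no level denies it."""
    levels = [ORG[n]["scps"] for n in path_to_root(account)]
    if any(matches(s, "Deny", action) for s in levels):
        return False  # a Deny at any ancestor is inherited by everything below it
    return all(matches(s, "Allow", action) for s in levels)

def effective(account, identity_policy, action):
    """SCPs only cap permissions; the IAM identity policy must still grant the action."""
    return scp_permits(account, action) and matches(identity_policy, "Allow", action)

if __name__ == "__main__":
    admin = [("Allow", "*")]  # constructed identity policy: full administrator
    for acct, act in [("acct-prod", "cloudtrail:StopLogging"),
                      ("acct-sandbox", "iam:CreateUser"),
                      ("acct-sandbox", "ec2:RunInstances")]:
        print(acct, act, effective(acct, admin, act))
```

Even an administrator in `acct-prod` cannot stop CloudTrail logging, and an empty identity policy yields no access no matter what the SCPs allow. SCPs do not restrict the management account itself, which the model does not cover.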

Key Benefits of AWS Organizations

AWS Organizations unlocks powerful features for enterprises:

| Benefit | Description |
| --- | --- |
| Centralized Billing | Aggregate charges from all member accounts into one monthly invoice. |
| Resource Sharing | Share VPCs, RDS, EC2, S3, and more across accounts with AWS Resource Access Manager. |
| Access Management | Enforce uniform IAM policies and manage credentials organization-wide. |
| Compliance | Apply security baselines and audit controls centrally to meet regulatory needs. |
| Simplified Account Management | Monitor and administer all accounts from a single, unified dashboard. |
