AWS - IAM
Configure AWS IAM at Scale
AWS Organizations
AWS Organizations is a service for centralized governance, billing, and access control across multiple AWS accounts. By structuring accounts into a hierarchy, you can enforce policies, streamline resource sharing, and maintain compliance at scale.
Management Account and Organizational Units
Creating Your Management Account
The management account (formerly the “master” account) acts as the root of your AWS Organization. It holds billing responsibility and delegates policy management to Organizational Units (OUs) or individual member accounts.
Organizing With OUs
- Create one or more Organizational Units (OUs) under the management (root) account.
- Move or add member accounts into these OUs.
- Apply Service Control Policies (SCPs) at the OU level for inherited governance.
Warning
Avoid using the root user for everyday tasks. Instead, assign permissions through IAM roles in member accounts to reduce security risk.
Any SCP attached to an OU automatically cascades to all nested OUs and member accounts. You can also target SCPs directly to individual accounts when a specialized policy is required.
Note
Service Control Policies (SCPs) define the maximum available permissions for IAM identities in accounts, but they don’t grant permissions by themselves.
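The two SCP rules above (inheritance down the OU tree, and "a boundary, not a grant") are easiest to see in a small simulation. The Python below is an added example, not code from the page or from AWS: it models a constructed organization (all account and OU ids are hypothetical), evaluates SCPs the way Organizations does (an action must be explicitly allowed by at least one SCP at every level from the root down to the account, and an explicit Deny at any level wins), and then combines that result with the identity's own IAM policy. It handles Action wildcards and explicit Deny only; Resource and Condition matching are out of scope, and the management account itself, which SCPs never restrict, is not modelled.

```python
from fnmatch import fnmatchcase

# Constructed organization tree (all ids hypothetical): child -> parent.
PARENT = {
    "ou-workloads": "r-root",
    "ou-sandbox": "r-root",
    "111111111111": "ou-workloads",   # production account inside the Workloads OU
    "222222222222": "ou-sandbox",     # sandbox account inside the Sandbox OU
}

# Constructed SCP documents. FullAWSAccess is the default SCP Organizations
# attaches to every root, OU and account; the other two are example guardrails.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ORG_LEAVE = {"Statement": [{"Effect": "Deny",
                                 "Action": "organizations:LeaveOrganization",
                                 "Resource": "*"}]}
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow",
                                    "Action": ["ec2:*", "s3:*"],
                                    "Resource": "*"}]}

# SCPs attached at each node of the tree.
SCPS = {
    "r-root": [FULL_AWS_ACCESS, DENY_ORG_LEAVE],   # deny cascades to everything
    "ou-workloads": [FULL_AWS_ACCESS],
    "ou-sandbox": [SANDBOX_ALLOWLIST],             # allow-list replaces FullAWSAccess here
    "111111111111": [FULL_AWS_ACCESS],
    "222222222222": [FULL_AWS_ACCESS],
}

# Constructed identity-based policies for the role doing the call.
ADMIN = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]
S3_READ = [{"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                           "Resource": "*"}]}]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards, str or list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _evaluate(policies, action):
    """'deny' if any statement explicitly denies, 'allow' if one allows, else 'implicit_deny'."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return "deny"          # explicit deny always wins
                allowed = True
    return "allow" if allowed else "implicit_deny"


def path_to_root(account_id):
    """The account, each enclosing OU, then the root: every level whose SCPs apply."""
    chain = [account_id]
    node = account_id
    while node in PARENT:
        node = PARENT[node]
        chain.append(node)
    return chain


def scp_allows(account_id, action):
    """SCP boundary: every level on the path must explicitly allow, none may deny."""
    return all(_evaluate(SCPS.get(node, []), action) == "allow"
               for node in path_to_root(account_id))


def is_permitted(account_id, action, identity_policies):
    """Effective decision: inside the SCP boundary AND granted by the identity policy."""
    return scp_allows(account_id, action) and _evaluate(identity_policies, action) == "allow"


if __name__ == "__main__":
    checks = [
        ("111111111111", "s3:GetObject", S3_READ),                   # inside boundary and granted
        ("111111111111", "iam:CreateUser", S3_READ),                 # SCPs permit it, nobody grants it
        ("222222222222", "iam:CreateUser", ADMIN),                   # sandbox allow-list excludes iam
        ("222222222222", "ec2:RunInstances", ADMIN),                 # allowed at every level
        ("111111111111", "organizations:LeaveOrganization", ADMIN),  # root-level deny cascades
    ]
    for acct, action, ident in checks:
        print(f"{acct} {action:38} scp={scp_allows(acct, action)!s:5} "
              f"effective={is_permitted(acct, action, ident)}")
```

The second check is the one the Note is about: the production account's SCPs place `iam:CreateUser` inside the boundary, yet the read-only role still cannot call it because nothing grants it. The third and fifth checks show the boundary working in the other direction: an OU-level allow-list and a root-level Deny both override a full-admin identity policy in the accounts beneath them.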
Key Benefits of AWS Organizations
AWS Organizations unlocks powerful features for enterprises:
| Benefit | Description |
|---|---|
| Centralized Billing | Aggregate charges from all member accounts into one monthly invoice. |
| Resource Sharing | Share VPCs, RDS, EC2, S3, and more across accounts with AWS Resource Access Manager. |
| Access Management | Enforce uniform IAM policies and manage credentials organization-wide. |
| Compliance | Apply security baselines and audit controls centrally to meet regulatory needs. |
| Simplified Account Management | Monitor and administer all accounts from a single, unified dashboard. |