Organizations & SCP
Organizations
Global service
Manage multiple AWS accounts under an organization
One main account, known as the management account; all others are member accounts
A member account can only belong to one organization at a time
Consolidated Billing across all accounts - single payment method
Pricing benefits from aggregated usage of AWS resources (volume discount for EC2, S3…)
Shared reserved instances and Savings Plans discounts across accounts
An API is available to automate AWS account creation (on-demand account creation)
- The API can only create member accounts; it cannot configure anything inside those accounts (use CloudFormation for that)
Organizational Units (OU)
Folders for grouping the AWS accounts of an organization
OUs can be nested
Advantages
Multi Account vs One Account Multi VPC
Use tagging standards for billing purposes
Enable CloudTrail in all accounts and send the logs to an S3 bucket in a central logging account
Send CloudWatch Logs to a central logging account
Establish cross-account roles for admin purposes
Service Control Policies (SCP)
IAM-style policies attached to OUs or accounts to restrict what users and roles in those accounts can do
Does not apply to the management account
Applies to all users and roles of the member accounts, including the root user. So if something is restricted for that account, even the root user of that account cannot do it.
Must have an explicit allow (nothing is allowed by default)
Does not apply to service-linked roles
An explicit Deny has the highest precedence
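The evaluation rules above can be hard to reason about, so here is a small simulator of how SCPs combine with an IAM identity policy. It is an added example, not AWS code, and it models the rules in these notes plus one assumption about the hierarchy: an action must be allowed by the SCPs at every level from the organization root down to the account.

```python
from fnmatch import fnmatchcase


def _verdict(statements, action):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows,
    None for an implicit deny. Action patterns use IAM-style wildcards."""
    verdict = None
    for st in statements:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase(action, a) for a in acts):
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny wins over any allow
            verdict = "Allow"
    return verdict


def _level_verdict(policies, action):
    """Combine all SCPs attached at one level (root, OU or account)."""
    verdicts = [_verdict(p, action) for p in policies]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if "Allow" in verdicts else None


def is_allowed(action, iam_policy, scp_levels, management_account=False, service_linked_role=False):
    """scp_levels: SCPs along the path root -> OU -> ... -> account, outermost first.
    Each level is a list of policy documents (statement lists).
    Management account and service-linked roles are exempt from SCPs."""
    if not (management_account or service_linked_role):
        for level in scp_levels:
            if _level_verdict(level, action) != "Allow":
                return False  # implicit or explicit deny at any level blocks the action
    return _verdict(iam_policy, action) == "Allow"


# Constructed sample policies (hypothetical, for illustration only)
FULL_ACCESS = [{"Effect": "Allow", "Action": "*"}]           # like the default FullAWSAccess SCP
DENY_LEAVE_ORG = [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]
S3_ONLY = [{"Effect": "Allow", "Action": "s3:*"}]            # allow-list style SCP on an OU
ADMIN_IAM = [{"Effect": "Allow", "Action": "*"}]             # identity policy: full admin
ROOT_LEVEL = [FULL_ACCESS, DENY_LEAVE_ORG]
OU_LEVEL = [S3_ONLY]  # FullAWSAccess was replaced by an allow-list at this OU


def demo():
    return {
        "s3_in_ou": is_allowed("s3:GetObject", ADMIN_IAM, [ROOT_LEVEL, OU_LEVEL]),
        "ec2_in_ou": is_allowed("ec2:RunInstances", ADMIN_IAM, [ROOT_LEVEL, OU_LEVEL]),
        "leave_org": is_allowed("organizations:LeaveOrganization", ADMIN_IAM, [ROOT_LEVEL, [FULL_ACCESS]]),
        "mgmt_leave": is_allowed("organizations:LeaveOrganization", ADMIN_IAM, [ROOT_LEVEL], management_account=True),
        "slr_ec2": is_allowed("ec2:RunInstances", ADMIN_IAM, [ROOT_LEVEL, OU_LEVEL], service_linked_role=True),
    }
```

Even with full admin in IAM, the member account cannot run EC2 under the S3-only OU or leave the organization, while the management account and service-linked roles bypass the SCPs entirely.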
SCP Hierarchy
Migrating Accounts between Organizations
To migrate member accounts from one organization to another:
Remove the member account from the old organization
Send an invite to the member account from the new organization
Accept the invite from the member account
To migrate the master (management) account:
Remove the member accounts from the old organization using the procedure above
Delete the old organization
Repeat the process above to invite the old master account into the new organization