Organizations

Introduction

  • Central governance (SCP / Consolidated billing) across AWS accounts

  • Perform tasks in your organization and its accounts on your behalf

    • Use trusted access to let an AWS service act on the organization's behalf (a trusted service, e.g. RAM)

Usage

  • Master accounts must invite child accounts.

  • Master accounts can create child accounts.

  • Master can access child accounts by:

    • Using CloudFormation StackSets to create IAM roles in the target accounts.

    • Assuming those roles through the STS cross-account capability (sts:AssumeRole).

  • Can create a dedicated account for logging or security.

  • For a member to leave an organization, check:

    • The member must enable IAM user access to billing.

    • The member must have the information required for it to operate as a standalone account (e.g. the "organizations:DescribeOrganization" and "organizations:LeaveOrganization" permissions).

  • API is available to automate AWS account creation.

  • Integration with AWS SSO

  • Consolidated Billing

    • Only the master account can view / download the report (CSV), but the report can be drilled down by member account.

AWS Organization Options:

  • Consolidated billing features:

    • Consolidated billing across all accounts - single payment method.

    • Pricing benefits from aggregated usage.

  • All Features (by default)

    • Includes consolidated billing features

    • Supports SCP

    • Child accounts must approve enabling all features.

    • Ability to apply an SCP to prevent member accounts from leaving the org.

    • Can't switch back to consolidated billing features only.

Multi Account Strategies

  • Create an account per department, per cost center, per dev / test / prod, based on regulatory restrictions (enforced with SCPs), for higher service limits, or as an isolated account for logging.

  • Multi Account vs One Account Multi VPC

  • Use tagging standards for billing purposes

  • Enable CloudTrail on all accounts, send logs to central S3 bucket

  • Send CloudWatch Logs to central logging account

  • Establish Cross account roles for admin purposes

Service Control Policy (SCP)

  • Organization-level policy that allow-lists (whitelist) or deny-lists (blacklist) IAM actions (e.g. allow all at the top, then deny specific items).

  • Applied at the Root, OU or Account level.

  • An SCP is applied to all the users and roles of the account, including the root user.

  • The SCP doesn't affect service-linked roles.

  • An SCP must contain an explicit Allow (nothing is allowed by default).

  • SCPs aren't related to resources.

  • An SCP doesn't grant any permissions (it just specifies the maximum permissions).

    • Permissions are granted with IAM

  • Use cases:

    • Restrict access to certain services (for example: can't use EMR)

    • Enforce PCI compliance by explicitly disabling services.
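Added example (not from the page or from AWS): a small Python model of the SCP-as-ceiling rule described above. It uses a constructed SCP that keeps the usual FullAWSAccess allow and adds explicit denies for EMR (the use case above) and for organizations:LeaveOrganization (the "prevent leaving the org" SCP mentioned under All Features), then checks actions against both the SCP and a constructed IAM policy. It evaluates action names only; Resource and Condition elements and OU inheritance are out of scope.

```python
import fnmatch

# Constructed SCP (not from the page or any real account): the usual
# FullAWSAccess ceiling, then explicit denies for EMR and for leaving the org.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyEMR", "Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"},
        {"Sid": "DenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}

# Constructed IAM identity policies attached to principals in a member account.
IAM_ADMIN = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_S3_READ = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                              "Resource": "*"}]}


def _matches(patterns, action):
    """Case-insensitive wildcard match of an action against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(policy, action):
    """Return 'Allow', 'Deny' or None (implicit deny) for one policy document.

    An explicit Deny wins over any Allow; no matching statement is an implicit deny.
    """
    verdict = None
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_permitted(action, scp, iam_policy):
    """Action-level check only (Resource/Condition ignored, single SCP layer).

    The SCP is a ceiling: it must allow the action, but it grants nothing by
    itself; the IAM policy must also allow the action for it to be permitted.
    """
    return evaluate(scp, action) == "Allow" and evaluate(iam_policy, action) == "Allow"
```

Note that an admin IAM policy cannot get past the SCP denies, while the read-only policy cannot use the s3:PutObject headroom the SCP leaves open.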

Reserved Instances / Savings Plans

  • The consolidated billing feature treats all the accounts in the organization as one account.

  • Accounts in the organization can share benefits of RIs with any other account.

  • The payer account (master account) can turn off RI discount / Savings Plans discount sharing for any accounts in that organization, including the payer account.

  • RIs and Savings Plans discounts aren't shared between any accounts that have sharing turned off.

  • To share an RI / Savings Plans discount with an account, both accounts must have sharing turned on. The master account can turn off sharing for any member account.

RI Consolidated Billing examples

  • For zonal RIs, the instances must have the same:

    • AZ (matched by AZ ID, not AZ name).

  • For zonal DB instances, the instances must have the same:

    • Engine, AZ, instance type, deployment type (e.g. Multi-AZ).
