What is AWS Organizations and why it is important?

What is AWS Organizations and why it is important?

Aws Organization is an account management service that allows you to consolidate multiple AWS accounts into an organization, enabling you to create a hierarchical structure that can be managed centrally. It is a policy based management for multiple AWS accounts. These multiple AWS accounts can split in different ways like environments (prod, dev and test), projects (project 1, project 2 and project 3) and business units (sales, support and developer).

If a company uses multiple accounts outside of AWS organizations, the Service Control Policies must be enforced independently for all accounts, which may contribute to creating misconfigurations across these accounts and to accessing resources or data that would otherwise be limited. This control is streamlined by AWS Organizations so that all accounts can be handled centrally, thus it restricts access to specific AWS resources and ensures compliance with the policies of your company.

The creation of multiple groups of AWS accounts is known as the Organizational Units and then policies are applied to those Organizational Units, commonly referred to as Service Control Policies (SCPs). These policies centrally control the use of AWS services across multiple AWS accounts, without the need for custom scripts and manual processes. Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account. The SCP overwrites the policy of IAM. SCP is never applied to the master account.

The policies in AWS Organizations are applied to the following entity:
  • Root- if policy is applied to the root, it will apply to all accounts in the organization
  • OU- if policy is applied to OU, it will be applied to the accounts within that OU and even to the child OUs as well
  • Account- if policy is applied to an account, it is for that particular account only

    Features of AWS Organizations

    AWS Organizations are available to all AWS customers at no additional charge in two feature sets:

    • Only Consolidated Billing Features: This mode only provides the consolidated billing features and does not include the other advanced features of AWS Organizations, such as the use of policies to restrict what users and roles in different accounts can access. SCPs aren’t available if your organization has enabled only the consolidated billing features

    • All features: This mode is the complete feature set that includes all the functionality of consolidated billing in addition to the advanced features that provide more control over the accounts in your organization

    Consolidated Billing

    One of the key features of an AWS Organization is the consolidation of billing of all the AWS accounts in your organization, where you have a single AWS account as the paying master account linked with a set of all other AWS accounts to form a simple one-level hierarchy. At the end of the month, you obtain a combined view of charges incurred by all of your AWS accounts. It also provides a cost report for each member account that is associated with the master paying account. Consolidated billing is available at no additional cost.

    In the Consolidated billing feature, you can manage and track billing of multiple AWS accounts in a master account. Through this, you can make accounting easy and use services at a low price. In Consolidated billing, max 20 accounts are allowed to link to the master account, and in the same organization, two masters (paying) account are not allowed. As we know that the master account is the main account, we need to secure that account for which you will need to use MFA and a strong, complex password. Always try to use the master account for paying purposes not for using resources, which is the best practice. In consolidated billing, you can also enable monitoring of root account, via this you can monitor billing data of all accounts as well, or you can create billing alerts to an individual account for monitoring. With the help of ‘Consolidated billing’, you can perform auditing by the use of CloudTrail that is per AWS account and enabling per region by pushing combined logs to the centralized S3 bucket, but for that, you need to enable CloudTrail in master account, define a policy for cross-account access, and enable CloudTrail in all other accounts.

    With only the consolidated billing feature enabled, each member account is independent of other member accounts. Unless the master account explicitly restricts linked accounts by using policies, the owner of each member account can independently access resources, sign up for AWS services and use AWS Premium Support. Account owners use their own IAM username and password with independently assigned account permissions in the organization.

    Situation

    A company has a huge number of employees, and they all are using cloud services. Now, the company needs to keep track of usage by individual employees and also wants to restrict the usage. If a new employee is hired for a particular department, how will he be added to a specific department?

    Solution

    With the help of AWS Organizations service, they can keep track of each individual employee and also attach a policy to a specific organization unit that is its department. They can also add new accounts on specific organization units with the help of this service.

    Step-by-Step Guide

     

    1. Go to AWS console and click on “Create an Organization”.

     

    2. If you want to work on an existing account, select it from the list of existing accounts. If you are a new member, then add an account by clicking on “Add account”. 3. Click on “Create account”. You can also select “Invite account” to invite the created account.4. Now enter details and click on “Create”.5. The new account is added. Now, go to “Organize accounts”.6. Here, you can see the organizational units are created. You can also create new OU to manage the new account. Click on “New Organizational Unit”.7. Now, enter the name of the OU that you want to create. Click “Create Organization unit”.8. Go to “Accounts” in the root account. Select the account and click “Move” to move the account to the OU.9. Now, choose “OU” from root to move the account. Click on “Move”.10. To add policies to the account, go to “Policies”. Click “Create policy”.11. Enter the policy name and effects that you want to allow or deny.12. Click on “Statement Builder” and select the option of your choice.13. Click on “Create Policy”.
    14. The policy has been created.
    15. Select the policy you want to add on the account and go to “Accounts” from the right side of the screen.
    16. Now attach the required account to the policy.

    Conclusion

    AWS Organizations helps you manage the system centrally; you can either grow or scale AWS workloads. Whether you are an emerging business or a big company, AWS Organizations helps you manage billing centrally, control access, use compliance and security, and share resources through your AWS accounts. With the Consolidated billing feature, you can ensure that all the costs for each account are billed against the master account, so you can benefit from volume discounts that otherwise might not be available at the individual account level.

Scroll to Top