What is AWS Organizations?

AWS accounts are natural boundaries for permission, security, costs, and workloads. Using a multi-account environment is a recommended best-practice when scaling your cloud environment. You can simplify account creation by programmatically creating new accounts using the AWS Command Line Interface (AWS CLI), SDKs, or APIs, and centrally provision recommended resources and permissions to those accounts with AWS CloudFormation StackSets.

As you create new accounts, you can group them into organizational units (OUs), or groups of accounts that serve a single application or service. Apply tag polices to classify or track resources in your organization, and provide attribute-based access control for users or applications. In addition, you can delegate responsibility for supported AWS services to accounts so users can manage them on behalf of your organization.

You can centrally provide tools and access for your security team to manage security needs on behalf of the organization. For example, you can provide read-only security access across accounts, detect and mitigate threats with Amazon GuardDuty, review unintended access to resources with IAM Access Analyzer, and secure sensitive data with Amazon Macie.

Set up AWS IAM Identity Center to provide access to AWS accounts and resources using your active directory, and customize permissions based on separate job roles. You can also apply organization policies to users, accounts, or OUs. For example, service control policies (SCPs) enable you to to control access to AWS resources, services, and Regions within your organization. Resource control policies (RCPs) enable you to centrally prevent the unintended use of your AWS resources. Chatbot policies enable you to control access to your organization's accounts from chat applications such as Slack and Microsoft Teams.

You can share AWS resources within your organization using AWS Resource Access Manager (AWS RAM). For example, you can create your Amazon Virtual Private Cloud (Amazon VPC) subnets once and share them across your organization. You can also centrally agree to software licenses with AWS License Manager, and share a catalog of IT services and custom products across accounts with AWS Service Catalog.

You can activate AWS CloudTrail across accounts, which creates a log of all activity in your cloud environment that cannot be turned off or modified by member accounts. In addition, you can set policies to enforce backups on your specified cadence with AWS Backup, or define recommended configuration settings for resources across accounts and AWS Regions with AWS Config.

Organizations provides you with a single consolidated bill. In addition, you can view usage from resources across accounts and track costs using AWS Cost Explorer, and optimize your usage of compute resources using AWS Compute Optimizer.

You can automate the creation of AWS accounts to quickly launch new workloads. Add the accounts to user-defined groups for instant security policy application, touchless infrastructure deployments, and auditing. Create separate groups to categorize development and production accounts and use AWS CloudFormation StackSets to provision services and permissions to each group.

You can apply service control policies (SCPs) to ensure that your users perform only the actions that meet your security and compliance requirements. Create a central log of all actions performed across your organization using AWS CloudTrail. View and enforce standard resource configurations across accounts and AWS Regions using AWS Config. Automatically apply regular backups using AWS Backup. Use AWS Control Tower to apply pre-packaged governance rules for security, operations, and compliance for your AWS workloads.

Create a Security group and provide it with read-only access to all of your resources to identify and mitigate security concerns. You can allow that group to manage Amazon GuardDuty so they can actively monitor and mitigate threats to your workloads, and IAM Access Analyzer to quickly identify unintended access to your resources.

Organizations makes it easy for you to share critical central resources across your accounts. For example, you can share your central AWS Directory Service for Microsoft Active Directory so that applications can access your central identity store.

Share your AWS Directory Service for Microsoft Active Directory as a central identity store for your applications. Use AWS Service Catalog to share IT services in designated accounts so users can quickly discover and deploy approved services. Ensure that application resources are created on your Amazon Virtual Private Cloud (Amazon VPC) subnets by centrally defining them once and sharing them across your organization using AWS Resource Access Manager (AWS RAM).