Understanding AWS Organizations and Consolidating member Accounts with Organizational Units

AWS Organizations is a service that helps you centrally manage and govern your AWS accounts at scale. It allows you to consolidate multiple accounts into a single hierarchical structure, apply policies, and simplify billing through consolidated billing features. This is particularly useful for businesses with multiple departments or projects or geographies, enabling better resource management, security enforcement, and cost optimization.

TL;DR

AWS Organizations is an AWS service that consolidates multiple AWS accounts into a hierarchy of Organizational Units, giving you:

1. Simplified, centralized account management

2. Consolidated billing

3. Resource sharing via AWS Resource Access Manager (RAM), and

4. Service Control Policies (SCPs) to meet governance requirements

You start with a standard AWS account and use it to create an organization. The account you create the organization with BECOMES the management account (also called the master or payer account). The management account can then invite existing standard AWS accounts into the organization, or create new accounts inside it; either way they join as MEMBER ACCOUNTS.

The management and member accounts can then be arranged into a hierarchy: the organization root sits at the TOP, and beneath it multi-level Organizational Units, based on business units, functions, or country locations, each group one or more member accounts.

Key Features of AWS Organizations

  • Account Consolidation: Manage multiple AWS accounts in a single hierarchy.

  • Organizational Units (OUs): Group accounts for easier management and policy application.

  • Service Control Policies (SCPs): Enforce permissions across accounts and OUs.

  • Consolidated Billing: Share Reserved Instances and Savings Plans to reduce costs.

  • Resource Sharing: Share resources across accounts via AWS Resource Access Manager (RAM).


Steps to Consolidate AWS Accounts with Organizational Units (OUs)

  1. Set Up AWS Organizations:

    • Log in to the AWS Management Console as the account's root user or as an IAM user with the necessary permissions.

    • Navigate to AWS Organizations and create an organization if one doesn't already exist.

  2. Create Organizational Units (OUs):

    • In the AWS Organizations dashboard, create OUs that logically group accounts based on business needs (e.g., production, development, finance).

    • Give the OUs meaningful names so the hierarchy stays readable.

  3. Add Accounts to the Organization:

    • Invite existing accounts by sending an invitation to their email address or AWS account ID.

    • Create new AWS accounts directly within the organization if needed.

  4. Move Accounts to Organizational Units:

    • Assign each AWS account to the appropriate OU based on its purpose, function, department, or geography. This step simplifies policy management and governance.
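The four steps above, automated against the AWS Organizations API as an added example (this is not code from the original post): an OU layout is created under the organization root and member accounts are moved into it, written so the script can be re-run safely (existing OUs are reused and accounts already in the right OU are left alone). The API client is passed in as a parameter: in real use it would be boto3.client("organizations") called with management-account credentials, while the FakeOrganizationsClient below is a constructed in-memory stand-in with the same call shapes so the example runs offline. The OU names and 12-digit account ids are placeholders.

```python
"""
Added example: create an OU layout and place member accounts with the
AWS Organizations API (create_organizational_unit, move_account, ...).
Re-runnable: existing OUs are reused, accounts already in place are not moved.
"""
from typing import Dict, List, Optional


def find_ou(client, parent_id: str, name: str) -> Optional[str]:
    """Return the id of the child OU called `name` under `parent_id`, or None.
    Follows NextToken pagination, which the real API uses for large parents."""
    token = None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_organizational_units_for_parent(**kwargs)
        for ou in resp["OrganizationalUnits"]:
            if ou["Name"] == name:
                return ou["Id"]
        token = resp.get("NextToken")
        if not token:
            return None


def ensure_ou(client, parent_id: str, name: str) -> str:
    """Reuse an existing OU or create it; returns the OU id either way."""
    existing = find_ou(client, parent_id, name)
    if existing:
        return existing
    created = client.create_organizational_unit(ParentId=parent_id, Name=name)
    return created["OrganizationalUnit"]["Id"]


def place_account(client, account_id: str, dest_parent_id: str) -> bool:
    """Move the account under dest_parent_id unless it is already there.
    Returns True if a move was issued."""
    # An account always has exactly one parent (the root or one OU).
    current = client.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if current == dest_parent_id:
        return False
    client.move_account(AccountId=account_id, SourceParentId=current,
                        DestinationParentId=dest_parent_id)
    return True


def apply_layout(client, layout: Dict[str, List[str]]) -> Dict[str, str]:
    """layout maps an OU path such as "Workloads/Production" to the member
    account ids that belong in it; intermediate OUs are created as needed.
    Returns {account_id: ou_id} for every placed account."""
    root_id = client.list_roots()["Roots"][0]["Id"]
    placement = {}
    for path, accounts in layout.items():
        parent = root_id
        for name in path.split("/"):
            parent = ensure_ou(client, parent, name)
        for account_id in accounts:
            place_account(client, account_id, parent)
            placement[account_id] = parent
    return placement


class FakeOrganizationsClient:
    """Constructed in-memory stand-in for boto3.client("organizations")."""
    def __init__(self, root_id="r-abcd", accounts=()):
        self.root_id = root_id
        self.ous = {}                                   # ou id -> (parent id, name)
        self.parents = {a: root_id for a in accounts}   # new accounts start at the root
        self.calls = []                                 # log of mutating calls

    def list_roots(self):
        return {"Roots": [{"Id": self.root_id}]}

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        children = [{"Id": i, "Name": n} for i, (p, n) in self.ous.items() if p == ParentId]
        return {"OrganizationalUnits": children}

    def create_organizational_unit(self, ParentId, Name):
        ou_id = f"ou-{len(self.ous) + 1:04d}"
        self.ous[ou_id] = (ParentId, Name)
        self.calls.append(("create_organizational_unit", Name))
        return {"OrganizationalUnit": {"Id": ou_id, "Name": Name}}

    def list_parents(self, ChildId):
        return {"Parents": [{"Id": self.parents[ChildId]}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.calls.append(("move_account", AccountId, DestinationParentId))
        self.parents[AccountId] = DestinationParentId
        return {}


# Constructed layout: OU path -> placeholder member account ids.
LAYOUT = {
    "Workloads/Production": ["111111111111"],
    "Workloads/Development": ["222222222222"],
    "Security": ["333333333333"],
}

if __name__ == "__main__":
    client = FakeOrganizationsClient(accounts=["111111111111", "222222222222", "333333333333"])
    # For a real run from the management account: client = boto3.client("organizations")
    print(apply_layout(client, LAYOUT))
    print(apply_layout(client, LAYOUT))   # second run issues no further create/move calls
    print(client.calls)
```

Passing the client in keeps the placement logic testable without credentials; the same functions work unchanged with a real boto3 client, where the identity running them needs organizations permissions in the management account.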

IAM Consolidation and Switch Role

With AWS Organizations, you can keep your IAM users in one account and use role switching to manage resources in the other member accounts with a single IAM user. When you switch roles, you temporarily take on the permissions assigned to the target role. When you exit the role, you give up those permissions and get your original permissions back.

  5. Define Service Control Policies (SCPs):

    • Create and attach SCPs to OUs or accounts to enforce permissions and restrict access to AWS services. For example:

      • Allow only specific services for development accounts.

      • Deny certain actions in production accounts to enforce security.

  6. Enable Consolidated Billing:

    • Ensure that the Master Account (now referred to as the Management Account) has consolidated billing enabled.

    • View a unified bill for all member accounts and share unused Reserved Instances or Savings Plans.

  7. Monitor and Audit:

    • Use AWS CloudTrail and AWS Config to monitor and audit account activities within your organization.

    • Analyze cost and usage using the AWS Cost Explorer and Billing Dashboard.
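The two SCP examples from the step above (an allowlist for development accounts, a deny guardrail for production accounts) worked through as an added example, not code from the original post. It is a simplified model of how AWS Organizations evaluates SCPs along the path Root -> OU -> account: an action passes only if every level on the path permits it, and at each level all attached SCPs are read together, so any matching Deny wins and otherwise at least one matching Allow is required. The organization layout, the 12-digit account ids and the policy contents are constructed; Resource, Condition and NotAction elements are deliberately not modelled.

```python
"""
Added example: simplified SCP evaluation across the Root -> OU -> account path.
FullAWSAccess is the SCP AWS attaches by default to every root, OU and account;
the other two policies are constructed for this demo.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Development allowlist: only the listed services may be used (FullAWSAccess detached).
DEV_ALLOWLIST = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": ["ec2:*", "s3:*", "logs:*"],
                                "Resource": "*"}]}

# Production guardrail: deny actions that would blind auditing or detach the account.
PROD_GUARDRAILS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny",
                                  "Action": ["cloudtrail:StopLogging",
                                             "cloudtrail:DeleteTrail",
                                             "organizations:LeaveOrganization"],
                                  "Resource": "*"}]}

# Constructed organization: node id -> parent id and the SCPs attached at that node.
ORG = {
    "r-root":       {"parent": None,      "scps": [FULL_AWS_ACCESS]},
    "ou-dev":       {"parent": "r-root",  "scps": [DEV_ALLOWLIST]},
    "ou-prod":      {"parent": "r-root",  "scps": [FULL_AWS_ACCESS, PROD_GUARDRAILS]},
    "111111111111": {"parent": "ou-dev",  "scps": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "ou-prod", "scps": [FULL_AWS_ACCESS]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; patterns may use * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def level_permits(scps: List[dict], action: str) -> bool:
    """Evaluate every SCP attached at one level together:
    a matching Deny anywhere wins, otherwise some statement must Allow."""
    allowed = False
    for policy in scps:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def path_to_root(org: Dict[str, dict], node_id: str) -> List[str]:
    """Return the ids on the path [root, ..., node_id]."""
    path = []
    while node_id is not None:
        path.append(node_id)
        node_id = org[node_id]["parent"]
    return list(reversed(path))


def blocking_level(org: Dict[str, dict], account_id: str, action: str) -> Optional[str]:
    """Return the id of the first level (root first) whose SCPs block `action`,
    or None if every level permits it.  Two caveats from the real service:
    SCPs never apply to the management account, and an action the SCPs permit
    still needs an IAM identity or resource policy that allows it."""
    for node_id in path_to_root(org, account_id):
        if not level_permits(org[node_id]["scps"], action):
            return node_id
    return None


if __name__ == "__main__":
    checks = [("111111111111", "ec2:RunInstances"),
              ("111111111111", "iam:CreateUser"),
              ("222222222222", "cloudtrail:StopLogging"),
              ("222222222222", "iam:CreateUser")]
    for account, action in checks:
        blocked_at = blocking_level(ORG, account, action)
        verdict = f"blocked at {blocked_at}" if blocked_at else "permitted by SCPs"
        print(f"{account} {action}: {verdict}")
```

The evaluator reports where on the path an action is cut off, which is the question that matters when a member-account user hits an unexpected AccessDenied: the dev account's own FullAWSAccess cannot help once the OU-level allowlist omits the service, and no SCP attached below the production OU can re-enable an action the OU denies.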


Benefits of Using AWS Organizations for Account Consolidation

  • Simplified Management: Centralized control over permissions, policies, and billing.

  • Enhanced Security: SCPs ensure consistent security across accounts.

  • Cost Optimization: Consolidated billing reduces overall costs through resource sharing.

  • Scalability: Easily add or remove accounts as your organization grows.

That's all folks. Hope you enjoyed this quick introduction to AWS Organizations. By leveraging AWS Organizations and Organizational Units, you can achieve structured account management and governance while optimizing costs and security across your cloud infrastructure.

Kindly share with the community. Until I see you next time. Cheers!