📡 You're offline — showing cached content
New version available!
Quick Access
🗺️ Roadmaps 🃏 Flashcards 📚 Series 🎓 Tutorials 🗺️ My Path 🎤 Mock Interview Cheat Code 📄 Resume Builder 🛠️ Dev Tools
Tutorials AWS Solutions Architect AWS Organizations and Multi-Account Strategy

AWS Organizations and Multi-Account Strategy

4 min read Quiz at the end
Design multi-account strategies with AWS Organizations, OUs, and Service Control Policies for security and compliance.

AWS Organizations — Managing Multiple Accounts

As companies grow, they create multiple AWS accounts: one for production, one for development, one for security tooling, one for each business unit. AWS Organizations manages all these accounts centrally.

Teacher Note: Think of AWS Organizations like a company org chart. The CEO (management account) oversees all departments (member accounts). The CFO controls the budget for everyone (consolidated billing). HR sets company-wide policies (SCPs) that every department must follow.

Why Multiple AWS Accounts?

  • Blast radius limitation: if dev account is compromised, production account is unaffected
  • Cost allocation: separate bills per team, project, or environment
  • Security isolation: different security policies per environment
  • Service quota isolation: dev workloads cannot exhaust production quotas
  • Compliance: regulated workloads (PCI, HIPAA) in dedicated compliant accounts

AWS Organizations Structure

Root
  Management Account (billing, org control - touch nothing else here)
  |
  OU: Security
  |   Account: Security-Tooling (GuardDuty, Security Hub, CloudTrail)
  |   Account: Log-Archive (centralised logs)
  |
  OU: Infrastructure
  |   Account: Networking (shared VPC, Transit Gateway, DNS)
  |   Account: Shared-Services (ECR, CodeArtifact)
  |
  OU: Workloads
      OU: Production
      |   Account: App1-Prod
      |   Account: App2-Prod
      OU: Development
          Account: App1-Dev
          Account: App2-Dev

Service Control Policies (SCPs)

SCPs are permission guardrails applied at the OU or account level. Even if an IAM policy grants a permission, an SCP can DENY it. SCPs cannot grant permissions — they only restrict.

# SCP example: Prevent disabling CloudTrail in any account
{
  "Effect": "Deny",
  "Action": "cloudtrail:StopLogging",
  "Resource": "*"
}

# SCP example: Restrict to approved regions only
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
    }
  }
}
Exam Tip: SCPs do NOT grant permissions — they only LIMIT what IAM can grant. If an SCP allows * and IAM denies, IAM still denies. If an SCP denies and IAM allows, the SCP denial wins. Think of SCPs as the maximum ceiling of permissions in an account.
Topic Quiz · 1 questions

Test your understanding before moving on

1. A company wants to PREVENT any account in the organization from creating resources outside of us-east-1 regardless of what IAM policies allow. What is the correct tool?
💡 SCPs override IAM — even AdministratorAccess cannot bypass an SCP Deny. SCPs enforce guardrails at the account or OU level.