AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Accounts & Permissions
    • AWS Organizations
    • Service Control Policies
    • Security Token Service
    • Permissions Boundaries
    • Permissions Evaluation
    • AWS Resource Access Manager
    • Service Quotas
  • ADVANCED IDENTITIES & FEDERATION
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Amazon Cognito
    • Amazon Workspaces
    • Directory Service
    • AWS Control Tower
  • NETWORKING & HYBRID
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
    • Security Groups
    • AWS Local Zones
    • Border Gateway Protocol
    • AWS Global Accelerator
    • IPSec VPN
    • Site2Site VPN
    • Transit Gateway
    • VPC Routing
    • Accelerated Site-to-Site VPN
    • AWS Client VPN
Powered by GitBook
On this page
  1. Accounts & Permissions

AWS Organizations

Last updated 2 days ago

  • A tool to manage multiple AWS accounts efficiently, mainly for larger businesses.

  • Reduces costs and administrative overhead.

🌳 Structure of AWS Organizations

  • Hierarchical structure like an inverted tree.

  • Root (top-level container) holds:

    • AWS accounts (management & member accounts).

    • Organizational Units (OUs) – sub-containers within the root.

  • OUs can contain:

    • Other AWS accounts.

    • Nested OUs (multi-level hierarchy).

💳 Billing

  • Consolidated Billing:

    • One single monthly bill for the entire organization.

    • All costs are consolidated under the management account.

    • Greatly reduces financial admin for large companies.

🛡️ Security & Control

  • Service Control Policies (SCPs):

    • Set permission boundaries for what accounts can or cannot do.

    • Apply at the OU or account level.

🔄 Account Management

  • You can:

    • Invite existing AWS accounts.

    • Create new accounts directly in the organization (requires only a unique email).

    • No need for an invite process if account is created directly.

🔐 Identity & Access Management

  • Avoid IAM users in every account.

  • Use IAM roles to allow access across accounts.

  • Use identity federation with on-premise systems:

    • Use a central identity account.

    • Authenticate once, then switch roles to other member accounts.