Friday, October 3, 2025

AWS Organizations | Overview & Hands-On.

Here’s the twtech overview of AWS Organizations.

View:

  •        Architecture,
  •        Key concepts,
  •        Advanced use cases,
  •        Best practices for enterprise-scale identity / governance management.

 Overview

  •        AWS Organizations is the service twtech uses to centrally manage and govern multiple AWS accounts in its environment.
  •        AWS Organizations is foundational for a multi-account strategy:
    • Security governance,
    • Billing consolidation,
    • Compliance enforcement.
  •        AWS Organizations provides a hierarchical account structure built from organizational units (OUs).
  •        AWS Organizations supports Service Control Policies (SCPs) for enforcing guardrails across member accounts (SCPs never restrict the management account).

 Core Components

1. Organization Root

  • The top-level container for all accounts.
  • Every organization has exactly one root.
  • SCPs attached to the root apply to every OU and member account beneath it. They still do not restrict the management account, which SCPs never affect.

2. Organization Units (OUs)

  • Logical groupings of AWS accounts within the twtech organization.
  • Allow hierarchical policy application (e.g., Security OU, Sandbox OU, Production OU).
  • SCPs attached to an OU are inherited by every account and child OU beneath it, so one attachment governs many accounts.

# Example hierarchy:

Root
├── Security OU
│   ├── Logging Account
│   └── Audit Account
├── Production OU
│   ├── App1 Account
│   └── App2 Account
└── Sandbox OU
    ├── Dev Account
    └── Test Account

3. Accounts

  • Each account is an isolated boundary for resources and billing.
  • Management account: the account that created the organization. It pays the consolidated bill, creates, invites and removes member accounts, and is never restricted by SCPs. (It is distinct from the organization root and from an account's root user.)
  • Member accounts: accounts invited into or created by the organization; SCPs and the other management policies apply to them.

4. Service Control Policies (SCPs)

  • SCPs define the maximum available permissions within accounts.
  • They do not grant permissions; they act as guardrails that restrict IAM users/roles.
  • Effective permissions = IAM permissions ∩ SCP permissions: a request succeeds only if an IAM (or resource) policy allows it and no SCP on the account, its OUs or the root denies it.

# Example SCP (deny every action outside the approved regions). Global services such as IAM, STS, Organizations, CloudFront, Route 53 and Support are served from us-east-1, so a plain "Action": "*" would lock them out of every account; the NotAction list below exempts them, which is the pattern AWS documents for this guardrail:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnsupportedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-2",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
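To make the intersection rule concrete, here is an added example (written for this page; it is neither AWS's evaluation engine nor twtech's own code) that models how SCPs combine: it walks the path root -> OU -> account, lets an explicit Deny win over any Allow, exempts the management account, and shows why a region guardrail written with "Action": "*" locks out global services such as IAM (which report aws:RequestedRegion as us-east-1) while the NotAction form does not. It also covers the OU inheritance used later in the hands-on section, where an S3 deny on the twtechDev OU reaches an account sitting under twtechSeniorDevelopers. The model ignores the Resource element and every condition key other than aws:RequestedRegion; that simplification is an assumption, not AWS behaviour.

```python
from fnmatch import fnmatch

# AWS-managed default SCP; attached to the root, every OU and every account when SCPs are enabled.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

APPROVED_REGIONS = ["us-east-2", "us-west-2"]

# The region guardrail written with "Action": "*" ...
DENY_OUTSIDE_REGIONS_NAIVE = {"Statement": [{
    "Sid": "DenyUnsupportedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}]}

# ... and the corrected form that exempts global services (they answer from us-east-1).
DENY_OUTSIDE_REGIONS = {"Statement": [{
    "Sid": "DenyUnsupportedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}]}

# The hands-on SCP that gets attached to the twtechDev OU.
DENY_S3 = {"Statement": [{"Sid": "twtechDenyAccessS3", "Effect": "Deny",
                          "Action": ["s3:*"], "Resource": ["*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, region):
    """True if this statement applies to the request: action (or NotAction) match
    plus the aws:RequestedRegion StringNotEquals condition, if present."""
    if "Action" in stmt:
        hit = any(fnmatch(action, pat) for pat in _as_list(stmt["Action"]))
    else:
        hit = not any(fnmatch(action, pat) for pat in _as_list(stmt["NotAction"]))
    if not hit:
        return False
    excluded = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if excluded is not None and region in _as_list(excluded):
        return False  # StringNotEquals is false when the region is one of the listed values
    return True


def scp_level_allows(policies, action, region):
    """All SCPs attached at one level (root, one OU, or the account) taken together:
    an explicit Deny wins, otherwise some Allow must match, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, region):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_allow(path, action, region, iam_allows, is_management_account=False):
    """Effective permission = IAM decision AND every SCP level on the path root -> ... -> account.
    path is a list of policy lists, one per level. The management account ignores SCPs entirely."""
    if is_management_account:
        return iam_allows
    return iam_allows and all(scp_level_allows(level, action, region) for level in path)


def demo():
    """Scenarios from this page: Root -> twtechDev OU (S3 denied) -> twtechSeniorDevelopers OU -> account,
    and Root -> Production OU (region guardrail) -> account."""
    root, account = [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]
    dev_path = [root, [FULL_AWS_ACCESS, DENY_S3], [FULL_AWS_ACCESS], account]
    prod_path = [root, [FULL_AWS_ACCESS, DENY_OUTSIDE_REGIONS], account]
    prod_path_naive = [root, [FULL_AWS_ACCESS, DENY_OUTSIDE_REGIONS_NAIVE], account]
    return {
        "dev_s3_list": effective_allow(dev_path, "s3:ListBucket", "us-east-2", iam_allows=True),
        "dev_ec2_describe": effective_allow(dev_path, "ec2:DescribeInstances", "us-east-2", iam_allows=True),
        "dev_ec2_no_iam": effective_allow(dev_path, "ec2:DescribeInstances", "us-east-2", iam_allows=False),
        "mgmt_s3_list": effective_allow(dev_path, "s3:ListBucket", "us-east-2", iam_allows=True,
                                        is_management_account=True),
        "prod_run_eu": effective_allow(prod_path, "ec2:RunInstances", "eu-west-1", iam_allows=True),
        "prod_run_us": effective_allow(prod_path, "ec2:RunInstances", "us-west-2", iam_allows=True),
        "prod_iam_naive": effective_allow(prod_path_naive, "iam:CreateRole", "us-east-1", iam_allows=True),
        "prod_iam_fixed": effective_allow(prod_path, "iam:CreateRole", "us-east-1", iam_allows=True),
        # Detaching FullAWSAccess from the root leaves no Allow at that level: everything is denied.
        "root_without_fullaccess": effective_allow([[], [FULL_AWS_ACCESS], account],
                                                   "ec2:DescribeInstances", "us-east-2", iam_allows=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY'}")
```

The `root_without_fullaccess` case is the one that bites people in practice: an SCP is not a pure deny-list, every level must also contain an Allow that matches, so removing FullAWSAccess from the root or an OU without replacing it blocks the whole subtree.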

5. Consolidated Billing

  • Aggregates billing across all accounts for volume discounts and centralized cost management.
  •        twtech can use Cost Explorer or the Billing console in the management account to monitor total and per-account spend; the management account pays for all member accounts.


twtech-AWS-Organization Architecture:

Advanced Capabilities

 Delegated Administrators

  • Allows a member account to administer a specific AWS service organization-wide, so day-to-day security operations do not run from the management account.
  • Example: a central Security account is delegated administrator for Amazon GuardDuty, AWS Security Hub, or Amazon Macie.

 Tag Policies

  • Enforce standardized tagging across accounts and resources.
  • Example: Require Environment and CostCenter tags on all EC2 instances.

 AI Services Opt-Out Policies

  • Control whether AWS AI services (e.g., Rekognition, Translate) may store customer content and use it to improve their models; the opt-out is set once for the whole organization.

 Backup Policies

  • Centrally manage AWS Backup plans and vaults across accounts.

 Integration with Other AWS Services

Service | Integration | Purpose
AWS Control Tower | Built on top of AWS Organizations | Automates setup of a multi-account landing zone
IAM Identity Center (formerly AWS SSO) | Integrates with Organizations | Centralized identity and access management across accounts
AWS Config | Aggregator over all member accounts | Organization-wide compliance and resource inventory visibility
CloudTrail | Organization trail | Unified auditing of API activity in every member account
Service Catalog | Central provisioning guardrails | Standardized resource deployment across accounts

 Best Practices

  1. Adopt a multi-account strategy early (security, workload isolation, cost tracking).
  2. Use OUs to mirror business or environment structure (e.g., Dev/Test/Prod, BU1/BU2).
  3. Apply SCPs at the OU level rather than to individual accounts.
  4. Keep the management account clean: deploy no workloads there, since SCPs cannot restrict it.
  5. Prefer deny-list SCPs that block known-dangerous actions (leaving the organization, disabling CloudTrail, deleting log buckets) over allow-lists, which are harder to maintain and break services in surprising ways.
  6. Enable an organization CloudTrail trail and an AWS Config aggregator across all accounts.
  7. Set up a central Security OU for logging, audit, and security tooling.
  8. Regularly review SCPs and the account structure for drift or unnecessary restrictions.
  9. Combine with AWS Control Tower for automation and governance at scale.

 Example Organizational Layout

OU | Purpose | Example SCP
Security | Centralized security tooling | Deny deletion of logging resources
Infrastructure | Shared services (e.g., networking) | Restrict IAM changes
Production | Mission-critical workloads | Deny use of unapproved regions
Development / Test | Development and test environments | Allow all but billing actions

 Use Cases

  • Centralized Governance: Enforce compliance via SCPs across 100+ accounts.
  • Cost Optimization: Consolidated billing and cross-account reserved instance sharing.
  • Security Hardening: Deny risky services or enforce encryption everywhere.
  • Delegated Operations: Assign teams to manage security, networking, or logging accounts.


Project: Hands-On

How twtech uses AWS Organizations to manage all the accounts in its environment.

In the console, search for the service: AWS Organizations. The landing page describes the service and how it works, its benefits and features, and its use cases.

Create an organization: twtechAwsOganiztion

Prerequisites:

·       Have more than one account (e.g., three accounts: Dev-account, Test-account, Prod-account).

·       Create the organization from the principal account, which becomes the management account.

Sign up for: twtech-Dev-Account

Email: twtechdevacct@gmail.com


Sign up for: twtech-Test-Account

Email: twtechtestacct@gmail.com



 Create other accounts if need be.

Sign in to each account in a different browser (Chrome, Firefox, Edge) so the sessions do not overwrite each other.

twtech-Test-Account: 31xxxxxxx (twtechtestacct@gmail.com)

twtech-Dev-Account: 58xxxxxxxxxx (twtechdevacct@gmail.com)

twtech-principal-Account: 98xxxxxxxxxx (twtech671@gmail.com)

From the principal account: Create an organization.



How twtech adds accounts to the organization:

Add an AWS account: send invitations to the accounts to be added.

twtech can add an AWS account to the organization either by creating a new account inside it or by inviting one or more existing AWS accounts to join.



How twtech views pending invitations: View all invitations.

Go to the other account (Test) and click on Invitations to accept.

Accept the invitation sent to twtech-Test-Account (child account) via email: twtechtestacct@gmail.com

Sent from the principal account (management account): twtech671@gmail.com


Go to the other account (Dev) and click on Invitations to accept.

Accept the invitation sent to twtech-Dev-Account (child account) via email: twtechdevacct@gmail.com

Sent from the principal account (management account): twtech671@gmail.com

 



How a twtech member account may choose to leave the organization (managed by the twtech principal account): Leave this organization.

NB:

Leave organization

·       If a member account leaves the organization (managed by the principal account), it becomes responsible for all billing charges related to that account, so it must first have its own payment method, contact information and support plan in place.

·       If an account that left wants to rejoin the organization, it must receive and accept a new invitation.

From the AWS management account (the principal account that owns the organization), twtech should see all the accounts in the organization.


Account: twtech Principal account (Management Account) and Child Accounts:


How twtech organizes its accounts with organizational units (OUs)

 
Create organizational unit (OU) in Root

·       An organizational unit (OU) can contain both accounts and other OUs.

·       The organizational unit (OU) enables twtech to create an inverted tree hierarchy.

·       The structure has a root at the top and branches of OUs that reach down.

·       The branches end in accounts that act as the leaves of the tree.

 Create organizational unit (OU): twtechTest

 
Create organizational unit (OU): twtechProd



Create organizational unit (OU): twtechDev


How twtech creates other departments inside an organizational unit (OU): twtechSeniorDevelopers


twtechDevDepartments: twtechSeniorDevelopers


How twtech creates other departments inside an organizational unit (OU): twtechJuniorDevelopers

NB:

twtechJuniorDevelopers is a child OU of twtechSeniorDevelopers, so it inherits every SCP attached above it.


How twtech creates children (child OUs):

Select the organizational unit and click open: twtechProd


Navigate (scroll) to the Children section, then open the Actions menu.



From the Actions drop-down menu, select: Create new organizational unit (e.g., twtechSafety).

Create a new OU for each department:

  •        twtechSafety,
  •        twtechHR,
  •        twtechSecurity,
  •        twtechManagers,
  •        twtechProcessAssistants,
  •        twtechITEngineers,
  •        twtechHealth,
  •        twtechAssociates,
  •        twtechAmbassadors.



The reason twtech creates an organization and puts units under it is Service Control Policies (SCPs).

With SCPs twtech can define clearly what each unit (department) may do and what it is blocked from doing. An SCP sets a ceiling, not the permissions themselves, so the tiers below describe the ceiling each OU's SCPs leave in place; IAM policies inside the accounts still have to grant the actual access.

For example, in the twtechProd OU the Managers department keeps the full ceiling (RWE):

  •        Read (R): they can read everything.
  •        Write (W): they can create and update what they propose.
  •        Execute (E): they can also make operational changes (deploy, delete, reconfigure).

The twtechHealth department has only RW; its SCP denies the Execute tier:

  •        Read (R): they can read everything.
  •        Write (W): they can create and update what they propose.
  •        No Execute (-E): they cannot make operational changes.

twtechAssociates have only the Read tier (R); their SCP denies everything except read-only actions (Describe*, Get*, List*):

  • Read (R): they can read everything.
  • No Write (-W): they cannot create or update anything.
  • No Execute (-E): they cannot make operational changes.

NB:

  • This is the Principle of Least Privilege (PoLP) at work: assign everyone just the permissions required to perform their task.

How twtech moves an entire account into a department (unit): moving a child account to another OU.

  • Select the child account twtechDev-Account, open Actions, and select from the drop-down menu: Move.

Move AWS account 'twtech-Dev-Account'

·       When twtech moves an AWS account from one organizational unit (OU) to another, the set of policies that apply to the account changes.

·       This can change the permissions available in the account and how supported AWS services interact with it. An account has exactly one parent, so it is moved, never copied.

Move twtech-Dev-Account to the department (unit): twtechSeniorDevelopers


NB:

·       Any account other than the principal (management) account is a member account, called a child account in this walkthrough.

·       OUs can contain accounts and further child OUs (departments); accounts are the leaves of the tree and cannot contain anything.

·       It is best practice to leave the management account directly under the Root. It can be moved into another twtech unit (department) if there is a real need, but SCPs attached there will still not apply to it.

How twtech enables service control policies (SCPs): to restrict the tasks that member accounts can perform in the organization.

twtech needs to go to the Organizations menu and select: Policies.

The console also introduces resource control policies (RCPs): twtech can centrally enforce consistent access controls on AWS resources in its organization's member accounts. This walkthrough uses SCPs only.

From: Disabled policies


To: enable only the policy types needed to perform the task (PoLP).

Enable the Service Control Policy type first: SCP


Confirm to: Enable service control policies (SCPs).

NB:

This permits twtech to restrict what member accounts can perform.

NB:

Enabling SCPs automatically attaches the AWS-managed FullAWSAccess policy to the root, every OU and every account. It allows all actions, so nothing changes until twtech attaches its own Deny policies. It does not describe the management account's access; the management account is not subject to SCPs at all.



twtech can also verify that Service control policies now shows: Enabled


How twtech creates policies and attaches them as SCPs: restricting access to some resources in the accounts.

Create new service control policy

·        A service control policy (SCP) specifies the maximum permissions that can be used by users and roles in the organization's accounts. An SCP doesn't grant permissions.

·        twtech must still use IAM permission policies or resource policies to grant permissions.


Search for the service to be restricted: S3


twtech selects the restriction from the Access level list, or pastes the policy document directly:

# json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "twtechDenyAccessS3",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": ["*"]
    }
  ]
}

Create policy.



How twtech verifies that access to its S3 buckets is now denied.

Click on Root to view the policies attached to the root.

FullAWSAccess: the AWS-managed SCP attached to the root by default. It allows every action, and because every level from root to account must allow a request, it (or an equivalent Allow policy) has to stay attached or the whole organization loses access.


NB:

  •        Child OUs and accounts may have other policies attached that define what they are allowed or restricted from performing.
  •        FullAWSAccess is also attached to the root itself.

How twtech attaches a new policy alongside those a unit already has: Attach

Attach a service control policy

A service control policy (SCP) specifies the maximum permissions that can be used by users and roles in the organization's accounts.

An SCP doesn't grant permissions.

Again, twtech must still use IAM permission policies or resource policies to grant permissions.

Attached policy: twtechDenyAccessS33

NB:

Any sub-unit (department) under the twtechDev OU automatically inherits the policy attached to twtechDev; an account's effective SCP is the intersection of the policies at the root, every OU on its path, and the account itself.


How twtech verifies that the S3 deny works.

From the console, go to the account that owns S3 buckets: twtech-Dev-Account.

Try to open the S3 bucket: twtechs3

The bucket cannot be opened: Access Denied, even though the identity's IAM policy may allow s3:*; the SCP caps what any IAM policy in the account can grant.

NB:
Even though the policies restrict the member accounts, twtech can still access all resources from the organization's management account (the principal account), because SCPs never apply to the management account.
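The hands-on procedure above (enable SCPs on the root, create the OU, create the S3-deny SCP, attach it, move an account in, confirm what is attached) automated end to end against the Organizations API. This is an added example for this page, not twtech's own code: it assumes credentials for the management account, reuses the OU and policy names from the walkthrough, and the account id 123456789012 is a constructed placeholder. FakeOrganizations is a constructed stand-in for boto3.client("organizations") so the flow can be exercised offline; the method names it mimics (list_roots, enable_policy_type, create_organizational_unit, create_policy, attach_policy, list_parents, move_account, list_policies_for_target) are the real boto3 calls.

```python
import json


def build_deny_scp(service, sid):
    """SCP document denying every action of one service (the page's twtechDenyAccessS3 shape)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Deny", "Action": [f"{service}:*"], "Resource": ["*"]}]})


def ensure_scps_enabled(org):
    """Enable the SERVICE_CONTROL_POLICY type on the root only if it is not already
    enabled (enable_policy_type raises if it is); return the root id."""
    root = org.list_roots()["Roots"][0]
    enabled = {t["Type"] for t in root.get("PolicyTypes", []) if t["Status"] == "ENABLED"}
    if "SERVICE_CONTROL_POLICY" not in enabled:
        org.enable_policy_type(RootId=root["Id"], PolicyType="SERVICE_CONTROL_POLICY")
    return root["Id"]


def restrict_ou(org, ou_name, service, policy_name, account_id):
    """Create the OU under the root, create and attach the deny SCP, move the account in,
    and return the ids plus the SCP names now attached directly to the OU."""
    root_id = ensure_scps_enabled(org)
    ou_id = org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]
    policy_id = org.create_policy(
        Content=build_deny_scp(service, policy_name),
        Description=f"Deny all {service} actions for the {ou_name} OU",
        Name=policy_name, Type="SERVICE_CONTROL_POLICY",
    )["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    # An account has exactly one parent; move_account needs it as SourceParentId.
    source = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=source, DestinationParentId=ou_id)
    attached = org.list_policies_for_target(TargetId=ou_id, Filter="SERVICE_CONTROL_POLICY")["Policies"]
    return {"root_id": root_id, "ou_id": ou_id, "policy_id": policy_id,
            "attached": sorted(p["Name"] for p in attached)}


class FakeOrganizations:
    """Constructed stand-in for boto3.client("organizations") so the flow runs offline.
    It returns the same response shapes as the real API and records every mutating call."""

    def __init__(self, scp_enabled=False):
        self.scp_enabled, self.calls, self.policies = scp_enabled, [], ["FullAWSAccess"]

    def list_roots(self):
        types = [{"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"}] if self.scp_enabled else []
        return {"Roots": [{"Id": "r-abcd", "PolicyTypes": types}]}

    def enable_policy_type(self, RootId, PolicyType):
        self.calls.append(("enable_policy_type", RootId, PolicyType))
        self.scp_enabled = True
        return {}

    def create_organizational_unit(self, ParentId, Name):
        self.calls.append(("create_organizational_unit", ParentId, Name))
        return {"OrganizationalUnit": {"Id": "ou-abcd-11111111", "Name": Name}}

    def create_policy(self, Content, Description, Name, Type):
        json.loads(Content)  # the real API rejects malformed policy content
        self.calls.append(("create_policy", Name, Type))
        self.policies.append(Name)  # new OUs already carry FullAWSAccess; ours is added next to it
        return {"Policy": {"PolicySummary": {"Id": "p-deadbeef", "Name": Name}, "Content": Content}}

    def attach_policy(self, PolicyId, TargetId):
        self.calls.append(("attach_policy", PolicyId, TargetId))
        return {}

    def list_parents(self, ChildId):
        return {"Parents": [{"Id": "r-abcd", "Type": "ROOT"}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.calls.append(("move_account", AccountId, SourceParentId, DestinationParentId))
        return {}

    def list_policies_for_target(self, TargetId, Filter):
        return {"Policies": [{"Name": n} for n in self.policies]}


if __name__ == "__main__":
    import boto3  # only needed for the real run, with management-account credentials
    result = restrict_ou(boto3.client("organizations"), "twtechDev", "s3",
                         "twtechDenyAccessS3", "123456789012")
    print(json.dumps(result, indent=2))
```

The returned `attached` list is the check worth keeping in any automation: after the attach, the OU should carry both FullAWSAccess and the new deny. If FullAWSAccess is missing from an OU, every account beneath it loses all access, which is a far noisier failure than the S3 deny being absent.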
