☁︎SAA-C03

Organizations

Organizations & Multi-Account — Concept (Organizations, Control Tower, IAM Identity Center, RAM)

AWS Organizations

AWS Organizations = central management of multiple AWS accounts in a tree of OUs (Organizational Units).

Features

  • Consolidated billing (single payer, shared volume discounts and RIs/SPs).
  • Service Control Policies (SCPs) = allow/deny boundaries applied to accounts/OUs (don't grant, only limit).
  • Centralized CloudTrail organization trail, Config aggregator, GuardDuty admin, Security Hub master, Backup admin.
  • Tag policies, AI services opt-out policies, backup policies.

Structure

  • Management account (formerly master) — billing payer, full control.
  • Member accounts — owned by management account.
  • OU = grouping of accounts (e.g. prod, dev, security).
  • Recommended baseline: separate accounts for prod, dev, security/logging, sandbox.

AWS Control Tower

  • Opinionated landing zone on top of Organizations.
  • Sets up multi-account baseline automatically (logging, SSO, guardrails).
  • Built-in guardrails (preventive via SCPs, detective via Config rules).
  • Account Factory to provision new accounts via Service Catalog.
  • AWS-recommended starting point for new multi-account setups.

AWS IAM Identity Center (formerly AWS SSO)

  • Centralized SSO for AWS accounts and SaaS apps.
  • Integrates with Active Directory / external IdP (SAML 2.0).
  • Users get a portal listing all roles in all accounts they can assume.
  • Best practice replacement for IAM users in multi-account setups.

AWS Resource Access Manager (RAM)

  • Share AWS resources across accounts:
    • Subnets of a VPC (via shared VPC)
    • Transit Gateway
    • Route 53 Resolver rules
    • License Manager configurations
    • Aurora clusters (snapshots)
  • Allows resource owner to centrally manage; consumers see the resource as if it were theirs.

SCPs (must understand)

  • Attached to root, OU, or account.
  • Don't grant permissions — they only filter (allow/deny) what IAM policies inside the account can grant; effective permissions = IAM policy ∩ SCP.
  • Common patterns:
    • Block specific regions
    • Block disabling CloudTrail / Config / GuardDuty
    • Block leaving the org
    • Block root user actions
    • Require encryption / specific tags
  • Management account is NOT affected by SCPs.
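An added example SCP (not from the page) that combines the common patterns above: region lock-down, CloudTrail protection, blocking org exit, and blocking root-user actions. The region names, the short list of global services exempted from the region check, and the `OrgAdminBreakGlass` role name are assumptions for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "budgets:*", "cloudfront:*", "route53:*", "waf:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdminBreakGlass"
        }
      }
    },
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeavingOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    }
  ]
}
```

Attach it to a sandbox OU first and check that global-service calls (IAM, STS, Route 53) still succeed; the `NotAction` exemption is what keeps those working when the request region is us-east-1.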

Common exam scenarios

  1. "Block all child accounts from using regions outside EU" → SCP with RegionRestriction condition.
  2. "Provide single sign-on across all 50 accounts to existing AD users" → IAM Identity Center with AD connection.
  3. "Quickly stand up landing zone with logging, baseline guardrails" → Control Tower.
  4. "Share a VPC subnet with another account" → RAM + Shared VPC.
  5. "One bill for all accounts, share RI discount" → Consolidated billing in Organizations.
  6. "Prevent disabling CloudTrail in any account" → SCP denying cloudtrail:StopLogging.
  7. "Aggregate all GuardDuty findings across org" → enable GuardDuty Organizations admin.

Exam tip

  • SCPs only limit, never grant.
  • Management account is exempt from SCPs and should host only billing / org-management resources.
  • Control Tower is the modern landing zone; IAM Identity Center is the modern SSO.
