Security and billingSecurity and complianceIntermediate36 min read

What Is AWS Organizations? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

AWS Organizations is like a master control panel for all your AWS accounts. Instead of logging into each account separately to manage settings or see bills, you use one place to apply rules, group accounts, and pay for everything. It helps companies keep their cloud setup secure and organized, especially as they grow.

Common Commands & Configuration

aws organizations create-account --email admin@example.com --account-name "ProdAccount" --role-name OrganizationAccountAccessRole

Creates a new member account within an AWS Organization. Used when you need to automate account creation and assign the initial IAM role for admin access.

Commonly tested: exams ask which role allows the management account to access member accounts (OrganizationAccountAccessRole). Also tests that the management account cannot be deleted or left the organization.

aws organizations list-accounts

Lists all accounts (management and member) in the AWS Organization. Useful for auditing and automation scripts.

Exams often test that this operation requires permissions from the management account, and that member accounts cannot see other member accounts' details without appropriate delegation.

aws organizations attach-policy --policy-id p-examplepolicy --target-id ou-exampleou

Attaches a Service Control Policy (SCP) to an organizational unit (OU) or account. Used to apply permission guardrails across accounts.

Key exam point: SCPs do not grant permissions-they only restrict them. SCPs affect all users and roles in the target account, including the root user. Exams test that SCPs are not effective for the management account.

aws organizations enable-policy-type --root-id r-exampleroot --policy-type SERVICE_CONTROL_POLICY

Enables Service Control Policies (SCPs) at the root of the organization. Required before SCPs can be created or attached.

Exams test that SCPs are enabled per policy type. Remember that SCPs must be enabled at the root before they can be used. Also, you cannot enable SCPs only for a subset of accounts-they apply at the root level.

aws organizations create-organization --feature-set ALL

Creates a new AWS Organization with consolidated billing and all features enabled. The management account becomes the payer account.

Exams frequently ask about the difference between 'ALL' and 'CONSOLIDATED_BILLING' feature sets. With 'ALL', you get SCPs and centralized management; with 'CONSOLIDATED_BILLING', you only get combined billing. The default IAM role (OrganizationAccountAccessRole) is created when using 'ALL'.

aws organizations move-account --account-id 123456789012 --source-parent-id r-exampleroot --destination-parent-id ou-exampleou

Moves an existing member account from one OU or root to another. Used when reorganizing accounts within the organization hierarchy.

Exams test that moving accounts between OUs can cause SCPs to apply differently. Also, moving accounts may require the destination OU to have appropriate policies. The management account cannot be moved.

AWS Organizations appears directly in 642exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →

Must Know for Exams

AWS Organizations is a high-frequency topic in AWS certification exams, particularly the AWS Cloud Practitioner, AWS Developer Associate, AWS Solutions Architect Associate (SAA), and AWS SysOps Administrator Associate. For the AWS Cloud Practitioner exam, it is covered under the domain of 'Security and Compliance' and 'Cloud Technology and Services'. You need to understand that it provides centralized control for multiple accounts, that it offers consolidated billing, and that it is free to use.

Questions at this level often ask about its primary purpose: to manage multiple accounts centrally. They do not require deep knowledge of SCP syntax but expect you to know what an SCP does and how it differs from an IAM policy. For the AWS Solutions Architect Associate (SAA) exam, AWS Organizations is a critical topic in the 'Design for Security' domain.

You will be tested on scenarios involving multi-account strategies. A typical question might describe a company that has multiple accounts and needs to enforce a policy that prevents users in certain accounts from deleting Amazon S3 buckets. The correct answer will involve creating an SCP and attaching it to the appropriate organizational unit.

You need to understand the hierarchical nature of OUs and how SCPs are inherited. You must also know that the management account is exempt from SCPs. Another common exam question involves the use of AWS Organizations with AWS Single Sign-On (SSO) to federate access across accounts.

You may also see questions about service-linked roles that are created when you enable certain features, like AWS CloudTrail integration. For the SysOps Administrator exam, you will face operational questions. You might be asked how to troubleshoot a situation where a new account cannot access a service, and the answer involves checking the SCP attached to the account's OU.

You need to know the step-by-step process to invite a member account, how to move accounts between OUs, and how to enable all features. The exam also tests your understanding of the difference between 'Consolidated billing features' and 'All features'. You must know that to use SCPs, you must enable 'All features'.

For the Developer Associate exam, the focus is more on automation. You might need to know how to programmatically create new accounts using the AWS Organizations API or AWS CloudFormation. Questions could involve using the 'organizations:CreateAccount' API and the process of creating an IAM role for cross-account access.

For candidates studying for the Azure exams (AZ-104, Azure Fundamentals) or Google Cloud exams (ACE, Digital Leader), AWS Organizations is sometimes mentioned in comparison questions. For example, a question might ask how AWS Organizations compares to Azure Management Groups. Understanding the AWS version helps you understand the concept of hierarchical management, which is a common pattern across cloud providers.

The exam pattern for AWS Organizations questions includes scenario-based multiple-choice questions. For example, 'A company has 50 AWS accounts. The security team wants to ensure that all accounts have encryption enabled for Amazon EBS volumes.

What should they do?' The answer would be to create an SCP that denies the creation of EBS volumes without encryption and attach it to the root of the organization. Another pattern is 'A startup has three accounts: dev, test, and prod.

They want a single bill. What service should they use?' The answer is AWS Organizations with consolidated billing. Trap answers may include IAM, Amazon S3 cross-region replication, or AWS Budgets.

You need to be precise. The cost of failure in an exam context is losing marks. But more importantly, misunderstanding this service in a real job could lead to security vulnerabilities or operational inefficiencies.

Knowing it well, therefore, is a high-return investment for your exam preparation and career.

Simple Meaning

Imagine you have a large family with many members. Each family member has their own wallet, their own set of keys to the house, and their own chores. Now imagine trying to manage the household budget, make sure everyone locks the doors at night, and assign new chores to everyone. Doing this by walking from room to room and talking to each person individually would be exhausting and you would probably miss something. AWS Organizations is like setting up a family command center in the kitchen. In this command center, you have a master key that can open any room, a central ledger that shows every penny spent by anyone, and a rule board where you can post notices like no one is allowed to leave the front door unlocked. You can group family members into teams. For example, you can put all the kids who do yard work together and give their team a specific allowance. If a new rule needs to apply to everyone, you post it on the board once, and it automatically applies to every room. In the world of AWS, a cloud computing company, Organizations does exactly this for your AWS accounts. AWS accounts are like those individual family members. Each account can have its own resources, like virtual computers, databases, and storage. But if you have ten or a hundred accounts, managing them one by one becomes impossible. AWS Organizations lets you create a management account, which is your command center. From there, you can invite other accounts to join your organization. You can create organizational units, which are like folders to group accounts. For example, you can put all accounts used by your development team in one folder and all accounts used by your production team in another. You then apply service control policies, which are like the rule board. These policies can say things like no one in this group is allowed to turn off logging, or no one is allowed to use a specific type of expensive computer. The most powerful part is consolidated billing. Instead of getting ten different bills, you get one single bill that shows all the spending, making it much easier to budget and track costs. This central control prevents security accidents, saves time, and keeps your cloud environment organized.

For a company that is growing, this is a lifesaver. Without AWS Organizations, a busy manager might have to log into each account, check each setting, and hope nothing slipped through the cracks. With Organizations, the manager sets a policy once, and it applies to every account in that group automatically. New accounts that join the organization instantly inherit the rules. This ensures that security baselines are consistent. It also means that if a developer creates a new account for a project, they do not accidentally leave the data unencrypted because the Organization’s policy already requires encryption. This makes AWS Organizations one of the foundational tools for any serious cloud operation. It is like the skeleton that holds the rest of the cloud body together, providing structure and control without which things would quickly become chaotic.

For IT professionals studying for AWS certification exams, understanding AWS Organizations is crucial because it appears in questions about security, governance, and multi-account strategies. It is not just a billing tool. It is a governance tool. The ability to enforce rules across accounts without exceptions is a powerful concept that separates beginners from advanced cloud architects. The simple idea of a central command center that applies rules to many accounts is the heart of AWS Organizations.

Full Technical Definition

AWS Organizations is a global service that enables centralized management of multiple Amazon Web Services (AWS) accounts. It allows an organization to consolidate billing, enforce policies, and simplify account creation and governance. The service operates at the account level, meaning it is not a virtual private cloud or a region-specific service. It is available globally and does not require you to enable it in each region. The architecture of AWS Organizations is based on a hierarchical structure. At the top is the management account, previously called the master account. This account is the only one that can create the organization, invite other accounts, and apply policies. Beneath the management account, you can create organizational units (OUs). OUs are containers for accounts. They can be nested up to five levels deep, allowing you to create a tree-like structure that mirrors your company’s organizational or functional needs. For example, you might have an OU for Security, an OU for Development, and within Development, an OU for Web Applications and another for Mobile Applications. The key technical components include service control policies (SCPs), tag policies, backup policies, and AI services opt-out policies. SCPs are JSON-based policies that specify the maximum permissions available to accounts in an OU or directly to an account. Importantly, SCPs are not identity and access management (IAM) policies. IAM policies grant permissions to IAM users and roles. SCPs are account-level permission boundaries. They define what actions principals in the account can perform, even if an IAM policy grants broader permissions. SCPs do not grant permissions themselves. They only deny or allow actions up to a certain limit. For example, an SCP can deny the ability to delete S3 buckets or restrict the use of specific instance types. SCPs can be applied to the root of the organization, which applies to all accounts, or to specific OUs. The effective permission of an account is the intersection of the SCPs applied to its path down the hierarchy and the IAM policies assigned to its users. This means SCPs create a security guardrail.

Consolidated billing is another core technical feature. When you enable consolidated billing, all accounts in the organization are linked to the management account for payment purposes. The management account pays the aggregated charges. This provides a single cost and usage report. It also allows the organization to aggregate usage across accounts to potentially qualify for volume discount tiers. For example, if one account uses a small amount of Amazon S3 storage but across all accounts the organization uses a huge amount, the organization might get a lower per-gigabyte price. Consolidated billing does not affect the performance or security of individual accounts. It is purely a financial and reporting feature. AWS Organizations also provides an API that allows you to programmatically create and manage accounts. This is critical for enterprises that need to automate the creation of development and testing accounts. You can use AWS CloudFormation, AWS Control Tower, or custom scripts to call the Organizations API. When you create an account through the API, you can designate the IAM role name that will be created in the new account, allowing you to federate access from the management account. This automation is a key enabler for implementing a multi-account strategy, which is a best practice recommended by AWS. The multi-account strategy reduces the blast radius of security incidents. If one account is compromised, the damage is contained. It also helps with cost allocation, as each account can be tied to a specific project or team. AWS Organizations integrates with other AWS services. AWS Single Sign-On (SSO) can be configured to allow users to log in once and access multiple accounts within the organization based on their roles. AWS CloudTrail can be configured to log API calls across all accounts in the organization and deliver them to a single Amazon S3 bucket in the management account for centralized auditing. AWS Config can aggregate configuration data across accounts. The service uses the AWS Organizations API, which is a public API that uses HTTPS for secure communication.

When you create an organization, you choose one of two feature sets. The first is consolidated billing features only. This is the basic mode where you only get the billing aggregation and nothing else. You cannot use SCPs or other governance features. The second is all features mode, which includes consolidated billing plus SCPs, tag policies, and all other governance capabilities. Most enterprises choose all features. It is possible to upgrade from consolidated billing only to all features, but you cannot downgrade. The process to invite an account involves the management account sending an invitation. The invited account must accept the invitation, or you can create a new account that automatically becomes a member. Member accounts cannot leave the organization unless they are removed by the management account. The management account has special powers. For example, it can access billing data of member accounts, and it can also assume an IAM role in member accounts if that role has been configured. This access is separate from SCPs. The management account is not subject to SCPs applied to the root of the organization. This is by design, as the management account needs full control to manage the organization. However, this also means that if the management account is compromised, the entire organization is at risk. Therefore, security best practices strongly recommend that the management account be used only for administrative tasks and not for running workloads. You should tightly restrict who has access to the management account and require multi-factor authentication.

From an implementation perspective, AWS Organizations is free to use. You only pay for the AWS resources you use in your accounts, such as EC2 instances or S3 storage. There is no cost for the service itself. The service has certain limits. For example, you can have a maximum of five management accounts in a single organization? No, you can only have one management account. You can have up to 20,000 member accounts. OUs can be nested up to five levels. There are limits on the number of SCPs per account and the size of SCP documents. These limits are documented in the AWS Service Quotas documentation and are subject to change. AWS Organizations uses eventual consistency for some operations. For example, when you create a policy, it may take a few seconds to propagate to all accounts. For exam purposes, you need to remember that SCPs are inherited by child OUs and accounts, that the management account is not affected by SCPs attached to the root, and that consolidated billing is a key feature. You should also know that AWS Organizations is the foundation for AWS Control Tower, which is a higher-level service that automates the setup of a multi-account environment.

Real-Life Example

Think about a large apartment building with many tenants. The building has a landlord, a manager, and dozens of individual apartments. Each apartment has its own door, its own mailbox, and its own utilities.

Without a central system, the manager would have to go door to door to collect rent, deliver notices about noise, and make sure no one is breaking the fire code. It would be chaotic. AWS Organizations is like the building’s central management office.

In this office, the landlord sits. The landlord has a master key that can open any apartment. The landlord also has a single bank account where all the rent checks are deposited. This is the consolidated billing feature.

The landlord can see exactly how much each tenant pays, but the tenant sees only their own bill. Now, the landlord wants to enforce some rules. The landlord posts a notice on the main bulletin board that says, no one can have a barbecue on the balcony and no one can store flammable liquids in their apartment.

This notice applies to everyone in the building. In AWS Organizations, this bulletin board is a service control policy. The notice is the policy. It applies to all tenants, meaning all accounts, because it is attached to the root of the organization.

Now, the landlord also has a team of superintendents who handle different wings of the building. One superintendent handles the east wing, which has mostly commercial offices. Another handles the west wing, which has residential apartments.

The landlord can create subgroups. The landlord might post a separate notice for the commercial wing that says, you must keep your loading dock clean. This is like creating an organizational unit for the commercial accounts and applying a specific SCP to that OU.

The residents in the west wing do not have a loading dock, so they are not affected. Their notice still says no barbecues on balconies. The power of this system is that the landlord posts the rule once, and it automatically applies to every apartment in that group.

If a new tenant moves into the east wing, they immediately see the notice about the loading dock. They do not need to be told separately. This automatic enforcement is critical in cloud environments.

In a large company, an IT team might manage hundreds of accounts. Without AWS Organizations, they would have to manually configure security settings in each account. With Organizations, they create an SCP that says, for example, deny all actions on Amazon S3 that do not use encryption.

This SCP is applied to the root of the organization. Any new account that joins the organization immediately has this rule, preventing a developer from accidentally storing sensitive data without encryption. The analogy of the apartment building also helps explain the management account.

The landlord’s apartment is the management account. It is special. The landlord can go into any other apartment (account) because they have the master key (they can assume a role).

But the notices on the bulletin board do not apply to the landlord’s own apartment. The management account is not subject to SCPs attached to the root. This makes sense because the landlord needs full freedom to manage the building.

However, this also means that if someone breaks into the landlord’s apartment, they have total control. So the landlord must be extra careful. They lock their door with high-security locks (multi-factor authentication) and never leave the master key lying around.

In the same way, companies must protect their management account with extreme care. The apartment building analogy grounds the abstract concept of account management into something tangible. It shows how grouping, rule enforcement, and central billing work together to make managing many independent units easier and safer.

It also highlights the special status of the central authority (the management account) and the need for its protection.

Why This Term Matters

In the real world of IT, companies rarely use a single AWS account. As organizations grow, they adopt a multi-account strategy for many reasons. One reason is security. If you put all your applications and data in one account, and that account gets compromised, a bad actor has access to everything.

By using multiple accounts, you create isolation. If a development account is hacked, the production data in another account is safe. AWS Organizations is the tool that makes managing many accounts practical.

Without it, the administrative overhead of managing login credentials, billing, and security policies across dozens or hundreds of accounts would be overwhelming. You would have to manually configure IAM roles in every account, manually review each account’s bill, and manually ensure each account complies with company security standards. That is not just time-consuming.

It is error-prone. IT professionals use AWS Organizations to automate governance. For example, they can create an SCP that prevents anyone from launching Amazon EC2 instances in forbidden regions.

This rule is enforced automatically for every account in the organization. If a developer tries to spin up a server in a region where the company does not have compliance approval, the action is denied, even if the developer’s IAM user has full admin rights. This level of control is essential for regulated industries like finance and healthcare where compliance is not optional.

Another reason why it matters is cost management. With consolidated billing, a company can track cloud spending across all teams and projects from a single dashboard. This helps identify which team is spending the most, which projects are over budget, and where to apply cost-saving measures.

It also enables the enterprise to qualify for volume discounts, lowering the overall cloud bill. Without Organizations, each account would be billed separately, and the company might miss out on these savings. AWS Organizations is a prerequisite for other important AWS services like AWS Control Tower, which provides a pre-built governance framework.

Many enterprise customers use Control Tower to automatically set up a secure, multi-account environment. This shows that Organizations is not just a feature. It is the foundation for advanced cloud management.

For IT professionals, knowing how to set up and manage AWS Organizations is a core job skill. It appears in job interviews, in architectural discussions, and in troubleshooting scenarios. It directly impacts security posture, operational efficiency, and cost control.

Understanding this service is a clear differentiator between a junior cloud administrator who manages accounts one by one and a senior cloud architect who designs a scalable, secure, and manageable cloud infrastructure.

How It Appears in Exam Questions

Questions about AWS Organizations appear in several distinct patterns across the exams. The most common type is the scenario-based question where you must choose the correct service or configuration to solve a governance or billing problem. For example, a question might describe a large enterprise that has 200 AWS accounts. The security team needs a way to prevent any IAM user, regardless of their permissions, from launching Amazon EC2 instances in unauthorized regions. The correct answer is to create a service control policy (SCP) that denies the ec2:RunInstances action in the regions that are not allowed, and then attach that SCP to the root of the AWS Organization. This pattern tests your understanding that SCPs act as a guardrail that even an administrator in a member account cannot override.

Another common pattern involves consolidated billing. The question might say a company has multiple AWS accounts and wants to see a single monthly bill that includes all usage. The answer is to enable consolidated billing in AWS Organizations. A trap might be to suggest using AWS Cost Explorer or AWS Budgets, which are tools for analyzing costs, not aggregating them across accounts. You need to know that consolidated billing is a feature of Organizations.

A different question pattern focuses on account creation and management. For instance, a company wants to automate the creation of new AWS accounts for new projects. The solution is to use the AWS Organizations API to programmatically create accounts, and then use AWS CloudFormation StackSets to deploy resources into those new accounts. This tests your knowledge of the integration between Organizations and other services.

Questions also test your understanding of the management account. A classic trap question might say: A company has an SCP attached to the root that denies all actions on Amazon DynamoDB. A security administrator is unable to create a DynamoDB table in the management account. Is this correct? The answer is that the management account is not affected by SCPs, so the administrator should be able to create the table. The reason the administrator might fail is something else, like a deny in an IAM policy. But the SCP is not the cause. This questions your grasp of a core nuance.

Troubleshooting questions are common in the SysOps exam. For example, a user in a member account reports they cannot see the consolidated billing page. The answer is that only the management account can see the consolidated bill. Member accounts see only their own billing data. Another troubleshooting scenario might involve a new member account that cannot access a particular service. The solution is to check the SCPs attached to the OU where the account resides. If the SCP denies the service, that is the problem.

Configurational questions appear as well. You might be asked what steps are required to enable SCPs. The answer is that you must enable all features in AWS Organizations. If the organization is currently in consolidated billing mode only, you need to upgrade. This is a straightforward fact but often tested. Another configuration question might involve moving an account from one OU to another. You need to know that you can do this from the AWS Organizations console or API, and the SCPs from the new OU immediately apply to the account.

Finally, integration questions are increasingly common. For example, a company wants to centralize logging for all accounts. They decide to use AWS CloudTrail. The question asks how to ensure that logs from all accounts are delivered to a single Amazon S3 bucket. The correct approach is to set up a trail in the management account and enable the option to log all accounts in the organization. This tests your knowledge of the integration between CloudTrail and Organizations. The exam tests your ability to apply AWS Organizations to real-world governance, security, billing, and automation problems. You must not only know the features but also understand the interaction between components and the limitations, especially regarding the management account and SCPs.

Practise AWS Organizations Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you work for a mid-sized company called TechGlobal Inc. that builds mobile applications. TechGlobal currently has three AWS accounts: one for the development team, one for the testing team, and one for the production environment.

Up until now, each team managed its own account separately. The development team has full admin access and occasionally forgets to turn off expensive virtual servers on weekends. The testing team accidentally deleted a database last month.

The production team is very careful, but the CEO is worried about security loopholes. The company wants to get a handle on this chaos. They decide to use AWS Organizations. First, the cloud administrator logs into the account that will be the management account.

This is the account that TechGlobal uses for administrative purposes only. They create an AWS Organization and name it 'TechGlobal-Org'. They then invite the three existing accounts to join.

The administrators of the development, testing, and production accounts receive an invitation and accept it. Now, all three accounts are members of the organization. The administrator enables all features, which allows for service control policies.

The administrator then creates organizational units. She creates an OU called 'Sandbox' and puts the development and testing accounts into it. She creates another OU called 'Production' and puts the production account there.

Now, she creates a service control policy called 'NoDBAccessOutside'. This SCP denies the DeleteDBInstance action for the development and testing accounts. She attaches this policy to the 'Sandbox' OU.

Now, even if a developer has full admin permissions in their IAM role, they cannot delete a database instance. The operation is blocked by the SCP. Next, she creates a second SCP called 'CostManagement'.

This SCP denies the ability to launch EC2 instances of expensive instance types, like p3.16xlarge, in the Sandbox OU. She attaches it there. The production team is allowed to use any instance type because they need powerful machines for load testing, so she does not attach this policy to the Production OU.

Finally, she enables consolidated billing. Now, the monthly bill shows all usage from all three accounts in one consolidated view. The finance team is happy because they can track spending per account.

The security team is happy because the database cannot be accidentally deleted. The development team is slightly restricted, but they understand it is for the good of the company. This scenario demonstrates the core power of AWS Organizations.

It is a practical example of how a company can regain control over its cloud environment using OUs, SCPs, and consolidated billing, all without disrupting the day-to-day work of the developers.

Common Mistakes

Thinking service control policies (SCPs) grant permissions to users.

SCPs never grant permissions. They only define a boundary of what is allowed. Permissions are granted by Identity and Access Management (IAM) policies. An SCP cannot grant an action that an IAM policy does not allow. It only restricts further.

Always view SCPs as a limit or a fence. They can only deny or allow actions up to a maximum. They cannot give new permissions.

Believing the management account is subject to the same SCPs as member accounts.

The management account is never affected by SCPs that are attached to the root of the organization. This is a fundamental design rule. The management account needs full control to manage the organization.

Remember that SCPs do not apply to the management account. If you need to restrict the management account, you must rely on IAM policies and multi-factor authentication.

Assuming AWS Organizations is a regional service or must be enabled per region.

AWS Organizations is a global service. It operates across all AWS regions. You do not need to configure it in each region. Policies and accounts are managed globally.

Think of AWS Organizations as a global control plane, similar to IAM. You enable it once, and it applies everywhere.

Confusing consolidated billing with cost optimization features like Savings Plans.

Consolidated billing simply aggregates charges from multiple accounts into one bill. It does not, by itself, optimize costs. However, it enables aggregate usage, which can qualify the organization for volume discounts and better pricing tiers.

Understand that consolidated billing is a financial reporting feature. Use it with tools like AWS Cost Explorer to analyze and optimize costs.

Moving an account between organizational units and expecting the old SCPs to remain effective.

When an account is moved to a new OU, it immediately inherits the SCPs from the new OU. The old SCPs stop applying. This can cause unintended changes in permissions.

Always verify the SCPs attached to the new OU before moving an account. Plan the account migration carefully to avoid security gaps or accidental denial of access.

Thinking that AWS Organizations can only be used with a single AWS account.

AWS Organizations is specifically designed for managing multiple accounts. If you have only one account, you do not need it. Its value comes from central control across multiple accounts.

Only enable AWS Organizations when you have or plan to have more than one AWS account. For a single account, focus on IAM policies.

Exam Trap — Don't Get Fooled

{"trap":"An SCP attached to the root of the organization prevents everyone from using a specific service. An administrator logs into the management account and finds they can still use the service. They think the SCP is broken."

,"why_learners_choose_it":"Learners often assume that the root of the organization applies to all accounts including the management account. They do not know the special exemption. They also might think that SCPs work exactly like IAM policies."

,"how_to_avoid_it":"Memorize this rule: SCPs do not apply to the management account. The management account is the only account that can override the SCP attached to the root. If you see a question where a user in a member account cannot perform an action, check the SCP.

If it is the management account, the SCP is not the reason."

Commonly Confused With

AWS OrganizationsvsAWS Identity and Access Management (IAM)

IAM is about controlling permissions for individual users and roles within a single AWS account. AWS Organizations is about managing multiple accounts and applying policies across them as a group. IAM policies grant or deny specific actions, while SCPs in Organizations set account-level boundaries for all users and roles in that account.

IAM is like giving a specific employee a key card that opens certain doors in one building. AWS Organizations is like the building manager putting a sign on the whole building saying no one can open the door to the server room, regardless of their key card.

AWS OrganizationsvsAWS Control Tower

AWS Control Tower is a higher-level service that automates the setup of a multi-account environment using AWS Organizations. It provides a pre-built governance framework, including account factory, logging, and guardrails. AWS Organizations is the underlying service that Control Tower uses. You can use Organizations without Control Tower, but Control Tower requires Organizations.

AWS Organizations is like the raw lumber and nails. AWS Control Tower is like a pre-designed house kit that uses that lumber and nails to build a specific type of house quickly.

AWS OrganizationsvsAWS Budgets

AWS Budgets is a tool for setting cost and usage alerts. It monitors your spending and notifies you when you exceed or are about to exceed your budget. AWS Organizations is a management and governance service. While they work together (you can create budgets for accounts in an organization), their purpose is different: one is about cost tracking, the other is about account management and policy enforcement.

Budgets are like the fuel gauge and warning light in your car. Organizations is like the steering wheel and brakes that control where the car goes and how fast.

AWS OrganizationsvsAWS Single Sign-On (SSO)

AWS SSO allows users to log in once and access multiple AWS accounts and applications. It is an access management service. AWS Organizations provides the structure (accounts and OUs) that SSO uses. SSO can be configured to grant access to accounts based on the Organizational Units they belong to, but SSO itself does not enforce policies like SCPs.

SSO is like a master key that opens many doors. Organizations is the building manager who decides which doors exist and can put a lock on them.

AWS OrganizationsvsAWS resource groups and tagging

Resource groups and tagging are methods to organize resources within a single account or across accounts using metadata. AWS Organizations organizes the accounts themselves. You can use both together, but they operate at different levels. Resource groups group resources like EC2 instances or S3 buckets. Organizations groups entire AWS accounts.

Tagging is like putting stickers on boxes in a warehouse to say what is inside. AWS Organizations is like having separate warehouse rooms for different departments.

Step-by-Step Breakdown

1

Create the AWS Organization

The first step is to create the organization from the account that will become the management account. You go to the AWS Organizations console, choose to create an organization, and select either 'Consolidated billing features' or 'All features'. For full governance, choose all features. This creates a root container that holds everything.

2

Invite or create member accounts

You can invite existing AWS accounts to join your organization. The owner of the target account receives an invitation and must accept it. Alternatively, you can create new accounts directly from the Organizations console or API. New accounts are automatically members. This step populates your organization with accounts.

3

Create Organizational Units (OUs)

Organizational units act as folders to group accounts. You can create OUs with names like 'Dev', 'QA', 'Prod', 'Security', etc. OUs can be nested up to five levels deep. This structure mirrors your company's functional or security requirements. Grouping accounts makes policy management efficient.

4

Move accounts into the appropriate OUs

Once OUs are created, you move accounts into them. Each account can only be in one OU at a time. For example, move the development account into the 'Dev' OU. Moving an account changes the security policies that apply to it, as it now inherits the policies of the new OU.

5

Create Service Control Policies (SCPs)

SCPs are JSON documents that define permissions boundaries. You write a policy that either allows or denies specific AWS actions. For example, you can create an SCP that denies the deletion of Amazon S3 buckets. SCPs do not grant permissions; they only restrict them. You create them in the Policies section of the console.

6

Attach SCPs to OUs or the root

You attach the SCP to the OU where you want the policy to apply. If you attach it to the root, it applies to all accounts in the organization. If you attach it to a specific OU, it applies only to accounts in that OU and its child OUs. An account is affected by the union of all SCPs attached to its path from the root down to itself.

7

Enable consolidated billing (if not already)

Consolidated billing is automatically enabled when you create an organization. This allows the management account to pay for all the member accounts. You can view a single bill. You can also enable features like volume discounts. This step is simple but critical for cost management and reporting.

8

Integrate with other AWS services

Once the organization is set up, you can integrate it with AWS CloudTrail for centralized logging, AWS Config for compliance, AWS SSO for access management, and AWS Control Tower for advanced governance. These integrations enhance security and operational visibility across all accounts.

Troubleshooting Clues

Member account cannot access resources despite having IAM permissions

Symptom: Users in a member account get 'AccessDenied' errors even though their IAM policy allows the action.

A Service Control Policy (SCP) applied at the OU or root level may be explicitly denying the action. SCPs override IAM permissions even if they are Allow.

Exam clue: Exams present a scenario where an IAM user has full admin rights but can't perform a simple action because an SCP blocks it. The correct answer is to check the SCP associated with the account or OU.

Cannot create a new member account from the management account

Symptom: The CreateAccount API call fails with 'AccountLimitExceeded' or 'AccessDenied'.

AWS Organizations has a default soft limit of 10 accounts per organization. To create more, you must request a limit increase via Service Quotas. Also, the management account must have the necessary permissions (e.g., organizations:CreateAccount).

Exam clue: Exams test that account creation limits are per organization and can be increased only through AWS Support or Service Quotas. The error 'AccountLimitExceeded' is a common distractor.

SCP not taking effect on a member account

Symptom: Admin expects an SCP to block a specific action, but the member account can still perform it.

SCPs are not effective on the management account. Also, SCPs require time to propagate (usually a few seconds to minutes). If the SCP is attached to an OU but the account was moved recently, propagation may be delayed.

Exam clue: Exams often ask why an SCP didn't block an action-the answer is often 'The management account is not affected by SCPs' or 'SCP propagation delay'.

Account cannot leave the organization

Symptom: When trying to remove an account from the organization, the operation fails with 'Account cannot be removed' or 'Account has active resources'.

Member accounts must be 'clean'-they cannot have any active AWS resources or subscriptions. Also, the account must have the appropriate IAM role (OrganizationAccountAccessRole) or a support role to initiate the leave request.

Exam clue: Exams test that the management account cannot leave the organization. For member accounts, they must delete all resources first. The error 'Account cannot be removed because it has active resources' is a typical exam distractor.

Consolidated billing shows unexpected charges

Symptom: The management account sees charges in the consolidated bill that seem to belong to another account, or charges are duplicated.

Consolidated billing aggregates all costs from member accounts. However, if some accounts are not part of the organization (e.g., pre-existing accounts not invited), they will not appear. Also, discounts can be applied incorrectly if accounts are not properly grouped.

Exam clue: Exams often test that consolidated billing provides a single bill for all accounts, but does not change how individual accounts are charged. Misattribution of reserved instance (RI) discounts is a common topic.

IAM role 'OrganizationAccountAccessRole' missing after account creation

Symptom: When creating a new member account via automation, the default admin role is not created.

The role is only created automatically if you use the 'CreateAccount' API with the default setting. If you pass a custom role name, the role will be created with that name. Alternatively, if you create the account via the AWS Organizations console but with certain options, the role might be skipped.

Exam clue: Exams test that this role is created by default and grants the management account full access to the member account. Questions may ask how to regain access if the role is accidentally deleted (you can re-create it manually in the member account).

Service Control Policies (SCPs) not displayed in the member account's IAM console

Symptom: A member account admin logs into IAM and cannot see any SCP policies.

SCPs are only visible in the AWS Organizations console (from the management account) or via the Organizations API. They are not visible in the member account's IAM console because they are not IAM policies-they are organization-wide guardrails.

Exam clue: Exams often test that SCPs are not visible to individual account users. The confusion between IAM policies and SCPs is a common exam trap.

Learn This Topic Fully

This glossary page explains what AWS Organizations means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.A company uses AWS Organizations with all features enabled. An administrator attaches a Service Control Policy (SCP) to the root that denies all EC2 actions. Which account is NOT affected by this SCP?

2.An AWS Organization has consolidated billing enabled but not all features. Which of the following is NOT available?

3.A security engineer wants to ensure that no EC2 instances in a specific OU can be launched outside the 'us-east-1' region. Which approach should they use?

4.You are an administrator of the management account in AWS Organizations. You try to remove a member account from the organization, but the operation fails. What is the MOST likely cause?

5.When creating a new member account via AWS Organizations, which IAM role is automatically created for the management account to access the new account?