This chapter covers AWS Organizations Consolidated Billing, a core feature for cost optimization in multi-account AWS environments. Understanding this topic is critical for the SAA-C03 exam, as questions on cost management, billing, and multi-account strategies appear frequently—approximately 10-15% of exam questions touch on cost optimization, with consolidated billing being a key component. We will explore how consolidated billing works, its benefits, and how to configure it, along with common pitfalls and exam traps.
Imagine a large corporation with multiple departments, each with its own phone extension. The company has a single main phone line that all departments share for external calls. At the end of the month, the phone company sends one consolidated bill for all calls made from the main line. The company's accounting department then breaks down the bill by department based on the extension used for each call. Each department sees its own usage and charges, but the total bill is lower because the company gets volume discounts (e.g., lower per-minute rates) that no single department could get alone. Departments can also negotiate special rates for certain services (like international calls) that apply to all extensions. Importantly, the main line can block certain premium-rate numbers for all departments, enforcing a company-wide policy. This is exactly how AWS Organizations Consolidated Billing works: multiple AWS accounts (departments) share a single payment method (main line) and get volume discounts on services like EC2 and S3. Each account sees its own usage in Cost Explorer (itemized bill), while the payer account sees the aggregated total and receives the consolidated invoice. Service Control Policies (SCPs) act like the company-wide rules to block certain actions across all accounts.
What is AWS Organizations Consolidated Billing?
AWS Organizations is a service that enables you to centrally manage multiple AWS accounts. Consolidated Billing is a feature of AWS Organizations that allows you to combine usage from all member accounts into a single monthly bill for the management (payer) account. This aggregation provides several cost benefits, including volume discounts, reserved instance sharing, and simplified billing.
Why Consolidated Billing Exists
Before AWS Organizations, managing multiple accounts meant each account had its own separate bill, with no way to combine usage for discounts. As organizations grew, they needed a way to:
Aggregate usage to qualify for volume pricing tiers (e.g., higher EC2 usage reduces per-hour rates).
Share Reserved Instances and Savings Plans across accounts to maximize utilization.
Centralize payment while maintaining account isolation for security or organizational boundaries.
Simplify auditing by having a single invoice.
Consolidated Billing solves these problems by treating all accounts as a single customer for pricing purposes while keeping each account's usage data separate for internal chargeback.
How It Works Internally
When you create an AWS Organization, you designate one account as the management (payer) account. All other accounts become member accounts. The payer account is responsible for paying the consolidated bill. The process works as follows:
Account Linking: Member accounts are invited to join the organization. Once accepted, they are linked under the payer account.
Usage Aggregation: AWS aggregates all usage from all accounts in the organization. For services like EC2, S3, and RDS, the combined usage determines the pricing tier. For example, if Account A uses 50 GB of S3 Standard storage and Account B uses 150 GB, the total is 200 GB, which may qualify for a lower per-GB price than either account alone.
Billing Calculation: At the end of the month, AWS calculates the total cost based on aggregated usage. The payer account receives a single invoice that includes all charges from all member accounts.
Cost Allocation: Each account can still view its own usage and charges via Cost Explorer. The payer account can see all accounts' usage. Tags can be used to allocate costs to specific projects or departments.
Key Components and Defaults
Management Account: The account that creates the organization and pays the bills. It cannot be changed after creation.
Member Accounts: Accounts that belong to the organization. They can be created via AWS Organizations or invited.
Organizational Units (OUs): Groups of accounts that allow hierarchical management and policy application.
Service Control Policies (SCPs): Policies that control permissions for accounts in the organization. They can be used to enforce cost controls (e.g., deny launching expensive instance types).
Consolidated Billing Feature: Enabled by default when you create an organization. You cannot disable it; you can only remove accounts.
Important Defaults:
Consolidated billing is automatically enabled when you create an AWS Organization.
All existing accounts in the organization are subject to consolidated billing.
There is no additional cost for using AWS Organizations or Consolidated Billing.
The payer account is responsible for all charges; member accounts cannot have their own payment methods.
Reserved Instance (RI) and Savings Plan Sharing
One of the most powerful features of consolidated billing is the ability to share Reserved Instances and Savings Plans across accounts. AWS automatically applies any RI or Savings Plan discounts from any account in the organization to matching usage in any other account. This maximizes utilization and reduces waste.
How RI Sharing Works:
RIs are purchased in a specific account (e.g., the payer account or a member account).
The discount is applied to any account in the organization that has matching usage (same instance family, region, etc.).
The account that purchased the RI still receives the billing benefit (the RI cost is charged to that account).
There is no need to manually share RIs; it's automatic.
Example: If Account A buys 10 m5.large RIs in us-east-1, and Account B launches 5 m5.large instances in us-east-1, Account B's instances get the RI discount. Account A pays for the RIs, but the overall organization saves money because fewer instances run at on-demand rates.
Savings Plans: Similar to RIs, Savings Plans (Compute, EC2 Instance, or Machine Learning) are shared across accounts in the organization automatically. The discount applies to usage from any account.
Cost Explorer and Budgets
With consolidated billing, the payer account can use Cost Explorer to view costs across all accounts, filter by account, tag, or service. Budgets can be set at the organization level or per account. Alerts can be sent when costs exceed thresholds.
Configuration Example: To create a budget that alerts when total organization costs exceed $10,000:
aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{"BudgetName":"OrgBudget","BudgetLimit":{"Amount":"10000","Unit":"USD"},"TimeUnit":"MONTHLY","BudgetType":"COST"}' \
  --notifications-with-subscribers '[
    {"Notification":{"NotificationType":"ACTUAL","ComparisonOperator":"GREATER_THAN","Threshold":100},
     "Subscribers":[{"SubscriptionType":"EMAIL","Address":"admin@example.com"}]}
  ]'
SCPs for Cost Control
Service Control Policies (SCPs) can be used to restrict actions that could increase costs. For example, you can deny launching EC2 instances of certain types or in certain regions. SCPs apply to all accounts in an OU or the entire organization.
Example SCP to deny launching GPU instances:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyGPUInstances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": ["p*", "g*"]
        }
      }
    }
  ]
}
How It Interacts with Other Services
AWS Cost and Usage Report: Can be configured to include all accounts in the organization, providing detailed hourly usage data.
AWS Budgets: Can be set at the organization level or per account.
AWS Trusted Advisor: Can check for unused RIs across the organization.
AWS Control Tower: Automatically sets up consolidated billing with guardrails.
Limitations
The payer account cannot be changed once the organization is created. To change it, you must migrate accounts to a new organization.
Only one organization per AWS account.
The payer account is still a regular AWS account; it can have its own resources.
Consolidated billing does not merge accounts; each account remains separate with its own resources and permissions.
Verification Commands
To list all accounts in an organization:
aws organizations list-accounts
To describe the organization:
aws organizations describe-organization
To see the consolidated billing details, navigate in the console to Billing and Cost Management > Consolidated Billing.
Create AWS Organization
Sign in to the AWS Management Console with the account that will be the management (payer) account. Navigate to AWS Organizations and choose 'Create organization'. AWS automatically enables consolidated billing. The management account becomes the payer account. This step is irreversible; the management account cannot be changed later. Note that the account must have a valid payment method and must not be a member of any other organization.
Invite or Create Member Accounts
To add existing AWS accounts, send invitations from the Organizations console. The invited account must accept the invitation. Alternatively, create new accounts directly within Organizations, which automatically generates a new AWS account with a unique email and password. New accounts created this way have no payment method; they use the payer account's payment method. Accounts can be organized into Organizational Units (OUs) for hierarchical management.
Enable Reserved Instance Sharing
By default, Reserved Instance and Savings Plan sharing is enabled for the organization. No action is needed. AWS automatically calculates the aggregated usage and applies discounts across accounts. The discount is applied to any account with matching usage, regardless of which account purchased the RI. This is a key benefit: it maximizes RI utilization and reduces waste.
Apply Service Control Policies
Optionally, attach SCPs to the root, OUs, or individual accounts to enforce cost controls. For example, deny launching expensive instance types or restrict regions. SCPs are evaluated before IAM policies and can only restrict permissions, never grant them. They apply to all users and roles in the account, including the root user. Use caution: overly restrictive SCPs can break legitimate workloads.
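The DenyGPUInstances SCP shown earlier can be checked offline before it is attached to a test OU. The following is an added example, not part of the original chapter and not AWS tooling: a simplified evaluator that models SCPs as a filter on top of IAM. It assumes Resource always matches and supports only StringLike conditions; the IAM_DEV policy and the sample instance types are constructed.

```python
import re

# DenyGPUInstances is the SCP from this page; FullAWSAccess is the allow-all SCP
# that AWS Organizations attaches by default when SCPs are used as a deny list.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_GPU = {"Statement": [{
    "Sid": "DenyGPUInstances", "Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringLike": {"ec2:InstanceType": ["p*", "g*"]}},
}]}
# Constructed identity policy for a hypothetical developer role.
IAM_DEV = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _like(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(stmt, request):
    """True if Action and every StringLike condition match the request.
    Simplification: Resource is not evaluated (assumed to match)."""
    if not any(_like(a, request["action"], True) for a in _as_list(stmt["Action"])):
        return False  # action names are case-insensitive
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        value = request["context"].get(key)
        if value is None or not any(_like(p, value) for p in _as_list(patterns)):
            return False  # StringLike is case-sensitive; a missing key never matches
    return True

def _find(policies, effect, request):
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == effect and _matches(stmt, request):
                return stmt
    return None

def evaluate(request, scps, iam_policies):
    """Return (decision, reason) for one request made in a member account."""
    deny = _find(scps, "Deny", request)
    if deny:
        return "Deny", "explicit deny in SCP " + deny.get("Sid", "(no Sid)")
    if not _find(scps, "Allow", request):
        return "Deny", "no SCP allows the action"
    if _find(iam_policies, "Deny", request):
        return "Deny", "explicit deny in IAM policy"
    if not _find(iam_policies, "Allow", request):
        return "Deny", "no IAM policy allows the action (SCPs never grant)"
    return "Allow", "allowed by IAM and not blocked by any SCP"

def run_instances(instance_type):
    return {"action": "ec2:RunInstances", "context": {"ec2:InstanceType": instance_type}}

def dry_run(instance_types, scps, iam_policies):
    """Map each instance type to the decision a RunInstances call would get."""
    return {t: evaluate(run_instances(t), scps, iam_policies)[0] for t in instance_types}

if __name__ == "__main__":
    sample = ["p3.16xlarge", "g4dn.xlarge", "m5.large", "t3.micro"]  # constructed
    for itype, decision in dry_run(sample, [FULL_AWS_ACCESS, DENY_GPU], [IAM_DEV]).items():
        print(f"{itype:12} {decision}")
```

Passing `[DENY_GPU]` without `FULL_AWS_ACCESS` denies every request, which is the kind of over-restriction that a trial on a test OU is meant to catch.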
Monitor Costs with Cost Explorer
The payer account can use Cost Explorer to view aggregated costs across all accounts. Filter by account, service, or tag. Set budgets and alerts to monitor spending. Each member account can also view its own costs but cannot see other accounts' costs unless granted cross-account access. Cost Explorer data is available up to 12 months. Use the AWS Cost and Usage Report for detailed hourly data.
Enterprise Scenario 1: Large Enterprise with Business Units
A multinational corporation has multiple business units, each with its own AWS account for isolation. The central IT team uses AWS Organizations with consolidated billing to aggregate usage and get volume discounts. They purchase all Reserved Instances in the payer account, which automatically apply to any account that launches matching instances. This reduces overall EC2 costs by 30%. They use SCPs to restrict non-production accounts from launching expensive instance types (e.g., p3.16xlarge) and to enforce that all resources are tagged with a cost center. The finance team uses Cost Explorer to allocate costs back to business units based on tags. A common issue is that some teams forget to tag resources, making cost allocation inaccurate. To solve this, they use SCPs to deny launching resources without required tags.
Enterprise Scenario 2: Startup with Multiple Environments
A fast-growing startup uses separate AWS accounts for development, staging, and production. They consolidate billing to simplify payment and get volume discounts. They purchase Compute Savings Plans in the payer account, which cover all accounts. However, they initially configured the development account with its own payment method, which prevented it from being added to the organization. They had to migrate the account by closing it and recreating it under the organization. They also learned that the payer account cannot be changed, so they carefully chose the account to be the payer. A misconfiguration occurred when an SCP accidentally denied access to S3 for all accounts, causing production outages. They learned to test SCPs on a test OU first.
Enterprise Scenario 3: Managed Service Provider (MSP)
An MSP manages AWS accounts for multiple clients. They use AWS Organizations with consolidated billing for each client, creating separate organizations per client. They act as the payer account for each client's organization, handling billing and applying SCPs for security. They use Cost Explorer to generate client-specific reports. A common challenge is that each client's organization has a separate payer account, requiring multiple invoices. They automate account creation and policy management using AWS CloudFormation and the Organizations API. They also set up budgets to alert when a client's costs exceed expectations. One client accidentally launched a large number of instances, causing a spike; the budget alert helped the MSP quickly identify and shut down the resources.
SAA-C03 Exam Focus on Consolidated Billing
The SAA-C03 exam tests consolidated billing primarily under the Cost Optimized domain (Objective 4.4). Questions often appear in the context of multi-account strategies, cost optimization, and reserved instance sharing. Here are the key points:
What the Exam Tests:
- Understanding that consolidated billing aggregates usage for volume discounts.
- Knowing that Reserved Instances and Savings Plans are automatically shared across accounts in an organization.
- Recognizing that Service Control Policies can enforce cost controls.
- Identifying that the payer account receives the consolidated invoice and is responsible for payment.
- Knowing that member accounts cannot have their own payment methods.
Common Wrong Answers and Why Candidates Choose Them:
1. "Consolidated billing merges accounts into a single account." This is wrong because accounts remain separate; only billing is combined. Candidates confuse billing aggregation with account merging.
2. "Reserved Instances must be manually shared across accounts." This is false; sharing is automatic. Candidates think they need to configure RI sharing because they are used to manual processes.
3. "Each member account receives its own invoice." Incorrect; only the payer account receives the consolidated invoice. Member accounts can view their own usage but not a separate invoice.
4. "You can change the payer account at any time." False; the management account is fixed after creation. Candidates may think they can reassign the payer role.
Specific Numbers and Terms:
- The term "management account" is used in the exam, not "payer account".
- The exam may ask about "all features" mode vs. "consolidated billing only" mode. All features include SCPs and sharing; consolidated billing only does not.
- Reserved Instance discount applies to any account in the organization; the account that purchased the RI still pays for it.
- SCPs are applied at the root, OU, or account level; they cannot be applied to individual IAM users.
Edge Cases:
- If an account leaves the organization, its RIs and Savings Plans no longer benefit the organization.
- SCPs do not affect the management account by default; to apply SCPs to the management account, you must enable a feature.
- Consolidated billing does not affect data transfer costs; data transfer between accounts is still charged separately.
How to Eliminate Wrong Answers:
- If an answer says "each account gets its own invoice," it's wrong.
- If an answer says "RIs must be shared manually," it's wrong.
- If an answer says "you can change the payer account," it's wrong.
- If an answer says "consolidated billing combines resources," it's wrong (it combines billing only).
Consolidated billing aggregates usage from all member accounts for volume discounts on services like EC2, S3, and RDS.
Reserved Instances and Savings Plans are automatically shared across all accounts in the organization, maximizing utilization.
Only the management (payer) account receives the consolidated invoice; member accounts cannot have their own payment methods.
Service Control Policies (SCPs) can be used to enforce cost controls by denying specific actions (e.g., launching expensive instance types).
The management account cannot be changed after the organization is created; choose carefully.
Consolidated billing does not merge accounts; each account remains independent with its own resources and security.
Cost Explorer and AWS Budgets can be used to monitor and alert on costs across the organization.
When an account leaves the organization, its RIs and Savings Plans no longer benefit the remaining accounts.
These come up on the exam all the time. Here's how to tell them apart.
Consolidated Billing (All Features)
Enables Service Control Policies (SCPs) for fine-grained access control
Allows automatic Reserved Instance and Savings Plan sharing
Supports integration with AWS Control Tower and AWS SSO
Provides centralized logging with AWS CloudTrail
Recommended for production environments with multiple accounts
Consolidated Billing Only
No SCPs; only basic billing aggregation
No automatic RI sharing; RIs are account-specific
No integration with advanced governance tools
CloudTrail is not centrally managed per organization
Suitable for simple billing consolidation without policy enforcement
Mistake
Consolidated billing merges all accounts into a single AWS account.
Correct
Accounts remain separate with their own resources, permissions, and security boundaries. Only billing is consolidated. Each account still has its own root user and IAM configuration.
Mistake
Reserved Instances must be manually shared across accounts in the organization.
Correct
RI and Savings Plan discounts are automatically applied to any matching usage across all accounts in the organization. No manual sharing is needed. The discount follows the usage, not the account.
Mistake
Each member account receives its own monthly invoice from AWS.
Correct
Only the payer (management) account receives the consolidated invoice. Member accounts can view their own usage via Cost Explorer but do not receive a separate bill.
Mistake
You can change the management (payer) account after the organization is created.
Correct
The management account is fixed at creation time. To change it, you must create a new organization and migrate accounts, which is a complex process.
Mistake
Service Control Policies (SCPs) can grant permissions to accounts.
Correct
SCPs can only deny permissions; they cannot grant permissions. They act as a filter on top of IAM policies. Permissions must still be granted via IAM.
Sign in to the AWS Management Console with the account you want as the payer. Navigate to AWS Organizations and choose 'Create organization'. This automatically enables consolidated billing. Then invite existing accounts or create new ones. No additional configuration is needed for billing aggregation.
No, an organization has exactly one management (payer) account. All member accounts are billed through this single payer account. You cannot have multiple payer accounts within the same organization.
Reserved Instance discounts are automatically applied to any matching usage in any account within the organization. The account that purchased the RI still pays for it, but the discount benefits all accounts. No manual sharing configuration is required.
When a member account leaves the organization, its usage is no longer aggregated with the organization. The account becomes standalone and is billed separately. Any Reserved Instances or Savings Plans purchased by that account no longer benefit the organization.
Yes, AWS Control Tower automatically sets up AWS Organizations with consolidated billing when you create a landing zone. It also configures guardrails (SCPs) and account factory for automated account creation.
The payer account can use Cost Explorer to filter costs by linked account. Each member account can also view its own costs but cannot see other accounts' costs unless granted cross-account access via IAM roles.
You cannot disable consolidated billing for an organization. You can only remove accounts from the organization, which will stop their billing aggregation. To completely disable it, you must delete the organization.