📖 What is AWS Organizations?
AWS Organizations centralizes management and governance of multiple AWS accounts. It enables consolidated billing, automated policy enforcement via Service Control Policies (SCPs), and simplified account creation. Organizations facilitates a multi-account strategy for security, compliance, and resource isolation within a single AWS environment.
"Service Control Policies (SCPs) are paramount. Understand their restrictive nature and how they override IAM permissions. Exam questions frequently test your understanding of organizational units (OUs) and their role in applying policies. Distinguish between consolidated billing and consolidated management."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of AWS Organizations?
- ▸ Organizations uses a hierarchical structure with a root, organizational units (OUs), and accounts, enabling granular policy application.
- ▸ Service Control Policies (SCPs) are JSON documents that define permissions boundaries for accounts and OUs: an action an SCP does not allow is denied even when an IAM policy in the account grants it.
- ▸ Consolidated billing simplifies payment by combining the usage of multiple accounts into a single bill, potentially unlocking volume discounts.
- ▸ Organizations facilitates automated account creation and management, streamlining onboarding and offboarding processes.
- ▸ Tagging policies can be applied through Organizations to enforce consistent tagging across all accounts for cost allocation and management.
🎯 How does AWS Organizations appear on the SAA-C03 Exam?
You may be asked to identify the best way to enforce a company-wide policy prohibiting the creation of S3 buckets in certain regions using Organizations features.
A scenario might describe a company needing to centrally manage billing and access control for multiple departments – determine how Organizations addresses this.
Expect questions about how SCPs interact with IAM policies, specifically which one takes precedence when there's a conflict.
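The region-restriction scenario above as an SCP, added here as an illustration and not taken from the page or from AWS documentation; the approved region list is a placeholder, and `s3:LocationConstraint` is the condition key that carries the requested bucket region on `CreateBucket`. Attached to an OU, it denies bucket creation outside the listed regions for every account in that OU regardless of what their IAM policies allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3BucketCreationOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": "s3:CreateBucket",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:LocationConstraint": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats when rolling this out: SCPs never restrict the management account, so bucket creation there is unaffected, and buckets in us-east-1 are created without a LocationConstraint in the request, so test the policy's behaviour for that region before attaching it to production OUs.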
❓ Frequently Asked Questions
Can I apply different SCPs to different accounts within the same OU?
No, SCPs are inherited down the hierarchy. An SCP applied to an OU applies to all accounts within that OU, but you can nest OUs to achieve different policy sets.
What happens if an SCP denies a permission that an IAM user would normally have?
The SCP always takes precedence. Even if an IAM policy grants a permission, the SCP can explicitly deny it, effectively blocking the action.
How does Organizations help with compliance requirements like PCI DSS?
Organizations allows you to isolate accounts handling sensitive data within dedicated OUs and apply restrictive SCPs to enforce compliance controls, simplifying auditing.