AWS Organisations is a free service that allows you to programmatically add and remove AWS accounts and group together AWS accounts into organisational units.
AWS Organizations helps you centrally manage and govern your AWS environment as you grow and scale your AWS resources. Using AWS Organizations, you can create accounts and allocate resources, group accounts to organize your workflows, apply policies for governance, and simplify billing by using a single payment method for all of your accounts.
AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization.
Before AWS Organisations, AWS accounts needed to be added manually which could be quite time consuming for large organisations with hundreds of users or high staff turnover.
The benefit of grouping together AWS accounts into organisational units (OU) is that it allows you to centrally manage the attached accounts and to apply security and other corporate policies to the managed accounts.
The billing for accounts grouped into organisational units can be consolidated and have budgets applied so you can centrally manage your cloud costs and monitor expenditure of the AWS accounts your organisation is managing.
An OU is effectively a container for AWS accounts created under a Root AWS account.
One AWS account can belong to only one OU however, an OU can be a member of another OU. So for instance you could have an Engineering OU that has subsets of AWS accounts in separate subservient OUs like DB Admins or DevOps
When you attach a policy to a node within this hierarchy, like for instance the Engineering OU, the policy flows down to the AWS accounts either directly attached to the Engineering OU or attached to downline OUs like DevOps in the diagram above.
Individual IAM policies, group policies and role policies can still be applied to AWS account users whose AWS account belongs to an OU. An IAM policy can only be applied to an IAM user or role, where as a service control policy can be applied to all users within an AWS account that belongs to an OU
AWS Organisations provides advantages in four key areas
Service Control Policies: (SCPs) which enable you to control access to AWS services using predetermined permissions.
Group-based Account Management: to ensure accounts created within the group receive predetermined access and permissions
APIs : To automate the creation of AWS accounts within an organisational unit using automation.
Consolidated Billing : Allows you create a single billing point for all the AWS accounts in your organisation units. Your AWS bill for all member AWS accounts will be consolidated onto one bill.
How to create an AWS Organisational Unit.
From the master or root AWS account, you create a new organisation which can be found on your AWS console under Governance / AWS Organisations
When you select the menu item, an organisation is immediately created with a root and system generated organisation ID with your AWS account at the top of the hierarchy as the management account.
The next stage is invite another AWS account to the organisation and to create a new AWS account as a member of the organisation.
Once you have some accounts attached to the organisation, you will be able to create OUs and place them in a logical hierarchy so they can be centrally managed.
Once you have your OUs created, you can use individual AWS service consoles to enable trusted access with AWS Organisations.
With the trust link established between a service and AWS Organisations, you can then define policies like backup, service control and tagging that may be attached to your organisational units.
To control your AWS Organisations you have a number of options.
AWS Management Console: You can use the AWS Org console or the individual service consoles to manage the associations and policies for your OUs
CLI: You can use the AWS command line to manipulate your OU setup.
SDKs: You can programmatically interact with AWS Organisations using multiple SDKs including Java, Ruby, Python, .Net, IOS and Android.
HTTPS Query API : You can also issue https requests directly to the service as long as you include code to digitally sign the requests using your credentials.
To recap, AWS Organisations allows you to programmatically create and manage AWS accounts and place them in a centrally managed organisation. This provides consolidated billing and centrally controlled account management capabilities that help deliver your business outcomes around budget, security and governance.
If you are building on AWS you probably already appreciate the value of accurate network topology diagrams. If you would like to see what your AWS environments look like with a set of automatically generated VPC diagrams that keep themselves updated and changes are detected, all hands-free then please take Hava for a free 14 day trial using the button below.