As businesses expand their footprint on AWS and utilize more services to build and deploy their applications, it becomes apparent that multiple AWS accounts are required to manage the environment and infrastructure.
A multi-account strategy is beneficial for a number of reasons as your organization scales. Some examples of why people use multi-account strategies include:
Cost optimization and billing
Security and governance
Defining business units
As you begin to expand with multiple accounts, it becomes increasingly difficult to manage them as separate entities. The more accounts you have, the more distributed your environment becomes and the associated risks multiply.
AWS Organizations provides a means of centrally managing and categorizing multiple AWS accounts that you own. This helps maintain your AWS environment from a security, compliance, and account management perspective.
To understand how AWS organizations works to simplify things, we first need to be aware of the hierarchy of service’s components.
AWS Organizations Components
AWS Organizations uses the following components:
Service Control Policies
An Organization is an element that serves to form a hierarchical structure of multiple AWS accounts. You could think of it as a family tree which provides a graphical view of your entire AWS account structure. At the very top of this Organization, there will be a Root container.
The Root object is simply a container that resides at the top of your Organization. All of your AWS accounts and Organizational units will sit underneath this Root. Within any Organization, there will only be one single Root object.
Organizational Units (OUs) provide a means of categorizing your AWS Accounts. Again, like the Root, these are simply containers that allow you to group together specific AWS accounts. An OU can connect directly below the Root or even below another OU (which can be nested up to 5 times). This allows you to create a hierarchical structure as