Links#
- What is AWS Organizations
- AWS Organizations policies
- Service control policies
- SCP examples
- AWS Organizations with other AWS services
- Management account best practices
- AWS Organizations quotas
- CloudTrail organization trail
1. Important Points#
AWS Organizations 是多账号治理服务,核心价值不是“创建账号”,而是把账号、权限边界、审计、账单和安全服务集中管理。
AWS Organizations 用来做:
centralized account management
OU-based account grouping
consolidated billing
organization-wide policy guardrails
delegated administrator for security / audit services
organization CloudTrail / GuardDuty / Security Hub / Config integration
AWS Organizations 不负责:
workload runtime
app-level permission
network isolation by itself
replacing IAM policy
replacing Control Tower account vending / landing zone automation核心原则:
management account:
only for organization, billing, identity center, emergency admin
do not run workload
do not create daily-use IAM users
member account:
one account = one strong blast-radius boundary
workload, environment, security tooling, logging should be separated
OU:
policy inheritance boundary
do not model company org chart blindly
model security and operational requirements
SCP:
guardrail only
never grants permission
applies to member accounts, not management account2. Core Concepts#
| Concept | Meaning | Production Note |
|---|---|---|
| Organization | 一组 AWS accounts 的管理边界 | usually one company has one main organization |
| Management account | 创建 organization 的账号 | keep empty, highly protected |
| Member account | organization 里的普通账号 | run workloads here |
| Root | organization 顶层节点 | can attach policies, but test first |
| OU | Organizational Unit | group accounts by security boundary |
| SCP | Service Control Policy | principal permission guardrail |
| RCP | Resource Control Policy | resource permission guardrail |
| Delegated admin | member account 管理某个 AWS service 的 org integration | avoid using management account daily |
| Trusted access | 允许 AWS service 访问 organization 信息 | enable only for required services |
effective permission mental model:
IAM identity/resource policy must allow
permissions boundary must allow, if used
SCP path must allow
RCP path must allow, if used
explicit deny always wins3. Recommended OU Layout#
Small to medium production baseline:
AWS Organizations
├── Security
│ ├── log-archive
│ └── security-tooling
├── Infrastructure
│ ├── network
│ └── shared-services
├── Workloads
│ ├── Dev
│ │ └── app-dev
│ ├── UAT
│ │ └── app-uat
│ └── Prod
│ └── app-prod
├── Sandbox
│ └── engineer-sandbox
└── Suspended
└── closed-or-quarantined-accountDesign rules:
separate by:
environment: dev / uat / prod
security criticality: security / log / network / workload
access model: sandbox vs production
lifecycle: active vs suspended
avoid:
one account for everything
OU based only on team name
attaching strict SCP to root without test OU
putting security logs in workload accountsAccount split examples:
| Account | Purpose |
|---|---|
| management | Organizations, billing, IAM Identity Center |
| log-archive | CloudTrail / Config / central immutable logs |
| security-tooling | GuardDuty / Security Hub / Detective / audit tooling |
| network | shared VPC, TGW, Route 53 private zones |
| shared-services | CI/CD, artifact, internal platform |
| app-dev | development workload |
| app-uat | pre-production workload |
| app-prod | production workload |
4. Policy Types#
Organizations policies are available when all features are enabled.
| Policy Type | What It Controls | Typical Use |
|---|---|---|
| SCP | maximum permissions for IAM users and roles | deny risky APIs, region guardrail, root guardrail |
| RCP | maximum permissions for resources | restrict resource exposure across accounts |
| Tag policy | tag key/value standardization | cost allocation, ownership, automation |
| Backup policy | AWS Backup plan across accounts | central backup baseline |
| Declarative policy | centrally configure supported AWS service attributes | service configuration governance |
| AI services opt-out policy | AI service data collection preference | organization-wide privacy setting |
SCP important:
does not grant permissions
applies to IAM users and roles in member accounts
also affects member account root user
does not affect management account
does not restrict service-linked roles
FullAWSAccess is attached by default
RCP important:
works on resources instead of principals
useful when resource exposure must be centrally constrained
use together with SCP when both principal and resource guardrails matter5. Baseline SCPs#
Start with deny-list guardrails. They are easier to operate than allow-list guardrails for most teams.
deny root user#
Attach to workload OUs after testing.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyRootUser",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
}
]
}deny leaving organization#
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrganization",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
]
}deny disabling security baseline#
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDisableSecurityBaseline",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail",
"config:DeleteConfigurationRecorder",
"config:StopConfigurationRecorder",
"guardduty:DeleteDetector",
"guardduty:DisassociateFromAdministratorAccount",
"securityhub:DisableSecurityHub",
"securityhub:DisassociateFromAdministratorAccount",
"access-analyzer:DeleteAnalyzer"
],
"Resource": "*",
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/OrganizationSecurityAdmin",
"arn:aws:iam::*:role/AWSReservedSSO_BreakGlassAdmin_*"
]
}
}
}
]
}deny IAM users in prod#
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyIAMUsersAndAccessKeysInProd",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateLoginProfile",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:AttachUserPolicy",
"iam:PutUserPolicy"
],
"Resource": "*",
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/OrganizationSecurityAdmin",
"arn:aws:iam::*:role/AWSReservedSSO_BreakGlassAdmin_*"
]
}
}
}
]
}quarantine account#
Attach to Suspended OU.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QuarantineAccount",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/OrganizationSecurityAdmin",
"arn:aws:iam::*:role/AWSReservedSSO_BreakGlassAdmin_*"
]
}
}
}
]
}6. Delegated Administrator#
Delegated administrator lets a member account manage organization integration for a service. This keeps daily operations out of the management account.
Common delegated admin accounts:
| Service | Delegated Account |
|---|---|
| GuardDuty | security-tooling |
| Security Hub | security-tooling |
| Amazon Inspector | security-tooling |
| AWS Config Aggregator | security-tooling or log-archive |
| CloudTrail Lake / trails | log-archive or security-tooling |
| IAM Access Analyzer | security-tooling |
| AWS Backup | backup or security-tooling |
| CloudFormation StackSets | shared-services or platform |
Enable trusted access and delegated admin:
export SECURITY_ACCOUNT_ID="111122223333"
aws organizations enable-aws-service-access \
--service-principal guardduty.amazonaws.com
aws organizations register-delegated-administrator \
--account-id "$SECURITY_ACCOUNT_ID" \
--service-principal guardduty.amazonaws.comVerify:
aws organizations list-delegated-administrators
aws organizations list-aws-service-access-for-organizationOperational rule:
management account:
enable trusted access
register delegated administrator
emergency operation only
delegated admin account:
configure service
monitor findings
operate daily security controls7. Account Operations#
List organization:
aws organizations describe-organization
aws organizations list-roots
aws organizations list-accountsCreate OU:
export ROOT_ID="r-xxxx"
aws organizations create-organizational-unit \
--parent-id "$ROOT_ID" \
--name "Workloads"Create account:
aws organizations create-account \
--email "aws-prod@example.com" \
--account-name "app-prod" \
--role-name "OrganizationAccountAccessRole"Check create-account status:
aws organizations describe-create-account-status \
--create-account-request-id "car-example"Move account to OU:
export ACCOUNT_ID="444455556666"
export OLD_PARENT_ID="r-xxxx"
export NEW_OU_ID="ou-xxxx-yyyyyyyy"
aws organizations move-account \
--account-id "$ACCOUNT_ID" \
--source-parent-id "$OLD_PARENT_ID" \
--destination-parent-id "$NEW_OU_ID"Create and attach SCP:
aws organizations create-policy \
--name "DenyLeaveOrganization" \
--description "Deny member accounts from leaving the organization" \
--type SERVICE_CONTROL_POLICY \
--content file://deny-leave-org.json
aws organizations attach-policy \
--policy-id "p-example" \
--target-id "ou-xxxx-yyyyyyyy"Find policies attached to an OU or account:
aws organizations list-policies-for-target \
--target-id "ou-xxxx-yyyyyyyy" \
--filter SERVICE_CONTROL_POLICYFind accounts under an OU:
aws organizations list-accounts-for-parent \
--parent-id "ou-xxxx-yyyyyyyy"8. Security Best Practices#
management account:
root MFA enabled
no workload
very few administrators
use IAM Identity Center
break-glass role documented and monitored
billing and org operations only
member accounts:
no IAM users in production
no long-lived access keys for CI/CD
use OIDC assume role for deployment
use permission sets for human access
enable CloudTrail / GuardDuty / Security Hub / Config baseline
organization:
all features enabled
organization trail enabled
delegated admin for security services
SCP tested in a test OU first
account lifecycle documented9. Monitoring#
Must-have audit:
| Signal | Where |
|---|---|
| account created / invited / removed | CloudTrail management event |
| OU created / deleted / moved | CloudTrail management event |
| SCP attached / detached / updated | CloudTrail management event |
| delegated admin registered / deregistered | CloudTrail management event |
| trusted access enabled / disabled | CloudTrail management event |
| root user activity | CloudTrail + EventBridge alert |
| organization trail stopped | CloudTrail / Security Hub / custom alert |
CloudTrail organization trail:
purpose:
one central trail for management events from all member accounts
log delivery to central S3 bucket
easier Athena / SIEM / incident investigation
baseline:
multi-region organization trail
log file validation enabled
SSE-KMS if key policy is correct
S3 bucket in log-archive account
bucket policy allows CloudTrail delivery
lifecycle retention configuredExample EventBridge pattern for Organizations API changes:
{
"source": ["aws.organizations"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["organizations.amazonaws.com"],
"eventName": [
"CreateAccount",
"MoveAccount",
"CreateOrganizationalUnit",
"DeleteOrganizationalUnit",
"AttachPolicy",
"DetachPolicy",
"UpdatePolicy",
"EnableAWSServiceAccess",
"DisableAWSServiceAccess",
"RegisterDelegatedAdministrator",
"DeregisterDelegatedAdministrator"
]
}
}10. Production Checklist#
organization:
all features enabled
OU structure documented
account naming convention documented
account owner tag / metadata maintained
account vending process defined
access:
IAM Identity Center enabled
no daily management-account IAM users
break-glass access tested
production access uses permission sets / roles
guardrails:
baseline SCP attached to Workloads OU
stronger SCP attached to Prod OU
quarantine SCP attached to Suspended OU
SCP tested before attaching broadly
policy size checked before rollout
security services:
CloudTrail organization trail enabled
GuardDuty organization admin delegated
Security Hub organization admin delegated
AWS Config strategy decided
IAM Access Analyzer organization analyzer enabled
operations:
create / move / close account runbook exists
delegated admin inventory reviewed
trusted access inventory reviewed
CloudTrail alerts for org changes enabled
quota usage reviewed before large account expansion11. Common Mistakes#
mistake:
assume SCP grants permission
result:
user still has no access because IAM policy did not allow it
mistake:
run workloads in management account
result:
SCP cannot protect those workloads
mistake:
attach restrictive SCP to root without testing
result:
many accounts lose required service access at once
mistake:
use one prod account for every application
result:
weak blast-radius isolation and noisy permissions
mistake:
enable trusted access for many services without owner
result:
unclear service integrations and difficult incident response
mistake:
create accounts manually with no lifecycle process
result:
orphan accounts, unclear billing, stale access