Security

AWS Organizations

Suppose that company has multiple AWS accounts. Customer can use AWS Organizations to consolidate and manage multiple AWS accounts within a central location. When customer creates an organization, AWS Organizations automatically creates a root, which is the parent container for all the accounts in the organization.

In AWS Organizations, customer can centrally control permissions for the accounts in customer’s organization by using service control policies (SCPs). SCPs enable customer to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

Organizational Units

In AWS Organizations, customer can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements. When customer applies a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy.

By organiznig separate accounts into OUs, customer can more easily isolate workloads or applications that have specific security requirements. For instance, if company has accounts that can access only the AWS services that meet certain regulatory requirements, these accounts can be put into one OU. Then, customer can attach a policy to the OU that blocks access to all other AWS services that do not meet the regulatory requirements.

Separate AWS Accounts

Imagine that your company has separate AWS accounts for the finance, information technology (IT), human resources (HR), and legal departments. You decide to consolidate these accounts into a single organization so that you can administer them from a central location. When you create the organization, this establishes the root.

In designing your organization, you consider the business, security, and regulatory needs of each department. You use this information to decide which departments group together in OUs.

Root AWS Accounts

The finance and IT departments have requirements that do not overlap with those of any other department. You bring these accounts into your organization to take advantage of benefits such as consolidated billing, but you do not place them into any OUs.

Root and OU AWS accounts

The HR and legal departments need to access the same AWS services and resources, so you place them into an OU together. Placing them into an OU enables you to attach policies that apply to both the HR and legal departments’ AWS accounts.

Previous Next

Leave a Reply

Your email address will not be published. Required fields are marked *