AWS Organization
If you have multiple AWS accounts and teams, cloud setup and governance can be complex and time consuming. Most important is the ability to -
- manage billing of all the accounts together, and
- manage permissions/access to AWS resources for all the other accounts from your master account.
AWS Organizations provides this for you and is the easiest way to set up and govern a multi-account AWS environment.
Let's go through the setup details -
- Currently there is a limit of max 2 accounts (including the root/master account) in one organization. To increase the limit you have to raise an AWS support ticket or send an email to AWS support.
- Fyi - The root/master account from which you create the organization is not itself the "root". The root is the top-level node of the organization you created, and your master account becomes one of the accounts inside that organization. It differs from the child accounts only in having additional access and control over the organization, such as setting service control policies and controlling billing. It is recommended to keep the master account at the root/first level.
- To create an AWS organization, log in to the console and search for the AWS Organizations service, or from the login (account) menu click on My Organization.
- Create the organization.
- You will get an email at the root/master AWS account's registered email address, and you have to confirm it via that email.
- Fyi - It may take minutes or hours for the backend process to complete before the organization is ready for adding accounts, so wait until then.
- To add an existing account,
- Click on Add account and choose the option to invite an existing account (enter the registered email of that account). The owner of that account gets an email and has to confirm it; alternatively, log in to the AWS console with the invited account, go to My Organization from the login menu, click on Invitations in the left panel, and you will see the invitation you received. Accept the invitation and you are done: that account is now part of the root/master AWS organization.
- To add a new account,
- Click on Add account and choose the option to create an account (enter a new, unique email which is not already registered). There is an IAM role option as well; it is not mandatory, so you can leave it blank and your root account will manage/create it for the child account. Once the new account is added, an email is sent to the newly registered email address; from there you can click the link to reset the password (or use "forgot password") and start logging in to the AWS console.
- To create an organizational unit (OU), log in to the root/master organization account, go to My Organization and create the OU (give it a name), then select the accounts you want to move into the OU. (You can create nested and parallel OUs and move accounts into the OUs you created.)
Fyi - AWS Organizations provides APIs which you can use, e.g. via the .NET SDK, to create accounts instead of creating them from the console, and similarly you can use PowerShell scripts.
********************** SCP (service control policy) for OU, root, or specific account ***********************
Notes:
- If you do not attach any policy, then by default accounts have full access and each account works as per its own users' IAM policies.
- When you attach a policy at any level (OU or root), it is inherited by the OUs and accounts below that level.
- This policy overrides any access you have already provided to users via IAM (IAM can grant only what the SCP allows).
- If you have multiple policies, e.g. one policy "X" at the root that allows permissions "A" and "B", and another policy (named "B") at OU level 1 that allows permissions "B" and "C", then -
- All accounts and OUs at or below OU level 1 get only the permissions common to both policies (the intersection), so in this case only "B".
- All other OUs directly below the root (other than OU level 1) get both "A" and "B" as per policy "X", because those OUs only have the root-level policy, which is inherited downward.
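The inheritance behaviour described in the notes above, as an added example that is not part of the original post: a small Python model that evaluates the root-level policy "X" and the OU-level policy (named "Y" here, to avoid clashing with the action "B") the way AWS Organizations does, by intersecting the allow lists along the path from root to account. The organization tree, account IDs, policy documents and the actions "A" to "D" are all constructed for this illustration.

```python
"""Added example (not from the original post): an offline model of how AWS
Organizations evaluates service control policies (SCPs) down the tree.

Assumptions, not stated on the page:
- "X" is the root-level SCP; "Y" stands for the post's OU-level policy (the post
  names it "B", renamed here so it does not clash with action "B").
- Actions "A", "B", "C", "D" stand in for real IAM actions such as "s3:GetObject".
- Only whole-action Allow/Deny with "Resource": "*" is modelled; the IAM policies
  inside each account are not modelled (they can only grant within the SCP result).
- Account IDs and OU IDs are constructed for the example.
"""
from typing import Dict, List, Set

# Organization tree: root -> OU1 (account 111111111111), OU2 (account 222222222222).
TREE: Dict[str, List[str]] = {
    "root": ["ou-1", "ou-2"],
    "ou-1": ["111111111111"],
    "ou-2": ["222222222222"],
}

# Every new organization has the AWS managed "FullAWSAccess" SCP attached at each
# node; that is the "no policy attached = full access" behaviour noted above.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

POLICY_X = {"Version": "2012-10-17", "Statement": [          # attached at root
    {"Effect": "Allow", "Action": ["A", "B"], "Resource": "*"}]}

POLICY_Y = {"Version": "2012-10-17", "Statement": [          # attached at OU level 1
    {"Effect": "Allow", "Action": ["B", "C"], "Resource": "*"}]}

# Which SCPs are attached where. FullAWSAccess has been detached from root and
# OU1 so that the custom policies are the only allow list at those levels.
ATTACHED: Dict[str, List[dict]] = {
    "root": [POLICY_X],
    "ou-1": [POLICY_Y],
    "ou-2": [FULL_AWS_ACCESS],
    "111111111111": [FULL_AWS_ACCESS],
    "222222222222": [FULL_AWS_ACCESS],
}

ALL_ACTIONS: Set[str] = {"A", "B", "C", "D"}   # action universe for this toy model


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def allowed_by_level(policies: List[dict]) -> Set[str]:
    """Actions permitted by the SCPs attached at ONE node:
    union of all Allow statements, minus anything explicitly Denied."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            actions: Set[str] = set()
            for action in _as_list(stmt["Action"]):
                actions |= ALL_ACTIONS if action == "*" else {action}
            (allowed if stmt["Effect"] == "Allow" else denied).update(actions)
    return allowed - denied


def path_to(node: str, current: str = "root") -> List[str]:
    """Nodes from the root down to `node` (inclusive), or [] if not in the tree."""
    if node == current:
        return [current]
    for child in TREE.get(current, []):
        sub = path_to(node, child)
        if sub:
            return [current] + sub
    return []


def effective_actions(node: str) -> Set[str]:
    """Effective SCP allow list for an account or OU: the intersection of what
    every level on the path root -> ... -> node allows. An action missing at any
    one level (or denied there) is unavailable below it, no matter what IAM says."""
    path = path_to(node)
    if not path:
        raise KeyError(f"{node} is not in the organization tree")
    result = set(ALL_ACTIONS)
    for hop in path:
        result &= allowed_by_level(ATTACHED[hop])
    return result


if __name__ == "__main__":
    for acct in ("111111111111", "222222222222"):
        print(acct, "->", sorted(effective_actions(acct)))
    # 111111111111 -> ['B']        (X at root intersected with Y at OU1)
    # 222222222222 -> ['A', 'B']   (X at root only, inherited through OU2)
```

The policy dictionaries have the same shape as real SCP JSON documents, so the model also shows why detaching the managed FullAWSAccess policy matters: while it stays attached at a level, the union at that level is everything, and the custom SCP there restricts nothing. A Deny statement on any node of the path removes the action for everything below, which `allowed_by_level` reflects by subtracting the denied set before the intersection.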
To create a policy,
- Go to My Organization, from the top tab go to Policies, and create your custom policies defining what to allow and what to deny.
To attach/apply a policy at any level (root or OU),
- Select the specific OU or the root, then on the right side enable the policy type and attach/detach the policy.