One of the most amazing things about social media platforms is the throwback activity that reminds you of certain past data, pictures, or information you shared or stored. How often has that activity helped you relive some good memories and made you nostalgic?
What about the e-commerce apps where several transactions occur every day, yet they manage to get the correct orders from their customers and provide excellent customer experiences?
How are they able to navigate through their various services to bring forth a united front?
It’s simple - Amazon Web Services (AWS). AWS's user accounts often include data storage, billing, audits, policies, security permissions, and services related to business projects and divisions.
But, even better is the concept of AWS Organization – a collection of multiple accounts for different cloud-based services arranged hierarchically and managed centrally.
What is AWS Organization and How Does It Work?
AWS is the dominant cloud computing platform, holding 32.4% of the market, roughly one third; this means that many of the big platforms on the internet have AWS accounts.
Accounts? Yes, a user can have multiple accounts for different services like billing, audit, data storage, etc.
But, if you have ever managed or tried to manage different social media accounts that offer different content, you’d agree it’s not a walk in the park. Similarly, managing different AWS service accounts can be daunting, but not without a solution - AWS Organization.
AWS Organization helps manage multiple accounts through one management account. It makes things easier, as there will be no need to switch between accounts (like we do with social media accounts).
Oh, and there’s more! With AWS Organization, you don’t only get to create new accounts, but also, you can link them, as well as share resources between them.
It does not end there… You can set certain policies to guide your AWS accounts' management and centralize the logs.
What Features Does the AWS Organization Offer?
How to Create an AWS Organization Management Account?
To create your organization, you will need a management account; this account cannot be changed or switched in your organization. Your management account is your ‘main’ or ‘base’ account from which you can create, manage, and invite other accounts to your organization.
When you no longer need an account, you can remove it from the organization; this removal is done through the management account.
Other responsibilities of the management account include attaching policies to entities such as the Organizational Units (OUs) and member accounts in your organization. It is also responsible for paying the charges accumulated by the member accounts in the organization.
Now that we’ve seen what a management account brings to the table of AWS Organization, here’s how you can create one:
A1 will refer to the account you will use for creating the organization, thus, the management account.
A2 will refer to the account you are inviting to your organization.
The e-mail addresses for A1 and A2 will be different.
1. Sign in as an administrator of the A1 account, then open the AWS Organization console.
2. Select “Create an organization” in the confirmation dialog box.
   When your organization is created, all features are enabled by default. Still, you can enable only the consolidated billing features after creating an organization.
3. Verify your e-mail address.
What is the Pricing for the AWS Organizations?
With Amazon Web Services, support fees are charged for every member account, which means that each account has a support subscription independent of the others. These subscriptions do not apply to the organization itself; AWS Organizations is provided at no added charge.
What Are the Main Benefits of AWS Organization?
Yes, some of the benefits of AWS Organization have already come up among its features, but there are quite a few that we still need to discuss. These benefits include:
Best Practices for Organizing AWS Accounts in AWS Organizations
One of the important aspects of AWS Organization is the hierarchical grouping of accounts; without it, there won’t be an “organization.”
So it’s safe to say that with this knowledge, there should be best practices for effectively managing accounts in the AWS organization.
Distinguish Between the Member and Management Accounts
While the management account can create OUs and manage member accounts and policies, including service control policies (SCPs), those SCPs cannot be applied to the management account itself.
This, in turn, can create problems, as users and roles in the management account operate without those policies, which can cause issues for member accounts.
Keep the accounts distinct by running only CloudTrail and CloudWatch in your management account; these help you monitor sign-ins to the account and manage the organization. Be sure to move any other resources to the member accounts.
Manage Member Accounts Using OUs
An Organizational Unit, OU, contains member accounts in your organization. It helps you manage different accounts as a single unit; this way, you can easily apply policies and controls to separate accounts.
Move Member Accounts Between OUs
Member accounts don’t need to stay in one OU. OUs are only subject to the policies that specifically apply to them, so you can move member accounts between OUs, especially when the policies attached to another OU are the ones that should apply to a member account.
Root User Restriction in Member Accounts
Every organization has a top-level node that contains all accounts: the root OU. Policies that apply to the root OU affect all accounts and OUs in the organization.
The best practice here is to disable the root OU, since most of its tasks can also be performed by the management account. And no, the management account is not affected, because the SCP does not apply to it.
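To make the SCP behaviour described in the last few sections concrete, here is a small model of how an SCP attached at the root or at an OU is evaluated for a member account, and why the management account is never affected. This is an added example, not AWS code or the article's own; the account ids, OU names and policy documents are constructed, and the evaluation rule follows AWS's documented semantics (every level from the root down to the account must allow the action, and no level may deny it).

```python
# Added example, not AWS code: a small model of SCP evaluation in AWS Organizations.
# Account ids, OU names and policy documents below are constructed for illustration.
from fnmatch import fnmatch

# Default policy AWS attaches at each level when SCPs are enabled.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Constructed root-level guardrail: member accounts cannot leave the
# organization or switch off CloudTrail, whatever their own IAM policies say.
PROTECT_GUARDRAILS = {"Statement": [{"Effect": "Deny", "Action": [
    "organizations:LeaveOrganization", "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail"]}]}
# Constructed OU-level allow list: Sandbox accounts may use only a few services.
SANDBOX_ONLY = {"Statement": [{"Effect": "Allow",
                               "Action": ["ec2:*", "s3:*", "cloudtrail:*"]}]}

def _matches(stmt, action):
    acts = stmt["Action"]
    return any(fnmatch(action, a) for a in ([acts] if isinstance(acts, str) else acts))

class Org:
    def __init__(self, management_account):
        self.management_account = management_account
        self.parent = {}                    # node -> parent node ("Root" has none)
        self.policies = {"Root": [FULL_AWS_ACCESS]}

    def add(self, node, parent):            # create an OU, or place an account under one
        self.parent[node] = parent
        self.policies.setdefault(node, [FULL_AWS_ACCESS])

    def move(self, account, new_ou):        # move a member account between OUs
        self.parent[account] = new_ou
    def attach(self, node, scp):
        self.policies[node].append(scp)
    def detach(self, node, scp):            # an allow list only bites once FullAWSAccess is gone
        self.policies[node].remove(scp)

    def allowed(self, account, action):
        if account == self.management_account:
            return True                     # SCPs never restrict the management account
        path = [account]
        while path[0] in self.parent:       # walk up: account -> OU -> ... -> Root
            path.insert(0, self.parent[path[0]])
        for n in path:                      # every level must allow, none may deny
            stmts = [s for p in self.policies[n] for s in p["Statement"]]
            if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
                return False
            if not any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts):
                return False
        return True
```

Note the `detach` step: an allow-list SCP on an OU has no effect while the default FullAWSAccess policy is still attached there, which is a common surprise when first restricting an OU.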
AWS Organization Vs. AWS Control Tower: Which should you use?
So far, we have discussed the AWS organization, its features, and its benefits. But, interestingly, there’s another platform that serves almost the same purpose as the AWS organization – AWS Control Tower.
AWS Control Tower also provides tools for managing multiple accounts centrally. It helps automate the setup and configuration of many accounts. It was once known as AWS Landing Zone.
A company with a larger team and complex workloads can migrate to AWS more easily with the help of Control Tower. It is an extension of the AWS organization.
Although AWS Control Tower is closely tied to the AWS organization, there are features the two share and a few differences between them:
1. AWS Organization makes provisions for centrally managing multiple AWS accounts in one environment/organization. With AWS Control Tower, however, you save effort and time, as it simplifies and automates a large part of managing your environment at scale.
2. Both AWS Organization and Control Tower are free of additional costs. With the latter, though, you get billed by AWS for the services it deploys, such as the guardrails and landing zone, while some other services, e.g., single sign-on, are free with Control Tower.
3. AWS organization requires certain best practices of you, whereas AWS Control Tower helps apply preventive and detective controls (guardrails) to ensure that accounts remain within said best practices.
4. AWS Control Tower creates an easier platform for migrating large companies to AWS. It provides a multi-account architecture to accommodate different business functions and requirements such as access, compliance, etc. With AWS Organization, you are simply managing multiple AWS accounts.
Conclusion
AWS Organization is a service that manages multiple AWS accounts, workflows, and policies that apply to the accounts. You can also invite or remove existing AWS accounts into and from your organization. With AWS Organization, you will be able to:
“To whom much is given, much is expected.” As such, a few best practices will help ensure that your AWS Organization provides optimal assistance with your accounts.