Organizations, Accounts, OU, SCP
In an organization there are two types of accounts:
One Management Account: also called the Payer account, this is the primary account that hosts and manages the organization.
Member Accounts: all other AWS accounts that belong to the organization. You normally separate accounts by environment and team ownership.
Features:
Consolidated Billing: rolls all bills up to the payer account, with a single payment method. You can use Cost Explorer to view your billing at a granular level.
Usage Discounts: consolidated billing allows for aggregate usage discounts across accounts.
Shared Savings: easily share Reserved Instances and Savings Plans across the organization.
Concepts:
Multi-account Strategy: lets you easily achieve a multi-account design while maintaining centralized management.
Tag Enforcement: enforces specific tags on all AWS resources for categorization and tracking.
Organizational Unit (OU): a logical grouping of multiple accounts that allows for easy management and separation.
Service Control Policies (SCPs): JSON policies applied to OUs or accounts to restrict which actions are or are not allowed. SCPs have the ultimate say as to whether an API call goes through: an action denied by an SCP is denied even if an IAM policy in the account allows it. SCPs are the only way to restrict what the root user of a member account can do.
Management Account: SCPs do not affect the management account the way they affect all member accounts.
Account Best Practices: create a centralized logging account for organizational CloudTrail logs. Also leverage cross-account roles for accessing member accounts. You can have multiple accounts for the same application.
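The following SCP is an added example (not from the original notes) that ties the tag-enforcement and SCP concepts together. It is a deny-list policy: it blocks member accounts from leaving the organization, from stopping or deleting CloudTrail trails, and from launching EC2 instances without an Owner tag. The Owner tag key, the statement IDs and the target OU ID below are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RequireOwnerTagOnNewInstances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    }
  ]
}
```

Two things to keep in mind when applying it. First, SCPs only filter permissions, they never grant any, so the default FullAWSAccess SCP (or an equivalent allow-list) must stay attached alongside this policy or every action in the OU is denied. Second, the policy is attached to an OU, not written into the accounts, for example with `aws organizations attach-policy --policy-id p-exampleid --target-id ou-exampleid` (both IDs are placeholders); because SCPs do not apply to the management account, the same controls must be enforced there by other means.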
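As an added example of the cross-account role practice above (not code from the original notes), this is the trust policy of a role created in each member account. It allows only one auditor role in an assumed security account (account ID 111111111111 and the role name are placeholders) to assume it, and additionally requires the caller to belong to the organization, identified by an assumed organization ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeFromSecurityAccountOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/SecurityAuditor"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

Naming a specific role ARN in the Principal (rather than the whole account root) keeps the trust narrow, and the aws:PrincipalOrgID condition means that even if the principal ARN is later edited by mistake, a caller outside the organization still cannot assume the role. The permissions policy attached to the role (read-only access for an audit role, for example) is separate from this trust policy.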