Organizational Hierarchy

Overview

In AWS, an organizational hierarchy is used to efficiently manage resources, accounts, permissions, and policies across multiple accounts within a business or enterprise. The key concept behind this hierarchy is AWS Organizations, a service that allows companies to centralize governance and simplify multi-account management.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html

This hierarchy offers a top-down structure where multiple AWS accounts can be grouped under a parent entity, with policies and controls inherited down the structure. Below are the key components of the AWS organizational hierarchy.

Key Components of the AWS Organizational Hierarchy

  1. Management Account (Root Account)

  2. Organizational Units (OUs)

  3. Member Accounts

  4. Service Control Policies (SCPs)

1. Management Account (Root Account)

  • The Management Account is the top-most account in the organization and acts as the root of the hierarchy.

  • This account is responsible for creating and managing the AWS organization and inviting or creating member accounts.

  • Key responsibilities of the Management Account:

    • Defining policies and guardrails for the entire organization.

    • Billing consolidation for all member accounts.

    • Delegating permissions for tasks like access to AWS Control Tower or AWS Config.

Note: This account has access to all resources across the organization by default, making it critical to secure it properly.

2. Organizational Units (OUs)

  • Organizational Units (OUs) allow you to create logical groupings of AWS accounts within the organization.

  • OUs provide a way to apply policies (SCPs) across multiple accounts with similar use cases (e.g., production accounts, development accounts, or sandbox environments).

Example Use Cases:

  • Production OU: Contains only production workloads with strict security policies.

  • Development OU: Contains non-production accounts with more relaxed policies for experimentation.

Each OU can contain multiple accounts or other nested OUs, making it possible to build multi-level hierarchies.

3. Member Accounts

  • Member Accounts are the AWS accounts that belong to an organization under the management account.

  • These accounts operate independently but are subject to the policies and controls set at the organizational level.

  • Member accounts are used to:

    • Isolate workloads or teams.

    • Ensure separation of duties between environments.

    • Implement billing separation or tracking for different departments or applications.

These accounts can inherit policies from OUs, but the individual account admins can also set specific IAM roles and permissions for resources within their own account.

4. Service Control Policies (SCPs)

  • SCPs are policies that apply at the OU or account level and allow organizations to restrict AWS services or actions that can be used.

  • They act as guardrails to prevent member accounts from performing actions that are outside of the organization's compliance rules.

Key Points About SCPs:

  • SCPs do not grant permissions; they only limit what can be done.

  • They are applied to OUs, member accounts, or even the entire organization.

  • SCPs can override permissions set at the individual account level, ensuring that organization-wide security rules are followed.

Example SCP:

  • Deny the ability to launch any service outside the us-east-1 region.

  • Prevent the use of specific services (e.g., restrict access to Amazon EC2 in certain accounts).

Example AWS Organizational Hierarchy Structure

AWS Organization (Management Account - Root)

├── OU: Production
│   ├── Account: Prod-App1
│   ├── Account: Prod-App2

├── OU: Development
│   ├── OU: Dev-Sandbox
│   │   ├── Account: Dev-Test1
│   │   ├── Account: Dev-Test2
│   ├── Account: Dev-App

├── OU: Security
│   ├── Account: Security-Monitoring
│   ├── Account: Security-Tools

In this example:

  • OU: Production contains multiple accounts used for production workloads.

  • OU: Development has a nested Sandbox OU for testing and a separate development account.

  • OU: Security houses accounts that manage security monitoring and tools.

Features and Benefits of AWS Organizational Hierarchy

  1. Centralized Management:

    • Manage multiple AWS accounts from one place, ensuring consistency in governance.

  2. Consolidated Billing:

    • All member accounts are billed through the management account, allowing cost tracking and optimization.

  3. Separation of Workloads:

    • OUs allow workloads to be separated based on environment or business unit (e.g., prod vs. dev).

  4. Governance and Compliance:

    • SCPs ensure accounts comply with organization-wide security and governance rules.

  5. Delegated Administration:

    • Services like AWS Control Tower allow designated administrators to manage parts of the organization without giving full access to the root account.

  6. Multi-Account Isolation:

    • Using multiple accounts within OUs ensures blast radius isolation, where the impact of a compromise is limited to the affected account.

PreviousAWS Shared Responsibility ModelNextAWS Principals

Last updated