AWS Resource Hierarchy: Organizational Units Explained 2024

The AWS resource hierarchy is a multi-level access management system that helps ensure the accounts in AWS Organizations remain compliant, secure and within budget. It typically features four entities: organizations, organizational units, member accounts and resources.

An AWS organization is a container that consolidates multiple AWS accounts. However, an organizational unit is a subdivision within an organization consisting of a smaller group of accounts.

Member accounts are regular AWS accounts that are added to or created in an organization. A resource is any service that makes up the cloud infrastructure, such as EC2 instances, AWS Lambda and so on.

What Is AWS Resource Hierarchy?

The AWS resource hierarchy is a multi-level system that groups different accounts in an AWS organization. It is an access management system that tailors the environments of the accounts in an organization to ensure they stay within budget, are compliant and follow security best practices.

An AWS resource hierarchy often features four elements: organizations, organizational units, accounts and resources.

  • Organization: An organization is a management unit for multiple AWS accounts.
  • Organizational unit: An organizational unit is a subgroup of AWS accounts in an AWS organization.
  • Account: An AWS account is a basic unit to access and manage resources and billing.
  • Resource: A resource is any service or tool that forms a part of your cloud environment.

Each account in an organization can belong to only one organizational unit at a time.

What Is an Organization in AWS?

An organization in Amazon Web Services (AWS) is a central unit that streamlines the management of multiple accounts as a single entity. It contains multiple AWS accounts, which work together as a single body.

AWS Org Start Menu

With AWS Organizations, you can use a single payment method for all member accounts.

An AWS organization is like any other organization: Employees are under a first-line manager, first-line managers are under a mid-level manager, mid-level managers are under top-level management and top-level management is under the CEO. Multiple accounts (employees) are divided into organizational units (management levels), but everyone works together.

The primary role of an organization in AWS is centralized management. AWS organizations can control and manage the billing, security and compliance of member accounts. They can also directly create accounts, which automatically become part of the organization. In addition, you can send an invitation to add an existing account to an AWS organization.

What Is a Root in AWS Organizations?

A root is the top-level entity that encompasses all other entities. It sits at the top of the organization tree, setting the tone for organization-wide configurations. In other words, accounts and resources inherit policies and configurations applied to the root. In Azure, the root is called a root management group, and in Google Cloud, it’s called the root node.

What Is a Management Account in AWS Organizations?

The management account creates an instance of an AWS organization. In other words, it is the AWS account used to create the organization.

As the name suggests, the management account manages the organization’s affairs. It pays the bills, invites accounts to the organization, creates accounts in the organization, removes accounts, assigns administrator accounts, enables cross-account services and applies policies to the units (root, organizational unit and member accounts).

What Is a Delegated Administrator for AWS Organizations?

Delegated administrators are accounts that help reduce use of the management account, making it less vulnerable. Delegated administrators also help streamline organizational insight and promote granular control. They execute specific tasks on behalf of the management account and are designated either for organizations or for AWS services.

Delegated administrator for organizations: These accounts handle policies in the organization. They create policies and apply them to the root, organizational units (OUs) and member accounts.

Delegated administrator for AWS services: These delegated administrator accounts deal with AWS services used in an AWS organization. Each of these accounts is granted administrative permissions for a specific service, which you’ll generally find in the management account.

What Are the Different Policies in AWS Organizations?

Policies in AWS Organizations are rule definitions that enable additional configurations, access control and resource management for the accounts in an organization. There are two main policy types in AWS Organizations: authorization policies and management policies.

  • Authorization policies: These types of policies deal with account security in an organization.
    • Service control policies (SCPs): Manage permissions for accounts in an organization, serving as a central station that describes the maximum permissions for each account.
  • Management policies: Management policies dictate the management of AWS services integrated into the environment. There are three subtypes: tag policies, backup policies and artificial intelligence (AI) services opt-out policies.
    • Tag policies: Harmonize the tags used with AWS resources in an organization.
    • Backup policies: Describe the management and application of backup for the AWS resources in an organization.
    • Artificial intelligence (AI) services opt-out policies: Provide the opportunity to retain fine-grained control over data that AWS AI services collect.
SCP Policies

AWS Organizations supports four types of policies: service control
policies (SCP), backup, tag and AI services opt-out.

What Is the Service Control Policy in AWS Organizations?

A service control policy (SCP) in an AWS organization defines the permitted actions and services for roles and users in an organization. Basically, a service control policy outlines the limits of an organization’s units.

An SCP does not necessarily assign permissions; instead, it specifies maximum limits for the entities (organization, organizational units and accounts). That said, the limits that an SCP defines supersede the IAM policy attached to users and roles. The service control policy attached to the organization’s root applies to every other unit.

What Is the Difference Between Allow Lists and Deny Lists?

When you use an allow list, only the permissions on the list are allowed. However, with a deny list, everything is permitted except for the restrictions on the list.

By default, the root, organizational units and accounts in an AWS organization have the FullAWSAccess policy, which grants full access. This makes for easy configuration when starting the organization. However, as you advance, you may need to restrict each entity’s access. This is where allow lists and deny lists come into play.

The allow list grants defined permissions to entities in an organization, replacing the FullAWSAccess policy. On the other hand, the deny list does not replace the FullAWSAccess policy. Instead, it removes the permissions the FullAWSAccess policy grants to an entity.

What Are the Features of AWS Organizations?

The main features of AWS Organizations are account management, security and monitoring, access control, resource sharing, consolidated billing, compliance and centralized resource management. The following features define these key roles:

  • Account management: With this feature, you can create new accounts, add existing accounts and manage them centrally. This is more efficient than managing multiple accounts individually.
  • Security and monitoring: This feature makes it possible to provide monitoring and security tools to the security team so they can manage the security for all accounts.
  • Access control: Service control policies (SCPs) alongside IAM policies are at the core of access control in an organization. They help prevent unauthorized access.
  • Resource sharing: Cross-account resource sharing makes it possible to share AWS services across multiple accounts.
  • Consolidated billing: This provides a single bill for all the resources the accounts in an organization use, making it easier to track and manage costs.
  • Compliance: Tools such as AWS Config, CloudTrail and AWS Backup combine to ensure the environment aligns with regulatory standards.
  • Organization definition and management: This feature is at the core of the orderliness that comes with AWS Organizations. Dividing accounts into management groups makes for better visibility.

What Are the Use Cases of AWS Organizations?

The main use cases for AWS Organizations are multi-account management, cost optimization, resource governance and delegation. 

  • Multi-account management: AWS Organizations allows you to create accounts or invite them to a unified environment, where you can manage each account’s permission levels.
  • Cost optimization: Thanks to consolidated billing, AWS Organizations presents a unified bill. This makes for easier viewing compared to checking bills for multiple accounts one at a time.
  • Resource governance: Grouping accounts into organizational units streamlines resource management, as you no longer have to grant resource access to designated accounts individually.
  • Delegation: AWS Organizations makes it easier to delegate duties to specific accounts and organizational units, easing the responsibility of the master account.

What Is the Pricing of AWS Organizations?

AWS Organizations is a free service. However, the resources available with the service – like S3 cloud storage buckets and EC2 instances — come at a cost.

What Is an Organizational Unit in AWS?

An organizational unit (OU) in Amazon Web Services is a cohesive group of accounts — a subunit of the larger group of accounts under the root. Organizational units make for better visibility and modularity when managing an organization.

OU

An organizational unit can have other organizational units within it.

With an organizational unit, you can apply the same SCPs to a group of accounts with common roles. You can also enable service access only to the accounts in the OU. Basically, an OU helps efficiently achieve granular access.

When setting up your organization, a security OU and an infrastructure OU would come in handy. Aside from those two, you can also create deployments OUs, workloads OUs, sandbox OUs, individual business users OUs and so on.

AWS recommends 11 OUs, including two foundational OUs: the security OU and the infrastructure OU. Of course, you may not need all of these OUs when setting up your organization, and you can even create custom OUs. Below is a list of the organizational units that AWS recommends:

  • Security OU: This OU encompasses accounts that manage security services.
  • Infrastructure OU: The infrastructure OU contains accounts that manage the core cloud infrastructure, including services like EC2 and VPC.
  • Sandbox OU: The accounts in this OU are meant for testing and development.
  • Workloads OU: This features accounts that contain production or non-production business workloads.
  • Policy staging OU: The accounts here serve as the testing environment for new policies.
  • Suspended OU: This OU houses flagged or inactive accounts.
  • Individual business users OU: In this OU, the accounts manage resources outside business-specific environments.
  • Exceptions OU: This serves as a container for accounts exempted from certain SCPs.
  • Deployments OU: This unit features resources and workloads that support deployment.
  • Transitional OU: Transitional OUs temporarily contain accounts before they’re properly integrated into the organization.
  • Business continuity OU: The main purpose of this OU is disaster recovery.

What Is a Member Account in an AWS Organization?

A member account is like any regular AWS account, with the only difference being that it is part of an AWS organization. A member account is the smallest unit required for access to services and billing in an AWS organization.

How to Invite Other Accounts to an AWS Organization Using Invitations

Below are the steps to invite an existing account to an AWS organization.

  1. Sign in to the Management Account

    To invite an existing account to an organization, sign in to the management account with an IAM user. You can also sign in as the root user, but it’s not the best option. If the management account is new, the email address is likely unverified. Verify the address to proceed. If your email address is already verified, move on to the next step.

    AWS Org Start Menu
  2. Go to AWS Accounts

    Navigate to the AWS accounts page and click on “add an AWS account.”

    Add an AWS account
  3. Choose “Invite an Existing AWS Account”

    On the ensuing page, select “invite an existing AWS account.” Then, enter the email address or account ID of the account you want to invite in the provided field. To invite multiple accounts at once, click “add another account” and enter the email addresses or account IDs in the provided fields.

    Invite
  4. Send the Invitation

    Before sending the invitation, you can choose to add a message. Otherwise, scroll down and click “send invitation.”

    Send

What Are the Resources That Can Be Created in an AWS Organization?

An organization’s member accounts can create any type of AWS resource, depending on the limits the organization sets, such as EC2 instances, Lambda instances or S3 buckets.

Services

Though AWS Organizations does not directly provision AWS resources, you can set up services like Amazon Inspector to perform actions in your organization.

That said, AWS organizations do not create resources themselves. Instead, the accounts within them create resources. However, by using service control policies, an organization can control the resources its member accounts can create.

What Are the Different Services That Can Be Used in an AWS Organization?

Services like AWS CloudTrail, AWS Identity and Access Management (IAM) and AWS Cost Explorer integrate with the AWS Organizations service so you can use them in an AWS organization.

How to Manage the Resources in an AWS Organization

Resources in an AWS organization are managed through a combination of cost optimization, access management, and security and monitoring tools.

  • Cost optimization: To ensure resource usage stays within budget, you can manage billing with features like consolidated billing and AWS Cost Explorer. In addition, use pricing models like savings plans and reserved instances to get great deals on certain services.
  • Access management: The delegated administrator feature is useful for granular access control. Instead of one account managing a large volume of resources, different accounts manage portions of the resource pool. AWS IAM is also helpful for access management; it offers multi-factor authentication while enforcing least-privilege access.
  • Security and monitoring: Service control policies are one of the main security features in an AWS organization. However, you can also use AWS IAM policies to prevent unauthorized access to organization resources. For security monitoring, AWS Security Hub, AWS CloudTrail and AWS Config come in handy.
What Are Resource Groups?

AWS Resource Groups is a service used to manage and automate the functions of multiple resources simultaneously. It promotes efficiency by allowing you to perform bulk tasks on multiple resources at a time.

How Does Cloud Security Work in an AWS Organization?

Cloud security in an AWS organization follows the shared responsibility model: AWS provides physical and operational security for the underlying infrastructure while you secure data and applications in the cloud.

To achieve data and application security in the cloud, AWS Organizations uses various tools. For example, an organization can use service control policies alongside Identity and Access Management (IAM) to control access.

Furthermore, you can assess compliance with AWS Security Hub and AWS Audit Manager while monitoring for threats with Amazon GuardDuty. You can also minimize the organization’s attack surface by privately connecting to its services with AWS PrivateLink.

What Is the Role of IAM in AWS Organizations?

IAM is the base access management tool for the accounts in AWS Organizations. It defines the primary permissions of the accounts. However, in an organization, permissions limits defined by service control policies supersede an account’s IAM policies.

Final Thoughts

An AWS organization makes it easier to manage multiple accounts in AWS while ensuring security, compliance and cost optimization. A resource group also offers centralized management, and unlike AWS organizations, it also manages resources.

Have you used AWS Organizations or Resource Groups? Have you used similar services on another cloud platform? We’d love to hear about your experiences with the AWS resource hierarchy or multi-account management in cloud computing in general, so leave a comment down below. Thank you for reading.

FAQ: AWS Resource Groups

  • The AWS resource hierarchy structure includes organizations, organizational units, accounts and resources.

  • By default, AWS resources are organized by service. However, when in Resource Groups, you can organize them by their tags or CloudFormation stack.

  • AWS organizational structure uses the AWS Organizations service for centralized security, compliance and billing management.

  • Resource hierarchy in Google Cloud Platform focuses on project resources and workload, but in AWS, it focuses on resources and accounts. Basically, an organization resource exists at the top of the GCP hierarchy. However, in AWS, accounts are on top.


Let us know if you liked the post. That’s the only way we can improve.