AWS Resource Hierarchy: Organizational Units Explained 2024
The AWS resource hierarchy is a multi-level access management system that helps ensure the accounts in AWS Organizations remain compliant, secure and within budget. It typically features four entities: organizations, organizational units, member accounts and resources.
An AWS organization is a container that consolidates multiple AWS accounts. However, an organizational unit is a subdivision within an organization consisting of a smaller group of accounts.
Member accounts are regular AWS accounts that are added to or created in an organization. A resource is any service that makes up the cloud infrastructure, such as EC2 instances, AWS Lambda and so on.
What Is AWS Resource Hierarchy?
The AWS resource hierarchy is a multi-level system that groups different accounts in an AWS organization. It is an access management system that tailors the environments of the accounts in an organization to ensure they stay within budget, are compliant and follow security best practices.
An AWS resource hierarchy often features four elements: organizations, organizational units, accounts and resources.
- Organization: An organization is a management unit for multiple AWS accounts.
- Organizational unit: An organizational unit is a subgroup of AWS accounts in an AWS organization.
- Account: An AWS account is a basic unit to access and manage resources and billing.
- Resource: A resource is any service or tool that forms a part of your cloud environment.
What Is an Organization in AWS?
An organization in Amazon Web Services (AWS) is a central unit that streamlines the management of multiple accounts as a single entity. It contains multiple AWS accounts, which work together as a single body.
An AWS organization is like any other organization: Employees are under a first-line manager, first-line managers are under a mid-level manager, mid-level managers are under top-level management and top-level management is under the CEO. Multiple accounts (employees) are divided into organizational units (management levels), but everyone works together.
The primary role of an organization in AWS is centralized management. AWS organizations can control and manage the billing, security and compliance of member accounts. They can also directly create accounts, which automatically become part of the organization. In addition, you can send an invitation to add an existing account to an AWS organization.
What Are the Features of AWS Organizations?
The main features of AWS Organizations are account management, security and monitoring, access control, resource sharing, consolidated billing, compliance and centralized resource management. The following features define these key roles:
- Account management: With this feature, you can create new accounts, add existing accounts and manage them centrally. This is more efficient than managing multiple accounts individually.
- Security and monitoring: This feature makes it possible to provide monitoring and security tools to the security team so they can manage the security for all accounts.
- Access control: Service control policies (SCPs) alongside IAM policies are at the core of access control in an organization. They help prevent unauthorized access.
- Resource sharing: Cross-account resource sharing makes it possible to share AWS services across multiple accounts.
- Consolidated billing: This provides a single bill for all the resources the accounts in an organization use, making it easier to track and manage costs.
- Compliance: Tools such as AWS Config, CloudTrail and AWS Backup combine to ensure the environment aligns with regulatory standards.
- Organization definition and management: This feature is at the core of the orderliness that comes with AWS Organizations. Dividing accounts into management groups makes for better visibility.
What Are the Use Cases of AWS Organizations?
The main use cases for AWS Organizations are multi-account management, cost optimization, resource governance and delegation.
- Multi-account management: AWS Organizations allows you to create accounts or invite them to a unified environment, where you can manage each account’s permission levels.
- Cost optimization: Thanks to consolidated billing, AWS Organizations presents a unified bill. This makes for easier viewing compared to checking bills for multiple accounts one at a time.
- Resource governance: Grouping accounts into organizational units streamlines resource management, as you no longer have to grant resource access to designated accounts individually.
- Delegation: AWS Organizations makes it easier to delegate duties to specific accounts and organizational units, easing the responsibility of the master account.
What Is the Pricing of AWS Organizations?
AWS Organizations is a free service. However, the resources available with the service – like S3 cloud storage buckets and EC2 instances — come at a cost.
What Is an Organizational Unit in AWS?
An organizational unit (OU) in Amazon Web Services is a cohesive group of accounts — a subunit of the larger group of accounts under the root. Organizational units make for better visibility and modularity when managing an organization.
With an organizational unit, you can apply the same SCPs to a group of accounts with common roles. You can also enable service access only to the accounts in the OU. Basically, an OU helps efficiently achieve granular access.
When setting up your organization, a security OU and an infrastructure OU would come in handy. Aside from those two, you can also create deployments OUs, workloads OUs, sandbox OUs, individual business users OUs and so on.
What Organizational Units Are Recommended by AWS?
AWS recommends 11 OUs, including two foundational OUs: the security OU and the infrastructure OU. Of course, you may not need all of these OUs when setting up your organization, and you can even create custom OUs. Below is a list of the organizational units that AWS recommends:
- Security OU: This OU encompasses accounts that manage security services.
- Infrastructure OU: The infrastructure OU contains accounts that manage the core cloud infrastructure, including services like EC2 and VPC.
- Sandbox OU: The accounts in this OU are meant for testing and development.
- Workloads OU: This features accounts that contain production or non-production business workloads.
- Policy staging OU: The accounts here serve as the testing environment for new policies.
- Suspended OU: This OU houses flagged or inactive accounts.
- Individual business users OU: In this OU, the accounts manage resources outside business-specific environments.
- Exceptions OU: This serves as a container for accounts exempted from certain SCPs.
- Deployments OU: This unit features resources and workloads that support deployment.
- Transitional OU: Transitional OUs temporarily contain accounts before they’re properly integrated into the organization.
- Business continuity OU: The main purpose of this OU is disaster recovery.
What Is a Member Account in an AWS Organization?
A member account is like any regular AWS account, with the only difference being that it is part of an AWS organization. A member account is the smallest unit required for access to services and billing in an AWS organization.
How to Invite Other Accounts to an AWS Organization Using Invitations
Below are the steps to invite an existing account to an AWS organization.
- Sign in to the Management Account
To invite an existing account to an organization, sign in to the management account with an IAM user. You can also sign in as the root user, but it’s not the best option. If the management account is new, the email address is likely unverified. Verify the address to proceed. If your email address is already verified, move on to the next step.
- Go to AWS Accounts
Navigate to the AWS accounts page and click on “add an AWS account.”
- Choose “Invite an Existing AWS Account”
On the ensuing page, select “invite an existing AWS account.” Then, enter the email address or account ID of the account you want to invite in the provided field. To invite multiple accounts at once, click “add another account” and enter the email addresses or account IDs in the provided fields.
- Send the Invitation
Before sending the invitation, you can choose to add a message. Otherwise, scroll down and click “send invitation.”
What Are the Resources That Can Be Created in an AWS Organization?
An organization’s member accounts can create any type of AWS resource, depending on the limits the organization sets, such as EC2 instances, Lambda instances or S3 buckets.
That said, AWS organizations do not create resources themselves. Instead, the accounts within them create resources. However, by using service control policies, an organization can control the resources its member accounts can create.
How Does Cloud Security Work in an AWS Organization?
Cloud security in an AWS organization follows the shared responsibility model: AWS provides physical and operational security for the underlying infrastructure while you secure data and applications in the cloud.
To achieve data and application security in the cloud, AWS Organizations uses various tools. For example, an organization can use service control policies alongside Identity and Access Management (IAM) to control access.
Furthermore, you can assess compliance with AWS Security Hub and AWS Audit Manager while monitoring for threats with Amazon GuardDuty. You can also minimize the organization’s attack surface by privately connecting to its services with AWS PrivateLink.
What Is the Role of IAM in AWS Organizations?
IAM is the base access management tool for the accounts in AWS Organizations. It defines the primary permissions of the accounts. However, in an organization, permissions limits defined by service control policies supersede an account’s IAM policies.
Final Thoughts
An AWS organization makes it easier to manage multiple accounts in AWS while ensuring security, compliance and cost optimization. A resource group also offers centralized management, and unlike AWS organizations, it also manages resources.
Have you used AWS Organizations or Resource Groups? Have you used similar services on another cloud platform? We’d love to hear about your experiences with the AWS resource hierarchy or multi-account management in cloud computing in general, so leave a comment down below. Thank you for reading.
FAQ: AWS Resource Groups
-
The AWS resource hierarchy structure includes organizations, organizational units, accounts and resources.
-
By default, AWS resources are organized by service. However, when in Resource Groups, you can organize them by their tags or CloudFormation stack.
-
AWS organizational structure uses the AWS Organizations service for centralized security, compliance and billing management.
-
Resource hierarchy in Google Cloud Platform focuses on project resources and workload, but in AWS, it focuses on resources and accounts. Basically, an organization resource exists at the top of the GCP hierarchy. However, in AWS, accounts are on top.