AWS Organizations

Home » AWS Certification Cheat Sheets » AWS Certified SysOps Administrator Associate Cheat Sheets » AWS Organizations


AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.

AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.

Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance.

You can also simplify billing by setting up a single payment method for all of your AWS accounts.

Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across accounts in your organization.

AWS Organizations is available to all AWS customers at no additional charge.

The AWS Organizations API enables automation for account creation and management.

Available in two feature sets:

  • Consolidated billing.
  • All features.

By default, organizations support consolidated billing features.

Consolidated billing separates paying accounts and linked accounts.

You can use AWS Organizations to set up a single payment method for all the AWS accounts in your organization through consolidated billing.

With consolidated billing, you can see a combined view of charges incurred by all your accounts.

Can also take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon EC2 and Amazon S3.

Limit of 20 linked accounts for consolidated billing (default).

Policies can be assigned at different points in the hierarchy.

Can help with cost control through volume discounts.

Unused reserved EC2 instances are applied across the group.

Paying accounts should be used for billing purposes only.

Billing alerts can be setup at the paying account which shows billing for all linked accounts.

AWS Organizations Concepts

Some of the core concepts you need to understand are listed here:

  • AWS Organization – An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.
  • AWS Account – An AWS account is a container for your AWS resources.
  • Master Account – A master account is the AWS account you use to create your organization.
  • Member Account – A member account is an AWS account, other than the master account, that is part of an organization.
  • Administrative Root – An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy.
  • Organizational Unit (OU) – An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
  • Policy – A policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts.

Service Control Policies

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

SCPs offer central control over the maximum available permissions for all accounts in your organization.

SCPs help you to ensure your accounts stay within your organization’s access control guidelines.

SCPs are available only in an organization that has all features enabled.

SCPs aren’t available if your organization has enabled only the consolidated billing features.

SCPs are similar to AWS Identity and Access Management (IAM) permission policies and use almost the same syntax.

However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU).

You still need to attach identity-based or resource-based policies to principals or resources in your organization’s accounts to actually grant permissions to them.

The following example SCP restricts any instance launches that do not use the t2.micro instance type:
"Version": "2012-10-17",
"Statement": [
"Sid": "RequireMicroInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {

More example SCPs can be found here.

Resource Groups

You can use resource groups to organize your AWS resources.

In AWS, a resource is an entity that you can work with.

Resource groups make it easier to manage and automate tasks on large numbers of resources at one time.

Resource groups allow you to group resources and then tag them.

The Tag Editor assists with finding resources and adding tags.

You can access Resource Groups through any of the following entry points:

  • On the navigation bar of the AWS Management Console.
  • In the AWS Systems Manager console, from the left navigation pane entry for Resource Groups.
  • By using the Resource Groups API, in AWS CLI commands or AWS SDK programming languages.

A resource group is a collection of AWS resources that are all in the same AWS region, and that match criteria provided in a query.

In Resource Groups, there are two types of queries on which you can build a group.

Both query types include resources that are specified in the format AWS::service::resource.

  • Tag-based – Tag-based queries include lists of resources and tags. Tags are keys that help identify and sort your resources within your organization. Optionally, tags include values for keys.
  • AWS CloudFormation stack-based – In an AWS CloudFormation stack-based query, you choose an AWS CloudFormation stack in your account in the current region, and then choose resource types within the stack that you want to be in the group. You can base your query on only one AWS CloudFormation stack.

Resource groups can be nested; a resource group can contain existing resource groups in the same region.