# Plan your Amazon Web Services account governance structure



Although you might have started your Amazon journey with a single account, Amazon recommends that you set up multiple accounts as your workloads grow in size and complexity. Whether you are a medium business or a large enterprise, you'll want to create a governance structure plan that will ensure your data and your workload needs are met. 

This section covers the benefits and governance services available in Amazon to help enable a multi-account governance structure.

**Topics**
+ [Benefits of using multiple Amazon Web Services accounts](welcome-multiple-accounts.md)
+ [When to use Amazon Organizations](using-orgs.md)
+ [When to use Amazon Control Tower](when-to-use-control-tower.md)
+ [Understanding API modes of operation](manage-acct-api-modes-of-operation.md)

# Benefits of using multiple Amazon Web Services accounts


Amazon Web Services accounts form the foundational security boundary in the Amazon Web Services Cloud. They serve as a container for resources, providing a critical layer of isolation that is essential for creating a secure, well-governed environment. For more information, see [What is an Amazon Web Services account?](accounts-welcome.md).

Separating your resources into separate Amazon Web Services accounts helps you to support the following principles in your cloud environment:
+ **Security control** – Different applications can have different security profiles, requiring different control policies and mechanisms around them. For example, it’s far easier to talk to an auditor and be able to point to a single Amazon Web Services account that hosts all elements of your workload that are subject to [Payment Card Industry (PCI) Security Standards](https://www.pcisecuritystandards.org/pci_security/).
+ **Isolation** – An Amazon Web Services account is a unit of security protection. Potential risks and security threats should be contained within an Amazon Web Services account without affecting others. There could be different security needs due to different teams or different security profiles.
+ **Many teams** – Different teams have their different responsibilities and resource needs. You can prevent teams from interfering with each other by moving them to separate Amazon Web Services accounts.
+ **Data isolation** – In addition to isolating the teams, it's important to isolate the data stores to an account. This can help limit the number of people that can access and manage that data store. This helps contain exposure to highly private data and therefore can help in compliance with the [European Union's General Data Protection Regulation (GDPR)](https://gdpr.eu).
+ **Business process** – Different business units or products may have completely different purposes and processes. With multiple Amazon Web Services accounts, you can support a business unit's specific needs.
+ **Billing** – An account is the only true way to separate items at a billing level. Multiple accounts help separate items at a billing level across business units, functional teams, or individual users. You can still get all of your bills consolidated to a single payer (using Amazon Organizations and consolidated billing) while having line items separated by Amazon Web Services account.
+ **Quota allocation** – Amazon service quotas are enforced separately for each Amazon Web Services account. Separating workloads into different Amazon Web Services accounts prevents them from consuming quotas for each other.

All of the recommendations and procedures described in this document are in compliance with the [Amazon Well-Architected Framework](https://aws.amazon.com/architecture/well-architected). This framework is intended to help you design a flexible, resilient, and scalable cloud infrastructure. Even when you are starting small, we recommend that you proceed in compliance with this guidance in the framework. Doing so can help you scale your environment securely and without impacting your ongoing operations as you grow.

## Managing multiple Amazon Web Services accounts


Before you start adding multiple accounts, you'll want to develop a plan to manage them. For that, we recommend that you use [Amazon Organizations](https://www.amazonaws.cn/organizations), which is a free Amazon service to manage all of the Amazon Web Services accounts in your organization.

Amazon also offers Amazon Control Tower, which adds layers of Amazon managed automation to Organizations and automatically integrates it with other Amazon services like Amazon CloudTrail, Amazon Config, Amazon CloudWatch, Amazon Service Catalog, and others. These services can incur additional costs. For more information, see [Amazon Control Tower pricing](https://www.amazonaws.cn/controltower/pricing).

### See also

+ [When to use Amazon Organizations](using-orgs.md)
+ [When to use Amazon Control Tower](when-to-use-control-tower.md)

# When to use Amazon Organizations


Amazon Organizations is an Amazon service that you can use to manage your Amazon Web Services accounts as a group. This provides features like consolidated billing, where all of your accounts' bills are grouped together and handled by a single payer. You can also centrally manage the security of your organization by using policy-based controls. For more information about Amazon Organizations, see the [Amazon Organizations User Guide](https://docs.amazonaws.cn/organizations/latest/userguide/).

**Trusted access**

When you use Amazon Organizations to manage your accounts as a group, most administrative tasks for the organization can be performed by only the organization's *management account*. By default, this includes only operations related to managing the organization itself. You can extend this additional functionality to other Amazon services by enabling *trusted access* between Organizations and that service. Trusted access grants permissions to the specified Amazon service to access information about the organization and the accounts it contains. When you enable trusted access for Account Management, the Account Management service grants Organizations and its management account permissions to access the metadata, such as the primary or alternate contact information, for all of the organization's member accounts. 

For more information, see [Enable trusted access for Amazon Account Management](using-orgs-trusted-access.md).

**Delegated admin**

After you enable trusted access, you can also choose to designate one of your member accounts as a *delegated admin* account for Amazon Account Management. This allows the delegated admin account to perform the same Account Management metadata management tasks for the member accounts in your organization that previously only the management account could do. The delegated admin account can access only the management tasks for the Account Management service. The delegated admin account doesn't have all of the administrative access to the organization that the management account has.

For more information, see [Enable a delegated admin account for Amazon Account Management](using-orgs-delegated-admin.md).

# Enable trusted access for Amazon Account Management

Enabling trusted access for Amazon Account Management allows the administrator of the management account to modify the information and metadata (for example, primary or alternate contact details) specific to each member account in Amazon Organizations. For more information, see [Amazon Account Management and Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-account.html#integrate-enable-ta-account) in the *Amazon Organizations User Guide*. For general information about how trusted access works, see [Using Amazon Organizations with other Amazon services](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_integrate_services.html).

After trusted access has been enabled, you can use the `accountID` parameter in those [Account Management API operations](API_Operations.md) that support it. You can use this parameter successfully only if you call the operation using credentials from the management account, or from the delegated admin account for your organization if you enable one. For more information, see [Enable a delegated admin account for Amazon Account Management](using-orgs-delegated-admin.md).

Use the following procedure to enable trusted access for Account Management in your organization.

**Minimum permissions**  
To perform these tasks, you must meet the following requirements:  
+ You can perform this only from the organization's management account.
+ Your organization must have [all features enabled](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_support-all-features.html).

------
#### [ Amazon Web Services Management Console ]

**To enable trusted access for Amazon Account Management**

1. Sign in to the [Amazon Organizations console](https://console.amazonaws.cn/organizations). You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

1. Choose **Services** in the navigation pane.

1. Choose **Amazon Account Management** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon Account Management** dialog box, type **enable** to confirm it, and then choose **Enable trusted access**.

------
#### [ Amazon CLI & SDKs ]

**To enable trusted access for Amazon Account Management**  
After running the following command, you can use credentials from the organization's management account to call Account Management API operations that use the `--account-id` parameter to reference member accounts in an organization.
+ Amazon CLI: [enable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/enable-aws-service-access.html)

  The following example enables trusted access for Amazon Account Management in the calling account's organization.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal account.amazonaws.com
  ```

  This command produces no output if it's successful.

------

# Enable a delegated admin account for Amazon Account Management

You enable a delegated admin account so you can call the Amazon Account Management API operations for other member accounts in Amazon Organizations. After you register a delegated admin account for your organization, users and roles in that account can call the Amazon CLI and Amazon SDK operations in the `account` namespace that can work in the Organizations mode by supporting an optional `AccountId` parameter.

To register a member account in your organization as a delegated admin account, use the following procedure.

------
#### [ Amazon CLI & SDKs ]

**To register a delegated admin account for the Account Management service**  
You can use the following commands to enable a delegated admin for the Account Management service.

**Minimum permissions**  
To perform these tasks, you must meet the following requirements:  
+ You can perform this only from the organization's management account.
+ Your organization must have [all features enabled](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_support-all-features.html).
+ You must have [enabled trusted access for Account Management in your organization](using-orgs-trusted-access.md).

You must specify the following service principal:

```
account.amazonaws.com
```
+ Amazon CLI: [register-delegated-administrator](https://docs.amazonaws.cn/cli/latest/reference/organizations/register-delegated-administrator.html)

  The following example registers a member account of the organization as a delegated admin for the Account Management service. 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal account.amazonaws.com
  ```

  This command produces no output if it's successful.

  After you run this command, you can use credentials from account 123456789012 to call Account Management Amazon CLI and SDK API operations that use the `--account-id` parameter to reference member accounts in an organization.

------
#### [ Amazon Web Services Management Console ]

This task isn't supported in the Amazon Account Management management console. You can perform this task only by using the Amazon CLI or an API operation from one of the Amazon SDKs.

------

# When to use Amazon Control Tower


Amazon Organizations is the foundational service that enables you to centrally manage and secure your entire Amazon environment. A crucial component of this Amazon Organizations-centric approach is Amazon Control Tower. Amazon Control Tower acts as a management console within Organizations, providing a streamlined way to set up and govern a secure, multi-account Amazon environment by applying prescriptive best practices.

This security best practices approach provided by Amazon Control Tower extends the core capabilities of Amazon Organizations. Amazon Control Tower applies a set of preventive and detective guardrails to help ensure your organization and accounts remain aligned with recommended security and compliance standards.

By establishing a well-architected Amazon Organizations structure with Amazon Control Tower, you can quickly deploy a scalable, secure, and compliant Amazon environment. This centralized approach to cloud management and governance is essential for enterprises looking to harness the full power of the Amazon Web Services Cloud while maintaining the highest standards of security and compliance.

For more information, see [What is Amazon Control Tower?](https://docs.amazonaws.cn/controltower/latest/userguide/what-is-control-tower.html) in the *Amazon Control Tower User Guide*.

# Understanding API modes of operation


The API operations that work with an Amazon Web Services account's attributes always work in one of two modes of operation:
+ **Standalone context** – this mode is used when a user or role in an account accesses or changes an account attribute in the ***same account***. The standalone context mode is automatically used when you ***don't*** include the `AccountId` parameter when you call one of the Account Management Amazon CLI or Amazon SDK operations.
+ **Organizations context** – this mode is used when a user or role in one account in an organization accesses or changes an account attribute in a different member account in the same organization. The organizations context mode is automatically used when you ***do*** include the `AccountId` parameter when you call one of the Account Management Amazon CLI or Amazon SDK operations. You can call the operations in this mode from only the management account of the organization, or the delegated admin account for Account Management.

The Amazon CLI and Amazon SDK operations can work in either standalone or organizations context.
+ If you ***don't*** include the `AccountId` parameter, then the operation runs in the standalone context and automatically applies the request to the account you used to make the request. This is true whether or not the account is a member of an organization.
+ If you do include the `AccountId` parameter, then the operation runs in the organizations context, and the operation works on the specified Organizations account.
  + If the account calling the operation is the management account or the delegated admin account for the Account Management service, then you can specify any member account of that organization in the `AccountId` parameter to update the specified account.
  + The only account in an organization that can call one of the alternate contact operations and specify its own account number in the `AccountId` parameter is the account specified as the [delegated admin account](using-orgs-delegated-admin.md) for the Account Management service. Any other account, including the management account, receives an `AccessDenied` exception.
+ If you run an operation in standalone mode, then you must be permitted to run the operation with an IAM policy that includes a `Resource` element of either `"*"` to allow all resources, or an [ARN that uses the syntax for a standalone account](#account-arn-standalone).
+ If you run an operation in organizations mode, then you must be permitted to run the operation with an IAM policy that includes a `Resource` element of either `"*"` to allow all resources, or an [ARN that uses the syntax for a member account in an organization](#account-arn-organizations).

## Granting permissions to update account attributes


As with most Amazon operations, you grant permissions to add, update, or delete account attributes for Amazon Web Services accounts by using [IAM permission policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html). When you attach an IAM permission policy to an IAM principal (either a user or role), you specify which actions that principal can perform on which resources, and under what conditions.

The following are some Account Management specific considerations for creating a permissions policy.

### Amazon Resource Name format for Amazon Web Services accounts

+ The [Amazon Resource Name (ARN)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) for an Amazon Web Services account that you can include in the `Resource` element of a policy statement is constructed differently based on whether the account you want to reference is a standalone account or an account that is in an organization. See the previous section on [Understanding API modes of operation](#manage-acct-api-modes-of-operation).
  + <a name="account-arn-standalone"></a>An account ARN for a standalone account:

    ```
    arn:aws-cn:account::{AccountId}:account
    ```

    You must use this format when you run an account attributes operation in standalone mode by not including the `AccountId` parameter.
  + <a name="account-arn-organizations"></a>An account ARN for a member account in an organization:

    ```
    arn:aws-cn:account::{ManagementAccountId}:account/o-{OrganizationId}/{AccountId}
    ```

    You must use this format when you run an account attributes operation in organizations mode by including the `AccountId` parameter.

### Context keys for IAM policies


The Account Management service also provides several [Account Management service-specific condition keys](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-conditionkeys) that provide fine-grained control over the permissions you grant.

#### `account:AccountResourceOrgPaths`


The context key `account:AccountResourceOrgPaths` lets you specify a path through your organization's hierarchy to a specific organizational unit (OU). Only member accounts that are contained by that OU match the condition. The following example snippet restricts the policy to apply to only accounts that are in either of two specified OUs.

Because `account:AccountResourceOrgPaths` is a multi-valued string type, you must use the [`ForAnyValue` or `ForAllValues` multi-value string operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions). Also, note that the prefix on the condition key is `account`, even though you're referencing paths to OUs in an organization.

```
"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgPaths": [
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*", 
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"
        ]
    }
}
```

#### `account:AccountResourceOrgTags`


The context key `account:AccountResourceOrgTags` lets you reference the tags that can be attached to an account in an organization. A tag is a key/value string pair that you can use to categorize and label the resources in your account. For more information about tagging, see [Tag Editor](https://docs.amazonaws.cn/ARG/latest/userguide/tag-editor.html) in the *Amazon Resource Groups User Guide*. For information about using tags as part of an attribute-based access control strategy, see [What is ABAC for Amazon](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. The following example snippet restricts the policy to apply to only accounts in an organization that have the tag with the key `project` and a value of either `blue` or `red`.

Because `account:AccountResourceOrgTags` is a multi-valued string type, you must use the [`ForAnyValue` or `ForAllValues` multi-value string operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions). Also, note that the prefix on the condition key is `account`, even though you're referencing the tags on an organization's member account.

```
"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgTags/project": [
            "blue", 
            "red"
        ]
    }
}
```

**Note**  
You can attach tags to only an account in an organization. You can't attach tags to a standalone Amazon Web Services account.
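The two API modes, the two account ARN formats, and the `ForAnyValue:StringLike` conditions on `account:AccountResourceOrgPaths` and `account:AccountResourceOrgTags` described above can be exercised together in a small policy simulator. This is an added example, not Account Management or IAM code: the `Org` model, the `string_like` matcher, the `PermissionError` used to stand in for `AccessDenied`, and every account, organization and OU id are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Org:
    """Constructed model of an organization; all ids below are placeholders."""
    org_id: str
    management_account: str
    delegated_admin: str    # "" when no delegated admin is registered
    paths: dict             # member id -> path as account:AccountResourceOrgPaths exposes it
    tags: dict              # member id -> {tag key: value}

def string_like(pattern, value):
    """IAM StringLike: '*' matches any run, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def resolve_request(caller, org, account_id=None):
    """(mode, resource ARN) that IAM evaluates; PermissionError models AccessDenied."""
    if account_id is None:                                   # standalone context
        return "standalone", f"arn:aws-cn:account::{caller}:account"
    if org is None or caller not in (org.management_account, org.delegated_admin):
        raise PermissionError("AccessDenied: AccountId needs management or delegated admin")
    if account_id not in org.paths:
        raise PermissionError("AccessDenied: not a member of this organization")
    if account_id == caller and caller != org.delegated_admin:
        raise PermissionError("AccessDenied: only the delegated admin may target itself")
    return "organizations", f"arn:aws-cn:account::{org.management_account}:account/{org.org_id}/{account_id}"

def condition_matches(condition, org, account_id):
    """ForAnyValue:StringLike over the multi-valued keys; org is None in standalone mode,
    where the keys carry no values, so any condition on them fails."""
    for key, patterns in condition.get("ForAnyValue:StringLike", {}).items():
        values = []                                          # absent key -> no match
        if org is not None and key == "account:AccountResourceOrgPaths":
            values = [org.paths[account_id]]
        elif org is not None and key.startswith("account:AccountResourceOrgTags/"):
            tag = org.tags.get(account_id, {}).get(key.split("/", 1)[1])
            values = [tag] if tag is not None else []
        if not any(string_like(p, v) for p in patterns for v in values):
            return False
    return True

def is_allowed(statement, caller, org, account_id=None):
    """True when the Allow statement covers the call; AccessDenied cases propagate."""
    mode, arn = resolve_request(caller, org, account_id)
    resources = statement["Resource"]
    resources = [resources] if isinstance(resources, str) else resources
    if not any(string_like(r, arn) for r in resources):
        return False
    return condition_matches(statement.get("Condition", {}),
                             org if mode == "organizations" else None, account_id)

# Constructed sample organization and policy (OU ids follow the page's snippet).
ORG = Org("o-aa111bb222", "111111111111", "222222222222",
          paths={"111111111111": "o-aa111bb222/r-a1b2/",
                 "222222222222": "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/",
                 "333333333333": "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/",
                 "444444444444": "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h333/"},
          tags={"333333333333": {"project": "red"}, "444444444444": {"project": "green"}})
OU_POLICY = {"Effect": "Allow", "Action": "account:PutAlternateContact", "Resource": "*",
             "Condition": {"ForAnyValue:StringLike": {"account:AccountResourceOrgPaths": [
                 "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*",
                 "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"]}}}
```

Running `is_allowed(OU_POLICY, "222222222222", ORG, "333333333333")` shows the delegated admin reaching an account under the second OU, while the same call without `account_id` is denied because the org-path key has no value in standalone mode.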