Amazon services that you can use with Amazon Organizations
With Amazon Organizations you can perform account management activities at scale by consolidating multiple Amazon Web Services accounts into a single organization. Consolidating accounts simplifies how you use other Amazon services. You can leverage the multi-account management services available in Amazon Organizations with select Amazon services to perform tasks on all accounts that are members of your organization.
The following table lists Amazon services that you can use with Amazon Organizations, and the benefit of using each service on an organization-wide level.
Trusted access – You can enable a compatible Amazon service to perform operations across all of the Amazon Web Services accounts in your organization. For more information, see Using Amazon Organizations with other Amazon services.
Delegated administrator for Amazon services – A compatible Amazon service can register an Amazon member account in the organization as an administrator for the organization's accounts in that service. For more information, see Delegated administrator for Amazon services that work with Organizations.
| Amazon service | Benefits of using with Amazon Organizations | Supports trusted access | Supports delegated administrator |
|---|---|---|---|
|
Manage the details and metadata for all of the Amazon Web Services accounts for your organization. |
You can create, update, and delete the alternate contact information for all of the accounts in your organization. |
|
|
|
Amazon Application Migration Service Amazon Application Migration Service allows companies to lift-and-shift to Amazon a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows. |
You can manage large-scale migrations across multiple accounts. |
|
|
|
Download Amazon security compliance reports such as ISO and PCI reports. |
You can accept agreements on behalf of all accounts within your organization. |
|
|
|
Automate the continuous collection of evidence to help you audit your use of cloud services. |
Continuously audit your Amazon use across multiple accounts in your organization to simplify how you assess risk and compliance. |
|
|
|
Manage and monitor backups across all of the accounts in your organization. |
You can configure and manage backup plans for your entire organization, or for groups of accounts in your organization units (OUs). You can centrally monitor backups for all of your accounts. |
|
|
|
Amazon Billing and Cost Management Provides an overview of your Amazon cloud financial management data and to help you make faster and more informed decisions. |
Allows split cost allocation data to retrieve Amazon Organizations information, if applicable, and collect telemetry data for the split cost allocation data services that you has opted into. For more information, see What is Amazon Billing and Cost Management? in the Billing and Cost Management user guide. |
|
|
|
Amazon CloudFormation Stacksets Create, update, or delete stacks across multiple accounts and Regions with a single operation. |
A user in the management account or a delegated administrator account can create a stack set with service-managed permissions that deploys stack instances to accounts in your organization. |
|
|
|
Enable governance, compliance, and operational and risk auditing of your account. |
A user in a management account or delegated administrator account can create an organization trail or event data store that logs all events for all accounts in the organization. |
|
|
|
Get Amazon compute optimization recommendations. |
You can analyze all resources that are in your organization's accounts to get optimization recommendations. For more information, see Accounts Supported by Compute Optimizer in the Amazon Compute Optimizer User Guide. |
|
|
|
Assess, audit, and evaluate the configurations of your Amazon resources. |
You can get an organization-wide view of your compliance status. You can also use Amazon Config API operations to manage Amazon Config rules and conformance packs across all Amazon Web Services accounts in your organization. You can use a delegated administrator account to aggregate resource configuration and compliance data from all member accounts of an organization in Amazon Organizations. For more information, see Register a delegated administrator in the Amazon Config Developer Guide. |
|
Learn more: |
|
Set up and govern a secure, compliant, multi-account Amazon environment. |
You can set up a landing zone, a multi-account environment for all of your Amazon resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your Amazon Web Services accounts. For more information, see How Amazon Control Tower and Manage Accounts Through Amazon Organizations in the Amazon Control Tower User Guide. |
|
|
|
Gather cost recommendations across Amazon optimization products. |
You can easily identify, filter, and aggregate Amazon cost optimization recommendations across your Amazon Organizations member accounts and Amazon Regions. For more information, see Cost Optimization Hub in the Cost Optimization Hub user guide. |
|
|
|
Generate visualizations from your log data to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. |
You can integrate Amazon Detective with Amazon Organizations to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts. |
|
|
|
Analyze operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. Users are notified when DevOps Guru detects an operational issue or risk. |
You can integrate with Amazon Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain organization-wide health of all monitored applications. |
|
|
|
Set up and run directories in the Amazon Cloud or connect your Amazon resources with an existing on-premises Microsoft Active Directory. |
You can integrate Amazon Directory Service with Amazon Organizations for seamless directory sharing across multiple accounts and any VPC in a Region. |
|
|
|
Monitor your Amazon resources and the applications that you run on Amazon in real time. |
You can enable sharing of all Amazon EventBridge events, formerly Amazon CloudWatch Events, across all accounts in your organization. For more information, see Sending and receiving Amazon EventBridge events between Amazon Web Services accounts in the Amazon EventBridge User Guide. |
|
|
|
Centrally configure and manage firewall rules for web applications across your accounts and applications. |
You can centrally configure and manage Amazon WAF rules across the accounts in your organization. |
|
|
|
GuardDuty is a continuous security monitoring service that analyzes and processes information from a variety of data sources. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized and malicious activity within your Amazon environment. |
You can designate a member account to view and manage GuardDuty for all of the accounts in your organization. Adding member accounts automatically enables GuardDuty for those accounts in the selected Amazon Web Services Region. You can also automate GuardDuty activation for new accounts added to your organization. For more information, see GuardDuty and Organizations in the Amazon GuardDuty User Guide. |
|
|
|
Get visibility into events that might affect your resource performance or availability issues for Amazon services. |
You can aggregate Amazon Health events across accounts in your organization. |
|
|
|
Amazon Identity and Access Management Securely control access to Amazon resources. |
You can use service last accessed data in IAM to help you better understand Amazon activity across your organization. You can use this data to create and update service control policies (SCPs) that restrict access to only the Amazon services that your organization's accounts use. For an example, see Using Data to Refine Permissions for an Organizational Unit in the IAM User Guide. |
|
|
|
Analyze resource-based policies in your Amazon environment to identify any policies that grant access to a principal outside of your zone of trust. |
You can designate a member account to be an administrator for IAM Access Analyzer. For more information, see Enabling Access Analyzer in the IAM User Guide. |
|
|
|
Automatically scan your Amazon workloads for vulnerabilities to discover Amazon EC2 instances and container images that reside in Amazon ECR for software vulnerabilities and unintended network exposure. |
Delegate an administrator to enable or disable scans for member accounts, view aggregated finding data from the entire organization, create and manage suppression rules. For more information, see Managing multiple accounts with Amazon Organizations in the Amazon Inspector User Guide. |
|
|
|
Streamline the process of bringing software licenses to the cloud. |
You can enable cross-account discovery of computing resources throughout your organization. |
|
|
|
Discovers and classifies your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues. |
You can configure Amazon Macie for all of the accounts in your organization to get a consolidated view of all of your data in Amazon S3, across all accounts from a designated Macie administrator account. You can configure Macie to automatically protect resources in new accounts as your organization grows. You are alerted to remediate policy misconfigurations across S3 buckets throughout your organization. |
|
|
|
Amazon Web Services Marketplace A curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses. |
You can share licenses for your Amazon Web Services Marketplace subscriptions and purchases across the accounts in your organization. |
|
|
|
Amazon Web Services Marketplace Private Marketplace Provides you with a broad catalog of products available in Amazon Web Services Marketplace, along with fine-grained control of those products. |
Enables you to create multiple private marketplace experiences that are associated with your entire organization, one or more OUs, or one or more accounts in your organization, each with its own set of approved products. Your Amazon administrators can also apply company branding to each private marketplace experience with your company or team’s logo, messaging, and color scheme. |
|
|
|
Enables you to centrally manage your Amazon Cloud WAN core network and your Amazon Transit Gateway network across Amazon accounts, Regions, and on-premises locations. |
You can centrally manage and monitor your global networks with transit gateways and their attached resources in multiple Amazon accounts within your organization. |
|
|
|
Amazon Q Developer is a generative artificial intelligence (AI) powered conversational assistant that can help you understand, build, extend, and operate Amazon applications. |
The paid subscription version of Amazon Q Developer requires Organizations integration. |
|
|
|
Amazon Resource Access Manager Share specified Amazon resources that you own with other accounts. |
You can share resources within your organization without exchanging additional invitations. Resources you can share include Route 53 Resolver rules, on-demand capacity reservations, and more. For information about sharing capacity reservations, see the Amazon EC2 User Guide or the Amazon EC2 User Guide. For a list of shareable resources, see Shareable Resources in the Amazon RAM User Guide. |
|
|
|
Explore your resources using an internet search engine-like experience. |
Enable multi-account search. |
|
|
|
View your security state in Amazon and check your environment against security industry standards and best practices. |
You can automatically enable Security Hub for all of your organization's accounts, including new accounts as they are added. This increases the coverage for Security Hub checks and findings, which provides a more accurate picture of your overall security posture. |
|
|
|
Get visibility into your Amazon S3 storage usage and activity metrics with actionable recommendations to optimize storage. |
Configure Amazon S3 Storage Lens to gain visibility into Amazon S3 storage usage and activity trends, and recommendations for all member accounts in your organization. |
|
|
|
Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. |
Create a data lake that collects logs and events across your accounts. |
|
|
|
Create and manage catalogs of IT services that are approved for use on Amazon. |
You can share portfolios and copy products across accounts more easily, without sharing portfolio IDs. |
|
|
|
View and manage your service quotas, also referred to as limits, from a central location. |
You can create a quota request template to automatically request a quota increase when accounts in your organization are created. |
|
|
|
Provide single sign-on access for all of your accounts and cloud applications. |
Users can sign in to the Amazon access portal with their corporate credentials and access resources in their assigned management account or member accounts. |
|
|
|
Enable visibility and control of your Amazon resources. |
You can synchronize operations data across all Amazon Web Services accounts in your organization by using Systems Manager Explorer. You can manage change templates, approvals and reporting for all member accounts in your organization from a delegated administrator account by using Systems Manager Change Manager. |
|
|
|
Use standardize tags across resources in your organization's accounts. |
You can create tag policies to define tagging rules for specific resources and resource types and attach those policies to organization units and accounts to enforce those rules. |
|
|
|
Trusted Advisor inspects your Amazon environment and makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps. |
Run Trusted Advisor checks for all of the Amazon Web Services accounts in your organization. |
|
|
|
The Amazon Well-Architected Tool helps you document the state of your workloads and compares them to the latest Amazon architectural best practices. |
Enables both Amazon WA Tool and Organizations customers to simplify the process of sharing Amazon WA Tool resources with other members of their organization. |
|
|
|
Amazon VPC IP Address Manager (IPAM) IPAM is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your Amazon workloads. |
Monitor IP address usage throughout your organization and share IP address pools across member accounts. |
|
|
|
Amazon VPC Reachability Analyzer Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). |
Trace paths across accounts in your organizations. |
|
|