Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon Organizations?

Amazon Organizations is an account management service that enables you to consolidate multiple Amazon Web Services accounts into an organization that you create and centrally manage. Amazon Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.

This user guide defines key concepts for Amazon Organizations, provides tutorials, and explains how to create and manage an organization.

Amazon Organizations features

Amazon Organizations offers the following features:

Centralized management of all of your Amazon Web Services accounts

You can combine your existing accounts into an organization that enables you to manage the accounts centrally. You can create accounts that automatically are a part of your organization, and you can invite other accounts to join your organization. You also can attach policies that affect some or all of your accounts.

Consolidated billing for all member accounts

Consolidated billing is a feature of Amazon Organizations. You can use the management account of your organization to consolidate and pay for all member accounts. In consolidated billing, management accounts can also access the billing information, account information, and account activity of member accounts in their organization. This information may be used for services such as Cost Explorer, which can help management accounts improve their organization’s cost performance.

Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs

You can group your accounts into organizational units (OUs) and attach different access policies to each OU. For example, if you have accounts that must access only the Amazon services that meet certain regulatory requirements, you can put those accounts into one OU. You then can attach a policy to that OU that blocks access to services that do not meet those regulatory requirements. You can nest OUs within other OUs to a depth of five levels, providing flexibility in how you structure your account groups.

Policies to centralize control over the Amazon services and API actions that each account can access

As an administrator of the management account of an organization, you can use service control policies (SCPs) to specify the maximum permissions for member accounts in the organization. In SCPs, you can restrict which Amazon services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to Amazon services, resources, and API actions. These restrictions even override the administrators of member accounts in the organization. When Amazon Organizations blocks access to a service, resource, or API action for a member account, a user or role in that account can't access it. This block remains in effect even if an administrator of a member account explicitly grants such permissions in an IAM policy.

For more information, see Service control policies (SCPs).

Policies to standardize tags across the resources in your organization's accounts

You can use tag policies to maintain consistent tags, including the preferred case treatment of tag keys and tag values.

For more information, see Tag policies.

Policies to control how Amazon artificial intelligence (AI) and machine learning services can collect and store data

You can use AI services opt-out policies to opt out of data collection and storage for any of the Amazon AI services that you don't want to use.

For more information, see AI services opt-out policies.

Policies that configure automatic backups for the resources in your organization's accounts

You can use backup policies to configure and automatically apply Amazon Backup plans to resources across all your organization's accounts.

For more information, see Backup policies.

Integration and support for Amazon Identity and Access Management (IAM)

IAM provides granular control over users and roles in individual accounts. Amazon Organizations expands that control to the account level by giving you control over what users and roles in an account or a group of accounts can do. The resulting permissions are the logical intersection of what is allowed by Amazon Organizations at the account level and the permissions that are explicitly granted by IAM at the user or role level within that account. In other words, the user can access only what is allowed by both the Amazon Organizations policies and IAM policies. If either blocks an operation, the user can't access that operation.
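The intersection rule described above and under service control policies, as an added example that is not part of the Amazon documentation: a simplified evaluator showing why an SCP deny on an OU overrides a member-account administrator, and why an SCP allow alone grants nothing. It goes slightly beyond the text by checking the SCPs at each level of the hierarchy (root, OU, account); it ignores `Resource`, `Condition` and `NotAction`, and all policy names and sample data are constructed.

```python
from fnmatch import fnmatchcase

def decision(policies, action):
    """Evaluate one policy set: explicit Deny wins; no matching Allow is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            # Action names are case-insensitive and may use * and ? wildcards.
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def is_permitted(scp_levels, iam_policies, action):
    """True only if the SCPs at every level and the IAM policies all allow the action."""
    if any(decision(level, action) != "Allow" for level in scp_levels):
        return False
    return decision(iam_policies, action) == "Allow"

# Constructed sample data (not taken from any real organization).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_EC2 = {"Statement": [{"Effect": "Deny", "Action": "ec2:*"}]}
SCP_LEVELS = [
    [ALLOW_ALL],            # SCPs attached to the root
    [ALLOW_ALL, DENY_EC2],  # SCPs attached to the OU holding the account
    [ALLOW_ALL],            # SCPs attached to the member account itself
]
MEMBER_ADMIN = [ALLOW_ALL]  # IAM policy of an administrator in the member account
S3_READER = [{"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}]

def demo():
    """Return the decision for each (principal, action) pair in the sample."""
    return {
        "admin ec2:RunInstances": is_permitted(SCP_LEVELS, MEMBER_ADMIN, "ec2:RunInstances"),
        "admin s3:GetObject": is_permitted(SCP_LEVELS, MEMBER_ADMIN, "s3:GetObject"),
        "reader s3:GetObject": is_permitted(SCP_LEVELS, S3_READER, "s3:GetObject"),
        "reader s3:PutObject": is_permitted(SCP_LEVELS, S3_READER, "s3:PutObject"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The member-account administrator is blocked from `ec2:RunInstances` by the OU-level deny, while the S3 reader is blocked from `s3:PutObject` only because IAM never granted it.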

Integration with other Amazon services

You can leverage the multi-account management services available in Amazon Organizations with select Amazon services to perform tasks on all accounts that are members of an organization. For a list of services and the benefits of using each service on an organization-wide level, see Amazon services that you can use with Amazon Organizations.

When you enable an Amazon service to perform tasks on your behalf in your organization's member accounts, Amazon Organizations creates an IAM service-linked role for that service in each member account. The service-linked role has predefined IAM permissions that allow the other Amazon service to perform specific tasks in your organization and its accounts. For this to work, all accounts in an organization automatically have a service-linked role. This role enables the Amazon Organizations service to create the service-linked roles required by Amazon services for which you enable trusted access. These additional service-linked roles are attached to IAM permission policies that enable the specified service to perform only those tasks that are required by your configuration choices. For more information, see Using Amazon Organizations with other Amazon services.

Global access

Amazon Organizations is a global service with a single endpoint that works from any and all Amazon Web Services Regions. You don't need to explicitly select a Region to operate in.

Data replication that is eventually consistent

Amazon Organizations, like many other Amazon services, is eventually consistent. Amazon Organizations achieves high availability by replicating data across multiple servers in Amazon data centers within its Region. If a request to change some data is successful, the change is committed and safely stored. However, the change must then be replicated across the multiple servers. For more information, see Changes that I make aren't always immediately visible.

Free to use

Amazon Organizations is a feature of your Amazon Web Services account offered at no additional charge. You are charged only when you access other Amazon services from the accounts in your organization. For information about the pricing of other Amazon products, see the Amazon Web Services pricing page.

Amazon Organizations pricing

Amazon Organizations is offered at no additional charge. You are charged only for Amazon resources that users and roles in your member accounts use. For example, you are charged the standard fees for Amazon EC2 instances that are used by users or roles in your member accounts. For information about the pricing of other Amazon services, see Amazon Pricing.

Accessing Amazon Organizations

You can work with Amazon Organizations in any of the following ways:

Amazon Web Services Management Console

The Amazon Organizations console is a browser-based interface that you can use to manage your organization and your Amazon resources. You can perform any task in your organization by using the console.

Amazon Command Line Tools

With the Amazon command line tools, you can issue commands at your system's command line to perform Amazon Organizations and Amazon tasks. Working with the command line can be faster and more convenient than using the console. The command line tools also are useful if you want to build scripts that perform Amazon tasks.

Amazon provides two sets of command line tools:

Amazon SDKs

The Amazon SDKs consist of libraries and sample code for various programming languages and platforms (for example, Java, Python, Ruby, .NET, iOS, and Android). The SDKs take care of tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the Amazon SDKs, including how to download and install them, see Tools for Amazon Web Services.

Amazon Organizations HTTPS Query API

The Amazon Organizations HTTPS Query API gives you programmatic access to Amazon Organizations and Amazon. The HTTPS Query API lets you issue HTTPS requests directly to the service. When you use the HTTPS API, you must include code to digitally sign requests using your credentials. For more information, see Calling the API by Making HTTP Query Requests and the Amazon Organizations API Reference.

Support and feedback for Amazon Organizations

We welcome your feedback. You can send your comments to feedback-awsorganizations@amazon.com. You can also post your feedback and questions in the Amazon Organizations support forum. For more information about the Amazon Support forums, see Forums Help.

Other Amazon resources

  • Amazon Training and Courses – Links to role-based and specialty courses as well as self-paced labs to help sharpen your Amazon skills and gain practical experience.

  • Amazon Developer Tools – Links to developer tools and resources that provide documentation, code examples, release notes, and other information to help you build innovative applications with Amazon.

  • Amazon Web Services Support Center – The hub for creating and managing your Amazon Support cases. Also includes links to other helpful resources, such as forums, technical FAQs, service health status, and Amazon Trusted Advisor.

  • Amazon Support – The primary webpage for information about Amazon Support, a one-on-one, fast-response support channel to help you build and run applications in the cloud.

  • Contact Us – A central contact point for inquiries concerning Amazon billing, account, events, abuse, and other issues.

  • Amazon Site Terms – Detailed information about our copyright and trademark; your account, license, and site access; and other topics.