What is Amazon Organizations? - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon Organizations?

Centrally manage your environment as you scale your Amazon resources

Amazon Organizations helps you centrally manage and govern your environment as you grow and scale your Amazon resources. Using Organizations, you can create accounts and allocate resources, group accounts to organize your workflows, apply policies for governance, and simplify billing by using a single payment method for all of your accounts.

Organizations is integrated with other Amazon Web Services services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization. For more information, see Using Amazon Organizations with other Amazon Web Services services.

The following diagram shows a high-level explanation of how you can use Amazon Organizations:

  • Add accounts

  • Group accounts

  • Apply policies

  • Enable Amazon Web Services services.

This image displays how Amazon Organizations works: add accounts, group accounts, apply policies, and enable Amazon Web Services services.

Features for Amazon Organizations

Amazon Organizations offers the following features:

Manage your Amazon Web Services accounts

Amazon Web Services accounts are natural boundaries for permission, security, costs, and workloads. Using a multi-account environment is a recommended best-practice when scaling your cloud environment. You can simplify account creation by programmatically creating new accounts using the Amazon Command Line Interface (Amazon CLI), SDKs, or APIs, and centrally provision recommended resources and permissions to those accounts with Amazon CloudFormation StackSets.

Define and manage your organization

As you create new accounts, you can group them into organizational units (OUs), or groups of accounts that serve a single application or service. Apply tag polices to classify or track resources in your organization, and provide attribute-based access control for users or applications. In addition, you can delegate responsibility for supported Amazon Web Services services to accounts so users can manage them on behalf of your organization.

Secure and monitor your accounts

You can centrally provide tools and access for your security team to manage security needs on behalf of the organization. For example, you can provide read-only security access across accounts, detect and mitigate threats with Amazon GuardDuty, review unintended access to resources with IAM Access Analyzer, and secure sensitive data with Amazon Macie.

Control access and permissions

Set up Amazon IAM Identity Center to provide access to Amazon Web Services accounts and resources using your active directory, and customize permissions based on separate job roles. You can also apply organization policies to users, accounts, or OUs. For example, service control policies (SCPs) enable you to to control access to Amazon resources, services, and Regions within your organization. Chatbot policies enable you to control access to your organization's accounts from chat applications such as Slack and Microsoft Teams.

Share resources across accounts

You can share Amazon resources within your organization using Amazon Resource Access Manager (Amazon RAM). For example, you can create your Amazon Virtual Private Cloud (Amazon VPC) subnets once and share them across your organization. You can also centrally agree to software licenses with Amazon License Manager, and share a catalog of IT services and custom products across accounts with Amazon Service Catalog.

Audit your environment for compliance

You can activate Amazon CloudTrail across accounts, which creates a log of all activity in your cloud environment that cannot be turned off or modified by member accounts. In addition, you can set policies to enforce backups on your specified cadence with Amazon Backup, or define recommended configuration settings for resources across accounts and Amazon Web Services Regions with Amazon Config.

Centrally manage billing and costs

Organizations provides you with a single consolidated bill. In addition, you can view usage from resources across accounts and track costs using Amazon Cost Explorer, and optimize your usage of compute resources using Amazon Compute Optimizer.

Use cases for Amazon Organizations

The following are some use cases for Amazon Organizations:

Automate the creation of Amazon Web Services accounts and categorize workloads

You can automate the creation of Amazon Web Services accounts to quickly launch new workloads. Add the accounts to user-defined groups for instant security policy application, touchless infrastructure deployments, and auditing. Create separate groups to categorize development and production accounts and use Amazon CloudFormation StackSets to provision services and permissions to each group.

Define and enforce audit and compliance policies

You can apply service control policies (SCPs) to ensure that your users perform only the actions that meet your security and compliance requirements. Create a central log of all actions performed across your organization using Amazon CloudTrail. View and enforce standard resource configurations across accounts and Amazon Web Services Regions using Amazon Config. Automatically apply regular backups using Amazon Backup. Use Amazon Control Tower to apply pre-packaged governance rules for security, operations, and compliance for your Amazon workloads.

Provide tools and access for your Security teams while encouraging development

Create a Security group and provide it with read-only access to all of your resources to identify and mitigate security concerns. You can allow that group to manage Amazon GuardDuty so they can actively monitor and mitigate threats to your workloads, and IAM Access Analyzer to quickly identify unintended access to your resources.

Share common resources across accounts

Organizations makes it easy for you to share critical central resources across your accounts. For example, you can share your central Amazon Directory Service for Microsoft Active Directory so that applications can access your central identity store.

Share critical central resources across your accounts

Share your Amazon Directory Service for Microsoft Active Directory as a central identity store for your applications. Use Amazon Service Catalog to share IT services in designated accounts so users can quickly discover and deploy approved services. Ensure that application resources are created on your Amazon Virtual Private Cloud (Amazon VPC) subnets by centrally defining them once and sharing them across your organization using Amazon Resource Access Manager (Amazon RAM).