AWS Organizations SCPs
Multi-Account Management
Centralized governance across thousands of AWS accounts.
Organizations Structure
Organization:
- Management Account (payer)
- Organizational Units (OUs)
- Accounts (production/dev/security)

Service Control Policies (SCPs):
- Deny specific actions (no-root, no-public-s3)
- Guardrails (prevent deletion)
- Mandatory tags enforcement
- Regional restrictions

Consolidated Billing:
- Volume discounts across accounts
- Single payment method
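The four SCP guardrail types listed above, written out as one policy document. This is an added example, not a policy from the original page; the allowed-region list (eu-west-1, eu-central-1), the required tag key (Project) and the exempt break-glass role name (OrgBreakGlassRole) are assumptions chosen for illustration, and the list of global services exempted from the region restriction is a starting point, not a complete one.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "DenyChangesToS3PublicAccessBlock",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GuardrailProtectLoggingAndSecurityTooling",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "guardduty:DeleteDetector"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RequireProjectTagOnNewInstances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Project": "true" }
      }
    },
    {
      "Sid": "DenyActionsOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgBreakGlassRole"
        }
      }
    }
  ]
}
```

Attach the policy to an OU rather than to individual accounts so that new accounts moved into the OU inherit it. Two properties of SCPs matter when reading this: they only ever restrict, never grant (an identity still needs an IAM policy allowing the action), and they do not apply to the management account, which is why the management account should hold no workloads. The Null condition on RunInstances also denies launches by automation that does not tag at creation time, so roll a tag-enforcement statement out to a sandbox OU first and watch for AccessDenied events in CloudTrail before applying it to production.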
Best Practices
- Separate environments (prod/dev/test)
- Security tooling account
- Log archive account
- Workshop accounts (sandbox)