For companies, organizations, and individuals with multiple AWS accounts, managing these accounts can be quite challenging and expensive. Fortunately, Amazon has made it easy with the AWS Organizations which helps to handle such accounts in a scalable way.
What is AWS Organizations?
AWS Organizations is an Amazon service that enables you to centrally manage multiple AWS accounts by consolidating them into an organization. The organizations enables you to create groups of accounts and apply policies to these groups. This will help you to centrally manage the accounts without the need for custom scripts and manual processes. This new AWS service includes consolidated billing and account management capabilities which help you to better manage the security, budget, and compliance requirements of your business.
AWS Organizations Terminology and Concepts
- Organization – It’s an entity that you create by combining a set of AWS accounts. All the member accounts are managed within the organization.
- Root – The parent container for all the accounts consolidated in an organization. The account is automatically created by AWS when you create an organization, and you only have one.
- Organization Unit – A container for accounts within a root. An Organization Unit can also contain other Organization Units, enabling you to create a hierarchy. This hierarchy resembles an inverted tree, with a root at the top, the OUs as the branches, and accounts as the leaves.
- Account – A normal AWS account that contains your AWS resources. You can create a new account or invite others to join your organization. The account that creates the organization is the master account while the other accounts are known as member accounts.
- Invitation – The process of inviting another account to join an organization. Only a master account can issue an invitation. The invited account becomes a member account once it accepts the invitation. Invitations can also be sent to current members when an organization wants to change something such as enabling all features.
- Handshake – A process through which two parties (the handshake initiator and the recipient) exchange information.
AWS Organization Feature Sets
AWS Organizations has two feature options:
- Consolidated Billing
- All Features
Consolidated Billing
This plan provides shared billing functionality which enables you to manage the billing for all accounts in the organization and benefit from volume discounts. Each organization has a master account that pays the charges for all the member accounts. Therefore, you can use the master account to consolidate and pay the charges incurred by member accounts of your organization. You can also get a cost report for each member account. However, each member account is independent of the other member accounts, and each account owner uses their own IAM username and password. Always secure the master account using a strong password and AWS Multi-Factor Authentication.
Consolidated Billing Process
The following steps present a summary of how to create an organization and how to view your consolidated bill:
- Open the AWS Billing and Cost Management console and choose Consolidated Billing, then click on Get started. You will be redirected to the AWS Organizations console
- On the AWS Organizations console, select Create Organization.
- Choose the master account and create an organization from that account
- Create member accounts for the organization. You can also invite existing accounts to join your organization.
- Each month, your master account will be charged for all the member accounts in a consolidated bill.
Benefits of Consolidated Billing
- Easy tracking – You can track the charges of all the member accounts in your organization, and also get a cost report for each
- One bill – Consolidated billing means you only get one bill for all the member accounts
- No extra fee – Consolidated billing does not come at an additional cost
- Combined usage – AWS offers volume pricing discounts by combining usage from all accounts in your organization.
However, the combined billing plan doesn’t include the advanced features of AWS Organizations. To access these features, you’ll need the ‘All Features’ plan.
All Features
With this plan, you get access to all the features of AWS Organizations. These include the shared billing functionality of the consolidated billing plan, plus advanced features that give you more control over your accounts. To enable all the features, you need the approval of all the invited member accounts.
Enabling All Features
When you begin the process of enabling all features, AWS Organizations sends a request for approval to each member account that you invited. You can only complete the process to enable all features once all the member accounts approve the request. If a member account declines the request, you can either remove the account or resend the request. You don’t need approval from the other accounts that you created using AWS Organizations, hence no requests are sent to them.
The Features
- Centralized management of all your member accounts – Just like under the consolidated billing plan, you can create new accounts or invite other accounts to be part of your organization. You can then centrally attach policies to the accounts to comply with the regulatory requirements.
- Consolidated billing – You can centrally manage the billing of your accounts and take advantage of volume discounts.
- AWS Identity and Access Management (IAM) integration and support – Member accounts users can access only what is allowed by both the IAM policies and AWS Organizations policies. A user cannot access an operation if any of the policies block it.
- Hierarchical grouping of your accounts – You can group accounts into Organizational Units (OUs) and attach different policies to each OU in order to meet your budgetary, security, and compliance needs.
- Control over the AWS services and API actions – You can control the AWS services and API actions that each account can access by ensuring the IAM Users and Groups in each account have restricted access. The Organization policies can override the administrators of members’ accounts.
- Integration with other AWS services – You can integrate other AWS services by granting them access to the accounts in your organization. The services can also perform actions on the accounts’ resources using IAM service-linked role.
- Data replication that is eventually consistent – AWS Organizations is eventually consistent. Therefore, you have to watch out for this when making changes to policies in your organizations.