Using SCPs as Deny Lists – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

AWS Organizations, by default, attaches a managed SCP named FullAWSAccess to every root and OU structure upon creation. It is up to you to define additional SCPs at each level to limit the permissions as needed, by adding deny statements in the policies of these SCPs. For example, the following […]

Setting up SCPs – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

As mentioned earlier, the intention behind SCPs is similar to that of IAM permissions boundaries, that is, to limit the perimeter of what is allowed to be done at an account level, an OU level, or an organization level. SCPs offer central control over that maximum set of permissions that accounts in […]

Organizing Accounts into OUs – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

AWS Organizations also lets you arrange your AWS accounts in a logical, hierarchical structure that best reflects your own internal organizational structure. This is done by creating OUs that follow the structural model of your choice. Consider the following examples of different structures. In Figure 3.3, the […]

Tag Policies – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

Tag policies provide a means to centrally decide which tags are attached to the AWS resources across your organization. A tag policy consists of rules that define, for each tag, the tag key, including the capitalization preference (for example, costcenter or CostCenter), the tag values that are valid (this is optional), and whether non-compliant […]

AI Services Opt-Out Policies – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

This type of policy lets you decide whether you allow AI services to collect data when they’re being used across your organization. Some AI services provided by AWS, such as Amazon Lex, Amazon Polly, Amazon Rekognition, and more (for a complete list, please consult the AWS documentation) may store and collect […]

Management Policies – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

The other type of policy handled by AWS Organizations is management policies, which further subdivide into artificial intelligence (AI) services opt-out policies, backup policies, and tag policies. Management policies are inherited from the root of your organization down to the account level. The effective policy being applied at the account level is the […]

Introducing AWS Organizations – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

As was mentioned earlier, AWS Organizations is an account management service. Its role is to help large and complex organizations handle their AWS environment more efficiently. You can use AWS Organizations to manage security policies across accounts and filter out unwanted access, automate the creation of new accounts through its application programming […]

One Bill or Multiple Bills – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

By default, when you create a standalone AWS account, you must provide a payment method (for instance, a credit card). For large organizations, it usually doesn’t make sense to receive as many bills as they have AWS accounts. They usually demand a consolidated bill across all the accounts […]

Account – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

An AWS account (an account, in short) is a virtual environment where you access AWS services and deploy and use AWS resources. The resources you deploy in one account are isolated from the resources deployed in any other account unless you explicitly provide cross-account access (for more on cross-account access, see Chapter 1, Determining […]

Further Reading – Designing Networks for Complex Organizations – SAP-C02 Study Guide

You can check out the following links for more information about the topics that were covered in this chapter: […]

Chapter 3: Designing a Multi-Account AWS Environment for Complex Organizations

Determining a strategy to deploy your resources across multiple Amazon Web Services (AWS) accounts is essential for governance purposes. This can bring benefits not […]