AWS offers services that let you manage access to your cloud resources from other accounts and from external authentication services. In this section, you will learn about AWS Organizations, which allows you to combine the management and administration of multiple AWS accounts under a single administrative domain.
You will also review the Resource Access Manager service from AWS. This was covered in Chapter 7 and is used in configuring networking connections from one account to another.
AWS Organizations is used to create and manage accounts, provision resources, manage security, govern access, centrally manage your accounts using policies, enforce compliance policies, control costs, consolidate billing, and configure AWS services across multiple accounts. It is an account management service that consolidates multiple AWS accounts into an organization that can be created and centrally managed. An organization is a collection of AWS accounts arranged in a hierarchy for ease of management. AWS Organizations is a global service available in all AWS regions worldwide, meaning that accounts can reside in any region and still be managed under a single organization. An organization is a single management location used to create new AWS accounts, link existing accounts, and share resources among the accounts. It also lets you centralize the logs of all your accounts and serves as a single point for setting the policies that govern how those accounts are managed. AWS Organizations is a no-charge offering; users are billed only for the resources utilized and consumed in each account.
By consolidating multiple accounts into a single organization, your company consolidates billing into a single payment for all your AWS accounts. Organizations can share and isolate resources between accounts, and the service centrally enforces security policies.
Each account is a container that holds your resources in AWS. The account structure allows you to create and manage AWS resources and provides the administrative capabilities used for access control and billing.
There is added flexibility when a company creates multiple accounts and manages them with AWS Organizations, including billing boundaries, resource isolation, division of resources, and management of groups and teams.
The organization's management account is the master account used to create and administer the service. It allows you to create accounts, invite and manage invitations for other accounts to join your organization, and delete accounts from your organization. The management account is where you attach policies to entities such as the administrative root, organizational units (OUs), and the other accounts within your organization, as shown in Figure 8.10. The management account is the master billing account for all accounts in the organization. It has ultimate control over the security settings, infrastructure operations, and financial policies that may be assigned. Once an account has been designated as the management account, that designation cannot be changed later.

Member accounts are all the accounts that are managed by the single management account in an organization. The administrator of the management account creates the member accounts by inviting existing accounts to join or by creating new accounts. Note that a member account is allowed to belong to only one organization. However, member accounts can be moved to other organizations by first removing them from the current organization and then migrating them to a different organization.

The management account contains the administrative root. The administrative root sits at the top of the hierarchy and is used for all management activities such as creating organizational units. The OUs are used to group accounts. OUs are commonly used to group departments, business units, or application types such as security or monitoring together, allowing all OU members to be managed as a single entity. OUs can be nested up to five deep for more granular functions such as development, test, and operations.
FIGURE 8.10 AWS Organizations
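The hierarchy described above (administrative root, OUs nested at most five deep, member accounts that belong to a single organization, and policies attached at any of those levels) can be modelled in a few lines of code. The following Python is an added illustration written for this section, not code from the book or from AWS; it uses no AWS API. The account IDs, OU names and policy contents are constructed sample values, and a "policy" is simplified to the set of actions it allows. The way the model combines policies goes slightly beyond the text: it computes an account's effective permissions as the intersection of the policies on the path from the root through each OU to the account, which is how service control policies in AWS Organizations combine across levels; a level with no policy attached is treated here as imposing no restriction, which is a simplification of this example rather than AWS behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_OU_DEPTH = 5   # OUs can be nested up to five deep


@dataclass
class Node:
    """Administrative root, organizational unit, or member account."""
    node_id: str
    kind: str                                   # "root", "ou" or "account"
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    # Simplification used in this example: a policy is the set of actions it allows.
    policies: List[Set[str]] = field(default_factory=list)


class Organization:
    # Shared registry enforcing "a member account belongs to only one organization".
    _account_owner: Dict[str, "Organization"] = {}

    def __init__(self, management_account_id: str) -> None:
        self.management_account_id = management_account_id   # fixed once designated
        self.root = Node("r-root", "root")                     # administrative root
        self.nodes: Dict[str, Node] = {self.root.node_id: self.root}

    def _attach(self, node: Node, parent: Node) -> None:
        node.parent = parent
        parent.children.append(node)
        self.nodes[node.node_id] = node

    def ou_depth(self, node: Node) -> int:
        """Count the OUs on the path from this node up to (excluding) the root."""
        depth = 0
        while node is not None and node.kind != "root":
            if node.kind == "ou":
                depth += 1
            node = node.parent
        return depth

    def create_ou(self, ou_id: str, parent_id: str) -> Node:
        parent = self.nodes[parent_id]
        if parent.kind == "account":
            raise ValueError("OUs can only be created under the root or another OU")
        if self.ou_depth(parent) + 1 > MAX_OU_DEPTH:
            raise ValueError(f"OU nesting limit of {MAX_OU_DEPTH} exceeded")
        ou = Node(ou_id, "ou")
        self._attach(ou, parent)
        return ou

    def add_account(self, account_id: str, parent_id: str) -> Node:
        owner = Organization._account_owner.get(account_id)
        if owner is not None and owner is not self:
            raise ValueError(f"account {account_id} already belongs to another organization")
        if account_id in self.nodes:
            raise ValueError(f"account {account_id} is already in this organization")
        acct = Node(account_id, "account")
        self._attach(acct, self.nodes[parent_id])
        Organization._account_owner[account_id] = self
        return acct

    def remove_account(self, account_id: str) -> None:
        """Leave the organization; after this the account may join another one."""
        acct = self.nodes.pop(account_id)
        acct.parent.children.remove(acct)
        acct.parent = None
        del Organization._account_owner[account_id]

    def move_account(self, account_id: str, new_parent_id: str) -> None:
        """Move an account between OUs inside this organization."""
        acct = self.nodes[account_id]
        acct.parent.children.remove(acct)
        self._attach(acct, self.nodes[new_parent_id])

    def attach_policy(self, node_id: str, allowed_actions: Set[str]) -> None:
        self.nodes[node_id].policies.append(set(allowed_actions))

    def effective_allowed(self, account_id: str) -> Optional[Set[str]]:
        """Intersect the policies found at every level from the account up to the root.
        None means no level on the path carried a policy (unrestricted in this model)."""
        node = self.nodes[account_id]
        effective: Optional[Set[str]] = None
        while node is not None:
            if node.policies:
                allowed_here = set().union(*node.policies)
                effective = allowed_here if effective is None else effective & allowed_here
            node = node.parent
        return effective


def build_sample_org() -> Organization:
    """Constructed sample: root -> ou-workloads -> ou-dev -> one member account."""
    org = Organization("111111111111")          # constructed management account id
    org.attach_policy("r-root", {"s3:GetObject", "s3:PutObject",
                                 "ec2:RunInstances", "iam:CreateUser"})
    org.create_ou("ou-workloads", "r-root")
    org.attach_policy("ou-workloads", {"s3:GetObject", "s3:PutObject", "ec2:RunInstances"})
    org.create_ou("ou-dev", "ou-workloads")
    org.add_account("222222222222", "ou-dev")   # constructed member account id
    org.attach_policy("222222222222", {"s3:GetObject", "ec2:RunInstances", "iam:CreateUser"})
    return org


if __name__ == "__main__":
    org = build_sample_org()
    print(sorted(org.effective_allowed("222222222222")))   # ['ec2:RunInstances', 's3:GetObject']
```

The sample shows why the OU layer matters for security: `iam:CreateUser` is allowed at the root and again on the account itself, but the OU in between does not allow it, so the account's effective permissions exclude it. Moving the account to a different OU, or removing it from the organization and joining another, changes its effective permissions in exactly the way the text describes.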