AWS Organizations, OUs, and Service Control Policies

Learn how AWS Organizations enables multi-account management with Organizational Units, Service Control Policies, and cross-account resource sharing with RAM.

12 min

Introductory

Learning outcomes

By the end of this lesson, the learner can:

Explain what AWS Organizations does and why companies use it.
Describe Organizational Units (OUs) and how they group accounts.
Explain Service Control Policies (SCPs) and how they differ from IAM policies.
Connect Organizations to consolidated billing.

Why multiple accounts?

Most companies do not run everything in a single AWS account. Instead, they create separate accounts for different purposes:

Production account, live customer-facing workloads
Development account, experimentation and testing
Security account, centralized logging and audit tools
Billing account, the management (payer) account

Separate accounts provide blast radius isolation, a misconfiguration in development cannot affect production resources.

Note

AWS Organizations is the service that ties all these accounts together under one roof.

What AWS Organizations does

AWS Organizations lets you:

Create and manage multiple AWS accounts from a central management account
Group accounts into Organizational Units (OUs) for logical structure
Apply policies (like SCPs) across accounts or OUs
Consolidate billing, one bill for all accounts, with potential volume discounts

The account that creates the organization is the management account (formerly called the "master" account). It is the payer and the root of the organization tree.

Organizational Units (OUs)

An OU is a container for grouping AWS accounts within an organization. OUs can be nested inside other OUs, forming a tree structure.

Example structure:

Root (Management Account)
├── Production OU
│   ├── Prod-App-A account
│   └── Prod-App-B account
├── Development OU
│   ├── Dev-Team-1 account
│   └── Dev-Team-2 account
└── Security OU
    └── Security-Audit account

Why OUs matter: You can attach policies to an OU, and every account inside that OU inherits the policy. This is much more scalable than managing policies account by account.

Service Control Policies (SCPs)

SCPs are permission guardrails that you attach to OUs or individual accounts in AWS Organizations. They define the maximum permissions available to accounts.

Key rules about SCPs

SCPs do not grant permissions; they only restrict what is allowed
An action must be allowed by both the SCP and the IAM policy for it to work
SCPs apply to all IAM users and roles in the affected accounts (including the account's root user)
SCPs do not affect the management account itself

Warning

SCPs are guardrails, not grants. If an SCP denies an action, no IAM policy in that account can override it.

Example: Region restriction

A common SCP use case is restricting which Regions accounts can use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}

This SCP, attached to the Development OU, would prevent any account in that OU from launching resources outside us-east-1 and eu-west-1.

SCPs vs IAM policies

	Service Control Policy (SCP)	IAM Policy
Scope	Applies across entire accounts or OUs	Applies to specific users, groups, or roles within one account
What it does	Sets maximum permission boundaries	Grants or denies specific permissions
Can grant access?	No, only restricts	Yes, can explicitly allow actions
Managed in	AWS Organizations	IAM within each account
Affects root user?	Yes (in member accounts)	No, root user is not restricted by IAM policies

Think of it this way: SCPs set the outer fence. IAM policies define what you can do inside that fence.

Connection to consolidated billing

AWS Organizations also provides consolidated billing:

All accounts in the organization share a single bill
Usage across accounts is aggregated, which can unlock volume pricing discounts (e.g., S3 or EC2 tiered pricing)
The management account is the payer

Tip

The billing and governance features of Organizations are covered in more detail in Module 5.3: Billing, Pricing, and Support. The key point here is that Organizations connects account governance (SCPs, OUs) with billing consolidation.

AWS Resource Access Manager (RAM) lets you share specific AWS resources with other accounts in your organization (or external accounts) without requiring complex cross-account IAM roles.

VPC subnets — allow other accounts to launch EC2 instances in your shared subnets
Transit Gateways — share network connectivity across accounts
License Manager licenses — share software licenses across your organization
Route 53 Resolver rules — share DNS resolution configurations

Note

RAM complements Organizations: Organizations provides account governance and consolidated billing; RAM provides fine-grained resource sharing between accounts.

RAM vs cross-account IAM roles

Approach	Use when	Complexity
RAM	Sharing specific resources (subnets, Transit Gateways) with known accounts	Lower — resource owner retains control
Cross-account IAM roles	Programmatic access to services across accounts	Higher — requires trust policy configuration

Organizations, OUs, and SCPs define the guardrails. RAM enables practical resource sharing within those guardrails.

Summary

AWS Organizations centrally manages multiple AWS accounts
OUs group accounts logically (Production, Development, Security, etc.)
SCPs set maximum permission guardrails across accounts; they restrict, never grant
Both the SCP and the IAM policy must allow an action for it to succeed
Organizations also provides consolidated billing with potential volume discounts
AWS RAM enables cross-account resource sharing (subnets, Transit Gateways, licenses) within organization guardrails
The management account is the payer and organization root; SCPs do not restrict it

Quiz

Knowledge Check

1 / 4

What is the primary purpose of AWS Organizations?