Centrally manage and govern your environment as you scale your AWS resources
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.
In addition, AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge.
Quickly scale your workloads
AWS Organizations helps you quickly scale your environment by allowing you to programmatically create new AWS accounts. An AWS account is a container for your resources. Using multiple accounts gives you built-in security boundaries. It also empowers your teams by providing them designated accounts, and you can automatically provision resources and permissions using AWS CloudFormation StackSets.
Provide custom environments for different workloads
You can use Organizations to apply policies that give your teams the freedom to build with the resources they need, while staying within the safe boundaries you set. By organizing accounts into organizational units (OUs), which are groups of accounts that serve an application or service, you can apply service control policies (SCPs) to create targeted governance boundaries for your OUs.
Centrally secure and audit your environment across accounts
Manage auditing at scale using AWS CloudTrail to create an immutable log of all events from accounts. You can enforce and monitor backup requirements with AWS Backup, or centrally define your recommended configuration criteria across resources, AWS Regions, and accounts with AWS Config. You can also use AWS Control Tower to establish cross-account security audits, or manage and view policies applied across accounts.
In addition, you can protect your resources by centrally managing security services, such as detecting threats with Amazon GuardDuty, or reviewing unintended access with AWS IAM Access Analyzer.
Simplify permission management and access control
Simplify user-based permission management for everyone in your organization with AWS Single Sign-On (SSO) and your Active Directory. You can apply least-privilege practices by creating custom permissions for job categories. You can also control access to AWS services by applying service control policies (SCPs) to users, accounts, or OUs.
Efficiently provision resources across accounts
You can reduce resource duplication by sharing critical resources within your organization using AWS Resource Access Manager (RAM). Organizations also helps you meet your software license agreements with AWS License Manager, and maintain a catalog of IT services and custom products with AWS Service Catalog.
How it Works
Automate the creation of AWS accounts and categorize workloads using groups
You can automate the creation of new AWS accounts when you need to quickly launch new workloads, adding them to user-defined groups in your organization for instant security policy application, touchless infrastructure deployments and auditing. For example, you can create separate groups to categorize development and production accounts, and then use AWS CloudFormation StackSets to provision services and permissions to each group.
Implement and enforce audit and compliance policies
You can apply SCPs to ensure that users in your accounts only perform actions that meet your security and compliance requirements. Additionally, you can create a central log of all actions performed across your organization using AWS CloudTrail, view and enforce standard resource configurations across accounts and AWS Regions with AWS Config, and automatically apply regular backups with AWS Backup. You can also use AWS Control Tower to apply pre-packaged governance rules for security, operations, and compliance for ongoing governance of your AWS workloads.
Provide tools and access for your security teams while encouraging development
You can use AWS Organizations to create a Security group and provide them read-only access to all of your resources to identify and mitigate security concerns. In addition, you can provide them permissions to manage Amazon GuardDuty so they can actively monitor and mitigate threats to your workloads, and IAM Access Analyzer to quickly identify unintended access to your resources.
Share common resources across accounts
AWS Organizations makes it easy for you to share critical central resources across your accounts. For example, you can share your central AWS Directory Service Managed Microsoft Active Directory so that applications can access your central identity store. Use AWS Service Catalog to share IT services hosted in designated accounts so users can quickly discover and deploy approved services. Additionally, you can ensure application resources are created on your Amazon Virtual Private Cloud (VPC) subnets by centrally defining them once and sharing them across your organization using AWS Resource Access Manager.