Centrally manage and govern your environment as you scale your AWS resources
AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.
In addition, AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge.
Quickly scale your workloads
AWS Organizations helps you quickly scale your environment by allowing you to programmatically create new AWS accounts. An AWS account is a container for your resources. Using multiple accounts gives you built-in security boundaries. It also empowers your teams by providing them designated accounts, and you can automatically provision resources and permissions using AWS CloudFormation StackSets.
Provide custom environments for different workloads
You can use Organizations to apply policies that give your teams the freedom to build with the resources they need, while staying within the safe boundaries you set. By organizing accounts into organizational units (OUs), which are groups of accounts that serve an application or service, you can apply service control policies (SCPs) to create targeted governance boundaries for your OUs.
Centrally secure and audit your environment across accounts
Manage auditing at scale using AWS CloudTrail to create an immutable log of all events from accounts. You can enforce and monitor backup requirements with AWS Backup, or centrally define your recommended configuration criteria across resources, AWS Regions, and accounts with AWS Config. You can also use AWS Control Tower to establish cross-account security audits, or manage and view policies applied across accounts.
In addition, you can protect your resources by centrally managing security services, such as detecting threats with Amazon GuardDuty, or reviewing unintended access with AWS IAM Access Analyzer.
Simplify permission management and access control
Simplify user-based permission management for everyone in your organization with AWS IAM Identity Center (successor to AWS SSO) and your Active Directory. You can apply least-privilege practices by creating custom permissions for job categories. You can also control access to AWS services by applying service control policies (SCPs) to users, accounts, or OUs.
Efficiently provision resources across accounts
You can reduce resource duplication by sharing critical resources within your organization using AWS Resource Access Manager (RAM). Organizations also helps you meet your software license agreements with AWS License Manager, and maintain a catalog of IT services and custom products with AWS Service Catalog.
How it Works
Automate the creation of AWS accounts and categorize workloads using groups
You can automate the creation of new AWS accounts when you need to quickly launch new workloads, adding them to user-defined groups in your organization for instant security policy application, touchless infrastructure deployments and auditing. For example, you can create separate groups to categorize development and production accounts, and then use AWS CloudFormation StackSets to provision services and permissions to each group.
Implement and enforce audit and compliance policies
You can apply SCPs to ensure that users in your accounts only perform actions that meet your security and compliance requirements. Additionally, you can create a central log of all actions performed across your organization using AWS CloudTrail, view and enforce standard resource configurations across accounts and AWS Regions with AWS Config, and automatically apply regular backups with AWS Backup. You can also use AWS Control Tower to apply pre-packaged governance rules for security, operations, and compliance for ongoing governance of your AWS workloads.
Provide tools and access for your security teams while encouraging development
You can use AWS Organizations to create a Security group and provide them read-only access to all of your resources to identify and mitigate security concerns. In addition, you can provide them permissions to manage Amazon GuardDuty so they can actively monitor and mitigate threats to your workloads, and IAM Access Analyzer to quickly identify unintended access to your resources.
Share common resources across accounts
AWS Organizations makes it easy for you to share critical central resources across your accounts. For example, you can share your central AWS Directory Service Managed Microsoft Active Directory so that applications can access your central identity store. Use AWS Service Catalog to share IT services hosted in designated accounts so users can quickly discover and deploy approved services. Additionally, you can ensure application resources are created on your Amazon Virtual Private Cloud (VPC) subnets by centrally defining them once and sharing them across your organization using AWS Resource Access Manager.
“Using AWS Organizations, we’re able to accelerate development by giving teams their own environments in separate accounts, allowing them to progress simultaneously without impacting other teams or pipelines. We’re able to group accounts by business units using organizational units, and we can support three common development stages for applications. As a result, we were able to accelerate projects onboarded to cloud by 5X, reduce number of IAM permission tickets by 10X, and experienced 3X fewer stability issues. This is all made possible using simple APIs from AWS Organizations.”
Gaurav Jain, Director, Cloud Platform - FactSet
“Using AWS Organizations, GoDaddy is able to implement consistent security guardrails across accounts, while giving our application teams the flexibility to build at their own accelerated pace. For example, we utilize AWS Config at the organization level to monitor and collect infrastructure configuration details. We can view and maintain costs as teams develop new applications, and provision specific development environments by giving teams accounts for sandbox, test, and production stages. We’ve built custom applications that help developers confidently deploy resources to GoDaddy compliance standards, and can easily distribute them to accounts using the AWS Service Catalog integration."
Ketan Patel, Senior Director, Software Development - GoDaddy
“GE uses AWS Identity Services to support their global enterprise and allow their businesses to operate securely in the cloud. AWS Organizations and Service Control Policies (SCP) provide top-down governance and allows for the delegation of identity based and resource-based policy administration to each business unit. This model allows the businesses to move independently and operate at scale to solve today’s industrial challenges.”
Matthew Green, Senior Director Cloud Architecture - GE
“We made it easier for our finance department to track cloud costs using AWS Organizations, as it provided them with a single bill and allowed us to qualify for volume discounts and lower pricing from AWS savings plans. In addition, using AWS IAM Identity Center with AWS Organizations allowed us to centralize authentication to our Identity provider (IdP), which has been a massive improvement on a daily basis for our employees so they don't have different sets of credentials for accessing multiple AWS accounts. Our infrastructure security team was also able to centralize access management, resulting in an increase in platform security and a decrease in operational costs."
Rocco Zanni, CTO - Spreaker
“We started using AWS Organizations to manage the accounts for our multi-account environment and simplify our billing. We have also greatly simplified our access management with the AWS IAM Identity Center integration. AWS Organizations enables us to isolate workloads with similar risk profiles within their own account, to identify ownership of accounts via account tags, and enforce controls with Service Control Policies that cannot be overridden by the administrators of the member accounts. We now deliver new accounts quickly and securely freeing our developers to focus on business solutions.”
Jaime Villegas, Head of Corporative Services - Bancolombia