1.2 AWS Organizations, SCPs, and Multi-Account Strategy
Key Takeaways
- AWS Organizations consolidates multiple accounts into a hierarchy of Organizational Units (OUs) with consolidated billing.
- Service Control Policies (SCPs) set maximum-permission guardrails at the OU or account level — they restrict, never grant.
- SCPs never affect the management (payer) account — only member accounts are subject to them.
- AWS Control Tower automates landing zones, guardrails, and account vending on top of Organizations.
- A multi-account strategy delivers blast-radius isolation, security boundaries, and clean cost attribution.
Quick Answer: AWS Organizations governs many accounts from one management account. Service Control Policies (SCPs) set the maximum permission ceiling for member accounts — they only restrict, never grant, and they never touch the management account. AWS Control Tower automates the whole landing zone. Use a multi-account design to isolate blast radius and simplify billing.
AWS Organizations
AWS Organizations is a free governance service that groups accounts into an organization rooted at a single management (payer) account. Accounts are arranged in Organizational Units (OUs) — a tree up to five levels deep below the root.
| Feature | What It Delivers |
|---|---|
| Consolidated billing | One invoice; volume tiers and Reserved Instance / Savings Plan discounts shared across accounts |
| Organizational Units | Hierarchical grouping (Prod OU, Dev OU, Security OU) |
| Service Control Policies | Permission guardrails attached to root, OUs, or accounts |
| Programmatic accounts | CreateAccount API and Account Factory provisioning |
| Resource sharing | Cross-account sharing via AWS Resource Access Manager (RAM) |
Root (Management Account)
├── Security OU
│ ├── Log Archive Account
│ └── Security Tooling Account
├── Production OU
│ ├── Prod-App-A └── Prod-App-B
├── Development OU
│ └── Dev-Sandbox
└── Suspended OU (quarantine)
A recommended pattern keeps a dedicated Log Archive and Security Tooling account in a Security OU so audit logs are isolated from workload accounts.
Service Control Policies (SCPs)
SCPs define the maximum set of permissions for principals in member accounts. They are a ceiling, not a grant — an action still needs an IAM Allow to actually run.
SCP Rules to Memorize
| Rule | Why It Matters on the Exam |
|---|---|
| SCPs restrict, never grant | A user with an SCP-only setup can do nothing |
| Management account is immune | SCPs apply to member accounts only — never the payer |
| Apply to all principals | Includes each member account's root user |
Deny beats any IAM Allow | The standard explicit-deny precedence |
FullAWSAccess is attached by default | Remove or replace it to start denying |
SCPs come in two strategies: deny lists (allow everything, then explicitly deny — the default starting point) and allow lists (deny everything, then explicitly allow only approved services).
Region-Restriction SCP (classic question)
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyNonApprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": { "StringNotEquals": {
"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
}}
}]
}
On the Exam: "Prevent member accounts from launching resources outside approved Regions" or "block any instance type larger than
t3.large" → an SCP on the relevant OU. AWS Config rules are detective (they flag drift after the fact); SCPs are preventive.
AWS Control Tower
AWS Control Tower sits on top of Organizations and automates a best-practice landing zone.
| Capability | Detail |
|---|---|
| Landing zone | Preconfigured multi-account baseline (management, log archive, audit) |
| Guardrails / Controls | Preventive (SCPs) and detective (AWS Config rules); also proactive (CloudFormation hooks) |
| Account Factory | Self-service, policy-compliant account vending |
| Dashboard | Org-wide compliance and drift visibility |
Use Organizations alone when you need only basic consolidated billing and a few SCPs; choose Control Tower when you want an automated, audited landing zone with account vending.
Multi-Account Strategy Benefits
| Benefit | Explanation |
|---|---|
| Security isolation | A compromised account cannot reach the others |
| Blast-radius reduction | A bad deploy is contained to one account |
| Cost attribution | Per-team / per-project spend is unambiguous |
| Independent quotas | Each account has its own service limits |
| Compliance segmentation | PCI workloads sit in their own controlled account |
Common trap: SCPs do not replace IAM. A new account with a restrictive SCP and no IAM policies still cannot do anything — both layers must allow.
SCP Inheritance and Evaluation
SCPs are inherited down the OU tree, and the effective permission set at any account is the intersection of every SCP from the root down to that account, then intersected with IAM. Picture an account three levels deep: if the root SCP allows services A, B, and C, the parent OU's SCP allows only A and B, and the account-level SCP allows only A, then the account can use only service A — and even then only where IAM also allows it. This is why an over-tight SCP high in the tree can silently break every account beneath it, a frequent troubleshooting scenario ("users suddenly lost access in all accounts after an SCP change at the root").
A second subtlety: SCPs filter principal permissions but never affect resource-based policy grants made by AWS service-linked roles, and they do not apply to the service-linked roles AWS uses on your behalf for some operations. They also never restrict the management account, which is the deliberate escape hatch that keeps you from locking yourself out of the entire organization.
Cross-Account Access Patterns
Multi-account designs need controlled cross-account access. The two exam-favored mechanisms are IAM roles assumed via sts:AssumeRole (a workload in account A assumes a role in account B) and AWS Resource Access Manager (RAM) for sharing actual resources such as subnets, Transit Gateways, and License Manager configurations. A shared-services account commonly hosts central networking and shares its VPC subnets to workload accounts through RAM, avoiding duplicate VPCs.
Tagging, Cost, and Governance Glue
A mature organization layers complementary services on top of the account structure:
| Service | Role in a Multi-Account Org |
|---|---|
| Consolidated billing | One payer; shared volume and commitment discounts |
| AWS Config aggregator | Org-wide configuration and drift visibility |
| CloudTrail organization trail | Single immutable audit trail across all accounts |
| Tag policies | Enforce consistent cost-allocation tags |
| Backup policies | Centrally mandate AWS Backup plans |
Exam framing: When a prompt mixes "central governance," "consistent guardrails," and "automated new-account provisioning," the layered answer is Organizations (structure) + SCPs (guardrails) + Control Tower (automation) — not a single service doing everything.
An organization wants to guarantee that no IAM user or role in any development account can launch EC2 instances larger than t3.large, regardless of the user's IAM permissions. What is the BEST control?
Which statement about Service Control Policies is TRUE?