AWS Resource Hierarchy Explained: Organizations, Accounts, Regions, AZs, and ARNs
Every AWS resource lives somewhere specific: inside an account, in a region, sometimes in an Availability Zone. Understanding this layered structure is how you reason about who can access what, which account gets the bill, and why a resource seems to disappear when you switch regions in the console.
Beginners often hit confusing moments. A resource is “missing.” A permission that should work does not. A bill shows up in the wrong place. Almost always, the answer is in the resource hierarchy. By the end of this page, you will understand how AWS Organizations, accounts, regions, Availability Zones, and ARNs fit together so you can avoid those mistakes from day one.
Simple explanation
A mailing address goes from broad to specific: country, state, city, street, building number. AWS works the same way. Organization, account, region, Availability Zone, resource. Each layer narrows the scope until you arrive at one specific thing.
From largest to smallest, here is the full hierarchy:
- Organization: an optional wrapper that groups multiple AWS accounts under one roof
- Organizational Units (OUs): folders inside an Organization that group accounts by purpose (like “Production” or “Security”)
- AWS Accounts: the main boundary, where each account has its own users, roles, billing, and resources
- Regions: geographic locations where you deploy resources (like
us-east-1oreu-west-2) - Availability Zones: isolated data centers within a region (like
us-east-1a) - Individual resources: the actual things you create, such as EC2 instances, S3 buckets, and Lambda functions
- ARNs: the unique address for every resource, encoding where it sits in this hierarchy
Each layer inherits rules from the layers above it. An account inside an OU inherits the policies applied to that OU. A resource inside a region inherits the account’s billing and IAM boundaries. This nesting is what makes the hierarchy powerful, and what makes it confusing when you skip a layer.
How AWS resource hierarchy works
AWS Organizations
AWS Organizations is an optional service that lets you manage multiple accounts as a group. You create a management account (the root of the Organization), then create or invite member accounts into it.
Organizations is not required. Many individuals and small teams use a single AWS account with no Organization at all. But as soon as you need consolidated billing, centralized access policies, or account-level isolation between workloads, Organizations becomes essential.
From the management account, you can apply Service Control Policies (SCPs) that restrict what member accounts are allowed to do. SCPs set a ceiling on permissions. They do not grant access; they only limit it.
Think of an SCP like a locked gate around a building. The gate controls which doors you can reach, but it does not unlock any of them. You still need IAM policies to actually open doors (grant permissions). An SCP that allows s3:* does not give anyone S3 access. It just means S3 access is not blocked at the Organization level.
Organizational Units (OUs)
OUs are folders inside an Organization. They let you group accounts by purpose so you can apply policies to many accounts at once instead of one at a time.
A common setup is to have OUs like “Production,” “Development,” “Security,” and “Sandbox.” You apply strict SCPs to the Production OU and more permissive ones to Sandbox. OUs can be nested, so an OU can contain other OUs.
OUs do not own resources. They have no IAM users or roles. They exist only inside AWS Organizations and serve purely as a grouping and policy-attachment mechanism.
AWS Accounts
The AWS account is the most important boundary in the hierarchy. Each account is a hard isolation boundary by default:
- IAM namespace: users, roles, and policies exist within one account and are not visible to other accounts
- Billing boundary: charges are attributed to the account where resources run (even under consolidated billing)
- Network boundary: the default VPC in each account is independent
- Resource boundary: resources in one account cannot be accessed from another account without explicit cross-account configuration
Common patterns include one account per environment (dev, staging, production), one per team, or one per workload. The accounts-as-boundaries model is the foundation of least-privilege architecture at scale.
Each AWS account is like a separate apartment in a building. Every apartment has its own lock, its own electricity meter, and its own furniture. A person in apartment A cannot walk into apartment B unless the tenant in B explicitly hands over a key. That is exactly how cross-account access works in AWS.
Regions
Within an account, resources are deployed to specific regions. Each region is an independent cluster of data centers in a geographic area, such as us-east-1 (Northern Virginia), eu-west-1 (Ireland), or ap-southeast-1 (Singapore).
Regions are separate deployment scopes. A Lambda function in us-east-1 does not exist in eu-west-2. When you switch regions in the AWS Console or change the --region flag in the AWS CLI, you see a completely different set of resources.
A few services are global and not tied to a region. Most notably, IAM, Route 53, and CloudFront. The rest are regional or zonal.
Imagine your company has warehouses in New York, London, and Singapore. Each warehouse has its own inventory and its own staff. If you ship a product to the New York warehouse, it does not appear in London. You have to go to the right warehouse to find it. AWS regions work the same way. Switching regions in the console is like walking into a different warehouse.
Availability Zones
Within a region, AWS operates multiple Availability Zones (AZs). Each AZ is one or more physically separate data centers with independent power, networking, and cooling.
Some resources are tied to a specific AZ. When you launch an EC2 instance, it runs in one AZ. When you create an EBS volume, it exists in one AZ and can only be attached to instances in that same AZ. Subnets in a VPC each belong to exactly one AZ.
Deploying across multiple AZs is how you build high availability on AWS. If one AZ goes down, the resources in other AZs keep running.
A region is a campus. Each AZ is a separate building on that campus, with its own power supply and its own entrance. If one building has a power outage, the other buildings keep running. That is why production workloads spread across at least two AZs.
Individual resources and ARNs
At the bottom of the hierarchy are the actual resources: an EC2 instance, an S3 bucket, a DynamoDB table, a Lambda function. Every resource belongs to a service, an account, and (for most services) a region.
Every AWS resource has a unique ARN (Amazon Resource Name) that encodes its position in the hierarchy:
arn:partition:service:region:account-id:resourceReal examples:
# An S3 bucket (region is omitted because bucket names are globally unique)
arn:aws:s3:::my-company-assets
# An IAM role (IAM is global, so region is omitted)
arn:aws:iam::123456789012:role/MyAppRole
# An EC2 instance in us-east-1
arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456
# A Lambda function in eu-west-1
arn:aws:lambda:eu-west-1:123456789012:function:my-function
# An RDS database instance in us-west-2
arn:aws:rds:us-west-2:123456789012:db:my-postgres-dbARNs are used in IAM policy statements to specify exactly which resources a permission applies to. Using specific ARNs rather than wildcards is a core part of least-privilege access control.
The ARN arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456 reads as: “In the AWS partition, in the EC2 service, in the us-east-1 region, in account 123456789012, there is an instance called i-0abc123def456.” If any part is wrong in your IAM policy, the permission will not match. Missing the region or using the wrong account ID are the two most common ARN mistakes.
# Get the ARN of your current IAM identity
aws sts get-caller-identity --query Arn --output text
# List all S3 buckets (ARNs can be inferred from the names)
aws s3api list-buckets --query 'Buckets[*].Name'Quick reference table
| Level | What it contains | Why it matters | Example |
|---|---|---|---|
| Organization | OUs and accounts | Consolidated billing, centralized policy control via SCPs | Acme Corp Organization |
| OU | Accounts (and nested OUs) | Group accounts for policy inheritance | Production OU, Sandbox OU |
| Account | Regions, resources, IAM identities | Hard isolation boundary for billing, IAM, and networking | Account 123456789012 (prod) |
| Region | Availability Zones and regional resources | Separate deployment scope, data residency, latency | us-east-1, eu-west-2 |
| Availability Zone | Zonal resources (EC2, EBS, subnets) | Physical isolation for high availability | us-east-1a, us-east-1b |
| Resource | The actual AWS resource | The thing you are building with, identified by an ARN | i-0abc123def456 (EC2 instance) |
Global vs regional vs zonal services
Not every AWS service works at the same scope. Knowing whether a service is global, regional, or zonal tells you where to find its resources and how to reference them in policies and CLI commands.
| Scope | Examples | What this means |
|---|---|---|
| Global | IAM, Route 53, CloudFront, AWS Organizations | No region in the ARN. Changes apply across all regions in the account. |
| Regional | S3, Lambda, SQS, DynamoDB, API Gateway, RDS | Resources exist in one specific region. You must specify the region in CLI commands. |
| Zonal | EC2 instances, EBS volumes, subnets | Tied to a specific AZ within a region. EBS volumes can only attach to EC2 instances in the same AZ. |
S3 bucket names are globally unique, meaning no two accounts anywhere in the world can share the same name. But the bucket itself is regional. When you create an S3 bucket, you choose a region and your data is stored there. It does not replicate to other regions unless you explicitly configure cross-region replication. Think of it like a phone number: the number is globally unique, but the phone itself sits in one physical location.
How this affects permissions, billing, and architecture
Permissions
IAM permissions are evaluated within an account. When someone makes an API call, AWS checks in this order:
- Do any SCPs from the Organization deny this action? If so, it is denied regardless of IAM policies.
- Does the principal have an IAM policy (identity-based or resource-based) that allows this action on this resource?
- Are there permission boundaries, session policies, or VPC endpoint policies that further restrict access?
An IAM policy that looks correct can still be blocked by an SCP at the Organization level. If you are debugging an AccessDenied error, always check SCPs first when the account is inside an Organization.
Think of every AWS API call as a door with three locks. The SCP is the first lock (Organization level). The IAM policy is the second lock (account level). Permission boundaries are the third lock (identity level). All three must allow the action for it to succeed. If even one says “deny,” the door stays shut.
Billing
AWS billing follows the account boundary. Each account accumulates its own charges. Under AWS Organizations with consolidated billing, all member accounts roll up into a single invoice on the management account, but the per-account cost breakdown is preserved.
Resource tags let you add further granularity. You can tag resources by team, project, or cost center and use Cost Explorer to break down spending by tag, account, region, or service.
Each account gets its own electricity meter (its own charges). Consolidated billing is like a landlord receiving one combined bill for the building but still seeing each tenant’s usage. Tags are like labeling each appliance so you know exactly what is driving the cost up.
Isolation
Accounts are the strongest isolation boundary in AWS. Resources in one account cannot reach resources in another account by default. This separation applies to IAM, networking, and data. You must explicitly configure cross-account access (using IAM roles, resource policies, or services like AWS RAM) to allow it.
Regions add another layer of isolation. A VPC in us-east-1 is entirely separate from a VPC in eu-west-1, even in the same account. Cross-region communication requires explicit networking configuration.
“I created a security group but it is not showing up.” Before you re-create anything, check your region. The AWS Console remembers your last-used region, and it might not be the one you expect. This single mistake causes more wasted debugging time than almost any other beginner issue.
Troubleshooting
Most “missing resource” confusion comes from being in the wrong region or the wrong account. Before you assume a resource was deleted:
- Check which account you are signed into (
aws sts get-caller-identity) - Check which region your console or CLI is pointing at
- Remember that global services (like IAM roles) appear in all regions, but regional resources do not
When to use this mental model
The resource hierarchy is not abstract theory. It is the mental model you need for everyday AWS work. Use it when you are:
- Designing a multi-account setup: deciding how many accounts to create and how to organize them with OUs. See AWS Organizations for patterns.
- Debugging why a role works in one account but not another: IAM roles are per-account. A role in account A does not exist in account B. Cross-account access requires explicit trust configuration.
- Choosing the right region: consider latency, compliance, and service availability.
- Figuring out why a resource is “missing”: check your account and region first. This solves most cases.
- Understanding a cost spike: billing is per-account. Use tags and Cost Explorer to trace unexpected charges to the right account, region, and service.
- Writing IAM policies: ARNs encode the hierarchy. A well-scoped policy uses specific ARNs, not wildcards. See principle of least privilege.
1. Which account am I in? and 2. Which region am I looking at? These two questions resolve the majority of “it is not working” and “I cannot find it” situations in AWS. Make them your default first step before investigating anything else.
AWS Organizations vs OUs vs accounts vs regions vs AZs
These five layers serve different purposes. Here is how they compare side by side:
| Layer | Required? | Owns resources? | Has IAM? | Has billing? | Primary purpose |
|---|---|---|---|---|---|
| Organization | No | No | No (managed through management account) | Consolidated billing | Multi-account governance and policy |
| OU | No | No | No | No | Group accounts for shared policy |
| Account | Yes (at least one) | Yes | Yes (own IAM namespace) | Yes (own charges) | Isolation, billing, and access boundary |
| Region | Yes (resources must be somewhere) | Contains regional resources | No (IAM is global) | Costs tracked per region | Geographic deployment scope |
| AZ | Depends on service | Contains zonal resources | No | No (rolled into region) | Physical fault isolation |
Organization = the company. OU = a department. Account = an office with its own locked door. Region = which city the office is in. AZ = which building in that city. If you can keep this mental map, the rest falls into place.
Common beginner mistakes
Confusing OUs with accounts. OUs do not own resources or have IAM users. They are folders for grouping accounts inside an Organization. You deploy workloads into accounts, not OUs.
Confusing accounts with environments. An account is not the same as an environment. You can run production inside a single account alongside dev, but using separate accounts gives much stronger isolation. The recommended practice is one account per environment.
Looking in the wrong region. Creating a resource in
us-east-1and then searching for it ineu-west-1is one of the most common beginner confusions. Always check that your console and CLI are set to the correct region.Assuming IAM is regional. IAM is a global service. Users, roles, and policies you create are available across all regions in your account. You do not need to recreate them in each region.
Using wildcard ARNs too broadly. Writing
“Resource”: ”*”in an IAM policy grants access to all resources of that type. Use specific ARNs to limit the blast radius of a compromised credential. See least-privilege for guidance.Misunderstanding S3 scope. S3 bucket names are globally unique across all AWS accounts worldwide, but buckets are regional. You cannot create a bucket with a name someone else is already using, even in a different account or region.
Assuming an SCP grants access. SCPs only restrict. They set a maximum permission boundary. You still need IAM policies to actually grant access within that boundary.
Example scenario
A startup called Acme uses AWS Organizations to manage three accounts:
- Dev account (111111111111), in the “Development” OU
- Staging account (222222222222), in the “Development” OU
- Production account (333333333333), in the “Production” OU
The Production OU has a strict SCP that denies all actions outside us-east-1 and eu-west-1. This prevents anyone from accidentally deploying production workloads to the wrong region, even if their IAM policy allows it.
In the production account, the main web application runs in us-east-1. EC2 instances are spread across us-east-1a and us-east-1b for high availability. An Application Load Balancer distributes traffic between them.
The application stores data in an S3 bucket named acme-prod-assets (globally unique, created in us-east-1) and reads from a DynamoDB table in the same region.
Organization (Acme) > Production OU > Production account (333333333333) > Region (us-east-1) > AZ (us-east-1a) > EC2 instance (i-0abc123def456). Every layer narrows the scope. The ARN captures this full address: arn:aws:ec2:us-east-1:333333333333:instance/i-0abc123def456.
Here is where each part of the hierarchy fits:
- IAM: the
WebAppRolerole exists in the production account (global within that account). Its policy grants read access to the S3 bucket and DynamoDB table using specific ARNs. - SCPs: the Production OU’s SCP limits all member accounts to two regions. Even an admin in the production account cannot launch resources in
ap-southeast-1. - Billing: the production account’s charges (EC2, S3, DynamoDB) appear on the consolidated bill under the management account, tagged by resource tags like
team:backendandenv:production. - ARNs: the EC2 instance is
arn:aws:ec2:us-east-1:333333333333:instance/i-0abc123def456. The S3 bucket isarn:aws:s3:::acme-prod-assets. The IAM role isarn:aws:iam::333333333333:role/WebAppRole.
A developer in the Dev account cannot access the production S3 bucket unless a cross-account bucket policy or IAM role trust is configured. This is the account boundary at work.
Frequently asked questions
What is the AWS resource hierarchy?
The AWS resource hierarchy is the layered structure that determines where resources live and how permissions, billing, and isolation are scoped. From top to bottom: an optional Organization contains Organizational Units (OUs), which contain accounts. Each account deploys resources into regions, and within a region, some resources are placed into specific Availability Zones. Every resource gets a unique ARN that encodes its position in this hierarchy.
What is the difference between an AWS account and an Organizational Unit?
An AWS account is an isolation boundary that owns resources, has its own IAM namespace, and receives its own bill. An Organizational Unit (OU) is a grouping mechanism inside AWS Organizations that lets you apply Service Control Policies to multiple accounts at once. OUs do not own resources and do not have their own IAM users. They are purely an organizational container for accounts.
Are AWS resources global or regional?
It depends on the service. Most AWS resources are regional, meaning they exist in a specific region and are not visible from other regions. A few services like IAM, Route 53, and CloudFront are global. Some resources like EC2 instances and EBS volumes are zonal, tied to a specific Availability Zone within a region. S3 bucket names are globally unique, but the buckets themselves are regional.
Why can I not see my resource in another region or account?
AWS resources are scoped to specific accounts and regions. If you created a resource in us-east-1, it will not appear when you are viewing eu-west-1. Similarly, resources in one account are invisible to another account by default. Always check that your console or CLI is pointed at the correct account and region before assuming a resource is missing.
What is an ARN and why does it matter?
An ARN (Amazon Resource Name) is a unique identifier for any AWS resource. The format is arn:partition:service:region:account-id:resource-type/resource-id. ARNs matter because IAM policies use them to specify exactly which resources a permission applies to. Using specific ARNs instead of wildcards is essential for least-privilege access control.