What Is AWS Organizations? Accounts, OUs, SCPs Explained
AWS Organizations is the service that lets you manage multiple AWS accounts under one roof. You get one bill, a shared policy layer for guardrails, and a hierarchy of accounts grouped by team, environment, or compliance boundary. If you have more than one AWS account (or plan to), Organizations is how you keep them governed and connected.
Simple explanation
Think of AWS Organizations like a company org chart, but for AWS accounts instead of people. There is one headquarters (the management account) that oversees everything, departments (OUs) that group teams together, and company-wide policies (SCPs) that flow from the top down.
The whole model comes down to five pieces:
- One management account that created the organization. It handles billing and administrative control. You do not run workloads here.
- Multiple member accounts, each a fully separate AWS environment with its own IAM, resources, and security boundary.
- Organizational Units (OUs) for grouping accounts. You might have a “Production” OU, a “Security” OU, and a “Non-Production” OU.
- Service Control Policies (SCPs) that cap what any account or OU can do. SCPs restrict permissions but never grant them. Attach one to an OU and every account inside inherits that restriction.
- One consolidated bill so all accounts share a single payment method. Usage across accounts combines toward volume pricing tiers, and Reserved Instances can apply across accounts.
If you remember nothing else: Organizations is the container that holds your accounts, OUs group them, and SCPs set the rules. Everything else (delegated administration, cross-account roles, Control Tower) builds on that foundation.
Why teams use AWS Organizations
A single AWS account is like one big open-plan office. Everyone shares the same space, the same budget line, and the same security perimeter. A developer who accidentally deletes a database table could wipe out production data. A billing spike from one team’s experiment hits the whole company. A compromised application puts every resource at risk.
Multiple accounts fix this by giving each team or environment its own locked room. Resources in one account are invisible to another account unless you explicitly set up cross-account access through role assumption. There is no accidental path from dev to production.
Organizations makes multi-account setups practical:
- Account isolation: a misconfigured security group in a dev account cannot affect a production account. The blast radius of any mistake or breach stays contained.
- Centralized governance: instead of configuring guardrails account by account, you apply Service Control Policies once at the OU level. Every account underneath inherits the restriction.
- Cost visibility: consolidated billing gives you one invoice, but Cost Explorer still breaks spending down per account. You can see exactly how much each team or environment costs without tagging gymnastics.
- Compliance and separation of duties: regulated workloads (HIPAA, PCI-DSS, SOC 2) can live in dedicated accounts with stricter controls, while less sensitive workloads stay in separate accounts with lighter guardrails.
- Blast radius reduction: if an attacker compromises one account, they get that account’s resources only. They cannot pivot to other accounts without explicitly granted cross-account access.
For a broader view of where account isolation fits in the AWS security model, see the shared responsibility model.
How AWS Organizations works
Management account
The management account is the account that created the organization. It is the only account that can create or remove member accounts, manage OUs, attach SCPs, and view the consolidated bill. Think of it as the building manager who holds the master keys but does not live in any of the apartments.
The management account has elevated privileges over every member account. Protect it aggressively: require MFA for all human access, keep workloads out of it entirely, and audit access regularly. A compromise of the management account puts every account in the organization at risk.
Here is the critical detail most beginners miss: SCPs do not apply to the management account itself. Any SCP you attach at the Root or OU level restricts member accounts but not the management account. This is the single biggest reason to keep the management account empty of workloads. You simply cannot enforce guardrails on it the same way you can on member accounts.
Member accounts
Every account other than the management account is a member account. Each member account is a fully independent AWS environment with its own IAM users and roles, its own resources, and its own root user. Member accounts are subject to SCPs applied at the OU or Root level above them.
You can create new member accounts directly from the management account, or invite existing standalone accounts to join. Invited accounts keep their existing resources and configuration. They simply gain an organizational relationship and become subject to SCPs.
Root and Organizational Units (OUs)
Every organization has a single Root, the top-level container. Below the Root, you create Organizational Units (OUs) to group accounts by purpose. OUs can be nested, so you can build a hierarchy that mirrors your company structure.
Policies applied to an OU inherit downward. If you attach a deny-region SCP to the Production OU, every account inside that OU (and every account inside any child OU) inherits the restriction. This makes OUs the natural grouping mechanism for governance. See restricting resource locations for a practical example of region restriction SCPs.
OUs are about governance, not just organization. The real power is that attaching a policy to an OU automatically applies it to every account inside. When you add a new account to that OU later, it inherits the same rules instantly.
Service Control Policies (SCPs)
Service Control Policies are the governance tool in Organizations. An SCP defines the maximum permissions any identity in a member account can have, including administrators and even the root user of that member account.
A good analogy: IAM policies are like giving someone a keycard to specific rooms in a building. SCPs are like locking certain floors entirely. Even if your keycard works for every room on floor 5, the SCP that locks floor 5 means you cannot get there at all.
Two things beginners commonly misunderstand:
- SCPs restrict but never grant. An SCP that allows
s3:*does not give anyone S3 access. It means S3 actions are not blocked by the SCP. The principal still needs an IAM policy that explicitly grants the action. SCPs and IAM work through intersection: both must allow the action. - SCPs do not apply to the management account. Every SCP you create only restricts member accounts. The management account is always exempt. This is not configurable.
The difference between IAM and Organizations is straightforward: IAM controls who can do what inside a single account. Organizations controls what entire accounts are allowed to do. IAM is the permissions layer. SCPs are the guardrails layer. Both must allow an action for it to succeed, following the principle of least privilege.
Consolidated billing
All accounts in the organization share a single payment method attached to the management account. The management account receives one consolidated bill. Two practical benefits come from this:
- Volume pricing: usage across all accounts aggregates toward AWS pricing tiers. Ten accounts each using 100 GB of S3 get priced as 1 TB, not ten separate 100 GB buckets.
- RI and Savings Plan sharing: Reserved Instances and Savings Plans purchased in any account can apply to matching usage in other accounts, maximizing utilization.
Each account still appears separately in Cost Explorer. You get one bill but full per-account visibility. For more on cost management, see how billing works.
Delegated administration
You do not have to log into the management account for day-to-day operations. AWS lets you delegate administration of specific services (like AWS Config, Security Hub, or GuardDuty) to a designated member account. Your security team can manage Security Hub from a dedicated security account instead of needing management account access.
Delegated administration reduces how often anyone needs to touch the management account. The less you log into it, the smaller your attack surface.
How it works in practice
Here is the typical workflow from “I have one account” to “I have a governed multi-account setup”:
- Create or invite accounts. Start by creating dedicated accounts for your core needs: a security/audit account, a log archive account, and at least one workload account per environment.
- Group accounts into OUs. Create OUs that reflect how you govern. Typically this means Security, Infrastructure, and Workloads OUs. Under Workloads, separate Production and Non-Production.
- Apply baseline guardrails with SCPs. Attach SCPs at the Root level that apply everywhere: deny leaving the organization, deny disabling CloudTrail, deny creating resources in unapproved regions. These are your non-negotiable safety nets.
- Set up security and log archive accounts. Route CloudTrail logs, AWS Config data, and GuardDuty findings to a centralized log archive account. Run security tooling from a dedicated security account.
- Enable cross-account access with roles. Use role assumption for access between accounts. Use the
aws:PrincipalOrgIDcondition key in trust policies so new accounts automatically get access without policy updates. - Monitor and govern centrally. Use delegated administration to run Security Hub, AWS Config, and GuardDuty from your security account. Review the consolidated bill and per-account spending regularly.
This operating model scales from a 3-account startup to a 300-account enterprise. The structure stays the same. You add more accounts and OUs as your organization grows. For a deeper look at separating environments, see dev vs staging vs production.
Example AWS Organizations structure
Here is a realistic account layout for a small-to-mid-sized company. Notice how the structure mirrors governance boundaries, not team reporting lines:
Root (management account: org-management@company.com)
│
├── Security OU
│ ├── log-archive (centralized CloudTrail, Config, and access logs)
│ └── security-tooling (Security Hub, GuardDuty, delegated admin)
│
├── Infrastructure OU
│ ├── shared-networking (Transit Gateway, DNS, VPN)
│ └── shared-services (CI/CD tooling, container registries)
│
└── Workloads OU
├── Production OU
│ ├── prod-api (backend services)
│ └── prod-frontend (web application)
│
└── Non-Production OU
├── dev-api (development environment)
├── staging-api (pre-production testing)
└── sandbox (experimentation, strict budget alerts)In this layout, SCPs on the Production OU enforce stricter controls (deny unapproved regions, deny deleting critical resources), while Non-Production accounts have lighter guardrails to allow experimentation. The Security OU accounts are locked down tightly and managed by a dedicated team.
You do not need this many accounts on day one. Start with four or five (management, security, log archive, production workload, non-production workload) and expand when real complexity justifies it.
When to use AWS Organizations
Many teams start with a single AWS account and eventually hit its limits. Here are the clearest signals that you need Organizations:
| Situation | Why Organizations helps |
|---|---|
| Dev and production resources in the same account | Separate accounts provide hard isolation. A dev mistake cannot touch production. |
| Multiple teams sharing one account | Per-team accounts give clear cost attribution and independent blast radius. |
| Regulated workloads (HIPAA, PCI-DSS, SOC 2) | Dedicated accounts with strict SCPs isolate compliance scope from other workloads. |
| Centralized logging and security tooling | Dedicated security and log archive accounts with cross-account collection. |
| Need to restrict regions or services globally | One SCP on the Root applies to every account. No per-role configuration needed. |
| Cost visibility across teams or products | Consolidated billing with per-account breakdown in Cost Explorer. |
| Third-party vendor or partner access | Separate sandbox accounts with limited SCPs reduce risk of vendor overreach. |
If any of these situations apply, Organizations is the right tool. If you only have one account and one small team, you may not need it yet, but plan for it.
AWS Organizations vs IAM vs Control Tower
These three services are commonly confused because they all relate to access control and governance. The simplest way to think about them: Organizations is the building, IAM is the lock on each door, and Control Tower is the property management company that sets up the building for you.
| Service | What it does | Scope |
|---|---|---|
| AWS Organizations | Multi-account governance layer that manages accounts, OUs, SCPs, and consolidated billing | Across all accounts in the organization |
| IAM | Identity and permissions inside a single account: users, roles, policies | Within one account |
| AWS Control Tower | Opinionated landing zone built on top of Organizations that automates account provisioning, applies pre-built guardrails, and manages baseline configuration | Across all accounts, using Organizations underneath |
Organizations gives you the building blocks. IAM handles permissions within each block. Control Tower is an optional automation layer that sets up Organizations, OUs, guardrails, and account provisioning with opinionated defaults. You can use Organizations without Control Tower. You cannot use Control Tower without Organizations.
For teams just starting with multiple accounts, Organizations alone is enough. Add Control Tower later if you want automated account vending and pre-built guardrails. To understand the IAM side in depth, see the IAM overview.
Common mistakes
Running workloads in the management account. The management account has elevated privileges and SCPs do not apply to it. Any application compromise there puts the entire organization at risk.
Safer practice: Keep the management account empty. Run all workloads in member accounts.Overcomplicating the account structure too early. Creating dozens of OUs and accounts before you have real workloads creates management overhead with no benefit.
Safer practice: Start simple with Security, Infrastructure, and Workloads OUs. Add complexity when your organization actually needs it.Misunderstanding what SCPs can and cannot do. SCPs restrict permissions but never grant them. An SCP that allows
s3:*does not give anyone S3 access. It just means the SCP is not blocking it.
Safer practice: Always pair SCPs with IAM policies. Use SCPs for deny-based guardrails and IAM for actual permission grants.Forgetting the management account exception. SCPs do not restrict the management account. Teams assume their deny-region SCP applies everywhere, but the management account is exempt.
Safer practice: Treat the management account as a special case. Apply IAM-level controls there manually, and minimize who has access.No baseline guardrails from day one. Without a Root-level SCP that denies dangerous actions (leaving the org, disabling CloudTrail, creating resources in unapproved regions), new accounts start with no safety net.
Safer practice: Apply a baseline deny SCP at the Root immediately. It is much harder to add guardrails after accounts have been running without them.No delegated administration strategy. If every administrative action requires logging into the management account, you increase risk and create a bottleneck.
Safer practice: Delegate administration of services like Security Hub, AWS Config, and GuardDuty to a dedicated security account. Minimize management account logins.
CLI examples
Create a new member account
Account creation is asynchronous. You get a request ID to check the status.
aws organizations create-account \
--email prod-api@company.com \
--account-name "prod-api"Check the creation status:
aws organizations describe-create-account-status \
--create-account-request-id car-exampleidList all accounts in the organization
aws organizations list-accounts \
--query 'Accounts[*].[Name,Id,Status]' \
--output tableMove an account to an OU
# Find the Root ID and OU IDs
aws organizations list-roots
aws organizations list-organizational-units-for-parent \
--parent-id r-xxxx
# Move the account
aws organizations move-account \
--account-id 123456789012 \
--source-parent-id r-xxxx \
--destination-parent-id ou-xxxx-yyyyyyyyAttach an SCP to an OU
aws organizations attach-policy \
--policy-id p-examplescpid \
--target-id ou-xxxx-yyyyyyyySummary
- AWS Organizations manages multiple accounts under centralized governance and one consolidated bill.
- The management account is the administrative hub. Keep workloads out of it and protect it aggressively.
- Organizational Units group accounts hierarchically. Policies on an OU apply to all accounts inside it.
- Service Control Policies set maximum permissions for member accounts. They restrict but never grant.
- SCPs do not apply to the management account. This is the most important exception to understand.
- Consolidated billing combines usage across accounts for volume discounts and RI/Savings Plan sharing.
- Delegated administration lets you manage security services from a dedicated account instead of the management account.
- IAM handles permissions inside an account. Organizations handles governance across accounts. Control Tower automates the setup.
Frequently asked questions
Is AWS Organizations free?
Yes. AWS Organizations itself has no additional charge. You pay only for the AWS resources used in each member account. Consolidated billing, OUs, and SCPs are all included at no extra cost.
Can I add an existing AWS account to an organization?
Yes. You send an invitation from the management account, and the existing account owner accepts it. Once accepted, the account becomes a member and is subject to any SCPs you apply. The account keeps its existing resources and configuration.
What is the management account?
The management account (formerly called the master account) is the account that created the organization. It has special privileges: it can create and remove member accounts, apply SCPs, and manages consolidated billing. SCPs do not restrict the management account itself, which is why you should keep workloads out of it.
What is the difference between IAM policies and SCPs?
IAM policies grant permissions to individual users and roles inside a single account. SCPs set the maximum permissions that any identity in a member account can ever have. SCPs restrict but never grant. A principal still needs an IAM policy to do anything. Think of IAM as the permissions layer and SCPs as the guardrails layer.
Do I need AWS Control Tower if I use AWS Organizations?
Not necessarily. AWS Organizations gives you the building blocks (accounts, OUs, SCPs, and consolidated billing). Control Tower is an opinionated layer on top that automates landing zone setup, applies pre-built guardrails, and manages account provisioning. Small teams can start with Organizations alone and add Control Tower later if they want more automation.