Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Work Together Using AWS Organizations

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the uses and benefits of AWS Organizations.
  • Explain the uses and benefits of Consolidated Billing.

In a large organization, you might have multiple IT groups working independently. Each group has its own AWS account, complete with Reserved Instances, AWS CloudTrail logs, and a monthly bill. What if you could consolidate and manage all of that in one place?

Bring Accounts Together with AWS Organizations

AWS Organizations icon depicting a cube with three smaller squares connected to it against a pink background

AWS Organizations is a free account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

AWS Organizations enables you to:

  • Group accounts into organizational units (OUs).
  • Create service control policies (SCPs) that centrally allow or deny access to specified AWS services at the OU or individual account level.
  • Simplify account management by using application programming interfaces (APIs) to automate the creation and management of new AWS accounts.
  • Combine service usage across accounts to share volume pricing discounts, Reserved Instance discounts, and Savings Plans.
  • Simplify the billing process by setting up a single payment method for all AWS accounts in your organization.
  • ​​Centrally secure and monitor your accounts.
  • Audit your environment for compliance across accounts.

One Account to Rule Them All

The AWS account you use to create your organization is the management account. With this account, you can create other accounts in your organization, invite and manage invitations for other accounts, and remove accounts from your organization.

Other accounts that are part of an organization are called member accounts. A member account can belong to only one organization at a time.

Control Access with Service Control Policies

The management account can use service control policies (SCPs) to allow or deny access to AWS services for individual AWS accounts or for groups of accounts in an OU. The specified actions from a SCP are applied to all AWS Identity and Access Management (IAM) users, groups, and roles for an account, including the AWS account root user.

Note

With AWS Organizations, you still associate IAM policies with users, groups, and roles within an AWS account. With IAM policies, you can allow or deny access to AWS services, resources, or API actions. An IAM policy can be applied to IAM users, groups, or roles. Unlike a SCP, it can never restrict the AWS account root user.

Track Cost for Multiple Accounts with Consolidated Billing

A stack of three coins

AWS Organizations provides consolidated billing so you can track the combined costs of all the linked accounts in your organization. The master account receives the consolidated bill.

With consolidated billing, you can combine service usage from multiple accounts into a single invoice. This enables you to reach utilization discounts faster than each account would reach individually. You can also apply unused reserved instances from one account to another account’s instance usage.

Another benefit to consolidated billing—use the AWS Cost Management services discussed in the previous unit to analyze costs and create budgets for all of the linked accounts in the organization in one place.

In the next unit, you explore AWS Support plans.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback