The benefits are there for a company, but what about you?
What Is An AWS Organization
Amazon doesn’t expect you only to use one account, especially if you’re a business. So, in 2017, AWS released their Organizations service from beta. Organizations introduced many requested features, such as shared billing and service control policies. Since then, more services have added features compatible with the entire organization. CloudFormation StackSets, S3 Storage Lens, and AWS Config Aggregators, to name a few.
An organization consists of a management account, one or more organizational units (OUs), and children accounts:
- A management account can be any AWS account, though it is strongly suggested to have no other resources in the management account. Its only responsibility is to be the organization head and consolidated billing point.
- Organizational units are logical grouping of accounts. You can use them how you see fit to organize your accounts, even nesting OUs if you’d like.
Obviously, there are benefits to organizations with a dozen production workloads and hundreds of developers. But what about the single Amazon Web Services enthusiast?
How Does It Help You?
As a single person toying with AWS, it can be helpful to leverage Organizations for your benefit. When combined with services such as Control Tower and Cloud Formation, you have a robust set of tools at your disposal. With minimal effort, I can create a new account with my preferred VPC configuration using Account Factory in Control Tower. Then using Cloud Formation, I can make any resources I want in all my accounts or even just a particular OU. For example, I can automatically deploy an IAM user to use Terraform to all my accounts.
But why do I need more than one account?
For the same exact reason, a company would: Account segmentation and security. If I host my static S3 site in AWS, I want to keep it when I purge all the resources that I might use while prototyping or exploring a new AWS service. I may have two or three apps built in Amplify or a serverless app that I want other people to be able to contribute and manage, but I don’t want those people to be able to access my S3 bucket that I use for personal photo cold storage.
If you have more than one account, it is a no-brainer also to use AWS Organizations to manage them. Instead of maintaining several IAM users across the accounts (or worse, using the root user! 😱), you can use AWS Identity Center (SSO) for free, which makes both Console and CLI interactions across accounts a breeze.
This is to name a few; the sky is the limit.
Setting Up Your Organization
Setting up an Organization is easy. Navigate the AWS Organization service page and click “Create an Organization”:
After you create the organization, you can see the structure that is created:
After you do this, Amazon creates a basic organization with your management account. From there, you can invite other accounts to join your organization, create a new AWS account, and manage your organization’s policies and services.
When inviting an existing AWS account, the email address of the root user will get an invitation email with a link to the AWS Organizations page for that account. You’ll see an invitation that looks like this:
After that, the setup is done. You can create a landing zone in Control Tower, enable Security Hub, etc.
How I Have My Organization Setup
My organization is pretty simple. I have three OUs — one for Security, one for Production, and one for Sandbox or toy accounts. I enabled Control Tower and Identity Center (Formally SSO) to make management even more effortless. Each OU is governed by the basic guardrails that Control Tower provides. The default ones enabled involve ensuring the continued operation of Control Tower. However, I also enable many of the ones in the “Optimize Costs” control objective, such as ensuring EBS volumes are attached to EC2 to prevent billing surprises.
The benefits of having an AWS Organization are countless, and the service is free. When adding in Control Tower, which leverages several other AWS services (such as Lambda, Config, and S3, to name a few), there are some increased costs depending on your resource usage since you pay for Config recording. Still, even then, it’s usually pennies per month. Even if you don’t use Control Tower with your new organization, using Amazon’s free SSO option is quite nice.
I encourage everyone to look at using AWS Organizations for your own personal AWS accounts in the near future and take advantage of a feature that looks like something that is only good for enterprises but is actually good for all of us.