Centrally manage policies across multiple AWS accounts
AWS Organizations helps you manage policies for multiple AWS accounts. With Organizations, you can create groups of accounts, and then attach policies to a group to ensure the correct policies are applied across the accounts. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.
Control access to AWS services
With AWS Organizations, you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. SCPs put bounds around the permissions that AWS Identity and Access Management (IAM) policies can grant to entities in an account, such as IAM users and roles. For example, IAM policies for an account in your organization cannot grant access to AWS Direct Connect if access is not also allowed by the SCP for the account. Entities can only use the services allowed by both the SCP and the IAM policy for the account.
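The "allowed by both" rule above, worked through as an added example (not AWS code and not part of the original page). It assumes constructed sample policies and a simplified model that matches on `Action` only, ignoring `Resource`, `Condition`, `NotAction` and other policy types; the function names are hypothetical.

```python
import fnmatch

# Constructed sample policies (not from the page). The SCP is attached to the
# account; the IAM policy is attached to a role inside that account.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": "*"},
]}
IAM_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "ec2:*", "directconnect:*"],
     "Resource": "*"},
]}

def _actions(stmt):
    """Normalize Action to a list (policy JSON allows a string or a list)."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else action

def _matches(stmt, action):
    # Action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _actions(stmt))

def decision(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    effects = [s["Effect"] for s in policy["Statement"] if _matches(s, action)]
    if "Deny" in effects:          # an explicit Deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_permitted(action, scp, iam_policy):
    """Usable only if the SCP and the IAM policy both allow the action."""
    return (decision(scp, action) == "Allow"
            and decision(iam_policy, action) == "Allow")

def explain(action, scp, iam_policy):
    """One-line audit string showing which layer blocked the action."""
    verdict = "permitted" if is_permitted(action, scp, iam_policy) else "blocked"
    return (f"{action}: SCP={decision(scp, action)} "
            f"IAM={decision(iam_policy, action)} -> {verdict}")

if __name__ == "__main__":
    for act in ("s3:GetObject", "directconnect:CreateConnection",
                "ec2:DeleteVpc", "s3:PutObject"):
        print(explain(act, SCP, IAM_POLICY))
```

The `s3:PutObject` case shows the other half of the rule: the SCP allows it, but the SCP grants nothing on its own, so without a matching IAM allow the action stays blocked.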
Automate AWS account creation and management
You can use the AWS Organizations APIs to automate the creation and management of new AWS accounts. The Organizations APIs enable you to create new accounts programmatically, and to add the new accounts to a group. The policies attached to the group are automatically applied to the new account. For example, you can automate the creation of sandbox accounts for developers and grant entities in those accounts access only to the necessary AWS services.
Consolidate billing across multiple AWS accounts
AWS Organizations enables you to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon EC2 and Amazon S3.
What can you do with AWS Organizations?
Control the use of AWS services to help comply with corporate security and compliance policies
AWS Organizations’ Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts in your organization. With Organizations, you can ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements. For example, you can restrict the use of AWS services that can modify settings for shared resources, such as AWS Direct Connect or Amazon Virtual Private Cloud (VPC) settings.
Automate the creation of AWS accounts for different resources
AWS Organizations makes it easy for you to automate the creation of new AWS accounts used for different resources. With a few simple API calls, you can create a new account and add the new account to a group. You can attach a Service Control Policy (SCP) to that group that only allows the use of the necessary AWS services. Through consolidated billing, you can automatically link the new accounts to a single payment method for simplified billing.
Create different groups of accounts for development and production resources
Creating groups of AWS accounts helps you manage policies across your accounts centrally. For example, you can create separate groups of accounts used for development and production resources, and then apply different policies to each group. You can attach a Service Control Policy (SCP) to the development group that allows the use of all AWS services for testing, and attach a different SCP to the production group that only allows access to authorized services.