Day 5 - AWS Organizations - Part 1
AWS Organizations is an account management service that lets you centrally manage multiple AWS accounts. Its main benefits:
- Centralized management of all your accounts.
- Lower costs, by taking advantage of features such as Reserved Instances and credits across the organization.
- Flexible management, since accounts can be grouped into Organizational Units (OUs).
- Consolidated billing: a single master account is responsible for the charges of all member accounts.
- A way to work around hard or soft service limits, since limits apply per account.
- Free of charge.
Before we create our first AWS Organization, there is one term to be aware of: the Master Account (the console now calls it the management account). It is a standard AWS account that we use to create the organization; it becomes the master account simply by creating it. Some of its characteristics:
- Creates accounts in an organization.
- Invites other accounts via email to the organization.
- Removes accounts from the organization.
- Manages policies within the organization.
- Pays all the charges incurred by the member accounts.
Creating an AWS Organization
- Go to the AWS Organizations page in the console: https://console.aws.amazon.com/organizations/?org_product_gs_console.
- Click on “Create Organization.” Your organization is now created.
- The final step is to verify the email address of the management account. Do this before creating or inviting any account.
- An AWS Organization can be created with the root user, but this is not recommended. The recommended way is an IAM user with the minimum permission organizations:CreateOrganization.
- You can switch from “only consolidated billing” to “all features,” but not vice versa.
- An organization may send 20 invitations per day.
- The invited account's owner must accept or reject the invite within 15 days, or the invitation expires.
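The same "Create Organization" step as AWS CLI calls, together with the least-privilege IAM policy the post recommends instead of using the root user. This is an added example, not code from the original post; it assumes the AWS CLI is installed and configured with an IAM user's credentials, and the policy name AllowCreateOrganization and the user name passed to attach_create_org_policy are constructed. DRY_RUN=1 (the default) only prints each command, so it can be read and tested offline; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): create an organization from the
# CLI and grant only organizations:CreateOrganization to the user that does it.
# DRY_RUN=1 prints each aws command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute CMD when DRY_RUN=0, otherwise print it.
run() {
  if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# minimal_create_org_policy: an IAM policy document allowing only the single
# action the post names, organizations:CreateOrganization.
minimal_create_org_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "organizations:CreateOrganization",
      "Resource": "*"
    }
  ]
}
EOF
}

# attach_create_org_policy USER: put the document above on USER as an inline
# policy (AllowCreateOrganization is a constructed policy name).
attach_create_org_policy() {
  user="$1"; doc="${TMPDIR:-/tmp}/create-org-policy.json"
  minimal_create_org_policy > "$doc"
  run aws iam put-user-policy --user-name "$user" \
    --policy-name AllowCreateOrganization --policy-document "file://$doc"
}

# create_org [FEATURE_SET]: create the organization. ALL (the default) enables
# every feature; CONSOLIDATED_BILLING can later be upgraded to ALL with
# enable_all_features, but the reverse is not possible.
create_org() {
  feature_set="${1:-ALL}"
  case "$feature_set" in
    ALL|CONSOLIDATED_BILLING) ;;
    *) echo "create_org: feature set must be ALL or CONSOLIDATED_BILLING" >&2; return 2 ;;
  esac
  run aws organizations create-organization --feature-set "$feature_set"
}

# enable_all_features: the one-way switch from consolidated billing only to all features.
enable_all_features() {
  run aws organizations enable-all-features
}

# show_org: describe the organization; the output includes the master account's
# id and email address, the address that must be verified before adding accounts.
show_org() {
  run aws organizations describe-organization
}

# Demo (prints the commands under the default DRY_RUN=1).
create_org
show_org
```

Run with `DRY_RUN=0 sh create-org.sh` from the IAM user that carries the inline policy; `attach_create_org_policy org-admin` (constructed user name) has to be run first by an identity that may write IAM user policies.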
Creating a new account
- On the same AWS Organizations page, click on Add an AWS account.
- You have the option to create a new AWS account or invite an existing one. Let's start by creating an AWS account. Give the account a meaningful name and an email address, and specify the name of the IAM role that the management account will use to access the new account's resources. Click on Create an AWS account.
- Within the next few minutes, you will see the account created and listed as part of the AWS Organization.
- You will receive an email at the address you provided for the account.
NOTE: We have created the account, but we don't have its password. To get one, reset the password using the email address you provided when creating the account.
- Similarly, you can invite an existing AWS account by entering its account ID or email address.
- Check your email, as the invite has to be accepted from the invited account.
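The "Add an AWS account" step as AWS CLI calls, covering both creating a member account and inviting an existing one. This is an added example, not code from the original post; it assumes the AWS CLI is configured with the master (management) account's credentials, and the account names, email addresses and account ids in the demo are constructed placeholders. OrganizationAccountAccessRole is the default name AWS gives the cross-account role when none is specified. DRY_RUN=1 (the default) prints each command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post): create or invite member accounts
# from the CLI. DRY_RUN=1 prints each aws command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

is_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# create_member_account NAME EMAIL [ROLE]: the "create an AWS account" form.
# ROLE is the IAM role created inside the new account that the master account
# assumes to reach its resources (AWS default: OrganizationAccountAccessRole).
# Creation is asynchronous, so the call returns a request id, not the account.
create_member_account() {
  name="$1"; email="$2"; role="${3:-OrganizationAccountAccessRole}"
  case "$email" in
    *@*.*) ;;
    *) echo "create_member_account: '$email' is not an email address" >&2; return 2 ;;
  esac
  run aws organizations create-account --email "$email" --account-name "$name" \
    --role-name "$role" --query CreateAccountStatus.Id --output text
}

# wait_for_account REQUEST_ID: poll until the asynchronous creation finishes
# (real mode only; REQUEST_ID is what create_member_account returned).
wait_for_account() {
  [ "$DRY_RUN" = "0" ] || { echo "wait_for_account: skipped in dry run"; return 0; }
  while :; do
    state=$(aws organizations describe-create-account-status \
      --create-account-request-id "$1" \
      --query CreateAccountStatus.State --output text)
    case "$state" in
      SUCCEEDED) return 0 ;;
      FAILED) echo "wait_for_account: creation failed" >&2; return 1 ;;
      *) sleep 5 ;;
    esac
  done
}

# invite_account TARGET: invite an existing account by 12-digit id or by email.
invite_account() {
  target="$1"
  case "$target" in
    *@*) spec="Id=$target,Type=EMAIL" ;;
    *) is_account_id "$target" || {
         echo "invite_account: '$target' is neither a 12-digit account id nor an email" >&2
         return 2
       }
       spec="Id=$target,Type=ACCOUNT" ;;
  esac
  run aws organizations invite-account-to-organization --target "$spec"
}

# pending_invites: open invitation handshakes; each expires 15 days after sending.
pending_invites() {
  run aws organizations list-handshakes-for-organization --filter ActionType=INVITE
}

# accept_invite HANDSHAKE_ID: run with the *invited* account's credentials; this
# is the CLI equivalent of accepting the emailed invitation.
accept_invite() {
  run aws organizations accept-handshake --handshake-id "$1"
}

# Demo with constructed values (not real accounts).
create_member_account MyDemoAccount demo-account@example.com
invite_account 111122223333
pending_invites
```

In real mode, `req=$(create_member_account MyDemoAccount demo-account@example.com) && wait_for_account "$req"` blocks until the account exists; the new account's root user still has no password, so the post's note about resetting it via the account's email address applies.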
Organizational Units (OUs): an OU is used to group accounts within the root container or within another OU. Once accounts are grouped, it is easier to assign policies to them, which simplifies the management of multiple accounts. The result is a hierarchy with the root at the top and accounts at the bottom.
- OUs can be nested up to 5 levels deep.
- An organization can have up to 1000 OUs.
- Every OU must have a unique name within its parent container.
To demonstrate this, let's create a new OU. Click on the Root of the organizational structure and then on Create new.
- Give it a name and click on Create organizational unit.
- Select the account and click on Move.
- Move this account under MyDemoOU.
- The advantage of moving accounts under an OU is that it is easier to assign policies to them. We will look at Service Control Policies in the next part.
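The "create an OU and move an account into it" steps as AWS CLI calls, with the input checks a script should make before calling the API: well-formed root, OU and account ids (formats as documented by AWS) and, when running for real, the 5-level nesting limit stated above. This is an added example, not code from the original post; it assumes the AWS CLI is configured with master (management) account credentials, and the ids in the demo (r-abcd, ou-abcd-11112222, 111122223333) are constructed placeholders. DRY_RUN=1 (the default) prints each command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post): create an OU and move an account
# from the CLI. DRY_RUN=1 prints each aws command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
MAX_OU_DEPTH=5   # nesting limit from the text: at most 5 OUs between root and account

run() {
  if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Identifier formats as documented by AWS: roots look like r-xxxx,
# OUs like ou-xxxx-xxxxxxxx, accounts are 12 digits.
is_parent_id() {
  printf '%s' "$1" | grep -Eq '^(r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[0-9a-z]{8,32})$'
}
is_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# root_id: the organization's root container id (real mode only).
root_id() {
  aws organizations list-roots --query 'Roots[0].Id' --output text
}

# ou_depth PARENT_ID: number of OUs from PARENT_ID up to (not including) the
# root, counting PARENT_ID itself; the root has depth 0. Walks list-parents
# upward, so real mode only.
ou_depth() {
  id="$1"; depth=0
  while [ "${id#ou-}" != "$id" ]; do
    depth=$((depth + 1))
    id=$(aws organizations list-parents --child-id "$id" --query 'Parents[0].Id' --output text)
  done
  echo "$depth"
}

# create_ou PARENT_ID NAME: refuse a malformed parent and, when running for
# real, a parent that is already at the maximum nesting depth. AWS itself
# rejects a NAME that duplicates a sibling OU under the same parent.
create_ou() {
  parent="$1"; name="$2"
  is_parent_id "$parent" || { echo "create_ou: bad parent id '$parent'" >&2; return 2; }
  if [ "$DRY_RUN" = "0" ] && [ "$(ou_depth "$parent")" -ge "$MAX_OU_DEPTH" ]; then
    echo "create_ou: '$parent' is already $MAX_OU_DEPTH levels deep" >&2; return 2
  fi
  run aws organizations create-organizational-unit --parent-id "$parent" --name "$name"
}

# move_account ACCOUNT_ID FROM_PARENT TO_PARENT: the console "Move" action.
move_account() {
  account="$1"; from="$2"; to="$3"
  is_account_id "$account" || { echo "move_account: bad account id '$account'" >&2; return 2; }
  is_parent_id "$from" && is_parent_id "$to" || { echo "move_account: bad parent id" >&2; return 2; }
  run aws organizations move-account --account-id "$account" \
    --source-parent-id "$from" --destination-parent-id "$to"
}

# Demo with constructed ids (placeholders, not real resources).
create_ou r-abcd MyDemoOU
move_account 111122223333 r-abcd ou-abcd-11112222
```

In real mode, `create_ou "$(root_id)" MyDemoOU` prints the new OU's JSON, whose Id is then the destination parent for move_account; the account's current parent can be found with `aws organizations list-parents --child-id ACCOUNT_ID`.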