AWS Organizations, Control Tower, and Service Catalog

Explore key AWS services used to streamline cloud governance, account management, and service provisioning.

AWS Organizations

AWS Organizations is an account management tool that allows us to consolidate multiple AWS accounts into an organization that we create and manage. With AWS Organizations, we can centralize billing, apply policies across multiple accounts, and automate account and resource creation. This makes it easier to manage multiple AWS accounts and ensures compliance with our organization’s policies.

Features

Let’s look at the features of the AWS Organizations service.

  • AWS Organizations is a global service.
  • It’s free to use.
  • Each AWS Organization has a main account and various member accounts.
    • The default maximum number of member accounts in an AWS Organization is 10. However, this limit can be increased by contacting AWS support.
    • Member accounts can only belong to one AWS Organization at a time.
  • It allows centralized management of all member accounts.
  • It allows consolidated billing for all member accounts. We can use the main account of an AWS Organization to consolidate and pay for all member accounts.
  • It allows for hierarchical grouping of accounts using organization units (OUs) to meet budgetary, security, or compliance requirements.
  • We can implement service control policies (SCPs) to specify the maximum permissions for member accounts in the organization.
    • SCPs can be applied at an OU level.
    • SCPs can be used to restrict access to AWS services, resources, and API actions.
    • SCP restrictions even override the administrator privileges of users in member accounts.
  • AWS Organizations lets us implement policies to:
    • Standardize tags in all member AWS accounts.
    • Control how AWS artificial intelligence (AI) and machine learning services collect and store data.
    • Configure automatic backups for resources in all accounts.

The following illustration shows how an AWS Organization can have member accounts under multiple organizational units. OUs allow users to group member accounts for management purposes, such as applying policies and settings.

Any SCPs applied at a higher OU level are automatically inherited by the OUs and member accounts beneath it. For example, in the illustration below, an SCP applied to the Technology OU is automatically applied to the DEV and PROD OUs and their accounts.
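The two points above (SCPs capping permissions even for member-account administrators, and SCPs attached to a parent OU reaching every OU and account beneath it) can be seen in a small simulation. The following is an added example written for this page, not code from AWS or from the course; the organization tree, the account IDs, and the guardrail SCP are all constructed, and the evaluator covers plain `Action` statements only (no `NotAction`, conditions, or resource matching), which is enough to show how a Deny at the Technology OU reaches the DEV and PROD accounts.

```python
"""Simulate how SCPs attached along the OU hierarchy bound the effective
permissions of a member account. Constructed example, not AWS code."""
import fnmatch
from typing import List, Optional

# Constructed SCP documents in the JSON shape AWS Organizations uses.
FULL_AWS_ACCESS = {  # the default SCP AWS attaches to every root, OU and account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail: nobody in the affected accounts, administrators
# included, may switch off CloudTrail or pull the account out of the organization.
PROTECT_LOGGING_AND_MEMBERSHIP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed hierarchy mirroring the text: Root -> Technology -> {DEV, PROD},
# plus a Sandbox OU outside Technology. Account IDs are placeholders.
ORG_TREE = {
    "name": "Root",
    "scps": [FULL_AWS_ACCESS],
    "children": [
        {
            "name": "Technology",
            "scps": [FULL_AWS_ACCESS, PROTECT_LOGGING_AND_MEMBERSHIP],
            "children": [
                {"name": "DEV", "scps": [FULL_AWS_ACCESS], "children": [
                    {"name": "111111111111", "scps": [FULL_AWS_ACCESS], "children": []}]},
                {"name": "PROD", "scps": [FULL_AWS_ACCESS], "children": [
                    {"name": "222222222222", "scps": [FULL_AWS_ACCESS], "children": []}]},
            ],
        },
        {"name": "Sandbox", "scps": [FULL_AWS_ACCESS], "children": [
            {"name": "333333333333", "scps": [FULL_AWS_ACCESS], "children": []}]},
    ],
}


def path_to(node: dict, target: str) -> Optional[List[dict]]:
    """Return the chain of nodes from the root down to the named account, or None."""
    if node["name"] == target:
        return [node]
    for child in node["children"]:
        tail = path_to(child, target)
        if tail:
            return [node] + tail
    return None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement: dict, action: str) -> bool:
    # IAM action names are matched case-insensitively and support '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def level_allows(scps: List[dict], action: str) -> bool:
    """SCP evaluation at one level: a matching Deny wins; otherwise some Allow must match."""
    allowed = False
    for policy in scps:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_allows(action: str, account_id: str, tree: dict = ORG_TREE) -> bool:
    """The action survives only if every level from the root to the account allows it,
    which is why a Deny at the Technology OU reaches DEV, PROD and their accounts."""
    path = path_to(tree, account_id)
    if path is None:
        raise KeyError(f"account {account_id} is not in the organization")
    return all(level_allows(node["scps"], action) for node in path)


def effective_allow(action: str, account_id: str, iam_allows: bool) -> bool:
    """Effective permission = IAM decision AND SCP decision, so an account admin
    whose IAM policy allows everything is still bounded by the SCPs above them."""
    return iam_allows and scp_allows(action, account_id)


if __name__ == "__main__":
    for account, action in [("111111111111", "cloudtrail:StopLogging"),
                            ("111111111111", "ec2:RunInstances"),
                            ("333333333333", "cloudtrail:StopLogging")]:
        verdict = "allowed" if effective_allow(action, account, True) else "DENIED by SCP"
        print(account, action, verdict)
```

Running it shows the DEV account (under Technology) denied `cloudtrail:StopLogging` even with a fully permissive IAM identity, while the Sandbox account, which sits outside the Technology OU, is not affected by that SCP. One caveat worth keeping in mind when reading the output: in a real organization SCPs apply only to member accounts, never to the organization's main (management) account, so guardrails like this one should be paired with tight control over who can sign in to that account.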
