
AWS Organizations and SCP Design

Explore how to design a scalable multi-account governance structure using AWS Organizations and Service Control Policies. Understand organizational units, SCPs as permission guardrails, centralized billing, and delegated administration to enforce security and compliance efficiently across complex AWS environments.

At enterprise scale, managing dozens or hundreds of AWS accounts without a unified governance layer leads to policy drift, billing fragmentation, and security blind spots. The AWS Certified Solutions Architect – Professional exam expects you to design multi-account architectures where security boundaries, compliance enforcement, and operational control are structurally embedded rather than bolted on after the fact. This lesson establishes the governance foundation that every subsequent architectural decision, including networking, compute, data, and security, depends on.

Multi-account governance foundations

AWS Organizations is the control-plane service that brings multiple AWS accounts under a single management umbrella. Rather than treating each account as an independent silo with its own billing, policies, and access controls, AWS Organizations unifies these concerns into a hierarchical structure governed from a management account. This account sits at the root of the organization and holds authority over all member accounts beneath it.

The AWS-preferred approach for enterprise environments is a multi-account strategy, not a single-account model with resource-level isolation. Each account provides a hard security boundary because IAM principals in one account cannot access resources in another unless explicitly granted cross-account trust. This isolation model limits the blast radius of a compromised credential, a misconfigured policy, or a runaway workload. AWS Organizations layers centralized policy management and consolidated billing atop this natural isolation, creating a governance architecture that scales with organizational complexity while preserving per-account autonomy.

Attention: The management account is not subject to SCPs. Any principal in the management account retains full permissions regardless of attached policies. This is why AWS strongly recommends running minimal workloads in the management account and delegating operational tasks to dedicated accounts.

From an exam perspective, SAP-C02 scenarios frequently test whether you can design governance structures that enforce compliance without requiring manual intervention in each account. AWS Organizations provides the structural foundation; the sections that follow cover how to shape that structure effectively.

Designing organizational unit hierarchies

A well-architected organizational unit structure is the foundation of scalable multi-account governance, allowing you to map AWS accounts directly to your business and security requirements.

OU structure and inheritance model

Organizational units (OUs) are logical containers within AWS Organizations that group accounts based on business function, environment type, or compliance requirements. OUs form a tree hierarchy beneath the organization's root, and each OU can contain member accounts or nested child OUs. ...
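To make two points from this lesson concrete, the guardrail semantics of SCPs from the foundations section (an SCP only filters what IAM may grant, explicit deny wins, and the management account is exempt) and the OU tree with its inheritance model from this section, here is a small evaluator. It is an added example written for this page, not AWS code and not the lesson's own material: the OU names, the 12-digit account IDs and the four SCP documents are constructed, and the evaluator deliberately models only `Effect`, `Action`, `Resource: "*"` and a single `StringNotEquals` condition on `aws:RequestedRegion`, refusing anything else rather than guessing.

```python
"""Toy model of SCP evaluation across an OU tree (added example, not AWS code).

Simplifications (assumptions, not from the lesson): action matching is a plain
case-sensitive glob, Resource is always "*", and the only condition modelled is
StringNotEquals on aws:RequestedRegion. Unsupported policy features raise.
"""
from fnmatch import fnmatchcase
from typing import List, Optional

# Default SCP that AWS attaches to the root and to every new OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrails: region restriction, org-exit protection, sandbox allow-list.
DENY_OUTSIDE_APPROVED_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
DENY_LEAVING_ORG = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["organizations:LeaveOrganization"], "Resource": "*"}]}
SANDBOX_ALLOWLIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}]}

# Constructed org tree: node -> parent and the SCPs attached at that node.
# Account IDs and OU names are hypothetical.
ORG_TREE = {
    "Root":         {"parent": None,        "scps": [FULL_AWS_ACCESS, DENY_LEAVING_ORG]},
    "Workloads":    {"parent": "Root",      "scps": [FULL_AWS_ACCESS, DENY_OUTSIDE_APPROVED_REGIONS]},
    "Sandbox":      {"parent": "Workloads", "scps": [SANDBOX_ALLOWLIST]},  # FullAWSAccess detached
    "111111111111": {"parent": "Workloads", "scps": [FULL_AWS_ACCESS]},    # production account
    "222222222222": {"parent": "Sandbox",   "scps": [FULL_AWS_ACCESS]},    # sandbox account
}
MANAGEMENT_ACCOUNT = "999999999999"  # constructed; SCPs never apply to the management account


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(cond: Optional[dict], region: str) -> bool:
    """True when the statement's Condition applies to this request (or there is none)."""
    if not cond:
        return True
    if set(cond) != {"StringNotEquals"} or set(cond["StringNotEquals"]) != {"aws:RequestedRegion"}:
        raise NotImplementedError("toy evaluator only models StringNotEquals on aws:RequestedRegion")
    return region not in _as_list(cond["StringNotEquals"]["aws:RequestedRegion"])


def scp_decision(scp: dict, action: str, region: str) -> Optional[str]:
    """Evaluate one SCP document: 'Deny', 'Allow', or None for implicit deny."""
    decision = None
    for stmt in scp["Statement"]:
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition"), region):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow in the same document
        decision = "Allow"
    return decision


def path_to_root(node: str) -> List[str]:
    """Account, then each enclosing OU, ending at the root."""
    path = []
    while node is not None:
        path.append(node)
        node = ORG_TREE[node]["parent"]
    return path


def scp_guardrail_allows(account: str, action: str, region: str) -> bool:
    """Inheritance: the action must be allowed, and not explicitly denied, by the SCPs
    at every level from the account up through its OUs to the root."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # the management account is not subject to SCPs
    for node in path_to_root(account):
        decisions = [scp_decision(scp, action, region) for scp in ORG_TREE[node]["scps"]]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def effective_allow(account: str, action: str, region: str, iam_allows: bool) -> bool:
    """SCPs never grant anything: a principal needs the guardrail AND its own IAM policy."""
    return scp_guardrail_allows(account, action, region) and iam_allows


if __name__ == "__main__":
    for acct, action, region in [("111111111111", "ec2:RunInstances", "us-east-1"),
                                 ("111111111111", "ec2:RunInstances", "ap-southeast-2"),
                                 ("222222222222", "iam:CreateUser", "us-east-1"),
                                 (MANAGEMENT_ACCOUNT, "organizations:LeaveOrganization", "us-east-1")]:
        print(f"{acct} {action} in {region}: guardrail={scp_guardrail_allows(acct, action, region)}")
```

The sandbox OU shows why detaching `FullAWSAccess` turns an OU into an allow-list: with only `SANDBOX_ALLOWLIST` attached at that level, an action such as `iam:CreateUser` has no matching `Allow` there and is implicitly denied, even though the account itself and every level above still carry `FullAWSAccess`. The management account branch shows the exemption the lesson warns about: the same `organizations:LeaveOrganization` call that the root-level deny blocks for every member account is never filtered there.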