AWS Organizations centrally manages multiple AWS accounts under one organization with consolidated billing and policy guardrails—essential as teams grow beyond a single sandbox account.
Key features
- Organizational Units (OUs) — group accounts (Prod, Dev, Security)
- Service Control Policies (SCPs) — maximum permissions for member accounts
- Consolidated billing — one bill; allocate costs by account
- Account creation — vending new accounts with baseline guardrails
Typical layout
Organization
├── Security OU (log archive, audit)
├── Workloads OU
│   ├── Production account
│   └── Staging account
└── Sandbox OU (individual learner accounts)
SCP vs IAM policy
An SCP sets a permission ceiling for every principal in a member account, including that account's root user. It never grants anything: a principal ends up with the intersection of what the SCP allows and what its IAM policies allow, and an explicit Deny in either one wins. SCPs are typically used to block whole services or to restrict activity to approved regions (for example, denying every non-global action whose aws:RequestedRegion is outside an allow list, with global services such as IAM exempted). IAM policies still do the actual granting to roles and users inside each account. SCPs do not apply to the management account, which is one reason to keep workloads out of it.
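To make the intersection rule concrete, here is an added example (not code from the page or from AWS): a deliberately simplified Python model that evaluates a constructed region-guardrail SCP and a constructed IAM policy for a hypothetical developer role, and reports which of the two blocked a request. Policy names, the action list, and the approved regions are assumptions; the matching logic covers only action wildcards and one condition key, whereas real IAM evaluation also considers resource ARNs, resource policies, permission boundaries and session policies.

```python
"""Simplified model of how AWS combines an SCP with an IAM identity policy.

Added example, not from the page. Effective access is the intersection of
the two policies, an explicit Deny in either wins, and an SCP can never grant
an action that IAM does not. Matching is reduced to action wildcards plus one
condition key; real IAM evaluation is richer.
"""
from fnmatch import fnmatchcase

# Constructed SCP following the shape of the AWS "deny regions" pattern:
# allow everything, then deny any non-global action whose aws:RequestedRegion
# is outside the approved list. The exempted global services are illustrative,
# not the full list AWS documents.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
        },
    ],
}

# Constructed IAM policy for a hypothetical developer role in a member account.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "ec2:Describe*", "ec2:RunInstances"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, context):
    """True if the statement applies to this action under the request context."""
    if "Action" in stmt:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        # NotAction statements apply to everything EXCEPT the listed actions.
        if any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"])):
            return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            actual = context.get(key)  # a missing key fails StringEquals
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate_policy(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def effective_decision(scp, iam_policy, action, context):
    """SCP and IAM are ANDed: both must allow, and the SCP can never grant."""
    if evaluate_policy(scp, action, context) != "Allow":
        return "Deny (SCP)"
    if evaluate_policy(iam_policy, action, context) != "Allow":
        return "Deny (IAM)"
    return "Allow"


def demo():
    """Decisions for a few constructed requests, keyed by action and region."""
    requests = [
        ("s3:GetObject", "eu-west-1"),      # IAM allows, SCP allows
        ("ec2:RunInstances", "us-east-1"),  # IAM allows, SCP denies the region
        ("iam:CreateUser", "us-east-1"),    # SCP allows, IAM never granted it
    ]
    return {
        f"{action} in {region}": effective_decision(
            REGION_GUARDRAIL_SCP, DEVELOPER_IAM_POLICY, action,
            {"aws:RequestedRegion": region})
        for action, region in requests
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:35} -> {decision}")
```

The third request is the one interviewers probe: the SCP explicitly allows `iam:*` everywhere, yet the developer still cannot create a user, because the SCP only widens the ceiling and IAM never granted the action.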
Preview only
Organizations setup requires management account access—learners typically use one free-tier account first. When you join a company, expect separate dev/staging/prod accounts linked under Organizations.
Important interview questions and answers
- Q: What is an OU?
A: Organizational Unit: a container for AWS accounts in the Organizations hierarchy. OUs can be nested, and an SCP attached to an OU applies to every account beneath it.
- Q: SCP purpose?
A: Account-level guardrail limiting what actions member accounts can perform even if IAM allows.
Self-check
- Why use multiple AWS accounts instead of one?
- How does an SCP differ from an IAM user policy?
Tip: In companies, expect separate accounts for prod, staging, and sandboxes under Organizations.
Interview prep
- SCP?
A Service Control Policy sets a maximum-permissions guardrail for member accounts; it restricts what IAM can grant but never grants anything itself.
- Multi-account why?
Separate accounts isolate blast radius (a leaked credential or bad change stays inside one account), give hard billing and service-quota boundaries, and let you apply different guardrails to prod, staging, and sandboxes.