AWS Organisations allow programmatic creation and centralised management of AWS accounts. They can be used to consolidate billing across a number of distinct organisational units.
- Organisations can be modelled as a tree made up of organisational units and AWS accounts. The organisation creates a Root container for OUs and accounts.
- Organisational units are containers for accounts within the root, and can be nested to model organisational hierarchy.
- Accounts belong to organisational units.
- The Management account (formerly known as the Master account) is privileged, and is able to manage the Organisation. It's also the payer account.
- Service Control Policies can be applied at the account or organisational-unit level and flow down the tree, applying guardrails that restrict access to AWS services or the permissible configurations for each account.
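An added example of such a guardrail, not taken from the original notes: a deny-only SCP (the statement IDs are my own names) that stops a member account from leaving the organisation, from tampering with CloudTrail, and from using its root user. Attached to an OU, it applies to every account beneath it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganisation",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

An SCP only filters what IAM policies in the account can grant (it grants nothing itself), and it never restricts the management account, so guardrails like this are attached to OUs or member accounts rather than to the root of the tree.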
Accessing a member account
Account -> Switch Roles, enter the account ID and the name of the created role (it defaults to OrganizationAccountAccessRole), and assign it a meaningful name and colour. The console remembers the last 5 roles in your browser cache.
This browser extension simplifies switching between multiple accounts, determining which switches are possible based on the account IDs on the Console page and the source_accounts specified in your configuration.
- AWS accounts require separate email addresses.
- An AWS organisation can contain up to 5,000 AWS accounts.