The main account is the management account, other accounts are member accounts
Member accounts can only be part of one organization
Consolidated billing across all accounts (single payment method)
Pricing benefits from aggregated usage (volume discounts for EC2, S3, etc.)
Shared reserved instances and Savings Plans discounts across accounts
API is available to automate AWS account creation
Advantages:
Use multiple accounts rather than one account with multiple VPCs
Use tagging standards for billing purposes
Enable CloudTrail in all accounts and send the logs to a central S3 bucket in a logging account
Send CloudWatch Logs to a central logging account
Establish cross-account roles for admin purposes
Security with Service Control Policies:
Policies in IAM policy syntax applied to organizational units or accounts to restrict what users and roles in those accounts can do
Do not apply to the management account (it keeps full admin privileges)
An action must be explicitly allowed by the SCP at the root and at each organizational unit in the direct path down to the target account (unlike IAM, nothing is allowed by default)
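The path rule above, as an added example that is not part of the original notes: a small model of how SCPs combine from the root through each OU to the account. The SCP documents, OU names and actions are constructed samples; an explicit Deny at any level wins, and a missing Allow at any level is an implicit deny.

```python
"""Model of SCP evaluation along an OU path (added example, constructed data)."""
from fnmatch import fnmatchcase

# Constructed sample SCPs using the real Effect/Action subset of SCP JSON.
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}  # like FullAWSAccess
OU_WORKLOADS_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*"]},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging"},  # guardrail for auditing
]}
OU_DEV_SCP = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"]}]}
ACCOUNT_SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]}

# Direct path root -> workloads OU -> dev OU -> account (constructed).
DEV_ACCOUNT_PATH = [ROOT_SCP, OU_WORKLOADS_SCP, OU_DEV_SCP, ACCOUNT_SCP]


def _actions(statement):
    """Normalize Action (string or list) to a list of patterns."""
    action = statement["Action"]
    return [action] if isinstance(action, str) else list(action)


def scp_permits(scp, action):
    """Evaluate one SCP: explicit Deny wins; otherwise an explicit Allow is required."""
    allowed = False
    for stmt in scp["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed  # no matching Allow statement -> implicit deny


def effective_scp_permits(path, action):
    """The action passes only if every SCP on the path (root, each OU, account) permits it."""
    return all(scp_permits(scp, action) for scp in path)


if __name__ == "__main__":
    for action in ["s3:GetObject", "ec2:DescribeInstances", "ec2:RunInstances",
                   "cloudtrail:StopLogging", "iam:CreateUser"]:
        print(f"{action:26} -> {effective_scp_permits(DEV_ACCOUNT_PATH, action)}")
```

Passing the SCP chain is only the guardrail check; the principal still needs an IAM policy in the account that grants the action.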
Resource Policies and aws:PrincipalOrgID
aws:PrincipalOrgID can be used in any resource policies to restrict access to accounts that are a member of the Organization
IAM Roles vs. Resource Based Policies
When a principal (user, app or service) assumes a role, it gives up its original permissions and takes on the permissions assigned to the role
When access is granted through a resource-based policy, the principal keeps its own permissions and does not have to give them up
IAM Permission Boundaries
An advanced feature that uses a managed policy to set the maximum permissions an IAM entity can have
Supported for users and roles (not groups)
Can be used in combination with SCPs
Useful for delegating responsibilities to non-admins within their permission boundaries, e.g. letting developers self-assign policies and manage their own permissions; also restricts a specific user rather than a whole account, which is what Organizations and SCPs do
IAM Identity Center
Successor to AWS Single Sign-On
One login for all AWS accounts in your Organization
Built-in identity store or 3rd party identity providers
IAM Identity Center Permissions and Assignments
Multi-Account Permissions
Manage access across all accounts in Organization
Define permission sets (each a collection of IAM policies) and assign them to users and groups to define their access
Application Assignments
SSO access to SAML 2.0 business apps (Salesforce, Microsoft 365, etc.)
Attribute-Based Access Control (ABAC)
Fine-grained permissions based on user attributes stored in the IAM Identity Center identity store
Useful for defining permissions once, then modifying access by changing the attributes
Microsoft Active Directory
Found on any Windows Server with AD Domain Services