Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.2.2.3. Centralized Account Management (Organizations, Control Tower, Trusted Advisor)
Centralized management means governing 100+ accounts without logging into each one.
AWS Organizations features for the exam:
- Consolidated billing: Single payment, volume discounts, Reserved Instance sharing
- SCPs: Organizational-level permission boundaries
- Tag policies: Enforce consistent tagging (e.g., Environment must be dev|staging|prod)
- Backup policies: Enforce AWS Backup plans across accounts
- AI services opt-out policies: Control data use for AI improvement
Control Tower guardrails:
| Type | Mechanism | Example |
|---|---|---|
| Preventive (mandatory) | SCP | Disallow root access keys |
| Preventive (strongly recommended) | SCP | Disallow public S3 buckets |
| Detective (mandatory) | Config rule | Detect CloudTrail disabled |
| Detective (elective) | Config rule | Detect unencrypted EBS volumes |
AWS Trusted Advisor provides account-level recommendations: cost optimization, performance, security, fault tolerance, and service limits. Full features require Business or Enterprise Support.
Exam Trap: Organizations tag policies don't enforce tag values on existing resources — they only flag non-compliant tags. To prevent resource creation without required tags, use an SCP:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "Null": {"aws:RequestTag/Environment": "true"}
      }
    }
  ]
}
```
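The Null check above only tests that an Environment tag is present; it does not restrict the tag to the values the tag policy expects. The following added example (not code from the page or from AWS) is a minimal evaluator for SCP Deny statements that compares the page's presence-only check with an assumed second Deny statement using StringNotEquals to limit the value to dev, staging or prod. Request contexts are constructed inline, and only the Null and StringNotEquals operators are implemented.

```python
"""Minimal evaluator for SCP Deny statements (added example, not the page's code).
Implements only the Null and StringNotEquals operators of IAM's condition language."""
from fnmatch import fnmatch

# Assumed SCP: statement 1 is the page's policy; statement 2 is an added
# Deny that restricts the tag value to the tag policy's allowed set.
TAG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"Null": {"aws:RequestTag/Environment": "true"}}},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringNotEquals":
                       {"aws:RequestTag/Environment": ["dev", "staging", "prod"]}}},
    ],
}

def condition_matches(condition, context):
    """True if every operator/key pair in `condition` matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" matches when the key is absent, "false" when it is present
                if present == (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                values = expected if isinstance(expected, list) else [expected]
                # Negated operator: an absent key counts as a match (IAM semantics)
                if present and context[key] in values:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def deny_reasons(policy, action, context):
    """Return the condition operators of each Deny statement that fires for `action`."""
    reasons = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch(action, a) for a in actions):
            continue
        cond = stmt.get("Condition", {})
        if condition_matches(cond, context):
            reasons.extend(cond.keys() or ["unconditional"])
    return reasons
```

With Resource set to "*", the deny is evaluated against every resource RunInstances creates (instance, volume, network interface), so the request's TagSpecifications must tag each of them; scope Resource to the instance ARN pattern if only the instance should carry the tag.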

Written by Alvin Varughese • Founder • 15 professional certifications