7.1.1. AWS Organizations Deployment and Configuration
First Principle: AWS Organizations provides the structural foundation for multi-account governance — organizing accounts into OUs, applying policies, and enabling centralized management of billing and services.
Core Concepts:
- Organization: Top-level container (the root) that holds every account and OU; it is created by, and administered from, the management account
- Organizational Units (OUs): Logical groupings of accounts (by function, environment, or compliance level)
- Management account: Special account that creates the organization. Minimize workloads here — use for governance only.
- Member accounts: All other accounts. Apply policies via OU membership.
Recommended OU Structure:
| OU | Purpose | Key Policies |
|---|---|---|
| Security | Security tooling, log archive, forensics | Restricted access, log immutability |
| Infrastructure | Networking, shared services, DNS | Network governance |
| Workloads (Prod) | Production applications | Strictest SCPs, compliance controls |
| Workloads (Dev) | Development and testing | More permissive, cost controls |
| Sandbox | Experimentation | Budget limits, no production data |
| Suspended | Quarantined accounts | Deny-all SCP |
Best Practices:
- Dedicate the management account to governance — don't run workloads in it
- Create a centralized logging account for CloudTrail, Config, and VPC Flow Logs
- Create a security account for GuardDuty, Security Hub, and Detective administration
- Use delegated administrators (not the management account) for security services
⚠️ Exam Trap: SCPs never apply to the management account, even when attached to the root or to an OU that contains it. An SCP also never grants permissions; it only caps what IAM in a member account can grant. A deny-all SCP therefore cannot restrain anything running in the management account, which is why you should never run workloads there and should minimize its IAM principals.
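The OU table and the exam trap above both come down to one evaluation rule: an action must be permitted by the SCPs at every level from the account up to the root, and the management account is skipped entirely. The following is an added example, not code from the original page or from AWS, that models that rule over the recommended OU layout. The account IDs, OU names, and the `DENY_ALL` and `PROTECT_CLOUDTRAIL` policy documents are constructed for illustration; only the `FullAWSAccess` shape matches the policy AWS attaches by default. It deliberately omits `Condition`, `NotAction`, resource ARNs, and IAM itself.

```python
"""Simplified model of SCP evaluation across an AWS Organizations tree
(example code, not part of the original page).

Rules modelled (a subset of real SCP semantics):
  * An action passes one level (root, OU, or account) only if some SCP attached
    there has a matching Allow and no SCP attached there has a matching Deny.
  * An action must pass every level from the account up to the root.
  * The management account is exempt from SCPs entirely.
Not modelled: Condition blocks, NotAction, resource ARNs, and IAM itself
(SCPs only bound what IAM can grant; they never grant anything).
"""
import fnmatch
import json

# Policy documents. FullAWSAccess mirrors the default AWS-managed SCP; the other
# two are constructed for this example.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_ALL = {  # quarantine policy for the Suspended OU
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}],
}
PROTECT_CLOUDTRAIL = {  # log-immutability guardrail for Security and Prod
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}

MANAGEMENT_ACCOUNT = "999999999999"  # fictitious; all IDs below are made up

# Organization tree: node id -> parent node id and the SCPs attached at that node.
ORG = {
    "r-root":       {"parent": None,           "scps": [FULL_AWS_ACCESS]},
    "ou-security":  {"parent": "r-root",       "scps": [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL]},
    "ou-workloads": {"parent": "r-root",       "scps": [FULL_AWS_ACCESS]},
    "ou-prod":      {"parent": "ou-workloads", "scps": [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL]},
    "ou-dev":       {"parent": "ou-workloads", "scps": [FULL_AWS_ACCESS]},
    "ou-suspended": {"parent": "r-root",       "scps": [FULL_AWS_ACCESS, DENY_ALL]},
    MANAGEMENT_ACCOUNT: {"parent": "r-root",   "scps": [FULL_AWS_ACCESS]},
    "111111111111": {"parent": "ou-security",  "scps": [FULL_AWS_ACCESS]},  # log archive
    "222222222222": {"parent": "ou-prod",      "scps": [FULL_AWS_ACCESS]},  # prod workload
    "333333333333": {"parent": "ou-dev",       "scps": [FULL_AWS_ACCESS]},  # dev workload
    "444444444444": {"parent": "ou-suspended", "scps": [FULL_AWS_ACCESS]},  # quarantined
}


def _matches(action_field, action):
    """Case-insensitive wildcard match of an IAM action against a statement's Action."""
    patterns = action_field if isinstance(action_field, list) else [action_field]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _level_allows(scps, action):
    """One level passes only with a matching Allow and no matching Deny."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny at this level wins outright
            allowed = True
    return allowed


def path_to_root(org, node):
    """Account -> its OU -> ... -> root, the chain SCPs are intersected along."""
    path = []
    while node is not None:
        path.append(node)
        node = org[node]["parent"]
    return path


def scp_allows(org, account_id, action, management_account=MANAGEMENT_ACCOUNT):
    """True if SCPs leave the action available to IAM in this account."""
    if account_id == management_account:
        return True  # management account is never constrained by SCPs
    return all(_level_allows(org[n]["scps"], action) for n in path_to_root(org, account_id))


def scp_document(policy):
    """JSON text in the form passed as --content to create-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for acct, action in [("222222222222", "cloudtrail:StopLogging"),
                         ("333333333333", "cloudtrail:StopLogging"),
                         ("444444444444", "sts:GetCallerIdentity"),
                         (MANAGEMENT_ACCOUNT, "cloudtrail:StopLogging")]:
        print(f"{acct} {action}: {'allowed' if scp_allows(ORG, acct, action) else 'denied'}")
```

Running it shows the prod account blocked from stopping CloudTrail while the dev account is not, the quarantined account denied everything, and the management account allowed to stop logging despite every SCP in the tree; that last line is the exam trap. The same JSON that `scp_document` emits is what you would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` before attaching it to an OU with `aws organizations attach-policy`.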
Scenario: A security architect designs an organization with a Security OU containing the log archive and security tooling accounts, a Workloads OU with separate prod and dev sub-OUs, and a Suspended OU with a deny-all SCP for quarantined accounts.
Reflection Question: Why should the management account contain NO workloads, and what unique risk does it carry due to SCP exemption?