7.1. Centralized Account Management
Without centralized account management, each AWS account is an island: it has its own identity system, its own logging, its own security services, and its own governance gaps. Managing 200 accounts individually is not just inefficient; it makes consistent security impossible to maintain. Think of it like a franchise without corporate standards: each location operates differently, some excellently and some dangerously, and headquarters has no visibility or control. What fails without centralization? Security baselines drift between accounts, organization-wide policies cannot be enforced, accounts that never enable security services become blind spots, and root user credentials end up scattered across dozens of email addresses.
This section covers AWS Organizations, Control Tower, organizational policies, centralized security service management, and root user credential governance.
Scenario: A growing company creates new AWS accounts for each team. Some teams enable GuardDuty, others don't. Some use CloudTrail, others delete trails. Without centralized management, the security team has no way to enforce or verify compliance.
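The organizational policy that closes the gap in this scenario is a service control policy (SCP) attached at the organization root or to an OU, denying the CloudTrail and GuardDuty changes the teams were making. The policy below is an added example, not taken from the text or from any AWS-published guardrail; the role name `OrgSecurityAdmin`, exempted so that a central automation role can still manage the services, is an assumed placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyGuardDutyDisablement",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DeleteMembers",
        "guardduty:StopMonitoringMembers",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DisassociateFromAdministratorAccount"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
```

SCPs only restrict permissions, so the detectors and trails still have to be created centrally (for example by a delegated administrator account) before this policy can protect them; note also that SCPs never apply to the organization's management account, which is one reason that account should hold no workloads.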
Reflection Question: Why is centralized account management a prerequisite for every other governance control?