AWS – Managing your accounts

There are a number of ways to group and arrange your AWS accounts. How you do this is completely up to you, but the following are a few examples to consider:

  • Business unit (BU) or location: You may wish to allow each BU to work in isolation on its own products or services, on its own schedule, without impacting other parts of the business.
  • Cost center: Grouping according to cost may help you track spending versus the allocated budget.
  • Environment type: It may make sense to group your development, test, and production environments together in a way that helps you manage the controls across each environment.
  • Workload type or data classification: Your company may want to isolate workload types from each other, or ensure that particular controls are applied to all the accounts containing a particular kind of data.

In the following fictitious example, we have isolated the Sitwell Enterprises Account from the rest of the organization by placing it in an OU called Sudden Valley. Perhaps they operate in a different geographical location and have different regulatory requirements around controls and access:

Organization hierarchy

Note that, while it’s also technically possible for us to put the master account inside an OU, we avoid doing this to make the following obvious:

  • It’s the master account and it has control over the entire organization.
  • The rules we set using the SCPs for the member accounts in our organization do not apply to the master account (because they can’t).

You can learn more about SCPs in the Adding a Service Control Policy (SCP) recipe in this chapter.

Getting ready

Before we can proceed, you should have already done the following:

  • Set up a master AWS account
  • Created an organization
  • Created member accounts in your organization, or manually added member accounts (by invitation) to your organization

How to do it…

We’ll now cover the one-line commands you’ll need to perform the common tasks required to manage your OUs. These commands can only be run from your master account:

  • Getting the root ID for your organization
  • Creating an OU
  • Getting the ID of an OU
  • Adding an account to an OU
  • Removing an account from an OU
  • Deleting an OU

Getting the root ID for your organization

You can run this command to get the ID of the root for your organization. The root is created automatically for you when you create your organization in your master account:

aws organizations list-roots

The ID that’s returned to you will look something like the following:


Creating an OU

To create an OU, perform the following steps:

  1. Determine where you’d like this OU to live. If it lives directly underneath the root, then your root ID will be the parent. Alternatively, if this OU is going to be a child of another OU, use the ID of the OU instead. Obviously, if this is the first OU you’re creating, the root will be the parent.
  2. Use the CLI to create your OU, as follows:
        aws organizations create-organizational-unit \
          --parent-id <root-id or parent-ou-id> \
          --name <desired-ou-name>

Getting the ID of an OU

If you need to fetch the ID of an OU, you can use the CLI to do so; note that you’ll need to know the parent of the OU. Here is how you’d get a list of all the OUs and their IDs in a root or OU:

aws organizations list-organizational-units-for-parent \
  --parent-id <root-id or parent-ou-id>

Adding an account to an OU

To add an account to an OU, perform the following steps:

  1. When an account is initially added to your organization, it will be a child of the organization root. To add it to the OU you just created, you need to move it using the following CLI command:
        aws organizations move-account \
          --account-id <twelve-digit-account-id> \
          --source-parent-id <root-id> \
          --destination-parent-id <new-parent-ou-id>
  2. If you wish to move an account from one OU to another, simply use the same command but with the existing parent OU ID instead of the root ID.

Removing an account from an OU

To remove an account from an OU, perform the following steps:

  1. If you wish to remove an account from an OU, you have two options. You can move it to another OU, or you can move it back to the root. If you decide you want to delete an OU, you’ll need to make sure no accounts exist inside it first (we’ll show you how to do this next).
  2. Run the following command to move an account back to the root:
        aws organizations move-account \
          --account-id <twelve-digit-account-id> \
          --source-parent-id <existing-parent-ou-id> \
          --destination-parent-id <root-id>

Deleting an OU

To delete an OU, you’ll need to make sure it’s empty by removing its child accounts (as we mentioned previously). You can then go ahead and delete the OU, as follows:

aws organizations delete-organizational-unit \
  --organizational-unit-id <ou-id>
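The following script ties the one-liners above together into one idempotent procedure: fetch the root ID, create the OU only if it does not already exist, validate the account and parent IDs before calling move-account, and refuse to delete an OU that still holds accounts. It is an added example, not code from the book; it assumes the AWS CLI is on PATH as aws and is run with master-account credentials. The --query and --output text options are standard AWS CLI options used here to extract bare IDs from the JSON responses; the function names and the AWS_BIN and ORG_APPLY variables are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the book): wraps the recipe's OU commands in
# checked, re-runnable functions. Assumes the real AWS CLI is on PATH as
# `aws` and master-account credentials; AWS_BIN lets a reader substitute
# a wrapper or an offline stub.
set -eu

AWS_BIN="${AWS_BIN:-aws}"

# An AWS account ID is exactly twelve digits; a typo here would otherwise
# silently move the wrong account, so validate before touching the API.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Root IDs look like r-xxxx, OU IDs like ou-xxxx-xxxxxxxx (Organizations ID format).
valid_parent_id() {
  case "$1" in
    r-[a-z0-9]*|ou-[a-z0-9]*-[a-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Bare root ID instead of the JSON document shown on the page.
get_root_id() {
  "$AWS_BIN" organizations list-roots --query 'Roots[0].Id' --output text
}

# Look up an OU by name under a parent; prints nothing and returns 1 if absent.
# The CLI prints "None" in text mode when the JMESPath query matches nothing.
get_ou_id() {
  parent="$1"; name="$2"
  id=$("$AWS_BIN" organizations list-organizational-units-for-parent \
    --parent-id "$parent" \
    --query "OrganizationalUnits[?Name=='$name'].Id | [0]" --output text)
  [ -n "$id" ] && [ "$id" != "None" ] || return 1
  printf '%s\n' "$id"
}

# Create the OU only when it does not exist yet, so re-runs are harmless.
ensure_ou() {
  parent="$1"; name="$2"
  if id=$(get_ou_id "$parent" "$name"); then
    printf '%s\n' "$id"
  else
    "$AWS_BIN" organizations create-organizational-unit \
      --parent-id "$parent" --name "$name" \
      --query 'OrganizationalUnit.Id' --output text
  fi
}

# Move an account between parents after validating every ID.
move_account() {
  account="$1"; from="$2"; to="$3"
  valid_account_id "$account" || { echo "bad account id: $account" >&2; return 2; }
  valid_parent_id "$from" && valid_parent_id "$to" || { echo "bad parent id" >&2; return 2; }
  "$AWS_BIN" organizations move-account \
    --account-id "$account" \
    --source-parent-id "$from" \
    --destination-parent-id "$to"
}

# Delete an OU only when it has no child accounts (the API rejects a
# non-empty OU anyway; checking first gives a clear message). Child OUs
# are not checked here.
delete_ou_if_empty() {
  ou="$1"
  accounts=$("$AWS_BIN" organizations list-accounts-for-parent \
    --parent-id "$ou" --query 'length(Accounts)' --output text)
  if [ "$accounts" != "0" ]; then
    echo "OU $ou still contains $accounts account(s); move them first" >&2
    return 3
  fi
  "$AWS_BIN" organizations delete-organizational-unit --organizational-unit-id "$ou"
}

# Real changes happen only when explicitly requested, so sourcing this file
# to reuse the functions never modifies the organization.
if [ "${ORG_APPLY:-}" = "yes" ]; then
  root=$(get_root_id)
  ou=$(ensure_ou "$root" "${OU_NAME:?set OU_NAME}")
  move_account "${ACCOUNT_ID:?set ACCOUNT_ID}" "$root" "$ou"
  echo "account $ACCOUNT_ID now lives in OU $ou"
fi
```

Run it as `ORG_APPLY=yes OU_NAME="Sudden Valley" ACCOUNT_ID=123456789012 sh manage-ou.sh` from the master account; without ORG_APPLY=yes it only defines the functions, which is the mode a reviewer can use to source and inspect them.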

How it works…

If done right, grouping your accounts together using OUs will help you simplify the way you manage and administer them. Try to use just enough OUs to get the job done. The idea is to use OUs to make your life easier, not harder.

There’s more…

Here are a few more things to keep in mind when managing your organization’s accounts.

  • Organizational Control Policies (OCPs) can be attached to your root, OU, or AWS accounts. At this time, only one kind of OCP is supported: SCP.
  • Accounts can only belong to one OU or root.
  • Similarly, OUs can only belong to one OU or root.
  • It’s best to avoid deploying resources in the master account because this account can’t be controlled with SCPs. The master account should be treated as a management account for audit, control, and billing purposes only.

See also

  • The Adding a Service Control Policy (SCP) recipe in this chapter