AWS Organizations: Multi-Account Management Basics
As you start making full use of AWS, you'll often want to separate accounts per environment or have different teams use separate accounts. AWS Organizations is the service that lets you manage multiple AWS accounts centrally. This article covers the core concepts of Organizations and how to use them in practice.
What is AWS Organizations?
AWS Organizations is a service for managing multiple AWS accounts together. You can group accounts into a hierarchical structure, apply policies across all accounts, and consolidate billing.
By separating accounts per environment—such as development, staging, and production—you can isolate resources and simplify cost management. You can also enforce security policies across the entire organization, making it useful for strengthening governance.
Key Components
Organizations is made up of the following components. Understanding each role is the first step to effective operations.
| Component | Description |
|---|---|
| Organization | The top-level unit that groups multiple AWS accounts. Each organization has exactly one management account |
| Management Account | The account that creates and manages the organization. It handles inviting other accounts and managing OUs and policies |
| Member Account | Any AWS account in the organization other than the management account |
| Root | The top-level node of the organization's hierarchy. It is the parent of all OUs and accounts |
| Organizational Unit (OU) | A container for grouping accounts. Policies applied to an OU affect all accounts beneath it |
| Service Control Policy (SCP) | A JSON policy that defines allowed or denied actions for OUs or accounts. It operates above IAM |
Designing Organizational Units (OUs)
OUs form the backbone of your organization. Designing a hierarchy that fits your use case makes policy management significantly easier.
A common design pattern is to separate OUs by environment. For example, you might create "Production," "Staging," and "Development" OUs and place the corresponding accounts in each.
Root
├── Production
│   └── account-prod
├── Staging
│   └── account-staging
└── Development
    └── account-dev
Another approach is to separate OUs by department or team. Choose based on your organization's scale and governance requirements.
Service Control Policies (SCPs)
SCPs are policies that define allowed or denied actions for the entire organization or for specific OUs and accounts. Because they are evaluated before IAM policies, even an IAM user with administrator permissions in a member account cannot perform actions that an SCP denies. Note that SCPs never restrict the management account itself, which is one reason to keep workloads out of it.
Common use cases for SCPs include:
| Use Case | Example SCP |
|---|---|
| Restrict available regions | Deny operations outside the US East (N. Virginia) region |
| Disable specific services or actions | Deny EC2 instance termination in production |
| Restrict root user actions | Deny actions performed by the root user of member accounts |
| Prevent cost overruns | Deny launching high-cost instance types |
SCPs only define the maximum permissions allowed—granting something in an SCP alone does not enable the action. You still need to grant permissions through IAM policies. An action is only allowed when both the SCP permits it and the IAM policy grants it.
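As an added example (not from the original article), here is a simplified policy evaluator that applies the rule above to the region-restriction SCP from the table: the SCP and the IAM policy are evaluated separately, and the action goes through only when both allow it. The policies and request contexts are constructed samples, and the evaluator supports only Action wildcards and the StringEquals/StringNotEquals operators.

```python
import fnmatch

# Constructed sample SCP: the "restrict available regions" pattern from the
# table above. A FullAWSAccess-style Allow plus a Deny outside us-east-1.
REGION_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}},
]}
# Constructed sample IAM policies attached to two different principals.
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _matches(patterns, value):
    # Action names are case-insensitive and may use "*" wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _condition_holds(cond, ctx):
    # Simplified: only StringEquals / StringNotEquals; a missing context key
    # never equals anything (so a StringNotEquals Deny still applies).
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            equal = ctx.get(key) in expected
            if (op == "StringEquals" and not equal) or (op == "StringNotEquals" and equal):
                return False
    return True

def evaluate(policy, action, ctx):
    """Result of one policy for an action: 'Deny', 'Allow' or None (no match)."""
    result = None
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        result = "Allow"
    return result

def is_allowed(scps, iam_policies, action, ctx):
    """Every SCP on the path from the root to the account must allow the
    action, AND an IAM policy must grant it with no IAM deny."""
    scp_ok = all(evaluate(p, action, ctx) == "Allow" for p in scps)
    iam = [evaluate(p, action, ctx) for p in iam_policies]
    return scp_ok and "Allow" in iam and "Deny" not in iam
```

Running the three cases an auditor would check (admin in the allowed region, admin outside it, and a narrow IAM policy in the allowed region) shows that the admin is blocked only by the SCP, and the S3-only principal only by IAM.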
Working with AWS CLI
Let's try some basic operations to inspect your organization using the AWS CLI. You'll need read permissions for Organizations. These commands also assume that an organization already exists—you can create one from the Organizations page in the AWS Management Console.
Retrieving Organization Details
Fetch information about the current organization, including the management account ID and organization ID.
❯ aws organizations describe-organization
{
  "Organization": {
    "Id": "o-0a1b2c3d4e5f",
    "Arn": "arn:aws:organizations::123456789012:organization/o-0a1b2c3d4e5f",
    "FeatureSet": "ALL",
    "MasterAccountArn": "arn:aws:organizations::123456789012:account/o-0a1b2c3d4e5f/123456789012",
    "MasterAccountId": "123456789012",
    "MasterAccountEmail": "admin@example.com",
    "AvailablePolicyTypes": [
      {
        "Type": "SERVICE_CONTROL_POLICY",
        "Status": "ENABLED"
      }
    ]
  }
}
Listing Accounts
List all accounts in the organization, including their names, statuses, and join timestamps.
❯ aws organizations list-accounts
{
  "Accounts": [
    {
      "Id": "210987654321",
      "Arn": "arn:aws:organizations::123456789012:account/o-0a1b2c3d4e5f/210987654321",
      "Email": "sandbox@example.com",
      "Name": "Sandbox",
      "Status": "ACTIVE",
      "State": "ACTIVE",
      "Paths": [
        "o-0a1b2c3d4e5f/r-0a1b/ou-0a1b-2c3d4e5f/210987654321/"
      ],
      "JoinedMethod": "CREATED",
      "JoinedTimestamp": "2024-01-01T00:00:00.000Z"
    },
    {
      "Id": "123456789012",
      "Arn": "arn:aws:organizations::123456789012:account/o-0a1b2c3d4e5f/123456789012",
      "Email": "admin@example.com",
      "Name": "Production",
      "Status": "ACTIVE",
      "State": "ACTIVE",
      "Paths": [
        "o-0a1b2c3d4e5f/r-0a1b/ou-0a1b-6e7f8a9b/123456789012/"
      ],
      "JoinedMethod": "INVITED",
      "JoinedTimestamp": "2023-01-01T00:00:00.000Z"
    }
  ]
}
Listing OUs
OUs are listed per parent, so start with list-roots to obtain the root ID; the root is the parent of every top-level OU.
❯ aws organizations list-roots
{
  "Roots": [
    {
      "Id": "r-0a1b",
      "Arn": "arn:aws:organizations::123456789012:root/o-0a1b2c3d4e5f/r-0a1b",
      "Name": "Root",
      "PolicyTypes": []
    }
  ]
}
Then pass the root ID as the parent to list the OUs directly beneath it. Only direct children are returned, so for nested OUs you repeat the call with each OU ID as the parent.
❯ aws organizations list-organizational-units-for-parent --parent-id r-0a1b
{
  "OrganizationalUnits": [
    {
      "Id": "ou-0a1b-2c3d4e5f",
      "Arn": "arn:aws:organizations::123456789012:ou/o-0a1b2c3d4e5f/ou-0a1b-2c3d4e5f",
      "Name": "Sandbox",
      "Path": "o-0a1b2c3d4e5f/r-0a1b/ou-0a1b-2c3d4e5f/"
    },
    {
      "Id": "ou-0a1b-6e7f8a9b",
      "Arn": "arn:aws:organizations::123456789012:ou/o-0a1b2c3d4e5f/ou-0a1b-6e7f8a9b",
      "Name": "Production",
      "Path": "o-0a1b2c3d4e5f/r-0a1b/ou-0a1b-6e7f8a9b/"
    }
  ]
}
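As an added example that is not part of the original article, the following walks the whole OU tree recursively instead of one level at a time, which is how you build a complete account inventory before scoping SCPs. It uses the boto3 method names for the same three API calls (list_roots, list_organizational_units_for_parent, list_accounts_for_parent) against a constructed stand-in client seeded with the sample IDs from the outputs above; a real boto3.client("organizations") works as a drop-in, but NextToken pagination is ignored here for brevity.

```python
class FakeOrgClient:
    """Constructed stand-in for boto3's Organizations client, seeded with
    the sample root, OU and account IDs from the CLI output above."""
    roots = [{"Id": "r-0a1b", "Name": "Root"}]
    ous = {
        "r-0a1b": [{"Id": "ou-0a1b-2c3d4e5f", "Name": "Sandbox"},
                   {"Id": "ou-0a1b-6e7f8a9b", "Name": "Production"}],
        "ou-0a1b-2c3d4e5f": [], "ou-0a1b-6e7f8a9b": [],
    }
    accounts = {
        "r-0a1b": [],
        "ou-0a1b-2c3d4e5f": [{"Id": "210987654321", "Name": "Sandbox"}],
        "ou-0a1b-6e7f8a9b": [{"Id": "123456789012", "Name": "Production"}],
    }

    def list_roots(self):
        return {"Roots": self.roots}

    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": self.ous.get(ParentId, [])}

    def list_accounts_for_parent(self, ParentId):
        return {"Accounts": self.accounts.get(ParentId, [])}


def walk(client, parent_id):
    """Return {"ous": {name: subtree}, "accounts": [ids]} below parent_id.
    Each call lists only direct children, so recurse into every OU."""
    node = {"ous": {}, "accounts": []}
    resp = client.list_organizational_units_for_parent(ParentId=parent_id)
    for ou in resp["OrganizationalUnits"]:
        node["ous"][ou["Name"]] = walk(client, ou["Id"])
    for acct in client.list_accounts_for_parent(ParentId=parent_id)["Accounts"]:
        node["accounts"].append(acct["Id"])
    return node


def org_tree(client):
    root = client.list_roots()["Roots"][0]
    return {root["Name"]: walk(client, root["Id"])}


def render(tree, indent=""):
    """Render the tree as indented lines, like the OU diagram earlier."""
    lines = []
    for name, node in tree.items():
        lines.append(indent + name)
        for ou_name, sub in node["ous"].items():
            lines.extend(render({ou_name: sub}, indent + "  "))
        lines.extend(indent + "  " + acct for acct in node["accounts"])
    return lines
```

Accounts that sit directly under the root show up in the root node's "accounts" list, which is worth checking because such accounts inherit no OU-level SCPs.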
Summary
- AWS Organizations centralizes management of multiple AWS accounts, enabling consolidated billing and organization-wide policy enforcement
- OUs let you group accounts hierarchically, making it easier to manage by environment or department
- SCPs operate above IAM and define the maximum permissions allowed for OUs and accounts
- Even if an SCP permits an action, you still need to grant it through IAM policies
- The AWS CLI lets you inspect organization details and list accounts, roots, and OUs