Set Up AWS Organizations
Multi-account.
Overview
AWS Organizations is the multi-account framework that gives a growing AWS estate shared governance: SCPs for org-wide guardrails, consolidated billing, and org-aware Config, CloudTrail, and GuardDuty. Multi-account is not just isolation; it is the foundation of compliance, cost attribution, and blast-radius management at scale.
- Multi-account structure. Per-environment, per-team, per-project accounts. Isolation by design.
- Service Control Policies (SCPs). Org-wide guardrails enforced regardless of IAM. Structural protection that IAM alone cannot provide.
- Consolidated billing. Single invoice across accounts plus volume discounts. Finance and engineering see the same numbers.
- Org-wide service integration plus Account Factory. Config, CloudTrail, GuardDuty enabled org-wide; Control Tower or custom automation provisions new accounts safely.
The approach
Three habits make AWS Organizations a real governance surface: deliberate OU structure, SCPs enforced from day one, and Account Factory automation that keeps new-account creation consistent.
- OU structure. Per-environment OUs (prod, staging, dev). Per-business-unit OUs as the org grows.
- SCPs from day one. Block region usage outside policy, enforce tagging, prevent root-account use. Structural protection.
- Account Factory. Control Tower or custom automation provisions accounts with conventions baked in.
- Org-wide service integration plus documented OU policy. Config, CloudTrail, and GuardDuty enabled across the org; the policy for each OU documented.
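The three day-one guardrails named above (region restriction, tagging, root-account use) written as one SCP document. This is an added example, not a policy from the original page. The approved regions, the `CostCenter` tag key, and the list of global services exempted in `NotAction` are assumptions to adjust for your own org.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    },
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "RequireCostCenterTagOnInstances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    }
  ]
}
```

SCPs only restrict; they never grant permissions, and they do not apply to the management account, so attach the policy to the OUs and keep workloads out of the management account. Test it on a non-production OU first, because a region deny with too short a `NotAction` list will block global services that the accounts depend on.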
Why this compounds
Each new account inherits the SCPs, conventions, and integrations of the org. The team’s multi-account fluency deepens; compliance posture improves; cost attribution becomes possible at the team level.
- Blast-radius isolation. Per-account boundaries shrink breach impact. Compromise in one account does not spread.
- Cost attribution. Per-account billing surfaces team-level cost. Conversations with finance get easier.
- Governance through SCPs. Structural protection that does not depend on every engineer remembering policy.
- Year-one investment, year-two habit. The first OU structure is a heavy lift. By the third account, the conventions are settled.