DEV Community

Cover image for Managing Multiple AWS Accounts with Organizations and Control Tower
Guille Ojeda for AWS Community Builders

Posted on • Originally published at

Managing Multiple AWS Accounts with Organizations and Control Tower

Note: This content was originally published at the Simple AWS newsletter. Understand the Why behind AWS Solutions. Subscribe for free! 3000 engineers and tech experts already have.

Managing Multiple AWS Accounts with Organizations and Control Tower

Services involved:

  • AWS Organizations: An account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. It includes consolidated billing and centralized security with Service Control Policies.

  • AWS Control Tower: A service that helps you set up and govern a secure, multi-account AWS environment. It is an opinionated architecture that builds out a multi-account architecture with pre-configured security and access settings.

Each AWS Account should serve one single purpose and hold one workload (one environment for one application, for example the production environment for App 1). Accounts are grouped into Organizational Units (OUs).

This is an example account structure:

Example account structure with AWS Organizations

Benefits of using AWS Organizations

  • Consolidated billing: You only put your credit card details in the root account, and all AWS bills from all accounts are billed to the root account

  • Centralized management: You can create new accounts and manage existing accounts from the Organizations console in the root account

  • Improved security: Using Service Control Policies.

How to set up an Organization

  1. Create a new AWS account. This is going to be the root account of your Organization

  2. Set up an Organization in that account. There's two ways to do it:

    1. Set it up with Control Tower (preferred method)
    2. Manually create the Organization
  3. Create Organizational Units. Use them to group your accounts, for example by project.

  4. Set up the following shared accounts (don't worry, accounts are free)

    1. Log archive: You'll send all logs into this account, for centralized management and security.
    2. Security: For security access and audits.
    3. Shared services: This account will hold anything that can be shared across accounts, such as CI/CD pipelines
  5. Set up one account per environment per project. For example, if you have 2 projects called Project 1 and Project 2, each with development and production environments, you'd set up the following accounts: Project 1 dev, Project 1 prod, Project 2 dev, Project 2 prod. Make sure these are set up in the correct Organizational Unit, for example Project 1 OU for all Project 1 accounts.

  6. Set up Service Control Policies

  7. Don't use the root account for anything else.

  8. If you already have an account with existing resources, create a new account to use as the root, and invite your existing account into the Organization


A Secure Cloud's Service Control Policies are a great starting point for setting up your own Service Control Policies. Even if you know what you're doing, check them out.

Understand the Why behind AWS Solutions.
Join over 3000 devs, tech leads, and experts learning how to architect cloud solutions, not pass exams, with the Simple AWS newsletter.

  • Real-world scenarios
  • The Why behind solutions
  • How to apply best practices

Subscribe for free!

If you'd like to know more about me, you can find me on LinkedIn or at

Top comments (0)