AWS Certified Cloud Practitioner
Post 23 of 25
92%
Complete
Cloud Architecture6 min read
AWS Cloud Practitioner #23: AWS Organizations - Multi-Account Management
Aprende AWS Organizations: gestión de múltiples cuentas, OUs, SCPs, billing consolidado y governance.
🎯 Lo que Aprenderás Hoy
- Explicar AWS Organizations y multi-account strategy
- Comprender Organizational Units (OUs)
- Configurar Service Control Policies (SCPs)
- Implementar consolidated billing
- Aplicar governance a escala
¿Qué es AWS Organizations?
AWS Organizations permite gestionar múltiples AWS accounts centralizadamente.
plaintext
Sin Organizations:
- Account 1 (Production): Billing separado
- Account 2 (Development): Billing separado
- Account 3 (Testing): Billing separado
Each: Separate login, separate billing, separate management
Con Organizations:
- Organization (root)
├── Production Account
├── Development Account
└── Testing Account
Benefits:
✅ Single bill (consolidated)
✅ Centralized management
✅ Volume discounts
✅ Policies aplicadas a multiple accountsConceptos Clave
Organization
plaintext
Root container para todos accounts:
Management Account (antes Master):
- Crea organization
- Invita/crea member accounts
- Full control sobre organization
- Paga consolidated bill
Member Accounts:
- Pertenecen a organization
- Pueden tener resources
- Subject a policies de organizationOrganizational Units (OUs)
plaintext
Logical containers para accounts:
Organization Root
├── OU: Production
│ ├── Account: Prod-US
│ └── Account: Prod-EU
├── OU: Development
│ ├── Account: Dev-Team1
│ └── Account: Dev-Team2
└── OU: Sandbox
└── Account: Experimentation
Benefits:
- Group accounts por purpose
- Apply policies a OU level (inherited)
- Delegation (OU admin)Service Control Policies (SCPs)
¿Qué son? Policies que limitan permissions en accounts.
plaintext
SCP vs. IAM:
IAM:
Define qué users/roles PUEDEN hacer dentro de account
SCP:
Define máximo qué account PUEDE hacer
Acts as guardrail
Example:
IAM da user AdministratorAccess
SCP niega EC2 termination
→ User NO puede terminar EC2 (SCP wins)
Rule: SCP limits max permissions
Even admin can't exceed SCPSCP Examples
json
// Example 1: Deny specific regions
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["us-east-1", "eu-west-1"]
}
}
}]
}
// Only permite US-East-1 y EU-West-1
// Example 2: Deny root account usage
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
}]
}
// Blocks root user access (force IAM users)
// Example 3: Require MFA
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}]
}
// Actions require MFASCP Inheritance
plaintext
Organization Root (SCP1: Allow all except delete S3)
├── OU: Production (SCP2: Deny EC2 instance types > m5.large)
│ └── Account: Prod (IAM: AdministratorAccess)
Effective permissions en Prod Account:
= SCP1 ∩ SCP2 ∩ IAM policies
User en Prod puede:
✅ Launch m5.large EC2
❌ Launch m5.2xlarge EC2 (SCP2 denies)
❌ Delete S3 buckets (SCP1 denies)
All SCPs en hierarchy aplicadosConsolidated Billing
¿Qué es? Single bill para todos accounts en organization.
plaintext
Without consolidated billing:
Account 1: $500/month bill
Account 2: $300/month bill
Account 3: $200/month bill
Total: $1,000 en 3 separate bills
With consolidated billing:
Organization: $1,000/month en single bill
- Account 1: $500
- Account 2: $300
- Account 3: $200
Management account paga todoVolume Discounts
plaintext
S3 tiered pricing:
0-50 TB: $0.023/GB
50-500 TB: $0.022/GB
>500 TB: $0.021/GB
Without consolidation:
Account 1: 30 TB × $0.023 = $690
Account 2: 40 TB × $0.023 = $920
Total: $1,610
With consolidation:
Total: 70 TB combined
First 50 TB: 50 × $0.023 = $1,150
Next 20 TB: 20 × $0.022 = $440
Total: $1,590
Savings: $20 (increases with more usage)
Benefits increase con más accounts y usageReserved Instance Sharing
plaintext
Account A: Purchased 10 Reserved Instances (m5.large)
Account A usage: 7 instances
Unused: 3 instances
Without RI sharing:
3 RIs wasted (paid but not used)
With RI sharing (Organizations):
Account B: Launching 5 m5.large On-Demand
→ 3 automatically use Account A's unused RIs
→ Account B saves money
→ Account A's RIs fully utilized
Benefit: Maximize RI utilization across organizationMulti-Account Strategy
¿Por qué múltiples accounts?
plaintext
1. Security isolation:
Production ≠ Development
Breach en dev NO afecta prod
2. Billing separation:
Track costs por team/project
Chargeback accurate
3. Compliance:
Different accounts para different data classifications
PCI data en separate account
4. Resource limits:
Each account tiene own limits
Organization = combined limits
5. Blast radius:
Error en 1 account NO afecta otrosCommon Structure
plaintext
Organization
├── OU: Infrastructure
│ ├── Logging Account (CloudTrail, Config)
│ └── Security Account (GuardDuty, SecurityHub)
├── OU: Production
│ ├── Prod-WebApp
│ └── Prod-Database
├── OU: Development
│ ├── Dev-Team1
│ └── Dev-Team2
└── OU: Sandbox
└── Experimentation (no production data)
SCPs:
- Infrastructure: Read-only para most teams
- Production: Strict controls, change approval
- Development: More permissive
- Sandbox: Very permissive, cost limitsBest Practices
plaintext
1. Separate management account:
✅ Use ONLY para organization management
❌ NO deploy production workloads
Reason: Security (management account compromise = all accounts)
2. Enable CloudTrail organization trail:
Logs from ALL accounts → centralized bucket
Comprehensive audit trail
3. Use SCPs as guardrails:
Prevent accidental actions
Example: Deny delete production RDS
4. Naming conventions:
Accounts: prod-webapp-us, dev-team1
OUs: Production, Development, Sandbox
5. Tagging strategy:
Consistent tags across accounts
Cost allocation, automation
6. Limit management account access:
Only senior engineers
MFA required
Break-glass procedure
7. Regular SCP audits:
Review and update
Remove unnecessary restrictionsAWS Control Tower
¿Qué es? Automated setup para multi-account environment.
plaintext
Control Tower provides:
✅ Pre-configured organization structure
✅ Guardrails (SCPs) predefined
✅ Account Factory (automated provisioning)
✅ Dashboard (compliance view)
Landing Zone:
Baseline environment con best practices
Guardrails:
- Preventive: SCPs (deny actions)
- Detective: Config rules (detect violations)
Use when:
Starting fresh multi-account setup
Want AWS best practices automated📝 Preparación para el Examen
Puntos Clave
Organizations:
- 📌 Multi-account management: Centralized
- 📌 Management account: Creates organization
- 📌 Member accounts: Belong to organization
- 📌 OUs: Logical grouping of accounts
SCPs:
- 📌 Guardrails: Limit max permissions
- 📌 Applied to: OUs or accounts
- 📌 Inheritance: Down hierarchy
- 📌 vs. IAM: SCP limits max, IAM grants
Billing:
- 📌 Consolidated: Single bill
- 📌 Volume discounts: Combined usage
- 📌 RI sharing: Unused RIs shared
Preguntas de Práctica
Pregunta 1:
¿Qué permite consolidated billing en Organizations?
A) Separate bills por account B) Volume discounts basados en combined usage C) Eliminate costs D) Automatic payment
Success
Respuesta: B) Volume discounts basados en combined usage
Consolidated billing combina usage de todos accounts, permitiendo alcanzar volume discount tiers más rápido (S3, data transfer, etc.).
Pregunta 2:
¿Qué son Service Control Policies (SCPs)?
A) IAM policies para users B) Security group rules C) Limits on max permissions para accounts D) Network policies
Success
Respuesta: C) Limits on max permissions para accounts
SCPs act como guardrails, limitando qué actions son permitidas en accounts, incluso para admins. No grant permissions, solo limit.
🎓 Resumen
- Organizations: Multi-account management centralized
- OUs: Logical grouping de accounts
- SCPs: Guardrails limiting max permissions
- Consolidated billing: Single bill + volume discounts
- Strategy: Separate accounts para security, billing, compliance
⏭️ Próximo Post
Post #24: Migration y AWS Innovation Services
Tags: #AWS #CloudPractitioner #Organizations #MultiAccount #SCP #Governance #Certification
Related Articles
Cloud Architecture
AWS Cloud Practitioner #14: CloudTrail - Auditoría y Compliance
Domina CloudTrail para auditing, AWS Config para compliance, y aprende a rastrear todas las acciones en tu cuenta AWS.
7 min
Cloud Architecture
AWS Cloud Practitioner #1: De Servidores Físicos a la Nube
Aprende qué es cloud computing y las diferencias entre IaaS, PaaS y SaaS con una metodología bottom-up que construye tu conocimiento paso a paso.
7 min
Cloud Architecture
AWS Cloud Practitioner #2: Infraestructura Global AWS - Regions, AZs y Edge Locations
Descubre cómo AWS distribuye su infraestructura globalmente y aprende a elegir la región correcta para tus aplicaciones usando metodología bottom-up.
9 min
Cloud Architecture
AWS Cloud Practitioner #3: Superpoderes de la Nube - Elasticity, Scalability y HA
Comprende las ventajas clave de cloud computing: elasticity, scalability, high availability y agility. Aprende cómo AWS implementa estos conceptos.
9 min
Recent Articles
Cloud Architecture
AWS Cloud Practitioner #4: Well-Architected Framework - Los 6 Pilares
13 min
Cloud Architecture
AWS Cloud Practitioner #5: Shared Responsibility Model - ¿Quién es Responsable de Qué?
13 min
Cloud Architecture
AWS Cloud Practitioner #6: Amazon EC2 - Tu Servidor en la Nube
12 min
Cloud Architecture
AWS Cloud Practitioner #7: Amazon S3 - Almacenamiento Ilimitado en la Nube
13 min
Cloud Architecture
AWS Cloud Practitioner #8: Amazon RDS - Databases Gestionadas
12 min