Which AWS service provides central governance and management across multiple AWS accounts?

Establish a centrally managed, secure, multi-account AWS environment

With AWS, you can improve business agility while maintaining governance control. AWS provides an automated solution for creating and managing a secure multi-account environment. Use AWS to automate account creation, create groups of accounts to reflect your business needs, and use guardrails to enforce your policies on AWS.

“With a secure multi-account AWS environment, we can meet SANS' expanding needs to create training covering emerging technologies and hands-on learning environments for our students. Control Tower’s visibility, guardrails, and federation ensure that we can scale our usage of AWS both quickly and confidently.”

Ben Allen, Security Architect, SANS

Set up your environment with governance built in

As your multi-account environment grows, gain peace of mind knowing your accounts conform to your company-wide policies. With AWS Control Tower, you can automate the setup of your environment and enforce guardrails for ongoing governance over your AWS workloads.

Manage your multi-account environment and billing

As you grow and scale your workloads on AWS, it is crucial to centrally govern your multi-account environment. With AWS Organizations, you can create groups of accounts to reflect your business needs, apply policies for these groups for governance, and centrally manage billing.

Gain visibility into your management processes

Facilitating governance processes can be challenging, as you seek a consolidated view across your organizational units and accounts. AWS Control Tower provides dashboard visibility into your guardrails, as well as your organizational units and accounts.

AWS Management and Governance services

In the past, organizations have had to choose between innovating faster and maintaining control over cost, compliance, and security. With AWS Management and Governance services, you don’t have to choose between innovation and control—you can have both. With AWS, you can enable, provision, and operate your environment for both business agility and governance control.

With AWS Organizations you can perform account management activities at scale by consolidating multiple AWS accounts into a single organization. Consolidating accounts simplifies how you use other AWS services. You can leverage the multi-account management services available in AWS Organizations with select AWS services to perform tasks on all accounts that are members of your organization.

The following table lists AWS services that you can use with AWS Organizations, and the benefit of using each service on an organization-wide level.

Trusted Access – You can enable a compatible AWS service to perform operations across all of the AWS accounts in your organization. For more information, see Using AWS Organizations with other AWS services.

Delegated Administrator – A compatible AWS service can register an AWS member account in the organization as an administrator for the organization's accounts in that service.

Columns: AWS service; Benefits of using with AWS Organizations; Supports Trusted Access; Supports Delegated Administrator

AWS Account Management

Manage the details and metadata for all of the AWS accounts for your organization.

You can create, update, and delete the alternate contact information for all of the accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Artifact

Download AWS security compliance reports such as ISO and PCI reports.

You can accept agreements on behalf of all accounts within your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Audit Manager

Automate the continuous collection of evidence to help you audit your use of cloud services.

Continuously audit your AWS use across multiple accounts in your organization to simplify how you assess risk and compliance.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Backup

Manage and monitor backups across all of the accounts in your organization.

You can configure and manage backup plans for your entire organization, or for groups of accounts in your organizational units (OUs). You can centrally monitor backups for all of your accounts.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS CloudFormation StackSets

Create, update, or delete stacks across multiple accounts and Regions with a single operation.

A user in the management account or a delegated administrator account can create a stack set with service-managed permissions that deploys stack instances to accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS CloudTrail

Enable governance, compliance, and operational and risk auditing of your account.

A user in a management account can create an organization trail that logs all events for all accounts in that organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

Amazon CloudWatch Events

Monitor your AWS resources and the applications that you run on AWS in real time.

You can enable sharing of all CloudWatch Events across all accounts in your organization.

For more information, see Sending and Receiving Events Between AWS accounts in the Amazon CloudWatch Events User Guide.

Supports Trusted Access: No

Supports Delegated Administrator: No

AWS Compute Optimizer

Get AWS compute optimization recommendations.

You can analyze all resources that are in your organization's accounts to get optimization recommendations.

For more information, see Accounts Supported by Compute Optimizer in the AWS Compute Optimizer User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Config

Assess, audit, and evaluate the configurations of your AWS resources.

You can get an organization-wide view of your compliance status. You can also use AWS Config API operations to manage AWS Config rules and conformance packs across all AWS accounts in your organization.

You can use a delegated administrator account to aggregate resource configuration and compliance data from all member accounts of an organization in AWS Organizations. For more information, see Register a delegated administrator in the AWS Config Developer Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes (Config rules, conformance packs, multi-account multi-region data aggregation)

AWS Control Tower

Set up and govern a secure, compliant, multi-account AWS environment.

You can set up a landing zone, a multi-account environment for all of your AWS resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your AWS accounts.

For more information, see How AWS Control Tower and Manage Accounts Through AWS Organizations in the AWS Control Tower User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

Amazon Detective

Generate visualizations from your log data to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

You can integrate Amazon Detective with AWS Organizations to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Amazon DevOps Guru

Analyze operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. Users are notified when DevOps Guru detects an operational issue or risk.

You can integrate with AWS Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain organization-wide health of all monitored applications.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Directory Service

Set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory.

You can integrate AWS Directory Service with AWS Organizations for seamless directory sharing across multiple accounts and any VPC in a Region.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Firewall Manager

Centrally configure and manage firewall rules for web applications across your accounts and applications.

You can centrally configure and manage AWS WAF rules across the accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Amazon GuardDuty

GuardDuty is a continuous security monitoring service that analyzes and processes information from a variety of data sources. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

You can designate a member account to view and manage GuardDuty for all of the accounts in your organization. Adding member accounts automatically enables GuardDuty for those accounts in the selected AWS Region. You can also automate GuardDuty activation for new accounts added to your organization.

For more information, see GuardDuty and Organizations in the Amazon GuardDuty User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Health

Get visibility into events that might affect your resource performance or availability issues for AWS services.

You can aggregate AWS Health events across accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Identity and Access Management

Securely control access to AWS resources.

You can use service last accessed data in IAM to help you better understand AWS activity across your organization. You can use this data to create and update service control policies (SCPs) that restrict access to only the AWS services that your organization's accounts use.

For an example, see Using Data to Refine Permissions for an Organizational Unit in the IAM User Guide.

Supports Trusted Access: No

Supports Delegated Administrator: No

IAM Access Analyzer

Analyze resource-based policies in your AWS environment to identify any policies that grant access to a principal outside of your zone of trust.

You can designate a member account to be an administrator for IAM Access Analyzer.

For more information, see Enabling Access Analyzer in the IAM User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Amazon Inspector

Automatically discover your AWS workloads (Amazon EC2 instances and container images that reside in Amazon ECR) and scan them for software vulnerabilities and unintended network exposure.

Delegate an administrator to enable or disable scans for member accounts, view aggregated finding data from the entire organization, and create and manage suppression rules.

For more information, see Managing multiple accounts with AWS Organizations in the Amazon Inspector User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS License Manager

Streamline the process of bringing software licenses to the cloud.

You can enable cross-account discovery of computing resources throughout your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Amazon Macie

Discovers and classifies your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues.

You can configure Amazon Macie for all of the accounts in your organization to get a consolidated view of all of your data in Amazon S3, across all accounts from a designated Macie administrator account. You can configure Macie to automatically protect resources in new accounts as your organization grows. You are alerted to remediate policy misconfigurations across S3 buckets throughout your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Marketplace

A curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses.

You can share licenses for your AWS Marketplace subscriptions and purchases across the accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Network Manager

Enables you to centrally manage your AWS Cloud WAN core network and your AWS Transit Gateway network across AWS accounts, Regions, and on-premises locations.

You can centrally manage and monitor your global networks with transit gateways and their attached resources in multiple AWS accounts within your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Resource Access Manager

Share specified AWS resources that you own with other accounts.

You can share resources within your organization without exchanging additional invitations. Resources you can share include Route 53 Resolver rules, on-demand capacity reservations, and more.

For information about sharing capacity reservations, see the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances.

For a list of shareable resources, see Shareable Resources in the AWS RAM User Guide.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Security Hub

View your security state in AWS and check your environment against security industry standards and best practices.

You can automatically enable Security Hub for all of your organization's accounts, including new accounts as they are added. This increases the coverage for Security Hub checks and findings, which provides a more accurate picture of your overall security posture.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Amazon S3 Storage Lens

Get visibility into your Amazon S3 storage usage and activity metrics with actionable recommendations to optimize storage.

Configure Amazon S3 Storage Lens to gain visibility into Amazon S3 storage usage and activity trends, and recommendations for all member accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Service Catalog

Create and manage catalogs of IT services that are approved for use on AWS.

You can share portfolios and copy products across accounts more easily, without sharing portfolio IDs.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Service Quotas

View and manage your service quotas, also referred to as limits, from a central location.

You can create a quota request template to automatically request a quota increase when accounts in your organization are created.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS IAM Identity Center (successor to AWS Single Sign-On)

Provide single sign-on access for all of your accounts and cloud applications.

Users can sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Systems Manager

Enable visibility and control of your AWS resources.

You can synchronize operations data across all AWS accounts in your organization by using Systems Manager Explorer.

You can manage change templates, approvals and reporting for all member accounts in your organization from a delegated administrator account by using Systems Manager Change Manager.

Supports Trusted Access: Yes (Systems Manager Explorer only)

Supports Delegated Administrator: Yes

Tag policies

Use standardized tags across resources in your organization's accounts.

You can create tag policies to define tagging rules for specific resources and resource types and attach those policies to organizational units and accounts to enforce those rules.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

AWS Trusted Advisor

Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps.

Run Trusted Advisor checks for all of the AWS accounts in your organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

AWS Well-Architected Tool

The AWS Well-Architected Tool helps you document the state of your workloads and compares them to the latest AWS architectural best practices.

Enables both AWS WA Tool and Organizations customers to simplify the process of sharing AWS WA Tool resources with other members of their organization.

Supports Trusted Access: Yes

Supports Delegated Administrator: No

Amazon VPC IP Address Manager (IPAM)

IPAM is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.

Monitor IP address usage throughout your organization and share IP address pools across member accounts.

Supports Trusted Access: Yes

Supports Delegated Administrator: Yes

Which AWS service provides central governance and management?

AWS Service Catalog allows you to centrally manage commonly deployed IT services and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

Which AWS service allows you to manage multiple AWS accounts?

AWS SSO is a cloud-based service that simplifies how you manage access to accounts and applications. After you create your organization, you can enable AWS SSO in the console when signed into the management account.

Which AWS service can be used to manage multiple AWS accounts for a company across multiple regions and provide consolidated billing?

AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage.

Which service in AWS allows you to consolidate and manage multiple accounts from a central location?

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.