
AWS Organizations: Multi-Account Strategy & Governance

Deploy and configure organizations by using AWS Organizations.

Curriculum Overview: AWS Organizations & Multi-Account Management

This curriculum provides a comprehensive roadmap for mastering AWS Organizations, a critical pillar of the AWS Certified Security - Specialty (SCS-C03) exam. You will learn to architect a multi-account environment that scales securely using Organizational Units (OUs) and Service Control Policies (SCPs).


Prerequisites

Before starting this module, learners should have a solid grasp of the following:

  • Identity and Access Management (IAM): Proficiency in creating users, roles, and identity-based policies.
  • AWS Global Infrastructure: Understanding of Regions and Availability Zones.
  • Security Fundamentals: Knowledge of the Shared Responsibility Model and the principle of least privilege.
  • Basic JSON Syntax: Ability to read and write JSON, as it is the primary format for SCPs.

Module Breakdown

| Module | Topic | Complexity | Focus Area |
|---|---|---|---|
| 1 | Foundations of AWS Organizations | Beginner | Hierarchy, Root, & Account Types |
| 2 | Organizing with OUs | Intermediate | Logical grouping & inheritance |
| 3 | Service Control Policies (SCPs) | Advanced | Permission guardrails & JSON logic |
| 4 | Centralized Security Governance | Advanced | Delegated Admin & Security Services |
| 5 | Account Factory & Control Tower | Intermediate | Automated provisioning & Guardrails |

Learning Objectives per Module

Module 1: Foundations of AWS Organizations

  • Differentiate between the Management Account (billing/master) and Member Accounts.
  • Establish a root-level organization and invite existing accounts.

Module 2: Organizing with OUs

  • Design a hierarchical structure using Organizational Units (OUs) to mimic business units or environments (Dev, Test, Prod).
  • Understand how policies cascade from the Root to child OUs and accounts.

Module 3: Service Control Policies (SCPs)

  • Implement SCPs to set the maximum available permissions for an account.
  • Apply the "Filter" logic: SCPs never grant permissions; an action is effectively allowed only where the SCP and the identity's IAM policy both allow it (the intersection of the two).

Module 4: Centralized Security Governance

  • Configure Delegated Administrator accounts for services like GuardDuty, Security Hub, and Macie.
  • Centralize CloudTrail logging across the entire organization.

Module 5: Automated Provisioning

  • Utilize AWS Control Tower to deploy a "Landing Zone" with pre-configured security guardrails.
  • Standardize resource tagging via Tag Policies to ensure cost-center accountability.

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

  1. Diagram Permission Intersections: Correctly identify the "Effective Permissions" when an IAM policy and an SCP overlap.
  2. Architect an OU Hierarchy: Design a structure that prevents "blast radius" expansion during a security incident.
  3. Deploy a Guardrail: Write a functional SCP that prevents member accounts from leaving the organization or disabling CloudTrail.
  4. Audit Compliance: Use AWS Config and IAM Access Analyzer to verify that organizational policies are being enforced.

[!IMPORTANT] Success is measured not just by deployment, but by the ability to explain why a specific OU structure or SCP was chosen to meet a security requirement.


Real-World Application

In a professional setting, AWS Organizations is the difference between an unmanaged "Wild West" of cloud accounts and a governed enterprise environment.

  • Security Containment: If a developer account is compromised, OUs and SCPs can isolate that account, preventing the attacker from accessing the production billing data or core infrastructure.
  • Compliance at Scale: Instead of manually checking 100 accounts for encryption, you apply one SCP at the root that denies any s3:CreateBucket action unless encryption is enabled.
  • Cost Management: Consolidated billing allows companies to reach volume discount tiers faster and provides a single pane of glass for all cloud expenditures.

Permission Intersection Logic

Diagram: two overlapping circles, "IAM Policy (Allows All)" and "SCP (Restricts S3)"; the region where they overlap is labelled "Effective Permissions".

[!TIP] Always remember: Deny trumps Allow. If an SCP denies a service, no IAM policy in the member account can override it.
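As an added illustration (not from the curriculum or AWS documentation), the Python below models the "deny trumps allow" intersection described here and in Module 3, and embeds a constructed guardrail SCP of the kind Success Metric 3 asks for (no leaving the organization, no disabling CloudTrail). The SCP and the admin IAM policy are assumed sample documents, and the evaluator deliberately ignores Resource, Condition, NotAction and permission boundaries.

```python
"""Simplified SCP/IAM intersection check. Real evaluation also weighs
Resource, Condition, NotAction and permission boundaries; this model keeps
Effect and Action (with '*' wildcards) to show the filter rule."""
import fnmatch
import json

# Constructed example SCP (not from the page): a guardrail that blocks member
# accounts from leaving the organization or disabling CloudTrail logging.
GUARDRAIL_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEverythingElse", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Sid": "DenyDisableCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}
  ]
}""")

# Constructed IAM identity policy: an administrator with full access.
ADMIN_IAM_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _actions(stmt):
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else acts

def policy_decision(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    Action names are matched case-insensitively with '*' wildcards."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny anywhere ends evaluation
            decision = "Allow"
    return decision

def effective_permission(iam_policy, scp, action):
    """True only if BOTH the SCP and the IAM policy allow the action: the
    effective permission set is the intersection of the two."""
    return (policy_decision(scp, action) == "Allow"
            and policy_decision(iam_policy, action) == "Allow")

if __name__ == "__main__":
    for act in ("s3:CreateBucket", "organizations:LeaveOrganization",
                "cloudtrail:StopLogging"):
        print(f"{act:35} allowed={effective_permission(ADMIN_IAM_POLICY, GUARDRAIL_SCP, act)}")
```

Note the SCP's own `Allow *` statement: an SCP with no Allow passes nothing, even for a full administrator, which is why AWS attaches the FullAWSAccess policy by default when SCPs are enabled.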
