Hands-On Lab

Lab: Centrally Managing AWS Accounts with Organizations and SCPs

Develop a strategy to centrally deploy and manage AWS accounts


In this lab, you will implement a multi-account strategy using AWS Organizations. You will learn how to structure accounts into Organizational Units (OUs) and enforce security guardrails using Service Control Policies (SCPs). This mirrors the foundation of an AWS Control Tower Landing Zone.

[!WARNING] This lab involves AWS Organizations. If your account is already part of an organization, ensure you have the necessary permissions in the Management account. Standard AWS fees may apply, though AWS Organizations itself is free.

Prerequisites

  • AWS Account: Access to an AWS account with AdministratorAccess permissions.
  • AWS CLI: Installed and configured with a profile for the management account.
  • IAM Permissions: Ability to create IAM policies and organization resources.
  • Browser: Access to the AWS Management Console.

Learning Objectives

  • Initialize an AWS Organization structure.
  • Create a hierarchical tree using Organizational Units (OUs).
  • Author and attach a Service Control Policy (SCP) to restrict specific actions across the organization.
  • Verify the effective permissions of member accounts.

Architecture Overview

This architecture demonstrates a simple production-ready hierarchy where a Management account controls a "Production" OU. An SCP is applied to the OU to prevent member accounts from leaving the organization or disabling logging.


Step-by-Step Instructions

Step 1: Initialize the Organization

First, you must enable AWS Organizations. This transforms your standalone account into a Management account.

CLI Command:

```bash
aws organizations create-organization --feature-set ALL
```

Console Alternative:
  1. Navigate to the AWS Organizations console.
  2. Click Create organization.
  3. Confirm the creation.

Step 2: Create a Production Organizational Unit (OU)

OUs allow you to group accounts and apply policies to the group rather than individual accounts.

CLI Command: First, find your Root ID:

```bash
aws organizations list-roots
```

Then create the OU (replace <ROOT_ID>):

```bash
aws organizations create-organizational-unit --parent-id <ROOT_ID> --name "Production"
```

Console Alternative:
  1. In the Organizations console, select the Root checkbox.
  2. Click Actions > Organizational unit > Create new.
  3. Name it Production and click Create.

Step 3: Enable SCPs in the Root

Service Control Policies are not enabled by default. You must enable the policy type at the root level.

CLI Command:

```bash
aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICY
```

Step 4: Create a Guardrail Policy (SCP)

We will create a policy that prevents any account in the OU from deleting the AWS Config recorder, ensuring compliance monitoring stays active.

Create a file named policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
```

CLI Command:

```bash
aws organizations create-policy \
  --content file://policy.json \
  --description "Prevent disabling of AWS Config" \
  --name "GuardrailConfigCheck" \
  --type SERVICE_CONTROL_POLICY
```

Step 5: Attach the SCP to the Production OU

Now, link the security guardrail to your specific OU.

CLI Command: Replace <POLICY_ID> and <OU_ID> with the outputs from previous steps.

```bash
aws organizations attach-policy --policy-id <POLICY_ID> --target-id <OU_ID>
```

Policy Inheritance Visualization

This diagram illustrates how permissions flow through the organization. Even if an IAM user in Account A has full administrator access, the SCP attached to the account's OU acts as a filter that sets the maximum available permissions; an SCP never grants access on its own, it only caps what IAM policies can grant.

```latex
\begin{tikzpicture}[node distance=1.5cm, every node/.style={fill=white, font=\small}]
  \draw[fill=gray!10, rounded corners] (-1,-1) rectangle (6,4);
  \node at (2.5,3.5) {\textbf{Permission Boundary (SCP)}};
  \draw[thick, ->] (0,3) -- (5,3) node[midway, above] {Full IAM Permissions};
  \draw[red, ultra thick] (2.5,4) -- (2.5,-1) node[below] {SCP Filter};
  \node[draw, circle] (user) at (0,1) {User};
  \node[draw, rectangle] (service) at (5,1) {AWS Resource}; % 'rectangle' is the TikZ shape name
  \draw[->, thick] (user) -- (2.3,1);
  \draw[->, dashed] (2.7,1) -- (service) node[midway, below] {Effective Access};
  \node[text width=3cm, align=center] at (2.5,-0.5) {\textit{Denied Actions Blocked Here}};
\end{tikzpicture}
```

Checkpoints

| Verification Step | Expected Result |
| :--- | :--- |
| Run `aws organizations list-organizational-units-for-parent --parent-id <ROOT_ID>` | You should see the Production OU listed. |
| Run `aws organizations list-policies-for-target --target-id <OU_ID> --filter SERVICE_CONTROL_POLICY` on the OU | The GuardrailConfigCheck policy should be present. |
| Check the Console Policy Editor | The JSON for your SCP should be viewable in the Policy tab. |

Troubleshooting

| Problem | Cause | Solution |
| :--- | :--- | :--- |
| ConstraintViolationException | Trying to delete an OU that still has accounts or sub-OUs. | Move or remove all child accounts/OUs first. |
| AccessDenied | IAM user lacks `organizations:*` permissions. | Ensure you are using the Management account with Admin rights. |
| SCP doesn't seem to work | SCPs do not affect the Management Account root user. | Test the policy using a member account, not the management account. |

Clean-Up / Teardown

[!IMPORTANT] To avoid leaving your account in a non-standard state, perform these steps.

  1. Detach Policy: `aws organizations detach-policy --policy-id <POLICY_ID> --target-id <OU_ID>`
  2. Delete Policy: `aws organizations delete-policy --policy-id <POLICY_ID>`
  3. Remove OU: `aws organizations delete-organizational-unit --organizational-unit-id <OU_ID>`
  4. Note: You cannot delete an Organization if it has member accounts (other than the management account). You must first remove or close those accounts.

Stretch Challenge

Modify your SCP to implement a "Region Lock." Add a Condition block to your policy that denies all actions unless the aws:RequestedRegion is one of your approved regions (e.g., us-east-1). This is a common requirement for data residency compliance.
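To make the inheritance model from the Policy Inheritance section and the Region Lock stretch challenge concrete, here is an added Python model (not part of the lab, and not AWS's own policy evaluator) of how an SCP's Deny statements filter an identity's IAM permissions. It evaluates only Deny statements with Action/NotAction wildcards and a StringNotEquals condition on aws:RequestedRegion; the global-service exemption list in REGION_LOCK_SCP and the approved regions are assumptions to tailor to your own organization.

```python
import fnmatch
import json

# The lab's GuardrailConfigCheck SCP, copied from policy.json above.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": ["config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder"],
    "Resource": "*"}]}

# Region-lock SCP for the stretch challenge. The NotAction list exempts global
# services so that identity and organization management keep working; the exact
# service list and approved regions are assumptions, not part of the lab.
REGION_LOCK_SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}

def _matches(patterns, action):
    """IAM-style wildcard match, e.g. 'iam:*' matches 'iam:CreateUser'."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def scp_denies(scp, action, region):
    """True if any Deny statement in the SCP applies to this action in this region."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue  # only Deny is modelled; the default FullAWSAccess allow is assumed
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue  # statement names other actions
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue  # action is exempted from the deny
        approved = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if approved is not None and region in approved:
            continue  # condition not met: the request went to an approved region
        return True
    return False

def effective_access(iam_allowed, scps, action, region):
    """Effective = IAM allow AND no SCP deny: the SCP is a ceiling, never a grant."""
    return iam_allowed and not any(scp_denies(s, action, region) for s in scps)

if __name__ == "__main__":
    admin = True  # an identity with AdministratorAccess in a member account
    for action, region in [("config:DeleteConfigurationRecorder", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "eu-west-1")]:
        print(f"{action} in {region}: allowed={effective_access(admin, [GUARDRAIL_SCP, REGION_LOCK_SCP], action, region)}")
    print(json.dumps(REGION_LOCK_SCP, indent=2))  # paste into policy.json for the stretch challenge
```

As with the real policy, verify the behaviour from a member account: the management account is not filtered by SCPs, so testing there proves nothing.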
