Multi-Account Strategy
AWS Organizations — manage multiple AWS accounts from a single management account. Consolidated billing (volume discounts). Accounts are organized in OUs (Organizational Units).
Service Control Policies (SCPs) — applied at the Organization/OU/account level. Set maximum permission boundaries for entire accounts. SCPs do not apply to the management account. Do not grant permissions by themselves — they restrict what IAM can allow.
AWS Control Tower — sets up and governs a multi-account environment using guardrails:
- Preventive guardrails — use SCPs (e.g., restrict regions)
- Detective guardrails — use AWS Config (e.g., find untagged resources)
