VISI

Multi-Account Strategy

AWS Organizations — manage multiple AWS accounts from a single management account. Consolidated billing (volume discounts). Accounts are organized in OUs (Organizational Units).

Service Control Policies (SCPs) — applied at the Organization/OU/account level. Set maximum permission boundaries for entire accounts. SCPs do not apply to the management account. Do not grant permissions by themselves — they restrict what IAM can allow.

AWS Control Tower — sets up and governs a multi-account environment using guardrails:

  • Preventive guardrails — use SCPs (e.g., restrict regions)
  • Detective guardrails — use AWS Config (e.g., find untagged resources)

References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 3

What is Service Control Policies (SCPs)?