- https://docs.aws.amazon.com/controltower/latest/userguide/organizations.html
- Account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage
- Can create member accounts and invite existing accounts to join your organization. You can organize those accounts into groups and attach policy-based controls. Includes consolidated billing
- GLOBAL, free of charge
- Root – The parent container for all accounts and all other OUs in your landing zone.
§ Only one Root is allowed
§ A policy applied to Root gets applied to all OUs and Accounts
§ Can selectively apply policies to specific accounts and OUs
§ However, a policy applied to an underlying account applies to that account only
- Core – This OU contains the log archive account, the audit account, and the resources they own.
- Custom OU – This OU is created when you set up your landing zone. It and other child OUs in your landing zone contain your member accounts. These are the accounts that your end users access to perform work on AWS resources.
§ Placeholder for other OUs and Accounts
§ Can have only one parent
§ Can nest OUs under OUs for up to 5 levels
§ An account can belong to only one OU
§ A policy applied to an OU gets applied to all underlying OUs and Accounts
- Master Account – owner, paying account
§ Can add / remove accounts to / from the organization
§ Can limit what a root (!) owner of an underlying account is allowed to do
- An Organization cannot grant permissions; that is done by IAM. However, the Master Account admin can allow or deny (filter) the actions that IAM permissions grant.
§ A user can access only what is allowed by the IAM role and
- Organizations infrastructure is highly available within a region
- Eventual data consistency
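The inheritance rules above (Root policy applies everywhere, an OU policy applies to its subtree, IAM grants and the organization only filters) as an added example, not code from the page or from AWS. It models service control policies with simplified semantics: an action is permitted only if IAM allows it and every SCP on the path from Root to the account allows it; the OU names, account names and policies are constructed.

```python
from fnmatch import fnmatchcase

# Constructed landing zone (assumed names): Root -> OUs -> accounts.
TREE = {
    "Root": ["Core", "Custom"],
    "Core": ["log-archive", "audit"],
    "Custom": ["dev-team"],
}

def path_to(node, tree=TREE, start="Root"):
    """Return the Root..node chain so every inherited SCP can be checked."""
    if start == node:
        return [start]
    for child in tree.get(start, []):
        found = path_to(node, tree, child)
        if found:
            return [start] + found
    return None

def policy_allows(policy, action):
    """Simplified IAM/SCP evaluation: an explicit Deny overrides any Allow."""
    def matches(effect):
        return any(s["Effect"] == effect and any(fnmatchcase(action, a) for a in s["Action"])
                   for s in policy["Statement"])
    return not matches("Deny") and matches("Allow")

def effective_allow(account, action, scps, iam_policy, tree=TREE):
    """IAM must grant the action AND every SCP from Root down must allow it."""
    if not policy_allows(iam_policy, action):
        return False          # SCPs never grant; no IAM grant means no access
    path = path_to(account, tree)
    if path is None:
        raise ValueError(f"{account} is not in the organization")
    return all(policy_allows(scp, action)
               for node in path for scp in scps.get(node, []))

# Constructed policies. Root SCP: no account may leave the organization.
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": ["*"]},
                          {"Effect": "Deny", "Action": ["organizations:LeaveOrganization"]}]}
# SCP on the Custom OU only: member accounts cannot tamper with CloudTrail.
CUSTOM_SCP = {"Statement": [{"Effect": "Allow", "Action": ["*"]},
                            {"Effect": "Deny", "Action": ["cloudtrail:*"]}]}
SCPS = {"Root": [ROOT_SCP], "Custom": [CUSTOM_SCP]}
ADMIN_ROLE = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}
DEV_ROLE = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"]}]}

if __name__ == "__main__":
    print(effective_allow("dev-team", "s3:GetObject", SCPS, DEV_ROLE))              # True
    print(effective_allow("dev-team", "cloudtrail:StopLogging", SCPS, ADMIN_ROLE))  # False: Custom OU SCP
    print(effective_allow("audit", "cloudtrail:StopLogging", SCPS, ADMIN_ROLE))     # True: Core has no such SCP
    print(effective_allow("audit", "organizations:LeaveOrganization", SCPS, ADMIN_ROLE))  # False: Root SCP
```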