Domain 1 of 4 · Chapter 4 of 5

Multi-account AWS environments

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Solutions Architect - Professional premium course — no separate purchase.

Included in this chapter:

  • Organizations hierarchy: OU design, limits, and delegated administration
  • SCP + RCP authoring and the intersection evaluation model
  • Control Tower landing zones: control types, Account Factory, drift
  • IAM Identity Center: permission sets, ABAC, external IdP
  • RAM sharing, consolidated billing, and migrating accounts in
Guardrail / policy mechanismSCPRCPPermissions boundaryIAM identity policy
Can grant permissions?No (ceiling only)No (ceiling only)No (ceiling only)Yes
Scope of effectPrincipals in member accountsResources in member accountsA single IAM user/roleThe attached identity
Managed whereAWS OrganizationsAWS OrganizationsIAM (per principal)IAM (per principal)
Applies to management account?NoNoYes (if attached)Yes
Applies to service-linked roles?NoNoN/AYes
Typical useOrg-wide deny / Region lockBlock external access to resourcesCap delegated-admin privilegesGrant day-to-day access

Decision tree

Greenfield org needing amanaged landing zone?YesNo / governing it yourselfControl covered by ControlTower guardrails?YesNo / needs customizationRestricting principalsor resources?ResourcesPrincipalsAWS Control Tower+ Account Factory(landing zone, self-service vending)Landing Zone Acceleratoror raw Organizations APIs(you own the drift)RCPresource ceiling; blocksexternal access (needs all-features)Org-wide ceiling orper-principal cap?Org-wideOne roleSCPprincipal ceiling across OUs;org-wide deny / Region lockPermissions boundarycaps a single delegated-adminuser / role in IAMAlways: run no workloads in the management account (SCPs/RCPs never apply there).Guardrails set ceilings only — effective access is their intersection with explicit IAM grants.Share infra with RAM; SSO via IAM Identity Center.

Cheat sheet

  • An organization is one tree; policies inherit downward
  • OUs nest at most five levels deep under the root
  • Default account quota is 10, raisable to 50,000
  • At most 10 SCPs but only 5 RCPs attach per entity
  • Policy governance requires all-features mode
  • SCPs and RCPs never restrict the management account
  • Register a member account as delegated administrator
  • SCPs and RCPs filter the ceiling; they never grant
  • An explicit Deny anywhere on the path is terminal
  • Deny-list strategy keeps FullAWSAccess attached
  • A Region-lock SCP must exempt global services with NotAction
  • RCPs block out-of-org principals from your resources
  • RCPs and SCPs skip service-linked roles
  • Control Tower's three control types map to three mechanisms
  • Control Tower orchestrates existing services, not new primitives
  • Account Factory vends governed accounts as Service Catalog products
  • A permission set provisions one IAM role per target account
  • ABAC scales access without minting more permission sets
  • External IdP federation uses SAML 2.0 plus SCIM
  • Subnet and Outposts sharing is organization-only
  • In-org RAM shares skip invitation acceptance
  • Consolidated billing aggregates usage for volume tiers
  • Absorb an existing account: invite, then enroll
  • Control Tower lifecycle events drive automation via EventBridge
  • Carve SCP exceptions with aws:PrincipalArn and aws:PrincipalOrgPaths

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Quotas and service limits for AWS Organizations
  2. Service control policies (SCPs)
  3. AWS Organizations delegated administrator for AWS services
  4. Resource control policies (RCPs)
  5. IAM JSON policy evaluation logic
  6. Control behavior and guidance
  7. Provision and manage accounts with Account Factory
  8. Permission sets
  9. Shareable AWS resources
  10. Best practices for the management account
  11. How AWS Control Tower works
  12. About controls in AWS Control Tower
  13. AWS Control Tower quotas
  14. What is IAM Identity Center?
  15. Quotas and limits in IAM Identity Center
  16. Attribute-based access control (ABAC) in IAM Identity Center
  17. Sharing your AWS resources
  18. Consolidated billing for AWS Organizations
  19. Using cost allocation tags
  20. Inviting an AWS account to join your organization
  21. Enroll an existing AWS account