{
	"id": "e57f63d4-5fec-4a98-af29-9555fec35454",
	"created_at": "2026-04-06T00:12:06.27535Z",
	"updated_at": "2026-04-10T03:20:49.969493Z",
	"deleted_at": null,
	"sha1_hash": "19b8e22bc6dc6e7a6c623cb62358aeaa232b0568",
	"title": "Terminology and concepts for AWS Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79357,
	"plain_text": "Terminology and concepts for AWS Organizations\r\nArchived: 2026-04-05 19:55:18 UTC\r\nThis topic explains some of the key concepts for AWS Organizations.\r\nThe following diagram shows an organization that consists of five accounts that are organized into four\r\norganizational units (OUs) under the root. The organization also has several policies that are attached to some of\r\nthe OUs or directly to accounts.\r\nFor a description of each of these items, refer to the definitions in this topic.\r\nTopics\r\nAvailable feature sets\r\nOrganization structure\r\nInvitations and handshakes\r\nOrganization policies\r\nAvailable feature sets\r\nAll features (Recommended)\r\nAll features is the default feature set that is available to AWS Organizations. You can set central policies\r\nand configuration requirements for an entire organization, create custom permissions or capabilities within\r\nthe organization, manage and organize your accounts under a single bill, and delegate responsibilities to\r\nother accounts on behalf of the organization. You can also use integrations with other AWS services to\r\ndefine central configurations, security mechanisms, audit requirements, and resource sharing across all\r\nmember accounts in your organization. For more information, see Using AWS Organizations with other\r\nAWS services.\r\nAll features mode provides all the capabilities of consolidated billing along with the administrative\r\ncapabilities.\r\nConsolidated billing\r\nConsolidated billing is the feature set that provides shared billing functionality, but doesn't include the more\r\nadvanced features of AWS Organizations. 
For example, you can't enable other AWS services to integrate\r\nwith your organization to work across all of its accounts, or use policies to restrict what users and roles in\r\ndifferent accounts can do.\r\nhttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html\r\nPage 1 of 6\n\nYou can enable all features for an organization that originally supported only the consolidated billing\r\nfeatures. To enable all features, all invited member accounts must approve the change by accepting the\r\ninvitation that is sent when the management account starts the process. For more information, see Enabling\r\nall features for an organization with AWS Organizations.\r\nOrganization structure\r\nOrganization\r\nAn organization is a collection of AWS accounts that you can manage centrally and organize into a\r\nhierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each\r\naccount can be directly in the root, or placed in one of the OUs in the hierarchy.\r\nEach organization consists of:\r\nA management account\r\nZero or more member accounts\r\nZero or more organizational units (OUs)\r\nZero or more policies.\r\nAn organization has the functionality that is determined by the feature set that you enable.\r\nRoot\r\nAn administrative root (root) is contained in the management account and is the starting point for\r\norganizing your AWS accounts. The root is the top-most container in your organization’s hierarchy. 
Under\r\nthis root, you can create organizational units (OUs) to logically group your accounts and organize these\r\nOUs into a hierarchy that best matches your needs.\r\nIf you apply a management policy to the root, it applies to all organizational units (OUs) and accounts,\r\nincluding the management account for the organization.\r\nIf you apply an authorization policy (for example, a service control policy (SCP)) to the root, it applies to\r\nall organizational units (OUs) and member accounts in the organization. It does not apply to the\r\nmanagement account in the organization.\r\nNote\r\nYou can have only one root. AWS Organizations automatically creates the root for you when you create an\r\norganization.\r\nOrganizational unit (OU)\r\nAn organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain\r\nother OUs, enabling you to create a hierarchy. For example, you can group all accounts that belong to the\r\nsame department into a departmental OU. Similarly, you can group all accounts running security services\r\ninto a security OU.\r\nOUs are useful when you need to apply the same controls to a subset of accounts in your organization.\r\nNesting OUs enables smaller units of management. For example, you can create OUs for each workload,\r\nthen create two nested OUs in each workload OU to divide production workloads from pre-production.\r\nThese OUs inherit the policies from the parent OU in addition to any controls assigned directly to the team-level OU. Including the root and AWS accounts created in the lowest OUs, your hierarchy can be five\r\nlevels deep.\r\nAWS account\r\nAn AWS account is a container for your AWS resources. 
You create and manage your AWS resources in an\r\nAWS account, and the AWS account provides administrative capabilities for access and billing.\r\nUsing multiple AWS accounts is a best practice for scaling your environment, as it provides a billing\r\nboundary for costs, isolates resources for security, gives flexibility for individuals and teams, in addition to\r\nbeing adaptable for new processes.\r\nThere are two types of accounts in an organization: a single account that is designated as the management\r\naccount and one or more member accounts.\r\nManagement account\r\nA management account is the AWS account you use to create your organization. From the management\r\naccount, you can do the following:\r\nCreate other accounts in your organization\r\nInvite and manage invitations for other accounts to join your organization\r\nDesignate delegated administrator accounts\r\nRemove accounts from your organization\r\nAttach policies to entities such as roots, organizational units (OUs), or accounts within your\r\norganization\r\nEnable integration with supported AWS services to provide service functionality across all of the\r\naccounts in the organization.\r\nThe management account is the ultimate owner of the organization, having final control over security,\r\ninfrastructure, and finance policies. 
This account has the role of a payer account and is responsible for\r\npaying all charges accrued by the accounts in its organization.\r\nNotes\r\nYou cannot change which account in your organization is the management account.\r\nThe management account does not have to be directly under the root; it can be placed anywhere in\r\nthe organization.\r\nMember account\r\nA member account is an AWS account, other than the management account, that is part of an organization.\r\nIf you are an administrator of an organization, you can create member accounts in the organization and\r\ninvite existing accounts to join the organization. You also can apply policies to member accounts.\r\nNote\r\nA member account can belong to only one organization at a time. You can designate member accounts to\r\nbe delegated administrator accounts.\r\nDelegated administrator\r\nWe recommend that you use the management account and its users and roles only for tasks that must be\r\nperformed by that account. We recommend that you store your AWS resources in other member accounts in\r\nthe organization and keep them out of the management account. This is because security features like\r\nOrganizations service control policies (SCPs) do not restrict any users or roles in the management account.\r\nSeparating your resources from your management account can also help you understand the charges on\r\nyour invoices. From the organization's management account, you can designate one or more member\r\naccounts as a delegated administrator account to help you implement this recommendation. There are two\r\ntypes of delegated administrators:\r\nDelegated administrator for Organizations: From these accounts, you can manage organization\r\npolicies and attach policies to entities (roots, OUs, or accounts) within the organization. 
The\r\nmanagement account can control delegation permissions at granular levels. For more information,\r\nsee Delegated administrator for AWS Organizations.\r\nDelegated administrator for an AWS service: From these accounts, you can manage AWS services\r\nthat integrate with Organizations. The management account can register different member accounts\r\nas delegated administrators for different services as needed. These accounts have administrative\r\npermissions for a specific service, as well as permissions for Organizations read-only actions. For\r\nmore information, see Delegated administrator for AWS services that work with Organizations.\r\nInvitations and handshakes\r\nInvitation\r\nAn invitation is a request made by the management account of an organization to another account. For\r\nexample, the process of asking a standalone account to join an organization is an invitation.\r\nInvitations are implemented as handshakes. You might not see handshakes when you work in the AWS\r\nOrganizations console. 
But if you use the AWS CLI or AWS Organizations API, you must work directly\r\nwith handshakes.\r\nHandshake\r\nA handshake is the secure exchange of information between two AWS accounts: a sender and a recipient.\r\nThe following handshakes are supported:\r\nINVITE: Handshake sent to a standalone account for it to join the sender's organization.\r\nENABLE_ALL_FEATURES: Handshake sent to invited member accounts to enable all features\r\nfor the organization.\r\nAPPROVE_ALL_FEATURES: Handshake sent to the management account when all invited\r\nmember accounts have approved to enable all features.\r\nYou generally need to directly interact with handshakes only if you work with the AWS Organizations API\r\nor command line tools such as the AWS CLI.\r\nOrganization policies\r\nA policy is a \"document\" with one or more statements that define the controls that you want to apply to a group of\r\nAWS accounts. AWS Organizations supports authorization policies and management policies.\r\nAuthorization policies help you to centrally manage the security of AWS accounts across an organization.\r\nService control policy (SCP)\r\nA service control policy is a type of policy that offers central control over the maximum available\r\npermissions for IAM users and IAM roles in an organization.\r\nThis means that SCPs specify principal-centric controls. SCPs create a permissions guardrail, or set limits\r\non the maximum permissions available to principals in your member accounts. You use an SCP when you\r\nwant to centrally enforce consistent access controls on principals in your organization.\r\nThis can include specifying which services your IAM users and IAM roles can access, which resources\r\nthey can access, or the conditions under which they can make requests (for example, from specific regions\r\nor networks). 
For more information, see SCPs.\r\nResource control policy (RCP)\r\nA resource control policy is a type of policy that offers central control over the maximum available\r\npermissions for resources in an organization.\r\nThis means that RCPs specify resource-centric controls. RCPs create a permissions guardrail, or set limits,\r\non the maximum permissions available for resources in your member accounts. Use an RCP when you\r\nwant to centrally enforce consistent access controls across resources in your organization.\r\nThis can include restricting access to your resources so that they can only be accessed by identities that\r\nbelong to your organization, or specifying the conditions under which identities external to your\r\norganization can access your resources. For more information, see RCPs.\r\nManagement policies\r\nManagement policies help you centrally configure and manage AWS services and their features across an\r\norganization.\r\nDeclarative policies allow you to centrally declare and enforce desired configurations for a given AWS\r\nservice at scale across an organization. 
Once attached, the configuration is always maintained when the\r\nservice adds new features or APIs.\r\nBackup policies allow you to centrally manage and apply backup plans to the AWS resources across an\r\norganization's accounts.\r\nTag policies allow you to standardize the tags attached to the AWS resources in an organization's accounts.\r\nChat applications policies allow you to control access to an organization's accounts from chat applications\r\nsuch as Slack and Microsoft Teams.\r\nAI services opt-out policies allow you to control data collection for AWS AI services for all the accounts\r\nin an organization.\r\nSecurity Hub policies allow you to address security coverage gaps that align with your organization's\r\nsecurity requirements and centrally apply them across an organization.\r\nAmazon Inspector policies allow you to centrally enable and manage Amazon Inspector across accounts\r\nin your AWS organization.\r\nAmazon Bedrock policies allow you to enforce safeguards configured in Amazon Bedrock Guardrails\r\nautomatically across any element in your organization structure for all model inference calls to Amazon\r\nBedrock.\r\nUpgrade rollout policies allow you to centrally manage and stagger automatic upgrades across multiple\r\nAWS resources and accounts in your organization.\r\nAmazon S3 policies allow you to centrally manage configurations for Amazon S3 resources at scale across\r\nthe accounts in an organization.\r\nAWS Shield Network Security Director policies allow you to centrally enable and manage AWS Shield\r\nNetwork Security Director across the accounts in an organization.\r\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
	],
	"report_names": [
		"orgs_getting-started_concepts.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19b8e22bc6dc6e7a6c623cb62358aeaa232b0568.pdf",
		"text": "https://archive.orkl.eu/19b8e22bc6dc6e7a6c623cb62358aeaa232b0568.txt",
		"img": "https://archive.orkl.eu/19b8e22bc6dc6e7a6c623cb62358aeaa232b0568.jpg"
	}
}