AWS Account Management — Organizations, Control Tower & Billing
Multi-account AWS management for CloudOps. AWS Organizations, SCPs, Control Tower, Service Catalog, Cost Explorer, Budgets, and Compute Optimizer — key SOA-C03 exam topics.
What you'll learn
- Structure accounts using AWS Organizations and OUs
- Enforce guardrails with Service Control Policies (SCPs)
- Set up new accounts with AWS Control Tower
- Manage pre-approved service offerings with Service Catalog
- Monitor and optimise costs with Cost Explorer and Budgets
- Use Compute Optimizer for right-sizing recommendations
AWS Organizations
AWS Organizations lets you manage multiple AWS accounts centrally — consolidated billing, policy enforcement, and account governance.
Organization root
├── Management account (pays the bill; SCPs do not apply to it)
├── Infrastructure OU
│   ├── Networking account
│   └── Logging account
├── Production OU
│   ├── Prod-App-1 account
│   └── Prod-App-2 account
└── Dev OU
    ├── Dev-Team-A account
    └── Dev-Team-B account
Consolidated Billing
All accounts in an Org are billed through the management account:
- Volume discounts apply across the entire organisation (EC2, S3, etc.)
- Reserved Instance and Savings Plan benefits shared across accounts
- Single consolidated invoice for all accounts
# Invite an existing account (the invited account must accept the handshake)
aws organizations invite-account-to-organization \
  --target Id=123456789012,Type=ACCOUNT
# Create a new account within the organisation (asynchronous; poll with
# describe-create-account-status using the returned request Id)
aws organizations create-account \
  --email newaccount@company.com \
  --account-name "Prod-App-3"
Service Control Policies (SCPs)
SCPs are guardrails attached to the organization root, OUs, or individual accounts. They set the maximum permissions any IAM identity in an affected account can have (they grant nothing themselves). Policies inherit down the tree: an action must be allowed by the SCPs at every level from the root to the account, and an explicit Deny at any level wins.
If SCP allows: [S3:*, EC2:*]
And IAM policy allows: [S3:*, EC2:*, RDS:*]
→ Effective permissions: [S3:*, EC2:*] (SCP is the ceiling)
SCP examples
// Deny leaving the Organization (account-level SCP)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "organizations:LeaveOrganization",
    "Resource": "*"
  }]
}
// Restrict to approved regions only (OU-level SCP). Global services (IAM, STS,
// Organizations, Support, ...) carry aws:RequestedRegion=us-east-1, so a plain
// "Action": "*" would break them whenever us-east-1 is not on the approved list;
// AWS's published version therefore exempts them with NotAction.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
      }
    }
  }]
}
// Require encryption on EBS volumes created by RunInstances
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:volume/*",
    "Condition": {
      "Bool": {"ec2:Encrypted": "false"}
    }
  }]
}
Warning
SCPs do NOT apply to the management account, even when attached to the root: the management account always has full permissions, so keep workloads and day-to-day IAM users out of it. SCPs DO apply to the root user of member accounts, but not to service-linked roles. Apply restrictive policies to member accounts/OUs, not the root, so a mistake cannot lock out the whole organisation at once.
SCP strategy
| Strategy | Description |
|---|---|
| Allowlist | Default Deny all, then allow specific actions |
| Denylist (recommended) | Default FullAWSAccess, then deny specific actions |
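The ceiling rule and the two strategies above can be checked mechanically. The following is an added example (Python, not code from the page or from AWS): a toy evaluator that walks the SCPs attached at each level of the OU path, applies explicit-Deny-wins plus the Action/NotAction/Condition operators used in the SCPs on this page, and intersects the result with the identity's IAM policy. The policies, OU layout and request contexts are constructed for the walk-through; Resource ARNs are not evaluated, so the EBS rule is keyed on the ec2:Encrypted condition only.

```python
"""Toy SCP ceiling evaluator (added example, not the AWS policy engine).
An action is permitted in a member account only if the SCPs at every level of
the OU path (root -> OU -> account) allow it AND the IAM policy allows it; an
explicit Deny anywhere wins. Resource ARNs are deliberately ignored."""
import fnmatch

# Hypothetical policies for the walk-through (constructed, not real policy IDs).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Region restriction that exempts global services via NotAction.
REGION_SCP = {"Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
}]}

EBS_ENCRYPTION_SCP = {"Statement": [{
    "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:volume/*",
    "Condition": {"Bool": {"ec2:Encrypted": "false"}},
}]}

# Allowlist strategy: FullAWSAccess detached at this level, only these services allowed.
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

ADMIN_IAM = FULL_AWS_ACCESS  # AdministratorAccess-equivalent identity policy


def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(cond, ctx):
    """Only the operators used in the SCPs above are implemented."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in wanted:
                return False
            if op == "StringNotEquals" and actual in wanted:
                return False
            if op == "Bool" and str(actual).lower() != str(wanted[0]).lower():
                return False
    return True


def _applies(stmt, action, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, ctx):
    """'deny' if any matching Deny, else 'allow' if any matching Allow, else 'implicit_deny'."""
    verdict = "implicit_deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def level_allows(scps, action, ctx):
    """All SCPs attached at one level: a Deny in any of them wins, otherwise one must Allow."""
    verdicts = [evaluate(p, action, ctx) for p in scps]
    return "deny" not in verdicts and "allow" in verdicts


def is_permitted(ou_path, iam_policy, action, ctx):
    """ou_path: SCP lists from the root down to the account, e.g. [[root scps], [ou scps]]."""
    scp_ceiling = all(level_allows(level, action, ctx) for level in ou_path)
    return scp_ceiling and evaluate(iam_policy, action, ctx) == "allow"


def walkthrough():
    prod = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, REGION_SCP, EBS_ENCRYPTION_SCP]]  # denylist
    sandbox = [[FULL_AWS_ACCESS], [SANDBOX_ALLOWLIST]]                              # allowlist
    return {
        "prod_ec2_us_east_1": is_permitted(prod, ADMIN_IAM, "ec2:RunInstances",
                                           {"aws:RequestedRegion": "us-east-1", "ec2:Encrypted": True}),
        "prod_ec2_ap_southeast_1": is_permitted(prod, ADMIN_IAM, "ec2:RunInstances",
                                                {"aws:RequestedRegion": "ap-southeast-1", "ec2:Encrypted": True}),
        "prod_unencrypted_volume": is_permitted(prod, ADMIN_IAM, "ec2:RunInstances",
                                                {"aws:RequestedRegion": "us-east-1", "ec2:Encrypted": False}),
        "prod_sts_regional_endpoint": is_permitted(prod, ADMIN_IAM, "sts:AssumeRole",
                                                   {"aws:RequestedRegion": "ap-southeast-1"}),
        "sandbox_rds_despite_admin": is_permitted(sandbox, ADMIN_IAM, "rds:CreateDBInstance",
                                                  {"aws:RequestedRegion": "us-east-1"}),
        "sandbox_s3": is_permitted(sandbox, ADMIN_IAM, "s3:CreateBucket",
                                   {"aws:RequestedRegion": "us-east-1"}),
    }


if __name__ == "__main__":
    for case, allowed in walkthrough().items():
        print(f"{case:28s} {'ALLOW' if allowed else 'DENY'}")
```

The sandbox case is the one people get wrong: the identity has AdministratorAccess, yet rds:CreateDBInstance is denied because nothing at the sandbox level allows it. The STS case shows why the region SCP uses NotAction rather than "Action": "*".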
AWS Control Tower
Control Tower automates the setup of a well-architected multi-account AWS environment following best practices — the "Landing Zone."
What Control Tower sets up
Management account
├── Log Archive account → centralised CloudTrail and Config logs
├── Audit account → security tooling (GuardDuty, Security Hub)
└── Enrolled accounts → governed by guardrails
Guardrails
Guardrails are pre-packaged governance rules:
| Type | Behaviour |
|---|---|
| Mandatory | Always enforced (cannot be disabled) |
| Strongly recommended | Best practice (can disable) |
| Elective | Optional (for specific use cases) |
Types by enforcement:
- Preventive — SCPs that block non-compliant actions
- Detective — Config rules that report non-compliance
- Proactive — CloudFormation hooks that reject non-compliant resources before they are provisioned
# Enrolling an existing account (or registering an OU) is done from the Control Tower
# console or the enable-baseline API; individual controls can be enabled per OU via CLI
aws controltower enable-control \
  --control-identifier arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxx/ou-xxx
# List controls enabled on an OU
aws controltower list-enabled-controls \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxx/ou-xxx
Account Factory
Account Factory automates new account provisioning:
- Standardised VPC, subnets, and network config
- Pre-approved account templates
- Enroll in Control Tower governance automatically
- Self-service via AWS Service Catalog
AWS Service Catalog
Service Catalog allows IT administrators to create pre-approved portfolios of CloudFormation templates that end users can self-service deploy — ensuring compliance while enabling developer agility.
Admin: creates Portfolio with approved products
(EC2 standard, RDS standard, VPC standard)
Developer: browses Service Catalog
→ Launches "Standard EC2" product
→ CloudFormation deploys with enforced settings
→ No direct CloudFormation or IAM access needed
Key concepts
| Concept | Description |
|---|---|
| Portfolio | Collection of products |
| Product | CloudFormation template with pre-set constraints |
| Constraint | Limits (launch role, template, tag, notification) |
| Launch constraint | IAM role used to deploy the product (not user's own role) |
AWS Billing and Cost Management
AWS Billing Alarms
Set a CloudWatch alarm on the EstimatedCharges metric to receive email when costs exceed a threshold. The metric only exists once billing alerts have been enabled under Billing preferences in the management account, and it is published roughly every six hours, so a one-day period is sufficient:
aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name "MonthlyBillingAlert" \
  --namespace AWS/Billing \
  --metric-name EstimatedCharges \
  --dimensions Name=Currency,Value=USD \
  --statistic Maximum \
  --period 86400 \
  --evaluation-periods 1 \
  --threshold 100 \
  --comparison-operator GreaterThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:billing-alerts
Billing alarms region
Billing metrics are only available in us-east-1 (N. Virginia). Set your alarm in that region regardless of where your resources run.
AWS Cost Explorer
Cost Explorer provides visualisation and analysis of your AWS spending:
- View costs by service, account, tag, region
- Forecast future costs
- Right-sizing recommendations for EC2
- Savings Plan and Reserved Instance recommendations
# Get cost breakdown by service for the last 30 days
# (each Cost Explorer API request is billed at $0.01)
aws ce get-cost-and-usage \
  --time-period Start=2026-03-26,End=2026-04-26 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --group-by Type=DIMENSION,Key=SERVICE
AWS Budgets
Budgets alerts you when costs or usage exceed (or are forecasted to exceed) defined thresholds:
| Budget type | Alert on |
|---|---|
| Cost budget | Actual or forecasted spend |
| Usage budget | EC2 hours, S3 GB, etc. |
| Reservation budget | RI utilisation or coverage |
| Savings Plan budget | SP utilisation or coverage |
# Create a $500/month budget with an email alert at 80% of actual spend
aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{
    "BudgetName": "MonthlySpend",
    "BudgetLimit": {"Amount": "500", "Unit": "USD"},
    "TimeUnit": "MONTHLY",
    "BudgetType": "COST"
  }' \
  --notifications-with-subscribers '[{
    "Notification": {
      "NotificationType": "ACTUAL",
      "ComparisonOperator": "GREATER_THAN",
      "Threshold": 80,
      "ThresholdType": "PERCENTAGE"
    },
    "Subscribers": [{"SubscriptionType": "EMAIL", "Address": "ops@company.com"}]
  }]'
Cost Allocation Tags
Tag resources and activate cost allocation tags to break down costs in billing reports:
Resource tags:
Project = ecommerce
Environment = production
Team = backend
→ Cost report filtered by Project = ecommerce
→ Shows total spend for the ecommerce project
# Activate a user-defined tag as a cost allocation tag (the tag must already exist
# on some resource; it appears in billing data within about 24 hours)
aws ce update-cost-allocation-tags-status \
  --cost-allocation-tags-status TagKey=Project,Status=Active
# Optionally group spend from that tag into a Cost Category
aws ce create-cost-category-definition \
  --name "ProjectCosts" \
  --rule-version "CostCategoryExpression.v1" \
  --rules '[{"Value":"Ecommerce","Rule":{"Tags":{"Key":"Project","Values":["ecommerce"]}}}]'
AWS Cost & Usage Report (CUR)
The most detailed billing data — CSV files delivered to S3:
- Line item per resource per hour
- Reservation and Savings Plan data
- Query with Athena for custom analysis
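The tag-based breakdown described under Cost Allocation Tags is what a CUR query actually computes. The following is an added example (Python, not from the page or AWS) that runs the same aggregation offline over a few constructed CUR rows, using the real CUR column names (lineItem/UsageAccountId, lineItem/LineItemType, lineItem/UnblendedCost, resourceTags/user:<Key>); the account IDs, costs and tag values are fictional. It also surfaces untagged spend, which a naive "filter by Project" report silently drops.

```python
"""Aggregate a Cost & Usage Report by cost allocation tag (added example).
Reads CUR rows from a CSV string; in practice the same logic runs as an Athena
query over the CUR files delivered to S3."""
import csv
import io
from collections import defaultdict

# Constructed sample CUR rows: real column names, fictional values.
SAMPLE_CUR = """\
lineItem/UsageAccountId,lineItem/LineItemType,lineItem/ProductCode,lineItem/UnblendedCost,resourceTags/user:Project,resourceTags/user:Environment
111111111111,Usage,AmazonEC2,12.50,ecommerce,production
111111111111,Usage,AmazonRDS,30.00,ecommerce,production
222222222222,Usage,AmazonS3,4.25,ecommerce,staging
222222222222,Usage,AmazonEC2,9.75,,
333333333333,Usage,AWSLambda,0.80,analytics,production
111111111111,Tax,AmazonEC2,1.25,ecommerce,production
"""


def aggregate_by_tag(cur_csv, tag_key, exclude_line_item_types=("Tax", "Credit", "Refund")):
    """Sum UnblendedCost per value of one cost allocation tag.
    Rows with no value for the tag are reported as 'untagged' so gaps in tagging
    coverage stay visible. Tax/credit/refund rows are excluded by default because
    they are not attributable to a single resource."""
    column = f"resourceTags/user:{tag_key}"
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        if row["lineItem/LineItemType"] in exclude_line_item_types:
            continue
        totals[row[column] or "untagged"] += float(row["lineItem/UnblendedCost"])
    return {k: round(v, 2) for k, v in totals.items()}


def aggregate_by_account(cur_csv):
    """Total UnblendedCost per linked account, all line item types included."""
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        totals[row["lineItem/UsageAccountId"]] += float(row["lineItem/UnblendedCost"])
    return {k: round(v, 2) for k, v in totals.items()}


def untagged_share(cur_csv, tag_key):
    """Fraction of attributable spend carrying no value for tag_key."""
    by_tag = aggregate_by_tag(cur_csv, tag_key)
    total = sum(by_tag.values())
    return round(by_tag.get("untagged", 0.0) / total, 4) if total else 0.0


if __name__ == "__main__":
    print(aggregate_by_tag(SAMPLE_CUR, "Project"))
    print(aggregate_by_account(SAMPLE_CUR))
    print(f"untagged share of Project spend: {untagged_share(SAMPLE_CUR, 'Project'):.1%}")
```

A budget on untagged_share (alert when it climbs above a few percent) is a practical way to keep cost allocation tags honest across many accounts.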
AWS Compute Optimizer
Compute Optimizer analyses CloudWatch metrics and recommends right-sizing for EC2 instances, Auto Scaling groups, EBS volumes, Lambda functions, ECS on Fargate and RDS. It must be opted in (per account or org-wide from the management account), needs 14 days of metrics before it produces findings, and only sees memory utilisation if the CloudWatch agent is installed:
Finding: i-0abc123 (m5.xlarge) is over-provisioned
Recommendation: Downsize to m5.large
Projected savings: $47/month
Evidence: CPU p99 < 15%, memory p99 < 20%
# Get recommendations for over-provisioned EC2 instances
aws compute-optimizer get-ec2-instance-recommendations \
  --filters name=Finding,values=Overprovisioned
AWS Billing Conductor
Billing Conductor (for AWS Partners/MSPs) customises billing and pricing shown to linked accounts — useful for charging customers at different rates than AWS list prices.
AWS Health Dashboard
Service Health Dashboard
Public view at status.aws.amazon.com (now served from health.aws.amazon.com) — shows current and historical service status for all AWS services globally.
Personal Health Dashboard
Account-specific health events that affect your resources:
# List active health events (the Health API requires a Business, Enterprise On-Ramp
# or Enterprise Support plan; us-east-1 is the primary endpoint region)
aws health describe-events \
  --region us-east-1 \
  --filter eventStatusCodes=open,upcoming
# Get affected entities for an event
aws health describe-affected-entities \
  --region us-east-1 \
  --event-arns arn:aws:health:us-east-1::event/EC2/AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED/...
Automate health event responses
AWS Health event: EC2 host retirement scheduled (7 days notice)
→ EventBridge rule: source = "aws.health", detail-type = "AWS Health Event"
→ Lambda: automatically stop+start affected instances
→ Instances migrate to healthy hosts before retirement date
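The EventBridge-to-Lambda step above, as an added example (Python, not code from the page or from AWS). The rule pattern and the sample event are constructed to follow the documented AWS Health event shape (source aws.health, detail-type "AWS Health Event", detail.affectedEntities[].entityValue); the handler decides which instances to touch and only calls EC2 through whatever client is passed in, so the decision logic runs offline.

```python
"""Lambda-style handler for scheduled EC2 instance retirements (added example).
The function names, rule pattern and events here are constructed for the example."""

# EventBridge rule pattern: only retirement events, only for EC2.
RULE_PATTERN = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Event"],
    "detail": {
        "service": ["EC2"],
        "eventTypeCode": ["AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED"],
    },
}

# Constructed sample events (fictional instance IDs).
SAMPLE_EVENT = {
    "version": "0", "source": "aws.health", "detail-type": "AWS Health Event",
    "account": "123456789012", "region": "us-east-1",
    "resources": ["i-0abc123def456789a"],
    "detail": {
        "service": "EC2",
        "eventTypeCode": "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED",
        "eventTypeCategory": "scheduledChange",
        "affectedEntities": [{"entityValue": "i-0abc123def456789a"},
                             {"entityValue": "i-0abc123def456789a"}],  # duplicate on purpose
    },
}
OTHER_EVENT = {
    "version": "0", "source": "aws.health", "detail-type": "AWS Health Event",
    "account": "123456789012", "region": "us-east-1", "resources": [],
    "detail": {"service": "EC2", "eventTypeCode": "AWS_EC2_OPERATIONAL_ISSUE",
               "eventTypeCategory": "issue", "affectedEntities": []},
}


def matches_pattern(event, pattern):
    """Subset of EventBridge matching: every pattern key must be present in the
    event; nested dicts recurse; a leaf list means 'value must be one of these'."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], wanted):
                return False
        elif event[key] not in wanted:
            return False
    return True


def affected_instances(event):
    """Instance IDs from detail.affectedEntities, de-duplicated, order preserved."""
    seen, ids = set(), []
    for entity in event.get("detail", {}).get("affectedEntities", []):
        value = entity.get("entityValue", "")
        if value.startswith("i-") and value not in seen:
            seen.add(value)
            ids.append(value)
    return ids


def plan(event, pattern=RULE_PATTERN):
    """Instance IDs to migrate, or [] if the event is not one this handler owns.
    Re-checking the pattern in code guards against an over-broad rule."""
    return affected_instances(event) if matches_pattern(event, pattern) else []


def migrate(instance_ids, ec2):
    """Stop, wait, start: a stopped EBS-backed instance restarts on a healthy host.
    ec2 is a boto3 EC2 client. Instance-store volumes do not survive a stop, so
    check the root device type before calling this for mixed fleets."""
    if not instance_ids:
        return []
    ec2.stop_instances(InstanceIds=instance_ids)
    ec2.get_waiter("instance_stopped").wait(InstanceIds=instance_ids)
    ec2.start_instances(InstanceIds=instance_ids)
    return instance_ids


def lambda_handler(event, context=None, ec2=None):
    ids = plan(event)
    if ids and ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    return {"migrated": migrate(ids, ec2)}


if __name__ == "__main__":
    print("would migrate:", plan(SAMPLE_EVENT))
    print("ignored:", plan(OTHER_EVENT))
```

Two operational notes: the stop waiter can take a few minutes, so set the Lambda timeout accordingly; and when Health events are aggregated through the organizational view, the event lands in the management account, so the function needs a cross-account role into the affected member account to call EC2 there.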
AWS Organizations for CloudOps — Advanced Patterns
Centralised logging account
All accounts in org → CloudTrail → S3 bucket in Logging account
All accounts in org → Config → S3 bucket in Logging account
All accounts in org → VPC Flow Logs → S3 bucket in Logging account
Logging account has:
- Restrictive bucket policy (s3:PutObject from any account in the org via the aws:PrincipalOrgID condition, no delete)
- MFA Delete enabled
- Object Lock (compliance mode, 7 years)
Service-managed StackSets
Auto-deploy operational tooling to every new account:
- CloudTrail multi-region trail
- Config recording (all resources)
- GuardDuty enablement
- Default VPC deletion
- IAM password policy
Hands-on: Set Up an AWS Landing Zone (Simple)
1. Create AWS Organization (Management account → Organizations → Create org)
2. Create OUs:
- Security (Audit + Log Archive accounts)
- Production
- Development
- Sandbox
3. Apply SCPs:
- Deny leaving org: all OUs
- Restrict regions to us-east-1, eu-west-1: Production OU
- Deny root account actions: all member OUs
- Require EBS encryption: Production OU
4. Enable trusted access for:
- CloudFormation StackSets (for cross-account deployments)
- AWS Config (for organisation-wide compliance)
- AWS Security Hub (for centralised security findings)
- GuardDuty (for centralised threat detection)
5. Create baseline StackSet (deploy to all accounts):
- CloudTrail → Log Archive account
- Config → Log Archive account
- Default password policy
- IAM alias
6. Cost management (billing is already consolidated through the management account):
- Enable Compute Optimizer for all accounts
- Purchase Savings Plans at org level for maximum discounts
- Set organisation-wide budget alert at $1000/month
Common SOA-C03 Exam Questions
Q: An SCP denies a specific action but an IAM policy allows it. What is the effective permission? The SCP wins — it's the ceiling. The action is denied. SCPs restrict what IAM policies can do. Both must allow an action for it to be permitted.
Q: You need to ensure no member account can disable CloudTrail. What's the mechanism?
Apply an SCP to the root or relevant OUs with "Effect": "Deny" on "cloudtrail:StopLogging" (and on cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, otherwise the trail can simply be deleted or redirected). This cannot be overridden by any IAM policy in member accounts. The management account itself is still unaffected, so own the organization trail there and keep that account locked down.
Q: A team needs to deploy EC2 instances without direct IAM access to CloudFormation. How? Use AWS Service Catalog — create a portfolio with an approved EC2 product (CloudFormation template). Assign the portfolio to the team. They launch from the catalog using a launch constraint role that has the needed CloudFormation permissions.
Q: How do you get all accounts to receive a new Config rule without touching each account? Use CloudFormation StackSets with service-managed permissions (Organizations integration) — deploy the Config rule to the target OU. New accounts joining the OU automatically receive the rule.
What to Learn Next
- AWS Security & Compliance — GuardDuty, Security Hub at organization level
- AWS CloudFormation for CloudOps — StackSets for multi-account deployments
- AWS CloudWatch Monitoring — centralize monitoring across accounts
