It is common to use multiple accounts in AWS to separate environments, group workloads by business function, or apply tighter security controls to a subset of workloads…
That is a sound way to do it, but it comes with the pain and overhead of managing multiple AWS accounts. Should we create an IAM user per account for each of our users? Should we set up a separate payment method per account?
AWS solves this problem for us through “Organisations”. AWS Organisations lets you govern and manage multiple AWS accounts from a central place: billing is consolidated under one account, policies (such as service control policies) can be applied to whole groups of accounts at once, and adding a new account becomes a repeatable step rather than a fresh setup.
How to create and configure your org?
From one of your standard AWS accounts, you can create an “Organisation”. This makes that standard account the Organisation Management Account. You can only have a single Management Account in an organisation. Bear in mind that the management account has full authority over every member account and is not restricted by service control policies, so it should hold as little as possible: no workloads, and tightly controlled credentials.
What about the rest of the accounts? From the management account you can either invite existing accounts into the organisation (they become “member” accounts once they accept the invitation) or create brand-new member accounts directly.
The AWS organisation is hierarchical and is formed of an Administrative Root and one or more Organisational Units. The Administrative Root is the top-level container of the organisation; it holds the AWS accounts and the other containers. An Organisational Unit (OU) is a group of one or more AWS accounts within your organisation, and OUs can themselves be nested. For example, you might choose to have 2 Prod accounts to separate the infrastructure of 2 entities within your product but only keep one account for Staging and one for Dev. One way to go about it is by creating 3 Organisational Units, one for Dev, one for Staging, and one for Prod. The latter contains 2 AWS accounts.
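As an added example (not code from the original article), here is the Dev / Staging / Prod layout above expressed in Terraform, run from the management account. It goes one step further than the text and attaches a small service control policy to the Prod OU to show where guardrails hang in the hierarchy. All account names, e-mail addresses and the region are placeholders.

```hcl
# Added example: Dev / Staging / Prod OUs with two accounts under Prod.
# Names, e-mail addresses and region are placeholders, not the article's values.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption; Organizations is a global service anyway
}

# Turns the current (management) account into an organisation.
# feature_set = "ALL" is required for service control policies;
# "CONSOLIDATED_BILLING" would give shared billing only.
resource "aws_organizations_organization" "this" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

locals {
  # One OU per environment, all directly under the administrative root.
  ous = toset(["Dev", "Staging", "Prod"])

  # Member accounts and the OU each one lives in. Each account needs its own
  # e-mail address that is not already attached to an AWS account.
  accounts = {
    dev           = { ou = "Dev",     email = "aws-dev@example.com" }
    staging       = { ou = "Staging", email = "aws-staging@example.com" }
    prod-entity-a = { ou = "Prod",    email = "aws-prod-a@example.com" }
    prod-entity-b = { ou = "Prod",    email = "aws-prod-b@example.com" }
  }
}

resource "aws_organizations_organizational_unit" "ou" {
  for_each  = local.ous
  name      = each.key
  parent_id = aws_organizations_organization.this.roots[0].id
}

# New member accounts created by the management account and placed in their OU.
resource "aws_organizations_account" "account" {
  for_each  = local.accounts
  name      = each.key
  email     = each.value.email
  parent_id = aws_organizations_organizational_unit.ou[each.value.ou].id
}

# Guardrail for Prod: member accounts may not leave the organisation on their own.
# SCPs apply to member accounts only; the management account is never restricted.
resource "aws_organizations_policy" "deny_leave_org" {
  name = "DenyLeaveOrganization"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyLeaveOrganization"
      Effect   = "Deny"
      Action   = "organizations:LeaveOrganization"
      Resource = "*"
    }]
  })
}

resource "aws_organizations_policy_attachment" "prod" {
  policy_id = aws_organizations_policy.deny_leave_org.id
  target_id = aws_organizations_organizational_unit.ou["Prod"].id
}
```

Two things to know before applying it. First, `aws_organizations_account` creates new accounts; an account that already exists is invited from the management account (console, or `aws organizations invite-account-to-organization`), accepted from the member side, and then brought under Terraform with `terraform import`. Second, destroying an `aws_organizations_account` only removes the account from the organisation; it does not close the account unless `close_on_deletion = true` is set, so a plan that drops an account is worth reading carefully.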
Below is one way to visualise the previous example:
For our example, I will work with two existing accounts only: one management account and one member account.
The Terraform configuration would look as follows: