Amazon Organizations service should be use to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies) in order to help you comply with the security and compliance policies within your company.
1. Sign in to the AWS Management Console using the root credentials.
2. Navigate to AWS Organizations home page.
3. On the Getting Started page, click Create organization.
4. Within Create new organization dialog box, select ENABLE ALL FEATURES to use All features set (including Consolidated Billing features, policy-based controls and hierarchical management of accounts) for your new organization.Click Create organization to confirm that your new organization has all features enabled. You have now an AWS organization with your current account as its only member. This account is the master account of the organization.
5. To invite an existing AWS account to join your organization, select Accounts tab, click Add account from the dashboard top menu and choose Invite account option.
6. Enter the account ID or the email address of the account that you want to invite in the Account ID or email box.
7. In the Notes box, provide a short note to be included in the email that is sent to the owner of the account that receives the invitation. Click Invite to send your invitation.
8. (Optional) To invite other AWS accounts owners to join your organization, repeat steps no. 5 – 7.
9. Create an Organizational Unit (OU) to place the member account(s) invited at the previous steps. To create and populate your OU, select Organize Accounts tab then choose + New organizational unit.
10. In the Create organizational unit dialog box, provide a name for your new OU then click Create organizational unit to confirm the action. Now you can move your member account(s) into the newly created Organizational Unit.
11. Select the first member account that you want to place into your OU, then click Move to initiate the moving process.
12. Within Move 1 account dialog box, choose the Organizational Unit you want to move the account to then click Move to confirm the action.
13. (Optional) To move other available member accounts to your Organizational Unit, repeat steps no. 10 – 12.
14. On the Create policy page, choose Policy generator and provide a name and a description for your new SCP using the Policy name and Description fields. For Choose Overall Effect select Allow then choose the AWS service(s) and action(s) that you want to whitelist from the Statement builder section using the Add statement button to add as many services/actions as you need.Once all the necessary AWS services and actions have been defined, click Create policy to generate your SCP.
16. To attach your new SCP to a root or to any OU within a root, you must first enable the policy type for that root as the policy types are not enabled by default. To enable Service Control Policy type for the root in your organization, select Organize Accounts tab, choose Root from the left navigation panel then click Enable next to the Service control policies:
17. Click on the Organizational Unit that you want to configure to access its management page.
18. Under POLICIES section, click Service control policies to expand the panel with the policies attached/available to the selected OU. Locate the SCP created at step no. 14 and 15, then click Attach to associate your SCP with the Organizational Unit (OU). Once attached, the member accounts available in the OU will be able to access the AWS services and actions defined within the SCP.
Note: since all OUs created under the root account inherit the FullAWSAccess” policy that allows access to every operation, make sure this policy is detached just after attaching your new SCP.“