By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments
You’re a cloud engineer at a mid-sized company. Your CTO just handed you a spreadsheet with 50 AWS accounts—some for dev, some for prod, some for finance, some for legacy apps. Each account has different IAM policies, cost centers, and compliance requirements. Chaos is brewing.
Real-world scenario:You inherit a multi-account AWS environment where: - Dev accounts have unrestricted EC2 instance types (cost overruns).- Prod accounts lack encryption requirements (compliance violations).- Finance accounts can’t be tagged properly (cost allocation is a mess).
Your mission: Use OUs, SCPs, and Tag Policies to enforce guardrails without breaking existing workloads.
[email protected]
Prod
Dev
Finance
Environment=Prod
CostCenter=Finance
dev-team-1
prod-db
✅ AWS Management Account (root) with admin IAM permissions.✅ At least 2 member accounts (e.g., dev, prod). If you don’t have them, create them here.✅ AWS CLI installed and configured (aws configure).
dev
prod
aws configure
aws organizations create-organization --feature-set ALL
Verify:
aws organizations describe-organization
Expected output:
{ "Organization": { "Id": "o-1234567890", "Arn": "arn:aws:organizations::123456789012:organization/o-1234567890", "FeatureSet": "ALL" } }
Why this matters: ALL enables SCPs and Tag Policies (not just consolidated billing).
ALL
# Create OUs aws organizations create-organizational-unit --parent-id o-1234567890 --name "Prod" aws organizations create-organizational-unit --parent-id o-1234567890 --name "Dev" aws organizations create-organizational-unit --parent-id o-1234567890 --name "Finance"
aws organizations list-organizational-units-for-parent --parent-id o-1234567890
{ "OrganizationalUnits": [ { "Id": "ou-1234-abcdefgh", "Arn": "arn:aws:organizations::123456789012:ou/o-1234567890/ou-1234-abcdefgh", "Name": "Prod" }, { "Name": "Dev" }, { "Name": "Finance" } ] }
# List accounts to get their IDs aws organizations list-accounts # Move an account (e.g., prod-db) into the Prod OU aws organizations move-account \ --account-id 987654321098 \ --source-parent-id o-1234567890 \ --destination-parent-id ou-1234-abcdefgh
aws organizations list-accounts-for-parent --parent-id ou-1234-abcdefgh
Policy (deny-public-s3.json):
deny-public-s3.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "s3:PutBucketPublicAccessBlock", "Resource": "*", "Condition": { "Bool": { "s3:x-amz-acl": "public-read|public-read-write|authenticated-read" } } } ] }
Apply the SCP to the Prod OU:
aws organizations create-policy \ --content file://deny-public-s3.json \ --description "Block public S3 buckets in Prod" \ --name "DenyPublicS3" \ --type SERVICE_CONTROL_POLICY # Attach the SCP to the Prod OU aws organizations attach-policy \ --policy-id p-12345678 \ --target-id ou-1234-abcdefgh
aws organizations list-policies-for-target --target-id ou-1234-abcdefgh --filter SERVICE_CONTROL_POLICY
Why this matters:- Security: Prevents accidental public S3 buckets in prod.- Compliance: Meets CIS AWS Foundations Benchmark (1.20: Ensure S3 buckets are not publicly accessible).
Policy (enforce-tags.json):
enforce-tags.json
{ "tags": { "Environment": { "tag_key": { "@@assign": "Environment" }, "tag_value": { "@@assign": ["Prod", "Dev", "Staging"] } }, "CostCenter": { "tag_key": { "@@assign": "CostCenter" }, "enforced_for": { "@@assign": ["ec2:instance", "s3:bucket"] } } } }
Apply the Tag Policy:
aws organizations create-policy \ --content file://enforce-tags.json \ --description "Enforce Environment and CostCenter tags" \ --name "EnforceTags" \ --type TAG_POLICY # Attach to the root OU (applies to all accounts) aws organizations attach-policy \ --policy-id p-87654321 \ --target-id o-1234567890
aws organizations list-policies-for-target --target-id o-1234567890 --filter TAG_POLICY
Why this matters:- Cost tracking: Finance can now allocate costs by CostCenter.- Automation: Tools like AWS Cost Explorer and AWS Config rely on tags.
CostCenter
✅ Least privilege SCPs: Start with deny-all, then whitelist allowed actions.✅ Never attach SCPs to the root OU unless absolutely necessary (risk of breaking everything).✅ Use IAM roles for cross-account access (not root users).
✅ Tag all resources (Environment, Owner, Project) for cost allocation.✅ Use SCPs to block expensive instance types (e.g., deny p4d.24xlarge in dev).✅ Enable AWS Cost Anomaly Detection at the organization level.
Environment
Owner
Project
p4d.24xlarge
✅ Standardize OU structure (e.g., Prod/DB, Prod/App, Dev/Sandbox).✅ Use AWS Config rules to audit SCP compliance.✅ Document SCPs (e.g., "This SCP blocks public S3 buckets in prod").
Prod/DB
Prod/App
Dev/Sandbox
✅ Enable AWS CloudTrail at the organization level (logs all API calls).✅ Set up AWS Budgets with alerts for each OU.✅ Monitor SCP violations with AWS Config and Amazon EventBridge.
Deny
Allow
iam:*
❌ AWS Config (audits, doesn’t enforce)
"How do you prevent dev accounts from launching expensive EC2 instances?"
ec2:RunInstances
❌ IAM policy (only applies to one account).
"How do you ensure all S3 buckets in prod have encryption enabled?"
s3:CreateBucket
s3:x-amz-server-side-encryption
Challenge:"You have a Dev OU with 5 accounts. You want to block all EC2 instances except t3.micro and t3.small. Write an SCP and apply it to the Dev OU."
t3.micro
t3.small
Solution:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringNotEquals": { "ec2:InstanceType": ["t3.micro", "t3.small"] } } } ] }
Why it works:- Denies ec2:RunInstances unless the instance type is t3.micro or t3.small.- Applies to all accounts in the Dev OU.
aws organizations create-organizational-unit
aws organizations attach-policy
{"Effect": "Deny", "Action": "...", "Resource": "*"}
{"tags": {"Environment": {"@@assign": ["Prod", "Dev"]}}}
Final Thought:AWS Organizations is your central nervous system for multi-account AWS environments. Master OUs, SCPs, and Tag Policies, and you’ll be the engineer who prevents outages, saves costs, and keeps auditors happy. ?
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.