Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Organizations: OUs, SCPs, and Tag Policies – Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-organizations-ous-scps-and-tag-policies-zero-fluff-study-guide

TECH **AWS Organizations: OUs, SCPs, and Tag Policies – Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

AWS Organizations: OUs, SCPs, and Tag Policies – Zero-Fluff Study Guide

For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments


1. What This Is & Why It Matters

You’re a cloud engineer at a mid-sized company. Your CTO just handed you a spreadsheet with 50 AWS accounts—some for dev, some for prod, some for finance, some for legacy apps. Each account has different IAM policies, cost centers, and compliance requirements. Chaos is brewing.


  • Without AWS Organizations, you’d manually configure IAM, budgets, and security settings in each account. A single misconfiguration (e.g., an open S3 bucket in prod) could expose customer data.
  • With AWS Organizations, you centrally govern all accounts using Organizational Units (OUs), Service Control Policies (SCPs), and Tag Policies. This is your force multiplier for security, cost control, and compliance.

Real-world scenario:
You inherit a multi-account AWS environment where: - Dev accounts have unrestricted EC2 instance types (cost overruns).
- Prod accounts lack encryption requirements (compliance violations).
- Finance accounts can’t be tagged properly (cost allocation is a mess).

Your mission: Use OUs, SCPs, and Tag Policies to enforce guardrails without breaking existing workloads.


2. Core Concepts & Components


? AWS Organizations

  • Definition: A central governance service to manage multiple AWS accounts under a single "management account."
  • Production insight: If you don’t use Organizations, you’re stuck with manual IAM policies per account—a security and compliance nightmare.

? Management Account

  • Definition: The root account of your organization (e.g., [email protected]). This is where you create OUs, SCPs, and Tag Policies.
  • Production insight: Never deploy workloads here. Treat it like a break-glass admin account—only for organization-wide governance.

? Organizational Units (OUs)

  • Definition: Logical containers to group AWS accounts (e.g., Prod, Dev, Finance).
  • Production insight: OUs let you apply SCPs and Tag Policies hierarchically (e.g., block public S3 buckets for all Prod accounts).

? Service Control Policies (SCPs)

  • Definition: JSON-based policies that deny or allow AWS actions at the OU or account level.
  • Production insight: SCPs do not grant permissions—they restrict what IAM policies can do. Think of them as "guardrails" (e.g., "No one can disable CloudTrail in prod").

? Tag Policies

  • Definition: Enforce consistent tagging across all AWS resources (e.g., Environment=Prod, CostCenter=Finance).
  • Production insight: Without Tag Policies, cost allocation reports are useless—you won’t know which team owns which resources.

? AWS Accounts (Member Accounts)

  • Definition: Individual AWS accounts under the management account (e.g., dev-team-1, prod-db).
  • Production insight: Never use the root user in member accounts—always delegate IAM roles.

? Consolidated Billing

  • Definition: Single payer account for all member accounts (simplifies cost tracking).
  • Production insight: Enables volume discounts (e.g., Reserved Instances apply across all accounts).


3. Step-by-Step Hands-On: Deploying OUs, SCPs, and Tag Policies


Prerequisites

AWS Management Account (root) with admin IAM permissions.
At least 2 member accounts (e.g., dev, prod). If you don’t have them, create them here.
AWS CLI installed and configured (aws configure).


Step 1: Enable AWS Organizations

aws organizations create-organization --feature-set ALL

Verify:


aws organizations describe-organization

Expected output:


{
  "Organization": {
"Id": "o-1234567890",
"Arn": "arn:aws:organizations::123456789012:organization/o-1234567890",
"FeatureSet": "ALL" } }

Why this matters: ALL enables SCPs and Tag Policies (not just consolidated billing).


Step 2: Create OUs (Prod, Dev, Finance)

# Create OUs
aws organizations create-organizational-unit --parent-id o-1234567890 --name "Prod"
aws organizations create-organizational-unit --parent-id o-1234567890 --name "Dev"
aws organizations create-organizational-unit --parent-id o-1234567890 --name "Finance"

Verify:


aws organizations list-organizational-units-for-parent --parent-id o-1234567890

Expected output:


{
  "OrganizationalUnits": [
{
"Id": "ou-1234-abcdefgh",
"Arn": "arn:aws:organizations::123456789012:ou/o-1234567890/ou-1234-abcdefgh",
"Name": "Prod"
},
{
"Name": "Dev"
},
{
"Name": "Finance"
} ] }


Step 3: Move Accounts into OUs

# List accounts to get their IDs
aws organizations list-accounts

# Move an account (e.g., prod-db) into the Prod OU
aws organizations move-account \
  --account-id 987654321098 \
  --source-parent-id o-1234567890 \
  --destination-parent-id ou-1234-abcdefgh

Verify:


aws organizations list-accounts-for-parent --parent-id ou-1234-abcdefgh


Step 4: Create an SCP to Block Public S3 Buckets (Prod OU)

Policy (deny-public-s3.json):


{
  "Version": "2012-10-17",
  "Statement": [
{
"Effect": "Deny",
"Action": "s3:PutBucketPublicAccessBlock",
"Resource": "*",
"Condition": {
"Bool": {
"s3:x-amz-acl": "public-read|public-read-write|authenticated-read"
}
}
} ] }

Apply the SCP to the Prod OU:


aws organizations create-policy \
  --content file://deny-public-s3.json \
  --description "Block public S3 buckets in Prod" \
  --name "DenyPublicS3" \
  --type SERVICE_CONTROL_POLICY

# Attach the SCP to the Prod OU
aws organizations attach-policy \
  --policy-id p-12345678 \
  --target-id ou-1234-abcdefgh

Verify:


aws organizations list-policies-for-target --target-id ou-1234-abcdefgh --filter SERVICE_CONTROL_POLICY

Why this matters:
- Security: Prevents accidental public S3 buckets in prod.
- Compliance: Meets CIS AWS Foundations Benchmark (1.20: Ensure S3 buckets are not publicly accessible).


Step 5: Enforce Tagging with a Tag Policy

Policy (enforce-tags.json):


{
  "tags": {
"Environment": {
"tag_key": {
"@@assign": "Environment"
},
"tag_value": {
"@@assign": ["Prod", "Dev", "Staging"]
}
},
"CostCenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"enforced_for": {
"@@assign": ["ec2:instance", "s3:bucket"]
}
} } }

Apply the Tag Policy:


aws organizations create-policy \
  --content file://enforce-tags.json \
  --description "Enforce Environment and CostCenter tags" \
  --name "EnforceTags" \
  --type TAG_POLICY

# Attach to the root OU (applies to all accounts)
aws organizations attach-policy \
  --policy-id p-87654321 \
  --target-id o-1234567890

Verify:


aws organizations list-policies-for-target --target-id o-1234567890 --filter TAG_POLICY

Why this matters:
- Cost tracking: Finance can now allocate costs by CostCenter.
- Automation: Tools like AWS Cost Explorer and AWS Config rely on tags.


4. ? Production-Ready Best Practices


Security

Least privilege SCPs: Start with deny-all, then whitelist allowed actions.
Never attach SCPs to the root OU unless absolutely necessary (risk of breaking everything).
Use IAM roles for cross-account access (not root users).

Cost Optimization

Tag all resources (Environment, Owner, Project) for cost allocation.
Use SCPs to block expensive instance types (e.g., deny p4d.24xlarge in dev).
Enable AWS Cost Anomaly Detection at the organization level.

Reliability & Maintainability

Standardize OU structure (e.g., Prod/DB, Prod/App, Dev/Sandbox).
Use AWS Config rules to audit SCP compliance.
Document SCPs (e.g., "This SCP blocks public S3 buckets in prod").

Observability

Enable AWS CloudTrail at the organization level (logs all API calls).
Set up AWS Budgets with alerts for each OU.
Monitor SCP violations with AWS Config and Amazon EventBridge.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Attaching SCPs to the root OU All accounts lose permissions (e.g., can’t create IAM roles). Test SCPs in a single OU first.
Using Deny without Allow SCPs block all actions (even admin tasks). Always include Allow for essential actions (e.g., iam:*).
Not testing SCPs in a sandbox Prod workloads break after applying SCPs. Use AWS Organizations Sandbox (or a dev OU).
Inconsistent tagging Cost reports are useless. Enforce Tag Policies at the root OU.
Not enabling CloudTrail Can’t audit SCP violations. Enable CloudTrail in the management account.


6. ? Exam/Certification Focus (SAA-C03)


Typical Question Patterns

  1. "Which service enforces guardrails across multiple AWS accounts?"
  2. AWS Organizations + SCPs
  3. ❌ AWS IAM (only per-account)
  4. ❌ AWS Config (audits, doesn’t enforce)

  5. "How do you prevent dev accounts from launching expensive EC2 instances?"

  6. SCP denying ec2:RunInstances for non-approved instance types.
  7. ❌ IAM policy (only applies to one account).

  8. "How do you ensure all S3 buckets in prod have encryption enabled?"

  9. SCP denying s3:CreateBucket unless s3:x-amz-server-side-encryption is set.
  10. ❌ AWS Config (only audits, doesn’t enforce).

Key ⚠️ Trap Distinctions

Concept What It Does What It Doesn’t Do
SCP Restricts what IAM policies can do. Does not grant permissions.
IAM Policy Grants permissions to users/roles. Does not override SCPs.
Tag Policy Enforces tagging rules. Does not block untagged resources.


7. ? Hands-On Challenge (With Solution)

Challenge:
"You have a Dev OU with 5 accounts. You want to block all EC2 instances except t3.micro and t3.small. Write an SCP and apply it to the Dev OU."

Solution:


{
  "Version": "2012-10-17",
  "Statement": [
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": ["t3.micro", "t3.small"]
}
}
} ] }

Why it works:
- Denies ec2:RunInstances unless the instance type is t3.micro or t3.small.
- Applies to all accounts in the Dev OU.


8. ? Rapid-Reference Crib Sheet

Command/Concept Key Details
aws organizations create-organization --feature-set ALL Enables SCPs and Tag Policies.
aws organizations create-organizational-unit Creates an OU (e.g., Prod).
aws organizations attach-policy Attaches an SCP/Tag Policy to an OU.
SCP Structure {"Effect": "Deny", "Action": "...", "Resource": "*"}
Tag Policy Structure {"tags": {"Environment": {"@@assign": ["Prod", "Dev"]}}}
⚠️ Default SCP Allows all actions (no restrictions).
⚠️ SCPs don’t affect the management account Only member accounts.
⚠️ Tag Policies don’t block untagged resources Use AWS Config rules for enforcement.


9. ? Where to Go Next

  1. AWS Organizations User Guide (Official docs)
  2. AWS SCP Examples (Pre-built SCPs)
  3. AWS Tagging Best Practices (Cost allocation guide)
  4. AWS Well-Architected Framework (Multi-Account) (Production best practices)

Final Thought:
AWS Organizations is your central nervous system for multi-account AWS environments. Master OUs, SCPs, and Tag Policies, and you’ll be the engineer who prevents outages, saves costs, and keeps auditors happy. ?



ADVERTISEMENT