AWS Organizations lets you manage multiple AWS accounts from one place under a single organization.


Structure


Root     (the entire building; the top of the tree, not itself an OU)
    |
    |-- Management Account  (CEO — full control, SCPs never apply here)
    |
    |-- OU (Dev)            (a department/folder)
    |       |-- Member Account
    |       |-- Member Account
    |
    |-- OU (Prod)           (another department)
            |-- OU (HR)     (OUs can be nested)
            |-- OU (Finance)
                    |-- Member Account
Term                What It Is
Root                Top of the tree; one per organization. SCPs attached here apply to every account except the management account.
Management Account  The account that created the organization. Never restricted by SCPs, not even ones attached directly to it, so keep it free of workloads.
OU                  A folder for grouping accounts (and other OUs). SCPs can be attached to the root, to an OU, or to a single account; an OU inherits everything attached above it.
Member Account      A regular AWS account inside the organization. An account can belong to only one organization at a time.
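How the SCP rules in the table combine down the tree, as an added example that is not part of the original notes: a small Python model of SCP evaluation. An action is permitted for a member account only if the SCPs attached at every level of its path (account, each enclosing OU, root) permit it, where a level permits an action when at least one attached Allow statement matches and no attached Deny statement matches; the management account is exempt regardless of what is attached to it. The organization tree, the OU and account ids and the guardrail policies are constructed for illustration, and the policy format is a cut-down version of real SCP JSON (Effect and Action only, no Condition or Resource). SCPs only set the ceiling: the account's own IAM policies must still grant the action.

```python
from fnmatch import fnmatchcase

# --- Constructed sample organization (ids and policies are made up for illustration) ---

# AWS attaches this to every root, OU and account by default once SCPs are enabled.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Deny-list guardrails: FullAWSAccess stays attached, specific actions are blocked.
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}
DENY_IAM_USERS = {"Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"]}]}
DENY_BUCKET_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket"}]}
# Allow-list guardrail: FullAWSAccess is detached and only these services are permitted.
PROD_SERVICES_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "logs:*"]}]}

MANAGEMENT_ACCOUNT = "111111111111"  # hypothetical account id

# Each node: its parent in the tree and the SCPs attached directly to it.
ORG = {
    "r-root":           {"parent": None,         "scps": [FULL_AWS_ACCESS, DENY_LEAVE_ORG]},
    MANAGEMENT_ACCOUNT: {"parent": "r-root",     "scps": [FULL_AWS_ACCESS]},
    "ou-dev":           {"parent": "r-root",     "scps": [FULL_AWS_ACCESS, DENY_IAM_USERS]},
    "ou-prod":          {"parent": "r-root",     "scps": [PROD_SERVICES_ONLY]},
    "ou-finance":       {"parent": "ou-prod",    "scps": [FULL_AWS_ACCESS, DENY_BUCKET_DELETE]},
    "222222222222":     {"parent": "ou-dev",     "scps": [FULL_AWS_ACCESS]},  # dev member account
    "333333333333":     {"parent": "ou-finance", "scps": [FULL_AWS_ACCESS]},  # finance member account
}


def _matches(pattern, action):
    # IAM action matching is case-insensitive and "*" may stand for any characters.
    return fnmatchcase(action.lower(), pattern.lower())


def _level_permits(scps, action):
    """One node permits the action if some attached Allow matches and no attached Deny matches.
    A node with no SCPs attached at all (FullAWSAccess detached, nothing added) permits nothing."""
    allowed = denied = False
    for policy in scps:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(_matches(a, action) for a in actions):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def path_to_root(org, node_id):
    """Node ids from the given node up to the root, e.g. account -> OU -> parent OU -> root."""
    path = []
    while node_id is not None:
        path.append(node_id)
        node_id = org[node_id]["parent"]
    return path


def scp_permits(org, account_id, action, management_account=MANAGEMENT_ACCOUNT):
    """True if the SCP guardrails leave the action available to the account.
    The management account is exempt from SCPs at every level, including its own."""
    if account_id == management_account:
        return True
    return all(_level_permits(org[node]["scps"], action) for node in path_to_root(org, account_id))


if __name__ == "__main__":
    checks = ["organizations:LeaveOrganization", "iam:CreateUser", "s3:PutObject", "s3:DeleteBucket"]
    for account in (MANAGEMENT_ACCOUNT, "222222222222", "333333333333"):
        print(account, " -> ".join(path_to_root(ORG, account)))
        for action in checks:
            print(f"  {action:<35} {'allowed' if scp_permits(ORG, account, action) else 'BLOCKED'}")
```

Two things worth noticing when running it: the finance account cannot call iam:CreateUser even though its own OU attaches FullAWSAccess, because the allow-list on the Prod OU above it never grants iam:*; and detaching every SCP from a node (an empty `scps` list) blocks everything beneath it, which is how AWS behaves when FullAWSAccess is removed without a replacement Allow.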

Ways to Organize OUs


Style                    How
Business Unit            Sales OU, Retail OU, Finance OU
Environmental Lifecycle  Prod OU, Dev OU, Test OU
Project-Based            Project 1 OU, Project 2 OU, Project 3 OU

Why Multiple Accounts Instead of Multiple VPCs?

Separate accounts give: