OrganizationAccountAccessRole - created for every member account and allows admin actions; it must be created manually for accounts that are invited into the ORG.
SCPs (Service Control Policies) - define an allowlist or blocklist of IAM actions; applied at the OU or account level, not to the management account. Actions must be explicitly allowed; SCPs do not affect any service-linked role.
aws:TagKeys - condition key to validate the tag keys of a resource against an IAM policy; use ForAllValues to match all keys and ForAnyValue to match any key.
Tag Policies - standardize tagging across the ORG.
Backup Policies - define a backup plan for the ORG.
Predefined catalog of resources (CloudFormation templates) to deploy within an ORG.
Admins define Products (templates) that are grouped into Portfolios; access is controlled with IAM.
Users see the Product list.