AWS Organizations Security Features
AWS Organizations is a critical service for managing security governance across multiple AWS accounts. Here are its key security features:

**Service Control Policies (SCPs):** SCPs are the cornerstone of AWS Organizations security. They act as permission boundaries that define the maximum available permissions for member accounts. SCPs don't grant permissions but restrict what actions IAM users and roles can perform, even if their IAM policies allow it. They apply to all users, including the root user of member accounts.

**Organizational Units (OUs):** OUs allow hierarchical grouping of accounts, enabling structured policy application. Security teams can create OUs like Production, Development, and Sandbox, each with tailored SCPs that enforce appropriate security controls.

**Centralized Management:** Organizations enables centralized management of security services across all accounts, including AWS CloudTrail, AWS Config, Amazon GuardDuty, AWS Security Hub, and Amazon Macie through delegated administrator capabilities.

**Tag Policies:** These enforce standardized tagging across resources, ensuring consistent classification for cost allocation, access control, and compliance tracking.

**Backup Policies:** Centrally manage AWS Backup plans across the organization to ensure data protection compliance.

**AI Services Opt-Out Policies:** Control whether AWS AI services can store or use content processed by these services across all member accounts.

**Trusted Access:** This feature allows supported AWS services to perform tasks across all accounts in the organization without requiring manual configuration in each account.

**Account-Level Security:** The management account has ultimate control and cannot be restricted by SCPs. Best practices recommend using the management account minimally and designating a security tooling account as a delegated administrator.

**Integration with AWS Control Tower:** Organizations works seamlessly with AWS Control Tower to implement preventive and detective guardrails, providing automated governance and compliance enforcement.

These features collectively enable a defense-in-depth strategy, ensuring consistent security policies, centralized visibility, and compliance across an entire multi-account AWS environment, which is essential for the SCS-C02 exam's governance domain.
AWS Organizations Security Features: A Comprehensive Guide
Why AWS Organizations Security Features Matter
AWS Organizations is a foundational service for managing multiple AWS accounts at scale. From a security perspective, it is critical because it provides centralized governance, policy enforcement, and access control across an entire enterprise's AWS footprint. Without proper organizational security controls, individual accounts can drift from compliance standards, accumulate excessive permissions, and create attack surfaces that are difficult to monitor. For the AWS Security Specialty exam, understanding AWS Organizations security features is essential because questions frequently test your ability to design and enforce security policies across multi-account environments.
What Are AWS Organizations Security Features?
AWS Organizations security features encompass a set of capabilities designed to centrally manage and enforce security policies across all member accounts in an organization. The key features include:
1. Service Control Policies (SCPs)
SCPs are the primary security mechanism within AWS Organizations. They define the maximum available permissions for member accounts. SCPs act as permission boundaries — they do not grant permissions, but rather restrict what actions IAM users and roles in member accounts can perform, even if those users have explicit IAM policies allowing the action.
Key characteristics of SCPs:
- SCPs affect all users and roles in attached accounts, including the root user of the member account
- SCPs do NOT affect the management account (formerly master account)
- SCPs do NOT affect service-linked roles
- SCPs use an allow list or deny list strategy
- The default SCP is FullAWSAccess, which allows all actions
- SCPs can be attached at the root, organizational unit (OU), or individual account level
- SCPs follow inheritance — policies attached to a parent OU are inherited by child OUs and accounts
2. Organizational Units (OUs)
OUs provide a hierarchical structure for grouping accounts. This hierarchy is fundamental to security governance because SCPs and other policies cascade through the OU tree. Common OU structures for security include:
- Security OU — houses security tooling accounts (e.g., GuardDuty delegated administrator, Security Hub)
- Sandbox OU — for experimentation with restrictive SCPs limiting network egress and sensitive services
- Production OU — tightly controlled with strict SCPs
- Suspended OU — for quarantining compromised or decommissioned accounts with a deny-all SCP
3. Delegated Administrator
AWS Organizations allows you to designate member accounts as delegated administrators for specific AWS services. This is a security best practice because it avoids concentrating all administrative activities in the management account. Services that support delegated administration include AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Macie, and AWS Firewall Manager.
4. AWS Organizations Integration with Security Services
Many AWS security services integrate natively with Organizations to provide organization-wide coverage:
- AWS CloudTrail — Organization trails log API activity across all member accounts to a central S3 bucket
- Amazon GuardDuty — Can be enabled organization-wide with auto-enable for new accounts
- AWS Security Hub — Aggregates findings across all member accounts
- AWS Config — Organization-wide config rules and conformance packs
- Amazon Macie — Organization-wide S3 data discovery
- AWS Firewall Manager — Centralized firewall policy management across accounts
- IAM Access Analyzer — Organization-level analyzer to detect external access
- AWS Backup — Organization-wide backup policies
5. Tag Policies
Tag policies help enforce standardized tagging across your organization. While not a direct security control, consistent tagging supports security operations by enabling accurate resource identification, cost attribution, and automated incident response.
6. AI Services Opt-Out Policies
These policies allow you to control whether AWS AI services can store and use your content for service improvement purposes. This is important for organizations with strict data privacy requirements.
7. Backup Policies
Organization-level backup policies ensure that all member accounts maintain appropriate backup configurations, which is a critical component of data protection and disaster recovery.
How AWS Organizations Security Features Work
SCP Evaluation Logic:
When an IAM principal in a member account makes an API call, the effective permissions are determined by the intersection of:
1. The SCPs attached at every level of the OU hierarchy (from root to the account)
2. The IAM policies (identity-based and resource-based) attached to the principal
The API call is allowed ONLY if it is permitted by SCPs at every level of the hierarchy AND by the IAM policies. This means SCPs create an upper boundary — they filter permissions but never grant them.
Example SCP evaluation flow:
- The organization root has an SCP allowing all actions (the default FullAWSAccess)
- Production OU has SCP denying all actions except ec2:*, s3:*, and iam:*
- Account A (in Production OU) has an IAM user with a policy allowing lambda:*
- Result: The user CANNOT invoke Lambda functions because the Production OU SCP does not allow lambda:* actions
Allow List vs. Deny List Strategy:
Deny List (Default):
- Keep the default FullAWSAccess SCP attached
- Add additional SCPs with explicit Deny statements for actions you want to block
- Easier to manage; you only deny what you want to restrict
Allow List:
- Remove the default FullAWSAccess SCP
- Attach SCPs that explicitly allow only the services and actions you want
- More restrictive; requires you to explicitly allow every service needed
- Can be complex to manage but provides tighter control
Common Security-Focused SCP Examples:
- Prevent member accounts from leaving the organization
- Deny disabling of CloudTrail, GuardDuty, Security Hub, or AWS Config
- Restrict usage to approved AWS regions only
- Prevent deletion of critical S3 buckets or KMS keys
- Deny creation of IAM users with console access (enforce SSO only)
- Prevent disabling of S3 Block Public Access at the account level
- Restrict root user actions in member accounts
- Deny modification of specific IAM roles (e.g., security audit roles)
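The guardrails listed above are normally shipped as one deny-list SCP that sits next to the default FullAWSAccess policy. The following is an added example, not code from the page or from AWS: it assembles such an SCP from real IAM action names, then runs a small lint pass that catches the mistakes that are easy to make when authoring one (an Allow statement sneaking into a deny list, a Principal element, which SCPs do not support, a missing Resource) and checks the document against the 5,120-character limit the page gives in Tip 12. The role ARNs and the Sid names are placeholders chosen for the example.

```python
"""Deny-list guardrail SCP plus a lint pass (added example, not AWS code).

Action names are real IAM actions; the role ARNs below are placeholders.
With the deny-list strategy this SCP is attached in addition to FullAWSAccess.
"""
import json

SECURITY_AUDIT_ROLE = "arn:aws:iam::*:role/SecurityAudit"     # placeholder role to protect
BREAK_GLASS_ADMIN = "arn:aws:iam::*:role/OrgSecurityAdmin"   # placeholder role allowed to change it
SCP_MAX_CHARS = 5120                                          # limit stated in Tip 12

GUARDRAILS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyDisablingSecurityServices", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                    "guardduty:DeleteDetector", "guardduty:UpdateDetector",
                    "securityhub:DisableSecurityHub",
                    "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                    "config:DeleteDeliveryChannel"],
         "Resource": "*"},
        {"Sid": "DenyDisablingS3BlockPublicAccess", "Effect": "Deny",
         "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*"},
        # Restrict the member-account root user: SCPs are one of the few controls that can.
        {"Sid": "DenyRootUserActions", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
        # Protect the audit role from everyone except the break-glass admin role.
        {"Sid": "ProtectSecurityAuditRole", "Effect": "Deny",
         "Action": ["iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
                    "iam:DetachRolePolicy", "iam:PutRolePolicy",
                    "iam:UpdateAssumeRolePolicy", "iam:UpdateRole"],
         "Resource": SECURITY_AUDIT_ROLE,
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ADMIN}}},
    ],
}


def serialize(policy, minify=True):
    """JSON text as it would be submitted; minified form strips whitespace."""
    if minify:
        return json.dumps(policy, separators=(",", ":"))
    return json.dumps(policy, indent=2)


def size_check(policy, minify=True):
    """Return (character_count, within_limit) for the serialized policy."""
    text = serialize(policy, minify)
    return len(text), len(text) <= SCP_MAX_CHARS


def lint_deny_list_scp(policy):
    """Return a list of findings; an empty list means the SCP passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    seen_sids = set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Deny":
            findings.append(f"{where}: deny-list SCPs should contain only Deny statements")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action/NotAction")
        if "Resource" not in stmt:
            findings.append(f"{where}: missing Resource")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{where}: SCPs do not support Principal elements")
        if "Sid" in stmt:
            if stmt["Sid"] in seen_sids:
                findings.append(f"{where}: duplicate Sid")
            seen_sids.add(stmt["Sid"])
    return findings


def denied_actions(policy):
    """Flat set of action strings named in Deny statements, for quick review."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny" and "Action" in stmt:
            actions = stmt["Action"]
            out.update(actions if isinstance(actions, list) else [actions])
    return out


if __name__ == "__main__":
    print(serialize(GUARDRAILS_SCP, minify=False))
    print("findings:", lint_deny_list_scp(GUARDRAILS_SCP))
    print("size:", size_check(GUARDRAILS_SCP))
```

The lint function only models SCP-specific pitfalls; it does not replace IAM policy validation, and a policy that passes it still needs to be tested against a non-production OU before reaching Production.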
Trusted Access and Service Integration:
Trusted access allows AWS services to perform operations across all accounts in your organization. When you enable trusted access for a service (e.g., CloudFormation StackSets, AWS Config), the service creates service-linked roles in member accounts to perform its functions. This is managed through the Organizations console or API.
Management Account Security Considerations:
- The management account is NOT affected by SCPs — this is a critical security consideration
- Best practice: Use the management account ONLY for billing and organization management
- Do NOT deploy workloads in the management account
- Limit the number of users with access to the management account
- Enable MFA on the management account root user
- Use delegated administrators for security services instead of the management account
Exam Tips: Answering Questions on AWS Organizations Security Features
Tip 1: Remember that SCPs do NOT affect the management account.
If a question asks how to restrict the management account, SCPs are NOT the answer. You need IAM policies, permissions boundaries, or other controls for the management account itself.
Tip 2: SCPs do NOT grant permissions — they only restrict.
If a question involves granting access to a user in a member account, SCPs alone are never sufficient. The user still needs an IAM policy that grants the permission, AND the SCP must allow it.
Tip 3: SCPs affect the root user of member accounts.
This is a common exam topic. SCPs can restrict what the root user of a member account can do. This is one of the few mechanisms that can limit root user permissions.
Tip 4: SCPs do NOT affect service-linked roles.
Service-linked roles are used by AWS services to perform actions on your behalf. SCPs cannot restrict these roles. If a question involves blocking a service-linked role's actions, SCPs are not the answer.
Tip 5: Know the OU hierarchy and inheritance model.
SCPs are inherited from parent OUs. The effective SCP for an account is the intersection of all SCPs from the root down to the account. Questions may test whether you understand that a deny at any level in the hierarchy takes precedence.
Tip 6: Think "Suspended OU" for compromised accounts.
If a question describes an incident response scenario where an account is compromised, moving the account to a Suspended OU with a deny-all SCP is a valid containment strategy.
Tip 7: Delegated administrator is the best practice.
When questions ask about centralized security management, prefer the delegated administrator model over performing everything from the management account. This reduces the blast radius of the management account.
Tip 8: Organization-wide trails and aggregation.
For questions about centralized logging, remember that CloudTrail organization trails, Security Hub with organization integration, and GuardDuty with organization-wide enablement provide centralized visibility without needing to configure each account individually.
Tip 9: Distinguish between SCPs and IAM Permissions Boundaries.
Both restrict permissions, but SCPs apply at the account level across all principals, while permissions boundaries apply to individual IAM users or roles. Questions may test whether you choose SCP (broad account restriction) vs. permissions boundary (targeted user/role restriction).
Tip 10: Watch for "prevent" and "enforce" keywords.
When a question says "prevent all accounts from doing X," think SCP with a Deny statement. When it says "enforce a specific configuration," think AWS Config rules with organization-wide deployment or SCP depending on context.
Tip 11: Region restriction via SCPs.
A common exam scenario involves restricting AWS usage to specific regions. The correct approach is an SCP with a Deny statement that uses the aws:RequestedRegion condition key to block actions outside approved regions, with exceptions for global services like IAM, STS, CloudFront, and Route 53.
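To make the evaluation logic concrete, here is an added example (not code from the page or from AWS) that replays two passages in working code: the Production OU walk-through from the "Example SCP evaluation flow" section, and the region-restriction SCP from Tip 11. It is a deliberately small evaluator that models only Effect, Action/NotAction, wildcard matching and a StringNotEquals condition on aws:RequestedRegion; real IAM evaluation covers far more (resource ARNs, other condition operators, permissions boundaries, resource-based policies). The approved-region list, the user policies and the account layout are assumptions made for the example.

```python
"""Toy SCP + IAM intersection evaluator (added example, not AWS code)."""
import fnmatch
import json

# The AWS-managed default SCP that allows everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Allow-list SCP for the Production OU: anything not listed is implicitly denied.
PRODUCTION_ALLOW_LIST = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow",
                                        "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"}]}

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]   # constructed for the example

# Deny-list SCP for Tip 11: deny everything outside the approved regions except
# the global services the page names (IAM, STS, CloudFront, Route 53).
REGION_RESTRICTION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "cloudfront:*", "route53:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}]}

# Constructed IAM identity policies for the users in the walk-through.
LAMBDA_USER_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
ADMIN_USER_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive and patterns may contain '*'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringNotEquals is modelled here.
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, values in pairs.items():
            if context.get(key) in _as_list(values):
                return False
    return True


def _statement_applies(stmt, action, context):
    if "Action" in stmt:
        hit = _matches(action, stmt["Action"])
    else:
        hit = not _matches(action, stmt["NotAction"])   # NotAction: everything else
    return hit and _condition_holds(stmt.get("Condition", {}), context)


def policy_decision(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny always wins
            decision = "Allow"
    return decision


def _policies_permit(policies, action, context):
    # A level (root, OU, account, or the IAM layer) permits the action only if
    # some policy attached there allows it and none explicitly denies it.
    decisions = [policy_decision(p, action, context) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions


def is_allowed(scp_levels, iam_policies, action, region=None):
    """Allowed only if every SCP level AND the IAM policies permit the action."""
    context = {"aws:RequestedRegion": region} if region else {}
    return (all(_policies_permit(level, action, context) for level in scp_levels)
            and _policies_permit(iam_policies, action, context))


def production_walkthrough():
    """Root -> Production OU -> Account A, as in the page's example."""
    levels = [[FULL_AWS_ACCESS], [PRODUCTION_ALLOW_LIST], [FULL_AWS_ACCESS]]
    return {
        # IAM allows lambda:*, but the Production OU SCP never allows it.
        "lambda_user_invoke": is_allowed(levels, [LAMBDA_USER_POLICY], "lambda:InvokeFunction"),
        # SCPs permit ec2, but this user's IAM policy does not grant it: SCPs never grant.
        "lambda_user_ec2": is_allowed(levels, [LAMBDA_USER_POLICY], "ec2:DescribeInstances"),
        "admin_user_ec2": is_allowed(levels, [ADMIN_USER_POLICY], "ec2:DescribeInstances"),
    }


def region_walkthrough():
    """Deny-list strategy: FullAWSAccess stays, the region SCP is added at the root."""
    levels = [[FULL_AWS_ACCESS, REGION_RESTRICTION], [FULL_AWS_ACCESS]]
    return {
        "ec2_approved_region": is_allowed(levels, [ADMIN_USER_POLICY], "ec2:RunInstances", "us-east-1"),
        "ec2_other_region": is_allowed(levels, [ADMIN_USER_POLICY], "ec2:RunInstances", "ap-southeast-1"),
        # Global-service exception: the NotAction list keeps IAM calls unaffected.
        "iam_other_region": is_allowed(levels, [ADMIN_USER_POLICY], "iam:CreateRole", "ap-southeast-1"),
    }


if __name__ == "__main__":
    print(json.dumps({"production": production_walkthrough(), "region": region_walkthrough()}, indent=2))
```

Running it shows the two outcomes the page asks you to remember: the Lambda user is blocked by the Production OU allow list even though IAM permits lambda:*, and the same user gets no EC2 access even though every SCP level permits it, because no IAM policy grants it. In the region scenario the deny statement bites only when aws:RequestedRegion is outside the approved list, and the NotAction exception leaves the global services untouched.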
Tip 12: Remember the SCP size limit.
Each SCP can be a maximum of 5,120 characters. If a question involves very complex policies, you may need to use multiple SCPs or simplify the policy structure.
Summary:
AWS Organizations security features provide the backbone of multi-account security governance. SCPs are the most tested feature — understand their evaluation logic, limitations (management account, service-linked roles), and common use cases. Combine Organizations with integrated security services for comprehensive, centralized security management. Always remember that security in AWS is layered: Organizations provides the outermost boundary, followed by account-level controls, then IAM, then resource-level policies.