Using Orgs to simulate Business Units


Can I use AWS Organizations to isolate resources created by one business unit from another?

Here's my scenario. We have one master account. Under that account we have accounts for several people. Each person belongs to group A or group B (these are their business units). I want both groups to have access to the full range of AWS offerings, but when group A spins up an EC2 instance (for example), I don't want anyone from group B to be able to modify, stop, or remove it. Likewise, when anyone from group B spins up an EC2 instance (or any other AWS service), I don't want anyone from group A to be able to modify it.

It seems that Organizations would be a good way to handle this, but so far all I'm finding is how to make Org #1 manage ALL EC2 instances under my master account, and Org #2 can manage all S3 activity, or something like that. It sounds so screwy I know I'm missing something here.

Can anyone here please educate me on this?

asked 5 years ago, 226 views
1 Answer

OK, I answered my own question. Putting the information here in case someone else has the same problem.
First, I needed to understand the difference between AWS accounts and IAM users. When dealing with AWS Organizations, it's almost never IAM users. You are dealing with root AWS accounts. So, I created an AWS account for the company, then additional AWS accounts for each business unit. We did nothing with IAM at this point. The company account created a default organization, then additional organizations under it to represent the business units. This makes the company account the "master" account. The company account then invited all the accounts for the business units to join its organization. I had to log in to each business unit AWS account and accept the invitation. Then I used the master account to place each business unit account into its business unit Organization.
The end result is that each business unit can create resources, including additional IAM users, and no other business unit can touch them. The billing for all business units is consolidated and paid for by the master account. This gave us a single bill each month along with isolation between business units.

answered 5 years ago
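The same sequence of steps the answer walks through, as an added AWS CLI example that is not part of the original post: create the organization from the management ("master") account, create one organizational unit (OU) per business unit under the root, invite each business-unit account, accept the invitation with that account's own credentials, move the account into its OU, and then verify which accounts sit in the OU. It assumes AWS CLI v2, management-account credentials in the default profile, a named CLI profile per invited account, and the placeholder OU name, account ID and profile names shown in the comments (replace them with your own). The isolation itself comes from the accounts being separate: nothing in one account can touch another account's EC2 instances unless a role in that account explicitly trusts it, and an OU only adds a place to attach service control policies later.

```shell
#!/usr/bin/env sh
# Added example, not the answer author's script. Assumes AWS CLI v2 and
# management-account credentials in the current default profile.
set -eu

# Create the organization once, with all features enabled so OUs and
# service control policies are available. Prints the organization ID.
create_org() {
  aws organizations create-organization --feature-set ALL \
    --query 'Organization.Id' --output text
}

# The root ID is the parent of every business-unit OU.
root_id() {
  aws organizations list-roots --query 'Roots[0].Id' --output text
}

# Create one OU per business unit under the root; prints the new OU ID.
create_bu_ou() {  # $1 = OU name, e.g. BusinessUnit-A (placeholder)
  aws organizations create-organizational-unit \
    --parent-id "$(root_id)" --name "$1" \
    --query 'OrganizationalUnit.Id' --output text
}

# Invite an existing standalone account. Prints the handshake ID that the
# invited account must accept before it can be moved into an OU.
invite_account() {  # $1 = 12-digit account ID (placeholder values below)
  aws organizations invite-account-to-organization \
    --target "Id=$1,Type=ACCOUNT" --query 'Handshake.Id' --output text
}

# Accept the invitation using the invited account's own credentials,
# here selected with a CLI profile. Prints the handshake state.
accept_invite() {  # $1 = handshake ID, $2 = CLI profile of invited account
  aws organizations accept-handshake --handshake-id "$1" --profile "$2" \
    --query 'Handshake.State' --output text
}

# Move an accepted account from the root into its business-unit OU.
move_to_ou() {  # $1 = account ID, $2 = OU ID
  aws organizations move-account --account-id "$1" \
    --source-parent-id "$(root_id)" --destination-parent-id "$2"
}

# Verification step: list the account IDs that now sit in a given OU.
accounts_in_ou() {  # $1 = OU ID
  aws organizations list-accounts-for-parent --parent-id "$1" \
    --query 'Accounts[].Id' --output text
}

# Whole procedure for one business unit. Fails (without moving anything)
# if the invitation has not actually been accepted.
onboard_business_unit() {  # $1 = OU name, $2 = account ID, $3 = profile
  ou_id=$(create_bu_ou "$1")
  handshake=$(invite_account "$2")
  state=$(accept_invite "$handshake" "$3")
  if [ "$state" != "ACCEPTED" ]; then
    echo "invitation $handshake for account $2 is $state, not ACCEPTED" >&2
    return 1
  fi
  move_to_ou "$2" "$ou_id"
  accounts_in_ou "$ou_id"
}

# Usage (placeholder IDs and profiles; run create_org once first):
#   create_org
#   onboard_business_unit BusinessUnit-A 111111111111 bu-a-root
#   onboard_business_unit BusinessUnit-B 222222222222 bu-b-root
```

Each business-unit account still needs its own IAM users or roles for day-to-day work, created inside that account, exactly as the answer describes; the management account only carries the organization, consolidated billing and any policies attached to the OUs.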
