Day 1: AWS Solutions Architect Professional Prep — Multi-Account Strategy & Governance
Today marks the start of my journey toward earning the AWS Solutions Architect Professional certification.
Each day, I’ll share study notes and real-world insights from my preparation — explained in simple, practical terms.
My goal isn’t just to pass the exam but to deepen my understanding of cloud architecture so I can design smarter, more secure, and cost-efficient systems on AWS.
Topic 1: Multi-Account Strategy & Governance
Today’s first topic is Multi-Account strategy and governance. These were my big questions on the topic:
- Why do organizations use multiple AWS accounts?
- What are the core capabilities of AWS Organizations?
- How do Service Control Policies differ from IAM policies?
- How does Control Tower help organizations scale?
- How can tagging improve cost visibility and control?
Why do Organizations Use Multiple AWS Accounts?
Having one account is like putting everything in one big room. Using multiple accounts is like setting up separate, locked rooms, each for a specific purpose, so that nothing important depends on a single shared space.
There are 3 primary factors that may move an organization to adopt a multi-account strategy: security, billing, and compliance.
Security: Creating separate accounts ensures blast radius containment. For example, a financial services company might keep their trading systems in a separate account from their customer-facing web applications to ensure that a vulnerability in the web app cannot access trading data.
Billing: Each account acts as its own cash register, so spend is attributed to the account that incurred it. Service quotas are also per account, which prevents one team from using up all the supplies (resource quotas) and leaving the other teams without.
Compliance: Sometimes, laws require an organization to keep certain things completely separate. For example, there might be laws regarding Data Sovereignty (keeping customer data in specific countries) or Separation of Duties (auditors requiring different roles to handle different workloads). To demonstrate compliance, a healthcare company might keep patient data regulated by laws like HIPAA in one completely dedicated account, separate from their general company email systems.
What are the core capabilities of AWS Organizations?
AWS Organizations acts as the central nervous system for managing all the separate accounts. Its core capabilities include:
Organizational Units (OUs): Think of OUs as folders within your directory. Similar accounts are grouped into these folders (e.g., we might have a “Security” folder, or a “North America” folder). Any rule that is set on a folder (OU) automatically applies to every account inside it.
Consolidated Billing: This provides a single bill for all accounts, and benefits like volume discounts, Reserved Instance sharing, and Savings Plans are shared across the organization.
Account Management: It allows accounts to be created programmatically and managed centrally, including being closed or suspended.
How do Service Control Policies differ from IAM policies?
SCPs are the most powerful security tool in Organizations. They are essential “guardrails”.
If SCPs are like Speed Limits, then IAM Policies are like a Driver’s License.
Service Control Policies set the maximum speed limit on the “highway”, as it were, by defining the maximum boundary of what is allowed in an account or OU. They can be attached at the Organization root, OU, or Account level. By design they only restrict: an SCP never grants a permission on its own. SCPs can enforce governance by preventing account closure or by restricting regions for data residency, denying access to all regions except approved ones.
On the other hand, IAM Policies GRANT permissions to users, groups, or roles. However, these permissions cannot exceed what SCPs allow; they operate within the SCP boundary. We might compare them to a “driver’s license”: it grants you the ability to drive (perform actions), but the license is useless if the action you want to take (speeding) is already forbidden by the “speed limit” (the SCP).
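To make the “speed limit vs. driver’s license” rule concrete, here is an added example (not from the post or from AWS) that simulates the two-layer evaluation: an action is permitted only if every SCP in the chain allows it and the IAM identity policy also allows it. The SCP document, the developer IAM policy and the approved-region list are constructed for the example; the evaluator is deliberately simplified (no resource policies or permission boundaries).

```python
"""Simplified simulation of how SCPs bound IAM permissions (added example).
Rule modelled: an action is allowed only if every SCP on the path from the
root to the account permits it (no matching Deny, at least one matching Allow)
AND the IAM identity policy grants it. Real AWS adds more layers, and SCPs
never apply to the management account; this toy ignores both."""
import fnmatch

APPROVED_REGIONS = ["eu-west-1", "us-east-1"]  # constructed allow-list

# Constructed region guardrail SCP: allow everything, then deny any request
# outside the approved regions except for global (region-less) services.
REGION_GUARDRAIL_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "sts:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
]}

# Constructed IAM identity policy for a developer role: EC2 and S3 only.
DEVELOPER_IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, region):
    """True if the statement applies to this action in this region."""
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:  # NotAction: applies to every action NOT listed
        hit = not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    cond = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if cond is not None:  # StringNotEquals: statement applies only outside the list
        hit = hit and region not in _as_list(cond)
    return hit

def evaluate(policy, action, region):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, region)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(action, region, scps, iam_policy):
    """SCPs set the ceiling; IAM must still grant the action inside that ceiling."""
    if any(evaluate(scp, action, region) != "Allow" for scp in scps):
        return False
    return evaluate(iam_policy, action, region) == "Allow"
```

Note the third case in the checks: the SCP exempts `iam:*` from the region deny, yet `iam:CreateUser` is still refused because the IAM policy never granted it, which is exactly why an SCP is a limit and not a license.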
How does AWS Control Tower help organizations scale smart?
Using Control Tower is like buying a pre-built model home instead of custom building one from scratch.
Control Tower can set up foundational OUs and configure key accounts, including a centralized logging account and an audit account. The foundational multi-account environment it sets up based on AWS best practices is called a Landing Zone.
It includes the Account Factory, which is a self-service machine that lets teams quickly request a new account that is instantly built with all the standard organizational rules and settings already baked in.
It uses preventive guardrails (SCPs) and detective guardrails (Config rules that detect non-compliance).
In a multi-account environment, there are dedicated accounts to oversee everything else.
Centralized Logging Account: All CloudTrail logs from every account are sent here for immutability and compliance. Even if a source account is compromised, the logs remain intact in this dedicated, secure location.
Centralized Security Account: This account gives the security team centralized visibility and better threat correlation across accounts. It houses master services like Security Hub (for findings) and GuardDuty Master (for threat detection). The goal of the centralized security account is one place to see all warnings and threats across the entire organization.
How can tagging improve cost visibility and control?
To track costs, a robust financial management strategy relies on Cost Allocation Tags.
Every resource (like a server or storage bucket) must be labeled with mandatory tags such as its CostCenter (which department pays), Environment (Prod/Dev), and Owner (who is responsible).
Organizations can use Tag Policies via AWS Organizations to enforce consistent tagging and define allowed values.
Cost Allocation Reports break down costs by any combination of these tags, enabling detailed chargeback to business units and accurate tracking of cost trends.
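As an added example (not from the post), the following script applies the mandatory-tag rules above the way a tag policy would, then builds a chargeback breakdown by CostCenter and Environment; the allowed values, account IDs and cost line items are constructed for the demonstration.

```python
"""Mandatory-tag validation plus chargeback aggregation (added example).
The tag keys follow the post (CostCenter, Environment, Owner); allowed values,
account IDs and line items below are constructed sample data."""
from collections import defaultdict

# Allowed values, as a tag policy would enforce them (constructed).
# None means any non-empty value is accepted.
TAG_RULES = {
    "CostCenter": {"FIN-100", "ENG-200"},
    "Environment": {"Prod", "Dev"},
    "Owner": None,
}

# Constructed cost line items: (account_id, resource_id, monthly_usd, tags)
LINE_ITEMS = [
    ("111111111111", "i-0a1", 120.0, {"CostCenter": "ENG-200", "Environment": "Prod", "Owner": "alice"}),
    ("111111111111", "i-0b2", 80.0, {"CostCenter": "ENG-200", "Environment": "Dev", "Owner": "bob"}),
    ("222222222222", "bucket-x", 40.0, {"CostCenter": "FIN-100", "Environment": "Prod", "Owner": "carol"}),
    ("222222222222", "i-0c3", 60.0, {"CostCenter": "fin-100", "Environment": "Prod", "Owner": "dave"}),
    ("333333333333", "i-0d4", 200.0, {"Environment": "Prod"}),
]

def tag_violations(tags):
    """Names of mandatory tags that are missing, empty, or carry a value
    outside the allowed set (values are case-sensitive, like real tags)."""
    bad = []
    for key, allowed in TAG_RULES.items():
        value = tags.get(key, "")
        if not value or (allowed is not None and value not in allowed):
            bad.append(key)
    return bad

def chargeback(items, group_by=("CostCenter", "Environment")):
    """Aggregate spend by the chosen tag keys. Resources that fail the tag
    rules cannot be attributed and land in an UNALLOCATED bucket, which is
    the number a finance team should be driving toward zero."""
    totals = defaultdict(float)
    for _account_id, _resource_id, cost, tags in items:
        if tag_violations(tags):
            totals["UNALLOCATED"] += cost
        else:
            totals["/".join(tags[key] for key in group_by)] += cost
    return dict(totals)

def noncompliant_resources(items):
    """(account_id, resource_id, violations) for every resource that fails."""
    return [(acct, rid, tag_violations(tags)) for acct, rid, _cost, tags in items if tag_violations(tags)]
```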
End of Day 1 Topic 1!
I’ll be sharing daily study notes here on Tech Zone with Nana and weekly reflections on my main page — follow along!
