Organizations, OUs, and SCP Strategy
Structure accounts and choose allow-list or deny-list SCPs.
Governing Many Accounts
AWS Organizations lets you centrally manage many AWS accounts as one structure. Within it, Service Control Policies (SCPs) set permission ceilings, and Organizational Units (OUs) group accounts for policy targeting. Designing this hierarchy well is a core skill for the SCS-C02 exam's governance domain.
The Organization Structure
An organization has a management account (formerly master) at the top, a root container, and OUs that can nest to group member accounts. Policies attached at any level flow down to everything beneath. This tree lets you apply controls broadly or narrowly with one attachment.
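The following sketch is an added example, not part of the course material. It models how SCPs attached at the root, an OU, and an account combine into one permission ceiling, with a deny-list OU (`Workloads`) beside an allow-list OU (`Sandbox`). All node names and statements are constructed, and the model ignores resources and conditions.

```python
from fnmatch import fnmatchcase

# Constructed hierarchy: node -> (parent, attached SCP statements).
# Each statement is (effect, action pattern). All names are hypothetical.
TREE = {
    "Root":        (None,        [("Allow", "*")]),
    # Deny-list style: allow everything, then carve out specific actions.
    "Workloads":   ("Root",      [("Allow", "*"), ("Deny", "cloudtrail:StopLogging")]),
    # Allow-list style: only the listed services pass through this OU.
    "Sandbox":     ("Root",      [("Allow", "s3:*"), ("Allow", "ec2:*")]),
    "prod-app":    ("Workloads", [("Allow", "*")]),
    "dev-scratch": ("Sandbox",   [("Allow", "*")]),
    "management":  ("Root",      []),
}
MANAGEMENT_ACCOUNT = "management"  # SCPs do not restrict the management account


def matches(action, pattern):
    """Case-insensitive wildcard match of an action against a pattern."""
    return fnmatchcase(action.lower(), pattern.lower())


def path_to_root(node):
    """Return the chain [node, parent, ..., Root]."""
    chain = []
    while node is not None:
        chain.append(node)
        node = TREE[node][0]
    return chain


def scp_permits(account, action):
    """True if the SCP ceiling leaves `action` available to `account`.

    An explicit Deny at any level blocks the action; otherwise every level
    on the path needs a matching Allow. This models only the ceiling: an
    IAM policy in the account must still grant the action.
    """
    if account == MANAGEMENT_ACCOUNT:
        return True
    for node in path_to_root(account):
        statements = TREE[node][1]
        if any(e == "Deny" and matches(action, p) for e, p in statements):
            return False
        if not any(e == "Allow" and matches(action, p) for e, p in statements):
            return False
    return True
```

The `Allow *` attached directly to `dev-scratch` does not widen what `Sandbox` permits, because every level on the path has to allow the action.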