Terminology and Concepts
Organization
An organization is a collection of accounts that you can manage centrally and organize into a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy.
Each organization consists of:
- A management account
- Zero or more member accounts
- Zero or more organizational units (OUs)
- Zero or more policies
Root
The root is the topmost container in your organization hierarchy. Under this root you can create organizational units (OUs) to logically group your accounts and organize these OUs into a hierarchy that best matches your needs.
Organizational Unit
An Organizational Unit (OU) is a group of accounts within an organization. An OU can also contain other OUs, enabling you to create a hierarchy. For example, you can group all accounts that belong to the same department into a departmental OU.
Account
An account is a container for your AWS resources. You create and manage your AWS resources in an account, and the account provides administrative capabilities for access and billing.
There are two types of accounts in an organization: a single account that is designated as the management account and one or more member accounts.
Management Account
A management account is the AWS account you use to create your organization. From the management account, you can do the following:
- Create other accounts in your organization.
- Remove accounts from your organization.
The management account is the ultimate owner of the organization, having final control over security, infrastructure, and finance policies. This account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization.
Member Account
A member account is an account, other than the management account, that is part of an organization. If you are an administrator of an organization, you can create member accounts in the organization and invite existing accounts to join the organization. You can also apply policies to member accounts.
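The hierarchy described above can be audited mechanically. The following Python sketch is an added example, not code from the original page or from AWS: it checks a constructed inventory for one root, one management account, and every node resolving to the root. The node ids, the `ORG` layout and the function names `path_to_root` and `audit` are assumptions made for illustration.

```python
# Constructed sample inventory (not real account data): node id -> (type, parent id).
# Types follow the page's terms: ROOT, OU, MANAGEMENT (account), MEMBER (account).
ORG = {
    "r-root": ("ROOT", None),
    "ou-security": ("OU", "r-root"),
    "ou-workloads": ("OU", "r-root"),
    "ou-prod": ("OU", "ou-workloads"),       # an OU nested inside another OU
    "111111111111": ("MANAGEMENT", "r-root"),  # account placed directly in the root
    "222222222222": ("MEMBER", "ou-security"),
    "333333333333": ("MEMBER", "ou-prod"),
}
ACCOUNT_TYPES = {"MANAGEMENT", "MEMBER"}

def path_to_root(org, node_id):
    """Return the ids from node_id up to the root; raise ValueError if the chain is broken."""
    path, current = [], node_id
    while current is not None:
        if current in path:
            raise ValueError(f"cycle at {current}")
        if current not in org:
            raise ValueError(f"unknown parent {current}")
        path.append(current)
        kind, parent = org[current]
        if len(path) > 1 and kind in ACCOUNT_TYPES:
            raise ValueError(f"account {current} used as a container")
        current = parent
    if org[path[-1]][0] != "ROOT":
        raise ValueError("not attached to the root")
    return path

def audit(org):
    """Return a list of findings; an empty list means the structure is consistent."""
    findings = []
    for kind, label in (("ROOT", "root"), ("MANAGEMENT", "management account")):
        count = sum(1 for k, _ in org.values() if k == kind)
        if count != 1:
            findings.append(f"expected 1 {label}, found {count}")
    for node in org:
        try:
            path_to_root(org, node)
        except ValueError as err:
            findings.append(f"{node}: {err}")
    return findings

if __name__ == "__main__":
    print(" <- ".join(path_to_root(ORG, "333333333333")))
    print(audit(ORG) or "no findings")
```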
Policies
A policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts. AWS Organizations supports authorization policies and management policies.