I'm reading about AWS Identity and Access Management (IAM) and AWS Organizations.

Both of them give us a new account and an applied policy:

  • AWS Organization: Apply policies to accounts.
  • IAM: Enables you to securely control access to AWS services and resources for your users.

Question:

  1. So what are the differences between them?

  2. When should I use one service over the other?

I've read this post, and it just gives me "OUs that can be used in AWS' consolidated billing feature".

Nguyễn Văn Phong

3 Answers

AWS Organizations controls permissions of multiple AWS accounts from a "parent" AWS account. For example, if a company's IT department has an AWS account, and the Finance department has another AWS account, you can do things like limit what services can be used in those accounts, and monitor them for compliance, using AWS Organizations in a "parent" or "root" AWS account.

AWS IAM is used to provide permissions to access the AWS API. You would create IAM accounts within a specific AWS account to provide access to view/create/update/modify resources within that AWS account.

There is more to it when you start getting into cross-account IAM roles and AWS Single Sign-On, etc., but in general AWS Organizations is used to manage multiple AWS accounts, while IAM is used to manage access to resources within a single AWS account.

Mark B
  • Oh thanks for your answer. I'll mark it as an accepted answer. Happy day ^^! – Nguyễn Văn Phong Mar 19 '21 at 04:29
  • Thanks for your answer @MarkB. If the IT department has an AWS account, wouldn't it make sense for them to assign another IAM user called "Finance department" and allocate those resources rather than having a separate AWS account for the finance department? – BenKoshy May 19 '21 at 00:20
  • @BKSpurgeon no, that doesn't work well at all. It's very difficult in that scenario to split the costs up by department on the AWS bill, and it is also very difficult, and sometimes impossible, to separate the permissions of the different IAM users so only the finance user has access to finance AWS resources, etc. Splitting them into separate AWS accounts, under a parent account, solves those problems automatically. – Mark B May 19 '21 at 00:23
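As an added illustration of the layering described in this answer (not code from the answer or from AWS), here is a simplified Python model of how an Organizations service control policy chain and an account-local IAM identity policy combine: the SCPs set a ceiling for the whole member account, and IAM can only grant what sits under that ceiling. The policy documents, the "finance" OU and the department names are constructed for the example; Resource and Condition elements, permission boundaries and resource-based policies are deliberately left out.

```python
import fnmatch

def _decision(policy, action):
    """Evaluate one policy document for one action.

    Returns "Deny" on a matching explicit Deny, "Allow" on a matching
    Allow with no Deny, otherwise "ImplicitDeny". Resource/Condition
    elements are ignored in this simplified model."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(scp_chain, identity_policy, action):
    """scp_chain: the SCP in force at each level from the org root down to
    the account (one policy per level, constructed for this example).
    The action must be allowed at every level (an Allow present, no Deny);
    only then does the account-local IAM policy get to grant it."""
    if any(_decision(scp, action) != "Allow" for scp in scp_chain):
        return False  # Organizations ceiling blocks it, whatever IAM says
    return _decision(identity_policy, action) == "Allow"

# Constructed sample policies (not real account data).
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
FINANCE_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "ec2:*"},  # finance accounts get no compute
]}
FINANCE_ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"]},  # IAM tries to grant EC2
]}

def demo():
    chain = [ROOT_SCP, FINANCE_OU_SCP]
    return {
        "ec2:RunInstances": is_allowed(chain, FINANCE_ADMIN, "ec2:RunInstances"),
        "s3:GetObject": is_allowed(chain, FINANCE_ADMIN, "s3:GetObject"),
        "iam:CreateUser": is_allowed(chain, FINANCE_ADMIN, "iam:CreateUser"),
    }

if __name__ == "__main__":
    for action, ok in demo().items():
        print(f"{action:18} -> {'allowed' if ok else 'denied'}")
```

The EC2 call is denied even though the IAM policy grants it, because the OU-level SCP wins; the IAM call is denied because no IAM statement ever allowed it.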
I'd like to give my own answer. Feel free to correct me if I'm mistaken.

Hopefully, this answer will be helpful to you. Cheers ^^!

Updated

An IAM Group is a way to place certain IAM users with a specific set of policies (permissions) to access certain resources, e.g. EC2, S3, etc. However, AWS Organizations OUs are a way to manage multiple AWS accounts and apply specific policies to the group of accounts. So, these 2 are very different things and they achieve very different results. Some organizations can have 20, 30 or more AWS accounts, so managing them is best when they are placed in Organizational Units (OUs) to simplify management.

  1. The main differences between them are:
  • AWS Organizations: Creates a new AWS account (it looks like you register a new one without providing the credit card, other info, etc.). As a result, you can use AWS' consolidated billing feature.
  • IAM: A user account under an AWS Organization.

Imagine you have an IT company with a root account; AWS Organizations is able to help you manage multiple departments like Development, Tester, etc.

In this way, you can control the cost of each department along with protecting your data for each department separately.

  2. When should I use one service over the other?

You can use both of them according to your needs.

A more detailed description from https://aws.amazon.com/organizations/:

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.

Nguyễn Văn Phong
There is something I feel should be added to complement the other answers.

Even if AWS treats AWS Organizations separately, it is by definition part of the IAM toolset, as it can be used to manage permissions and secure your environments across all your AWS accounts.