Last-Minute Revision for the Solutions Architect Professional exam – AWS Organizations (Post 2/7)

Welcome to the second post in our six-part revision series for the AWS Certified Solutions Architect – Professional (SAP-C02) exam.

If networking is the backbone (Post 1), then AWS Organizations is the blueprint for a multi-account structure — enforcing security, compliance, and cost controls across your entire cloud estate. For SAP-C02, you’re expected to understand governance deeply, especially what controls can and cannot do.

Let’s break down the core concepts using a UK-wide enterprise analogy: a Head Office in London, with regional branches in Manchester and Edinburgh.


1. Organisational Units (OUs) & Policy Inheritance

Think of your AWS Organization as a UK holding company.

| Concept | AWS Key Point | UK Corporate Analogy |
|---|---|---|
| Hierarchy | AWS Organizations uses a hierarchy: Root → OU → Account. SCPs attached at any level flow down to all child OUs and accounts. | London HQ defines company-wide rules that automatically apply to the Manchester and Edinburgh offices beneath it. |
| Service Control Policies (SCPs) | SCPs are guardrails, not permissions. They define the maximum permissions that IAM users and roles can have. | Corporate policy caps what departments are allowed to do; individual job contracts (IAM policies) define day-to-day duties within that cap. |
| Effective Permissions | An action is allowed only if it is permitted by every applicable SCP from Root → OU → Account. The most restrictive result always wins. | If HQ bans one service, no regional office can use it — even if local management allows it. |

SAP-C02 Critical Detail: SCPs only apply when the organization has All Features mode enabled.


2. Accounts: Management vs Member

Management Account (HQ Admin)

The management account is special and should be treated accordingly.

  • Primary Use:
    • Billing
    • Creating and organising accounts/OUs
    • Applying organisation-wide policies (SCPs)
  • Best Practice:
    • Do not deploy application workloads here. Keep it clean and locked down.
  • Security Logging Exception:
    • It is best practice to enable AWS CloudTrail and store organisation-level logs in the management account.
    • Member accounts cannot delete or disable organisation trails stored here, protecting audit evidence.

Member Accounts (Regional Branches)

Accounts Created Within the Organization

  • When you create an account via AWS Organizations, AWS automatically creates an IAM role called: OrganizationAccountAccessRole
  • This role lets principals in the management account assume it and obtain administrator access in the member account.

Invited Accounts (Existing AWS Accounts)

  • When you invite an existing AWS account:
    • The management account does NOT automatically get admin access.
    • The OrganizationAccountAccessRole is NOT created automatically.
  • To gain admin access:
    • You must manually create the OrganizationAccountAccessRole in the invited account.
    • The role must trust the management account.

Exam Tip: This distinction between created vs invited accounts comes up frequently in SAP-C02 scenarios.
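As an added example (written for this post, not AWS documentation code), the Python below builds the trust policy that an invited account's OrganizationAccountAccessRole needs, prints the two AWS CLI calls that would create it when run with the invited account's credentials, and includes a check a reviewer can run over an existing trust policy to confirm it trusts the management account and nothing else. The account IDs and the drifted policy are constructed placeholders.

```python
"""OrganizationAccountAccessRole for an invited account: build, create, and audit the trust policy.

Added example for this post, not AWS code. Account IDs are constructed placeholders.
"""
from __future__ import annotations

import json
import re

ROLE_NAME = "OrganizationAccountAccessRole"                       # name Organizations uses for created accounts
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # AWS managed policy
MANAGEMENT_ACCOUNT_ID = "111111111111"                            # constructed placeholder (London HQ)

_ACCOUNT_ID = re.compile(r"^\d{12}$")
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def trust_policy_for(management_account_id: str) -> dict:
    """Trust policy that lets principals in the management account assume the role."""
    if not _ACCOUNT_ID.match(management_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {management_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def cli_commands(management_account_id: str) -> list[str]:
    """The two CLI calls to run with the *invited* account's credentials."""
    doc = json.dumps(trust_policy_for(management_account_id))
    return [
        f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document '{doc}'",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} --policy-arn {ADMIN_POLICY_ARN}",
    ]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _trusted_accounts(principal) -> set[str] | None:
    """Account IDs named by a Principal element; None means a wildcard (anyone)."""
    if principal == "*":
        return None
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    accounts: set[str] = set()
    for entry in entries:
        if entry == "*":
            return None
        match = _IAM_ARN.match(entry)
        accounts.add(match.group(1) if match else entry)  # bare 12-digit ID or unknown form, kept as-is
    return accounts


def check_trust_policy(policy: dict, management_account_id: str) -> list[str]:
    """Findings for a trust policy; an empty list means it trusts exactly the management account."""
    findings: list[str] = []
    trusted: set[str] = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        accounts = _trusted_accounts(stmt.get("Principal", {}))
        if accounts is None:
            findings.append("statement trusts a wildcard principal: any AWS account could assume the role")
            continue
        trusted |= accounts
    if management_account_id not in trusted:
        findings.append(f"management account {management_account_id} is not trusted")
    findings.extend(f"unexpected trusted account {acct}" for acct in sorted(trusted - {management_account_id}))
    return findings


# Constructed "drifted" policy: a second, non-HQ account has been added to the trust.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    for cmd in cli_commands(MANAGEMENT_ACCOUNT_ID):
        print(cmd)
    print(check_trust_policy(trust_policy_for(MANAGEMENT_ACCOUNT_ID), MANAGEMENT_ACCOUNT_ID))  # []
    print(check_trust_policy(DRIFTED_POLICY, MANAGEMENT_ACCOUNT_ID))  # ['unexpected trusted account 222222222222']
```

The check is deliberately strict: a wildcard principal or any account other than HQ is reported, because this role carries AdministratorAccess in the member account and its trust policy is the only thing limiting who can use it.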


IAM Root User & SCPs

  • IAM policies cannot be attached to a root user.
  • SCP behaviour:
    • SCPs do apply to the root user of member accounts.
    • SCPs do NOT apply to the root user of the management account.

This is a common trap. Root users in member accounts are not immune to SCPs.
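To make the evaluation order concrete, here is a small Python model of how the hierarchy table in section 1 and the root-user rules above combine for a single API action. It is an added example written for this post, not AWS code: the SCPs, the OU name and the IAM policy are constructed samples, and it matches only on the Action element (real SCPs also evaluate Resource and Condition). It follows the checklist's reading that SCPs do not affect the management account at all, and it treats a root user as needing no IAM policy.

```python
"""Model of SCP + IAM evaluation for one action. Added example for this post, not AWS code.

Simplifications: only the Action element is matched (Resource and Condition are ignored),
and SCPs are skipped for any principal in the management account.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample policies (not from the page).
FULL_AWS_ACCESS = {  # the default SCP every root, OU and account starts with
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PROTECT_AUDIT_TRAIL = {  # London HQ (Root): nobody may stop or delete CloudTrail trails
    "Statement": [{"Effect": "Deny",
                   "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                   "Resource": "*"}],
}
NO_DYNAMODB = {  # Manchester OU bans one service
    "Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}],
}
DEVELOPER_POLICY = {  # IAM identity policy in the member account (the "job contract")
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "dynamodb:*"], "Resource": "*"}],
}

# SCP levels in inheritance order: Root -> OU -> Account.
SCP_LEVELS = [
    ("Root", [FULL_AWS_ACCESS, PROTECT_AUDIT_TRAIL]),
    ("OU:Manchester", [FULL_AWS_ACCESS, NO_DYNAMODB]),
    ("Account", [FULL_AWS_ACCESS]),
]


@dataclass(frozen=True)
class Principal:
    is_root: bool                # the account's root user
    is_management_account: bool  # principal lives in the management account


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _statements(policies) -> list[dict]:
    return [s for p in policies for s in _as_list(p.get("Statement", []))]


def policies_allow(policies, action: str) -> bool:
    """Evaluate policies attached at one level together: explicit Deny wins, else an Allow must match."""
    allowed = False
    for stmt in _statements(policies):
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed  # no matching Allow means implicit deny


def effective_decision(action: str, scp_levels, iam_policies, principal: Principal) -> tuple[bool, str]:
    """Allowed only if every SCP level permits the action AND IAM grants it (root needs no IAM grant)."""
    if principal.is_management_account:
        scp_note = "SCPs do not apply in the management account"
    else:
        for level_name, scps in scp_levels:  # most restrictive level wins
            if not policies_allow(scps, action):
                return False, f"blocked by SCP at {level_name}"
        scp_note = "permitted by every SCP level"
    if principal.is_root:
        return True, f"{scp_note}; root user needs no IAM policy"
    if policies_allow(iam_policies, action):
        return True, f"{scp_note}; granted by IAM"
    return False, f"{scp_note}; not granted by IAM"  # SCPs never grant, they only cap


if __name__ == "__main__":
    developer = Principal(is_root=False, is_management_account=False)
    member_root = Principal(is_root=True, is_management_account=False)
    hq_root = Principal(is_root=True, is_management_account=True)
    cases = [("s3:GetObject", developer), ("dynamodb:PutItem", developer),
             ("ec2:RunInstances", developer), ("cloudtrail:StopLogging", member_root),
             ("cloudtrail:StopLogging", hq_root)]
    for action, who in cases:
        print(action, who, effective_decision(action, SCP_LEVELS, [DEVELOPER_POLICY], who))
```

The five cases cover the exam traps in order: an action allowed everywhere, one blocked by the OU's SCP even though IAM grants it, one the SCPs permit but IAM never granted, a member-account root user stopped by the Root-level SCP, and the management-account root user, who is outside SCP scope.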

Organization Feature Modes

| Feature Mode | What You Get | SCP Support | SAP-C02 Relevance |
|---|---|---|---|
| Consolidated Billing (Legacy) | Centralised billing only | ❌ SCPs NOT supported | Know this mode exists — and its limitations |
| All Features | Full governance: SCPs, tag policies, backup policies, RAM integration | ✅ SCPs supported | This is what the exam assumes unless stated otherwise |

3. Governance & Management Tools

Large organisations don’t manage accounts manually — they automate.

| AWS Service | Function (SAP-C02 Focus) | Analogy |
|---|---|---|
| AWS Control Tower | Automates creation of a secure multi-account environment using AWS best practices. Applies preventive and detective guardrails to reduce configuration drift. | Automatically setting up a compliant Edinburgh branch that already follows London HQ's governance standards. |
| AWS RAM (Resource Access Manager) | Securely shares AWS resources (e.g. Transit Gateways, subnets) across accounts or OUs. | Sharing a single high-speed network link from London HQ with Manchester, instead of building a new one. |
| CloudFormation StackSets | Deploys the same CloudFormation stack across multiple accounts and regions from a single operation. | Rolling out standard IAM roles or security tooling to every UK office in one go. |

Important Clarification:
AWS Control Tower does not automatically create IAM users or grant permissions inside member accounts. It governs the environment, not day-to-day access.


Quick Revision Checklist

  • Management Account:
    • Governance and billing in
    • Application workloads out
  • SCPs:
    • Define maximum permissions
    • Do not grant access
    • Apply to member account root users
    • Do not affect the management account
  • Invited Accounts:
    • Must manually create OrganizationAccountAccessRole
  • AWS RAM:
    • Used for sharing central resources like Transit Gateways and subnets

A solid grasp of AWS Organizations is foundational for solving multi-account, enterprise-scale scenarios in the SAP-C02 exam.

In the next post, we’ll move on to Data Storage and Database Solutions — where cost, performance, and durability trade-offs really start to bite.


References

Catch up on the series:

  1. Last-Minute Revision for the Solutions Architect – Professional exam – Introduction
  2. AWS Organisations – this post
  3. Policies and Encryptions
  4. Data Storage
  5. Networking
  6. Serverless
  7. Final

I would like to hear your thoughts