# Management Account

The AWS Organizations management (root) account provides centralized identity, security, and governance for all workload accounts.

## Account Responsibilities

### Organizations Hub
- Organization creation and account enrollment
- Service Control Policies (SCPs) for guardrails
- Consolidated billing aggregation
- Cross-account role assumption authority

### IAM Identity Center (Workforce Identity)
- Workforce SSO via Entra ID federation
- User and group synchronization
- Permission set assignment across accounts
- MFA enforcement and session management

### Central Security
- CloudTrail organization trail (all accounts)
- AWS Config central aggregator
- Security Hub findings aggregation
- Centralized log archive

### Billing and Cost Management
- Consolidated AWS bill
- Cost allocation tags
- AWS Cost Explorer for cross-account analysis
- Budget policies and spending limits

## Resource Configuration

```hcl
# Organizations setup
resource "aws_organizations_organization" "main" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "securityhub.amazonaws.com",
    "sso.amazonaws.com"
  ]
  feature_set = "ALL" # All features including SCPs
}

# IAM Identity Center instance
# Identity Center is enabled once in the console; Terraform only reads the
# existing instance, so this is a data source, not a resource.
data "aws_ssoadmin_instances" "main" {}

# Service Control Policy (guardrail)
# SCPs never apply to the management account itself, only to member accounts,
# and take effect only once attached to a root or OU with
# aws_organizations_policy_attachment.
resource "aws_organizations_policy" "deny_unsupported_regions" {
  name = "deny-unsupported-regions"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Deny"
      Action   = "*"
      Resource = "*"
      Condition = {
        StringNotEquals = {
          # us-east-1 must stay in this list: global services such as IAM and
          # STS evaluate their API calls against that region.
          "aws:RequestedRegion" = ["us-east-1", "us-west-2"]
        }
      }
    }]
  })
}
```
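To make the guardrail's behaviour concrete, the following added example (illustration written for this page, not code from the Terraform module) models the subset of SCP evaluation that this policy relies on: an explicit `Deny` wins over any `Allow`, a `StringNotEquals` condition on `aws:RequestedRegion` matches every region not in the list (including a request with no region at all), and the management account is exempt from SCPs entirely. The `FULL_AWS_ACCESS` policy and the sample requests are constructed for the demonstration.

```python
"""Minimal model of how the region-guardrail SCP above is evaluated.

Added illustration, not part of the Terraform module. It implements only the
policy features this SCP uses (Effect/Action/Condition with StringEquals or
StringNotEquals) plus the SCP-specific rules that matter for guardrails.
"""
import fnmatch

# Same document as the Terraform `content` block, as a Python dict.
DENY_UNSUPPORTED_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:RequestedRegion": ["us-east-1", "us-west-2"]
            }
        },
    }],
}

# Simplified stand-in for FullAWSAccess, the default SCP on every root/OU.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.

    A missing context key does not match StringEquals but does match
    StringNotEquals, which is why a region-less request is still denied.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            in_set = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not in_set:
                return False
            if operator == "StringNotEquals" and in_set:
                return False
    return True


def _statement_applies(stmt, action, context):
    patterns = _as_list(stmt.get("Action", []))
    if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate_scps(policies, action, context, is_management_account=False):
    """Return 'ALLOW' or 'DENY' for `action` under the attached SCPs.

    SCP rules modelled here:
      * SCPs never restrict the management account.
      * An explicit Deny in any attached SCP overrides every Allow.
      * Otherwise some SCP must Allow the action (implicit deny).
    """
    if is_management_account:
        return "ALLOW"
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "DENY"


GUARDRAILS = [FULL_AWS_ACCESS, DENY_UNSUPPORTED_REGIONS]

# Constructed sample requests: (action, request context)
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", {"aws:RequestedRegion": "us-west-2"}),  # ALLOW
    ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),  # DENY
    ("iam:CreateUser", {"aws:RequestedRegion": "us-east-1"}),    # ALLOW
]

if __name__ == "__main__":
    for act, ctx in SAMPLE_REQUESTS:
        print(f"{act:18s} {ctx['aws:RequestedRegion']:10s} -> "
              f"{evaluate_scps(GUARDRAILS, act, ctx)}")
```

The last point the model makes is the one most often missed in practice: a Deny SCP only ever narrows what a member account's IAM policies already allow, so the guardrail is preventive for workload accounts but offers no protection for the management account, which is why that account should carry no workloads and as few human principals as possible.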

## Key Design Decisions

| Decision | Rationale |
|---|---|
| Entra ID Federation | Single workforce identity source across AWS, Azure, and Okta |
| Identity Center (not IAM users) | Temporary credential rotation, MFA, audit trail via CloudTrail |
| Central CloudTrail | All account API calls logged to management account archive |
| SCPs (not IAM policies) | Preventive guardrails that override permission policies |

## Workload Account Access Pattern

1. Operator logs in to the Identity Center start URL
2. Selects the workload account and permission set
3. Receives temporary IAM credentials (15 min default)
4. Assumes the cross-account role in the target account
5. All actions are audit-logged to the central CloudTrail
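The central organization trail is what makes step 5 useful: every Identity Center session appears in member-account events as an `AssumedRole` principal whose ARN ends in `AWSReservedSSO_<PermissionSet>_<suffix>/<user>`, so each API call can be tied back to a workforce user, a permission set and an account. The added example below (written for this page, not part of the project's modules) parses a few constructed CloudTrail records in the trail's normal record shape, attributes each event, and flags any that did not come through Identity Center, which the design decisions above rule out. Account IDs, user names and permission-set names are placeholders.

```python
"""Attribute organization-trail events back to workforce identities.

Added illustration, not part of the page's Terraform. Parses CloudTrail
records and reports user / permission set / account per event, flagging
events whose principal is not an Identity Center session.
"""
import json
import re

# Constructed sample records in CloudTrail's record shape (placeholders).
SAMPLE_RECORDS = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-west-2",
        "recipientAccountId": "222222222222",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": ("arn:aws:sts::222222222222:assumed-role/"
                    "AWSReservedSSO_PowerUser_0123456789abcdef/alice@example.com"),
        },
    },
    {
        # An IAM user with long-lived keys: not an Identity Center session.
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "awsRegion": "us-east-1",
        "recipientAccountId": "333333333333",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::333333333333:user/legacy-deploy",
            "userName": "legacy-deploy",
        },
    },
]})

# Identity Center provisions one role per permission set per account, named
# AWSReservedSSO_<permission set>_<16 hex chars>; the session name is the user.
SSO_SESSION_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]{16}/(?P<user>[^/]+)$"
)


def attribute_event(record):
    """Describe who did what in one record; via_identity_center=False means
    the principal was not an Identity Center session."""
    ident = record["userIdentity"]
    m = SSO_SESSION_RE.match(ident.get("arn", ""))
    service = record["eventSource"].split(".")[0]
    return {
        "time": record["eventTime"],
        "account": record["recipientAccountId"],
        "action": f'{service}:{record["eventName"]}',
        "region": record["awsRegion"],
        "via_identity_center": m is not None,
        "user": m.group("user") if m else ident.get("userName") or ident.get("arn"),
        "permission_set": m.group("permission_set") if m else None,
    }


def findings(records_json):
    """Attribute every record and return (all events, events bypassing SSO)."""
    events = [attribute_event(r) for r in json.loads(records_json)["Records"]]
    bypass = [e for e in events if not e["via_identity_center"]]
    return events, bypass


if __name__ == "__main__":
    all_events, bypassed = findings(SAMPLE_RECORDS)
    for e in all_events:
        print(e)
    print(f"{len(bypassed)} event(s) not attributable to an Identity Center session")
```

Run against real trail files the same logic works unchanged, since the org trail delivers one gzipped JSON object of this shape per batch; the `recipientAccountId` field is what distinguishes member-account activity from the management account's own.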

## Compliance Implications

- APRA CPS 234: Management account owns API audit trail (CloudTrail)
- SOC 2: Centralized security findings (Security Hub) via management account
- PCI DSS: SCPs enforce encryption, MFA, region constraints
- ISO 27001: User onboarding/offboarding via Identity Center lifecycle

## Cost Considerations

- No compute costs (Organizations, CloudTrail, Identity Center are metadata-layer)
- Consolidated billing provides 2-5% EA discounts across accounts
- CloudTrail storage: ~5-10 GB/month per 100 active accounts

## Source Reference

Account configuration: `terraform-aws/accounts/management-account/`

Related modules:

- `modules/sso/` — Identity Center permission sets and group assignments
- `modules/organizations/` — Organization policies and account enrollment