Cloud/ AWS / AWS Certified Solutions Architect โ€” Professional (SAP-C02) / SAP-C02 Multi-Account Strategy: Organizations, Control Tower & SCPs

AWS Amazon Web Services Professional Step 1 of 5 106 guides ยท updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 1 โ€” Multi-Account Strategy

If you passed the Associate exam, you already know how to secure a single account: IAM policies, MFA, maybe a bucket policy or two. The Professional exam throws that mental model out and replaces it with a harder question โ€” how do you run governance, networking, and security consistently across fifty accounts instead of one? This step is about that shift in altitude. Nothing here is a new service exactly; itโ€™s the same primitives applied at a scale where manual processes collapse.


Why a Single Account Stops Working

A single AWS account is a blast radius. Put your production database, your dev sandbox, and your data science teamโ€™s experimental Lambda functions in the same account, and a misconfigured IAM policy in one workload can expose another. Enterprises separate accounts along a few common boundaries: environment (prod/staging/dev), business unit, compliance scope (PCI, HIPAA), and blast-radius isolation for anything customer-facing versus internal.

The problem multi-account strategy actually solves isnโ€™t technical isolation โ€” you could get some of that with VPCs and IAM inside one account. Itโ€™s billing isolation, policy isolation, and API rate-limit isolation. A runaway Lambda in one account canโ€™t exhaust another accountโ€™s service quotas. A compromised credential in the marketing account canโ€™t touch the payments account. Thatโ€™s the entire argument, and the exam expects you to reason from it rather than recite it.


AWS Organizations and the Account Hierarchy

AWS Organizations is the root construct. It gives you a management account (never run workloads here โ€” this is a lesson every organization learns the hard way, usually after an audit) and an organizational unit (OU) tree beneath it.

Management Account (billing + org policies only)
โ”‚
โ”œโ”€โ”€ OU: Security
โ”‚ โ”œโ”€โ”€ Log Archive Account
โ”‚ โ””โ”€โ”€ Audit / Security Tooling Account
โ”‚
โ”œโ”€โ”€ OU: Infrastructure
โ”‚ โ”œโ”€โ”€ Network Account (Transit Gateway, Direct Connect)
โ”‚ โ””โ”€โ”€ Shared Services Account (AD, CI/CD tooling)
โ”‚
โ”œโ”€โ”€ OU: Workloads
โ”‚ โ”œโ”€โ”€ OU: Production
โ”‚ โ”‚ โ”œโ”€โ”€ Payments-Prod
โ”‚ โ”‚ โ””โ”€โ”€ Catalog-Prod
โ”‚ โ””โ”€โ”€ OU: Non-Production
โ”‚ โ”œโ”€โ”€ Payments-Dev
โ”‚ โ””โ”€โ”€ Catalog-Dev
โ”‚
โ””โ”€โ”€ OU: Sandbox
โ””โ”€โ”€ Individual dev sandbox accounts (auto-expiring)

Notice the pattern: OUs mirror how you want to apply policy, not how your org chart looks. If Payments-Prod and Catalog-Prod need identical SCPs, they belong in the same OU regardless of which team owns them. Getting this backwards โ€” modeling OUs after team structure โ€” is the single most common real-world (and exam) mistake.


Control Tower: Landing Zones Without the Manual Toil

AWS Control Tower automates what used to be a bespoke โ€œlanding zoneโ€ build: it stands up the Organizations structure, the Log Archive and Audit accounts, baseline SCPs called guardrails, and an Account Factory for provisioning new accounts in minutes rather than weeks.

Guardrails come in two flavors, and the exam loves testing which is which:

Guardrail TypeMechanismExampleCan be bypassed?
PreventiveImplemented as an SCPDeny disabling CloudTrailNo โ€” enforced at the API level
DetectiveImplemented as an AWS Config ruleAlert if S3 bucket becomes publicYes โ€” it flags after the fact, doesnโ€™t block

A subtlety worth internalizing: Control Tower does not replace AWS Organizations, it sits on top of it and manages it declaratively. If your organization already has a hand-rolled multi-account setup, Control Tower can adopt existing OUs and accounts through enrollment, but the exam will test whether you know some legacy configurations (custom SCPs that conflict with mandatory guardrails) need to be reconciled first.

Account Factory for Terraform (AFT) extends this further for teams that want infrastructure-as-code account provisioning rather than the built-in console-based Account Factory โ€” expect this to appear as the answer when a question specifies a customer already standardized on Terraform.


Service Control Policies: The Permission Ceiling

SCPs are the single most misunderstood concept coming from the Associate exam, because Associate-level IAM never needed to discuss ceilings โ€” only grants. An SCP attached to an OU does not grant any permission. It defines the maximum permissions available to every account beneath it, including the management accountโ€™s own IAM policies layered on top.

Effective Permission = SCP allows it AND Identity policy allows it
(ceiling) (grant)

If the ceiling says no, no identity policy in that account โ€” not even one written for the root user of the account โ€” can grant it back. This trips people up because they assume โ€œroot user can do anything.โ€ Root can do anything the SCP ceiling permits, full stop.

Common SCP patterns tested on the exam:

One frequent exam trap: SCPs never affect the management account. If you need a guardrail to apply everywhere including the management account, you must design compensating controls (IAM permission boundaries, resource policies) because SCPs simply donโ€™t reach that account.


Multi-Account Networking: Transit Gateway and RAM

Once you have dozens of accounts, each with its own VPCs, you need them to talk to each other and to on-premises without building a mesh of VPC peering connections that becomes unmanageable past a handful of VPCs (peering doesnโ€™t transit, so a full mesh of N VPCs needs N(N-1)/2 connections).

Transit Gateway (TGW) is the hub-and-spoke answer:

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Transit Gateway โ”‚
โ”‚ (Network Account) โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ โ”‚ โ”‚ โ”‚ โ”‚
โ”Œโ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”โ”Œโ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”โ”Œโ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ” โ”Œโ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”
โ”‚ VPC-A โ”‚ โ”‚ VPC-B โ”‚โ”‚ VPC-C โ”‚โ”‚ VPC-D โ”‚ โ”‚ Direct โ”‚
โ”‚ (Prod) โ”‚ โ”‚ (Dev) โ”‚โ”‚(Shared)โ”‚โ”‚(Sandboxโ”‚ โ”‚ Connect โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ (on-prem)โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

TGW route tables let you segment traffic โ€” production VPCs might only route to the Shared Services VPC and Direct Connect, never directly to Sandbox, even though they all attach to the same gateway. This is the multi-account equivalent of subnetting: the physical hub is shared, but logical reachability is controlled per route table association.

Resource Access Manager (RAM) is what makes this cross-account without duplicating infrastructure. You create the Transit Gateway once, in the Network account, and share the attachment permission via RAM to every other account in the Organization. Those accounts then attach their own VPCs to a TGW they donโ€™t own and never had to have created for them individually. RAM also shares subnets (VPC sharing), License Manager configurations, and Route 53 Resolver rules โ€” any exam question about โ€œavoid duplicating this resource in every accountโ€ should make you think RAM first.

For global footprints, TGW peering (now inter-Region peering) connects Transit Gateways across Regions, and this is how a โ€œmulti-Region, multi-accountโ€ network gets built without Direct Connect or VPN in every Region pair.


Centralized Logging and Security Baseline

A landing zone isnโ€™t complete without a place where security signal actually lands. The standard pattern centralizes three things into the Security OUโ€™s dedicated accounts:

The delegated administrator pattern deserves attention: rather than every account independently enabling GuardDuty and nobody actually reading the findings, you designate one account (usually in the Security OU) as the GuardDuty/Security Hub administrator. Every member accountโ€™s findings automatically flow there. This is how a security team of five people monitors an organization of three hundred accounts without opening three hundred consoles.

An organization-wide CloudTrail trail, once created from the management account with the โ€œapply to organizationโ€ flag, cannot be turned off or modified by member accounts โ€” this pairs directly with the โ€œdeny disabling CloudTrailโ€ SCP guardrail mentioned earlier, giving you both a policy-level and a technical-level lock on audit continuity.


Exam Focus: What Questions Test From This Step