Hacker News
by rukenshia 2556 days ago
I love that AWS is starting to care more about providing these services. For context, we have basically been building this for 2 years in our company internally to provide hundreds of “compliant by default” accounts. Every company seems to do it themselves.

What I personally find very frustrating is the lack of being able to migrate any existing organisations into this. I’d love to get rid of some of our account provisioning but this would basically mean starting over with a brand-new AWS Organization which is impossible for us.

It still is quite a hassle to manage many accounts (and resources you need in them) so I hope this service will sooner or later help us with this.

PS: if anyone is over at re:Inforce and wants to talk about anything AWS Orgs & accounts, feel free to mail me (profile)!

1 comments

I also worked on a team that built something similar, and I've seen it done in other companies. With services like this, and others like Transit Gateway, it's getting a lot easier to manage multiple accounts and VPCs. I haven't tried AWS Control Tower yet, but I am hoping it gives easy visibility into all the accounts in one place. With Amazon accounts, once you assume a role into an account, you can't see other accounts without switching back into them.

This is one area where I think GCP got it right. By using organizations and projects within one account instead of having parent and child accounts, it's quite a bit easier to see what's going on. And a parent account has a very different role from child accounts, so it makes sense to treat them as separate things.