AWS Account Management Policy Comparison - AWS Organizations vs IAM Switch Role

Tadashi Shigeoka · Tue, January 26, 2021

I’ll introduce the benefits and drawbacks of AWS Organizations and IAM Switch Role for AWS account management policies.


Background: AWS Organizations vs IAM Switch Role - Which Should You Use?

Depending on the scale of your development project, you might wonder: “Should I use AWS Organizations or IAM Switch Role?” This article summarizes what I learned from SRE experts regarding this question.

AWS Organizations Benefits and Drawbacks

Benefits - AWS Organizations

✅ Centralized permission management

You can centrally manage login users. You can also set which accounts each user can log into and perform fine-grained permission management.

✅ Centralized billing management

✅ Hierarchical AWS management

Think of it as treating AWS accounts the way GCP projects work: grouped under one organization and arranged in a hierarchy.

Drawbacks - AWS Organizations

❌ Complex setup makes design challenging

  • Requires significant development effort
  • Even with multi-account setup, it's not suitable for simple production/staging level separation
  • Designed for large-scale use, so without enough developers to justify centralized user management (e.g., adding the same person's IAM user to 10 AWS accounts in bulk), the cost-performance ratio is poor

IAM Switch Role Benefits and Drawbacks

Benefits - IAM Switch Role

✅ Multi-account setup with minimal effort

By preparing Switch Roles for each account, you can immediately enable multi-account management.

Drawbacks - IAM Switch Role

❌ Need to configure Switch Role for each account

❌ No account-level management

Accounts are not grouped under anything, so billing cannot be consolidated.

❌ Fine-grained permission management seems difficult

Permissions are attached to the role being assumed, so you cannot grant permissions to specific users when using Switch Role: everyone who switches into the same role gets the same permissions.
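To make the Switch Role setup effort and the permission-granularity point concrete, here is an added example (not code from the original post). It generates, for each target account, the trust policy that controls who may assume the role, plus the matching `~/.aws/config` profiles, and lints a trust policy for the two weak patterns a reviewer looks for first. The account IDs, role name, user names and profile names are constructed placeholders; `role_arn`, `source_profile`, `mfa_serial` and the `aws:MultiFactorAuthPresent` condition key are real AWS CLI and IAM identifiers.

```python
"""Per-account pieces of an IAM Switch Role setup (added example, not from the post)."""
import json
import re

# Constructed placeholders: the account that holds the IAM users (the "jump"
# account) and the accounts that users switch into. One role per target
# account is exactly the per-account configuration the drawback refers to.
JUMP_ACCOUNT_ID = "111111111111"
TARGET_ACCOUNTS = {"staging": "222222222222", "production": "333333333333"}
ROLE_NAME = "DeveloperSwitchRole"

# IAM user ARN or account root ARN (root is accepted so the linter can flag it).
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user/[\w+=,.@-]+|root)$")


def trust_policy(allowed_user_arns):
    """Trust policy for the role in a target account.

    The trust policy decides *who* may switch in (listed jump-account users,
    MFA required). It does not decide what they may do afterwards: those
    permissions sit on the role, so every user who assumes it gets the same
    rights. That is the granularity limit the article describes.
    """
    for arn in allowed_user_arns:
        if not ARN_RE.match(arn):
            raise ValueError(f"not an IAM user ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": sorted(allowed_user_arns)},
                "Action": "sts:AssumeRole",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            }
        ],
    }


def cli_profiles(source_profile, mfa_serial):
    """~/.aws/config text: one [profile ...] block per target account."""
    blocks = []
    for name, account_id in TARGET_ACCOUNTS.items():
        blocks.append("\n".join([
            f"[profile {name}]",
            f"role_arn = arn:aws:iam::{account_id}:role/{ROLE_NAME}",
            f"source_profile = {source_profile}",
            f"mfa_serial = {mfa_serial}",
        ]))
    return "\n\n".join(blocks) + "\n"


def trust_policy_findings(policy):
    """Flag an over-broad principal and a missing MFA condition in Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if any(p == "*" or p.endswith(":root") for p in principals):
            findings.append("principal is a whole account or wildcard: "
                            "any IAM identity there can switch in")
        cond = stmt.get("Condition", {}).get("Bool", {})
        if cond.get("aws:MultiFactorAuthPresent") != "true":
            findings.append("no MFA condition on sts:AssumeRole")
    return findings


def main():
    users = [f"arn:aws:iam::{JUMP_ACCOUNT_ID}:user/alice",
             f"arn:aws:iam::{JUMP_ACCOUNT_ID}:user/bob"]
    for name, account_id in TARGET_ACCOUNTS.items():
        policy = trust_policy(users)
        print(f"# trust policy for {ROLE_NAME} in {name} ({account_id})")
        print(json.dumps(policy, indent=2))
        print("findings:", trust_policy_findings(policy) or "none")
    print(cli_profiles("jump", f"arn:aws:iam::{JUMP_ACCOUNT_ID}:mfa/alice"))


if __name__ == "__main__":
    main()
```

Each target account needs its own role and its own profile block, which is why the setup cost grows linearly with the number of accounts even though no central directory is involved.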

That’s all I learned on the ground about AWS account design, management, and operational best practices.
