IAM Advanced
Organization
Lets you manage multiple AWS accounts at the same time. There is one main account, the management account; all the other accounts are member accounts.
All billing is sent to the management account. Because usage is aggregated across all services in all member accounts, you get volume pricing benefits, which is nice.
Organizational unit
You start with the Root organizational unit (the outermost OU), which is where your management account lives. Inside the root you can create further organizational units, a bit like subgroups, and those subgroups are where you place member accounts. OUs can be nested within each other.
Benefits
You can enable CloudTrail for all accounts and send the logs to a central logging account's S3 bucket. Central CloudWatch Logs works the same way.
Service control policies (SCPs) are IAM-style policies applied to an OU or an account to restrict what its users and roles can do. They apply to every account except the management account, so even if an SCP denies a certain resource to the management account, the deny has no effect. An SCP can be written as an allow list or a block list: with an allow list you explicitly allow certain actions and everything else is denied; with a block list you allow everything and then deny specific actions.
You apply SCPs at the OU level, and accounts inherit the SCPs of their parent OUs. An explicit deny anywhere in that chain always wins, even if something else authorizes the action: a deny is a NO regardless of whether that specific account has an allow.
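Added example (not from these notes or from AWS): a small model of how the SCP chain is evaluated for an account, with an allow-list SCP on one OU and a block-list SCP on another. The OU names, account IDs and policy documents are constructed assumptions; the rule modelled is that every level from the account up to Root must allow the action and an explicit deny at any level wins.

```python
from fnmatch import fnmatchcase

# Constructed SCP documents (assumptions, not copied from any real organization).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Allow list: explicitly allow a few services; everything else is implicitly denied.
ALLOW_LIST = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
# Block list: allow everything, then deny specific actions.
DENY_LIST = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

# Constructed hierarchy: Root -> OUs -> member accounts. AWS attaches the default
# FullAWSAccess SCP to every new node; that is modelled as FULL_ACCESS on the accounts.
MANAGEMENT_ACCOUNT = "999999999999"
ORG = {
    "Root":         {"parent": None,      "scps": [FULL_ACCESS]},
    "Prod":         {"parent": "Root",    "scps": [DENY_LIST]},
    "Sandbox":      {"parent": "Root",    "scps": [ALLOW_LIST]},
    "111111111111": {"parent": "Prod",    "scps": [FULL_ACCESS]},
    "222222222222": {"parent": "Sandbox", "scps": [FULL_ACCESS]},
}

def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _level_verdict(scps, action):
    """One node: 'deny' if any statement denies, 'allow' if any allows, else 'none'."""
    allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if _matches(statement["Action"], action):
                if statement["Effect"] == "Deny":
                    return "deny"           # explicit deny wins at this level
                allowed = True
    return "allow" if allowed else "none"

def scp_permits(org, account, action, management_account=MANAGEMENT_ACCOUNT):
    """SCP guardrail only: the principal's own IAM policies must still grant the action."""
    if account == management_account:
        return True                         # SCPs never restrict the management account
    node = account
    while node is not None:
        if _level_verdict(org[node]["scps"], action) != "allow":
            return False                    # explicit deny, or no allow at this level
        node = org[node]["parent"]
    return True
```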