Getting started with AWS Organizations

AWS Organizations can be set up using either the AWS Management Console or the AWS CLI. In this section, we will walk through the simple steps needed to get started with your own organization in a matter of minutes:

  1. From the AWS Management Console, locate AWS Organizations using the Filter option, or alternatively navigate to this URL: https://console.aws.amazon.com/organizations/.
  2. Since this is the first time we are setting up an AWS Organization here, this particular account will now be transformed into the master account. Any other AWS account added to or created under this master account is termed a member account. Click on Create organization to get started.
  3. At the time of creating an organization, you can opt to select either Enable all features or Enable only Consolidated Billing based on your requirements. For this scenario, select Enable all features and click on Create organization once completed.
  4. With the organization created, you should see your existing account listed on the accounts page as shown in the following screenshot. Select the Add account option to add a new AWS account to our organization:
  5. As mentioned before, AWS Organizations allows you to add existing AWS accounts into a new organization as well as create new accounts as a part of your master account itself. For this particular scenario, let us go ahead and create a new account called sandbox. Select the Create account option on the Add account page.
  6. Provide a suitable name and email address for your new account in the Full name and Email fields respectively. The email that you provide has to be globally unique, so provide an email address that has not been used with AWS so far.
  7. Next, in the IAM role name field, provide a suitable role name for your account. This role will enable you to access the new member account when signed in as an IAM user in the master account. Once completed, click on Create to complete the process.

Here is a snippet of the policy attached to the IAM role that AWS creates. The role grants full access to all AWS services and resources present in the new account:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": "*", 
            "Resource": "*" 
        } 
    ] 
}

The account creation process takes a few minutes to complete. Once done, you should see a new account named Sandbox, along with its new Account ID, on the Accounts page of AWS Organizations. Select the sandbox account to view its associated ARN and ID in the adjoining pane.

With your account created, the next step involves creation of one or more OUs and moving the newly created account into an OU. For this particular scenario, let us go ahead and create an OU called Sandbox:

  1. Select the Organize accounts tab from the AWS Organizations dashboard to view the current hierarchical setup of the organization. From the Organizational Units section, select the + New Organization Unit option to get started.
  2. In the Create organizational unit dialog box, provide a suitable name for the new OU in the Name of organization unit field as shown in the following screenshot. Click on Create organizational unit once done:
  3. With the OU created, the final step in the process is to move the account into the newly created OU. To do so, from the same Organize accounts page, select the Sandbox account and click on Move.
  4. This will bring up a simple interface in which you select the new OU to which you want to move the Sandbox account. Select the Sandbox OU and click on Move to complete the process.

With this step, you should have a new OU and a new account listed within it. You can use the same steps to create multiple OUs and accounts based on your requirements. You can additionally restrict which services can be used in the new account by creating a new SCP and attaching it to the account:

  1. To create a new SCP, select the Policies tab on the AWS Organizations dashboard. You should see a default policy with the name FullAWSAccess already present there. This is a default policy that AWS creates the first time you create an AWS Organization. The Sandbox account is currently attached to this same policy.
  2. To create a new SCP, select the Create policy option. AWS Organizations provides you with two options when it comes to creating new SCPs. You can choose to use the Policy generator to select specific services and actions from a list and build your custom policy, or alternatively choose to Copy an existing SCP and edit it manually. For this case, select the Policy generator option.
  3. Next, provide a Policy name and Description, followed by selecting the Effect the policy should have on the AWS account it is applied to.

AWS Organizations allows you to either whitelist (allow) or blacklist (deny) services based on your requirements. A blacklist policy blocks the services listed in it, whereas a whitelist policy blocks every service API that is not listed in it. Let us go ahead and create a simple policy for our sandbox OU that allows the EC2, S3, and RDS services while explicitly blocking AWS CloudTrail.

  4. In the Choose Overall Effect section, select Allow to first create the whitelist of services. Use the Statement builder to select the correct service and its appropriate actions. Once done, click on Add statement to add further services and actions as shown in the following screenshot:
  5. Once you are done adding the required statements, simply select the Create policy option to complete the process.
  6. With the policy created, you can attach it to an existing account, OU, or even the root by selecting the policy from the Policies page and choosing the root, accounts, or organizational units option as required. However, before you proceed further, you will first need to enable the SCP policy type for your organization's root. To do so, select the Root option from the Organize accounts tab. In the adjoining details pane, select Enable next to the Service control policies section.
  7. With this completed, you can now proceed with attaching the newly created policy to an entity within your organization. Remember, by attaching the policy to the root, you effectively propagate the policy down to all of its members as well. This includes any sub-OUs and accounts that you may have created. For this particular case, however, select the Accounts option and click the Attach option below the listed Sandbox account.
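To make the allow/deny semantics and the root-to-account inheritance described above concrete, here is a small Python model of SCP evaluation. It is an added example, not code from the book or from AWS; the policy documents, function names and action names are constructed, and the model ignores NotAction, Condition and Resource matching, which real SCP evaluation does take into account.

```python
import fnmatch
from typing import Dict, List

# Constructed policy documents modelled on this chapter's examples (not AWS output).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SANDBOX_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"}]}

def _actions(stmt: dict) -> List[str]:
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def statement_matches(stmt: dict, action: str) -> bool:
    """Case-insensitive wildcard match of an API action against a statement's Action list."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt))

def level_allows(policies: List[dict], action: str) -> bool:
    """One level (root, OU or account) permits an action only if at least one attached
    SCP has a matching Allow and no attached SCP has a matching Deny."""
    stmts = [s for p in policies for s in p["Statement"]]
    allowed = any(s["Effect"] == "Allow" and statement_matches(s, action) for s in stmts)
    denied = any(s["Effect"] == "Deny" and statement_matches(s, action) for s in stmts)
    return allowed and not denied

def scp_permits(path: List[List[dict]], action: str) -> bool:
    """`path` holds the SCPs attached at each level from the root down to the account.
    The action survives only if every level permits it. SCPs never grant access on
    their own; the principal still needs an IAM policy that allows the action."""
    return all(level_allows(level, action) for level in path)

def sandbox_examples() -> Dict[str, Dict[str, bool]]:
    """Compare leaving FullAWSAccess attached beside the allow-list with detaching it."""
    actions = ("ec2:RunInstances", "cloudtrail:StopLogging", "iam:CreateUser")
    # Allow-list attached to the Sandbox OU, but FullAWSAccess still attached there too.
    lax = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, SANDBOX_SCP], [FULL_AWS_ACCESS]]
    # FullAWSAccess detached from the OU, so only the allow-list remains at that level.
    strict = [[FULL_AWS_ACCESS], [SANDBOX_SCP], [FULL_AWS_ACCESS]]
    return {"fullaccess_left_on_ou": {a: scp_permits(lax, a) for a in actions},
            "fullaccess_detached": {a: scp_permits(strict, a) for a in actions}}
```

The comparison shows why an allow-list SCP only takes effect once the default FullAWSAccess policy is detached from the same level, while the explicit CloudTrail deny works either way.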

There you have it! That is a simple way to create and manage your AWS accounts with utmost ease. Next, we will look at how you can achieve the same results by leveraging the AWS CLI.

Creating and managing AWS accounts, OUs, and SCPs using the CLI has its own advantages. For example, you can easily automate the entire account creation process, making it faster and easier to on-board new teams within your organization:

  1. The first step in this exercise is to create the organization and set it to use all features, just as we did with the AWS Management Console. To do so, type in the following command:
# aws organizations create-organization --feature-set ALL
However, this command returns an error if your AWS account is already associated with an organization.

You can alternatively pass the CONSOLIDATED_BILLING value for the --feature-set parameter depending on your organization's requirements.
  2. With the organization in place, let us go ahead and create an AWS account for our organization. Before we do that, we need to execute one command that provides us with the ID of the organization's root. The ID will be in the form r-<XY00>. Make a note of it for later steps:
# aws organizations list-roots
  3. With the root ID noted, type in the following command to create a new account. In this case, we are going to create a new account with the name prod. Remember to substitute the <EMAIL_ID> field with a globally unique value:
# aws organizations create-account \
    --email <EMAIL_ID> \
    --account-name prod

Here is a snapshot of the command's output. Make a note of the new account's create-account request ID, in the format car-<UNIQUE_ID>, as shown in the following screenshot:

  4. You can use this request ID to check whether the account creation has completed successfully by typing in the following command. Replace car-<UNIQUE_ID> with the value copied in the earlier step:
# aws organizations describe-create-account-status \
    --create-account-request-id car-<UNIQUE_ID>
You can view the newly created account's ID by using the following command:
# aws organizations list-accounts
  5. Once the new account is created, we can proceed to create a new OU and move the account over to it. In this case, we are naming the new OU production. Substitute the value of r-<XY00> with the root ID that we noted in our earlier steps:
# aws organizations create-organizational-unit \
    --parent-id r-<XY00> \
    --name production

The output of this command yields two important values: the first is the ARN of the new OU and the second is the OU's ID, which is in the form ou-<XY00>-<UNIQUE_ID>. Make a note of it for the next steps.

  6. Now that the account and OU are created, we simply have to move the account into the new OU. To do so, type in the following command, substituting the correct values for the account ID, the root ID (source parent), and the OU ID (destination parent):
# aws organizations move-account \
    --account-id <NEW_ACCOUNT_ID> \
    --source-parent-id r-<XY00> \
    --destination-parent-id ou-<XY00>-<UNIQUE_ID>

That's it! You have just created a brand new AWS account and moved it into a new OU with a few simple commands! However, you can take things a bit further by creating a new SCP and attaching it to the newly created OU. Let us assume for a moment that only certain AWS services should be allowed to run as part of the production environment in the OU we just created. To do so, we first need to create a new SCP as shown in the following code block:

{ 
  "Version": "2012-10-17", 
  "Statement": [{ 
    "Effect": "Allow", 
    "Action": [ 
      "ec2:*", 
      "rds:*", 
      "dynamodb:*" 
    ], 
    "Resource": "*" 
  }] 
} 

In this case, the SCP whitelists EC2, RDS, and DynamoDB; feel free to modify it to suit your own requirements:

  7. Paste the SCP into a new file named policy.json and save it. Next, type in the following command to create the policy:
# aws organizations create-policy \
    --content file://policy.json \
    --name AllowProductionServices \
    --type SERVICE_CONTROL_POLICY \
    --description "This policy allows only certain production services"
  8. With the policy created, you should receive a policy ID in the form p-<UNIQUE_ID>. Make a note of it. Next, use the following command to attach the newly created policy to our OU:
# aws organizations attach-policy \
    --policy-id p-<UNIQUE_ID> \
    --target-id ou-<XY00>-<UNIQUE_ID>

That's it! You have just successfully attached a new policy to your OU. You can use the same syntax to attach the policy directly to each individual account as well.
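The CLI sequence above is exactly the kind of thing worth scripting for on-boarding new teams. The following is an added example, not code from the book, that runs the same steps through boto3, the Python SDK behind the AWS CLI: it creates the account, polls the create-account request until it succeeds or fails, creates the OU, moves the account, and creates and attaches the SCP. The boto3 method and response-field names are the real Organizations API; the function names, the client parameter (`org`, injected so the logic can be exercised without an AWS connection) and the <EMAIL_ID> placeholder are my own.

```python
import json
import time

# Constructed from this chapter's SCP; account ids and emails come from the caller.
PRODUCTION_SCP = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "rds:*", "dynamodb:*"], "Resource": "*"}]})

def wait_for_account(org, request_id: str, poll_seconds: float = 5.0, attempts: int = 60) -> str:
    """Poll describe-create-account-status until SUCCEEDED and return the new account id.
    Raises on FAILED (FailureReason such as EMAIL_ALREADY_EXISTS) or after `attempts` polls."""
    state = "IN_PROGRESS"
    for _ in range(attempts):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"request {request_id} still {state} after {attempts} polls")

def onboard_account(org, email: str, account_name: str, ou_name: str,
                    policy_name: str, poll_seconds: float = 5.0) -> dict:
    """Same sequence as the CLI steps: create the account, wait for it, create the OU,
    move the account, create the SCP and attach it to the OU. `org` is a boto3
    Organizations client (or any object exposing the same methods)."""
    root_id = org.list_roots()["Roots"][0]["Id"]  # r-<XY00>
    request = org.create_account(Email=email, AccountName=account_name)
    account_id = wait_for_account(org, request["CreateAccountStatus"]["Id"], poll_seconds)
    ou = org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou["Id"])
    policy = org.create_policy(Content=PRODUCTION_SCP, Name=policy_name,
                               Description="This policy allows only certain production services",
                               Type="SERVICE_CONTROL_POLICY")["Policy"]["PolicySummary"]
    org.attach_policy(PolicyId=policy["Id"], TargetId=ou["Id"])
    return {"root_id": root_id, "account_id": account_id, "ou_id": ou["Id"], "policy_id": policy["Id"]}

if __name__ == "__main__":  # run against a real organization with master-account credentials
    import boto3
    print(onboard_account(boto3.client("organizations"), "<EMAIL_ID>", "prod",
                          "production", "AllowProductionServices"))
```

Remember that the SCP only takes effect once the SCP policy type is enabled on the root and, for a true allow-list, once FullAWSAccess has been detached from the target OU.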
