Tags: amazon-web-services, security, aws-organizations

Why is Organizations beneficial?


I want to understand the reasoning behind why AWS Organizations is helpful, and why it is recommended.

Currently my team and I have three different accounts where we build applications: prod, dev, and qa. When we build a new application into one of these accounts, we must first execute a series of CloudFormation templates, one of which includes the IAM policies / roles needed for the new application.

As you can imagine, we will end up having the exact same policies and roles defined in each account. We DO NOT want to have cross-account roles / policies for security purposes.

Now my question is, can AWS Organizations be leveraged so that we define 1 centralized policy that can be used in each account, i.e., the template is there for the policy but it allows for a local copy to be stored in each account? The benefit to this would be that we could make 1 change to the policy and it would replicate that change across the accounts of our choosing. Prod could still be on version #1 of that policy, while dev could be on version #2.

If this is NOT the intended feature of AWS Organizations, then can someone please provide me a use case of the benefit of AWS Organizations?


Solution

  • AWS Organizations does not allow you to set IAM policies at the org level for child AWS accounts to use. It allows you to set up Service Control Policies (SCPs) at org level. SCPs dictate which AWS services/actions a child AWS account may use (SCPs are filters on IAM policies in child accounts, allowing the SCP to override any/all child-level permissions).

    Also see the broader set of features of AWS Organizations.
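To make the "SCPs are filters on IAM policies" point concrete, here is an added example (not part of the answer above, and not AWS's own evaluation engine): a deliberately simplified Python evaluator that models a child account as permitted to perform an action only when the SCP attached to it allows the action and the account-local IAM policy also allows it. The SCP and IAM documents are constructed samples; resources, conditions, NotAction and the case-insensitive action matching of real IAM are intentionally left out so the intersection rule is easy to follow.

```python
import fnmatch
import json

# Constructed sample SCP in the common deny-list style: the org-level Allow on "*"
# lets everything through to the child account's own IAM evaluation, and the Deny
# carves out actions no principal in the account may ever use.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["organizations:LeaveOrganization", "ec2:*"],
     "Resource": "*"}
  ]
}
""")

# Constructed sample identity policy that lives inside the child account.
# Note it grants ec2:DescribeInstances, which the SCP above denies.
SAMPLE_IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "ec2:DescribeInstances"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for "Action"; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """Wildcard match of an action such as "ec2:StopInstances" against "ec2:*" or "*"."""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def policy_decision(policy, action):
    """Evaluate one policy document for one action (assumption: resources and
    conditions ignored). Returns "deny", "allow" or "implicit_deny".
    As in IAM, an explicit Deny wins over any Allow in the same document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _matches(action, stmt.get("Action", [])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def is_permitted(action, scp, iam_policy):
    """A principal in a child account may act only if BOTH the SCP boundary and the
    account-level IAM policy evaluate to an allow. The SCP never grants anything
    on its own; it only narrows what the account's IAM policies can grant."""
    return (policy_decision(scp, action) == "allow"
            and policy_decision(iam_policy, action) == "allow")


def explain(action, scp=SAMPLE_SCP, iam_policy=SAMPLE_IAM_POLICY):
    """Return a one-line explanation of why an action is or is not permitted."""
    return (f"{action}: scp={policy_decision(scp, action)} "
            f"iam={policy_decision(iam_policy, action)} "
            f"-> {'PERMITTED' if is_permitted(action, scp, iam_policy) else 'BLOCKED'}")


if __name__ == "__main__":
    for act in ("s3:GetObject", "ec2:DescribeInstances",
                "s3:PutObject", "organizations:LeaveOrganization"):
        print(explain(act))
```

Running the block shows the three outcomes a practitioner cares about: s3:GetObject passes both layers; ec2:DescribeInstances is blocked even though the child account's IAM policy allows it, because the SCP's Deny overrides it; and s3:PutObject is blocked even though the SCP's Allow on "*" would let it through, because nothing in the account actually grants it. The last case is the answer to the original question: an SCP cannot stand in for the per-account IAM roles and policies, it can only cap them. Two real-world caveats the simplified model leaves out: SCPs do not restrict the organization's management account, and they apply to IAM users and roles in member accounts, not to the service-linked roles AWS services use.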