Organizational Structure
An effective AWS Organizational structure is essential for managing security, governance, and resources at scale. The Nuvibit Terraform Collection (NTC) provides a strategic approach to organizing your AWS accounts through well-defined Organizational Units (OUs).
What is AWS Organizations?
AWS Organizations is a service that enables you to centrally manage and govern multiple AWS accounts as a single unit. It provides a hierarchical structure for organizing accounts, applying consistent policies, and simplifying billing.
Key features of AWS Organizations include:
- Consolidated Billing: Combine usage across all accounts for volume pricing discounts and simplified payments
- Hierarchical Management: Group accounts into Organizational Units (OUs) for easier administration
- Policy-Based Control: Apply Service Control Policies (SCPs) and Resource Control Policies (RCPs) to enforce security, compliance, and resource standards
- Centralized Services: Enable AWS services across multiple accounts from a central location
- Automated Account Management: Programmatically create and manage AWS accounts
AWS Organizations helps enterprises implement a multi-account strategy, which is a recommended best practice for isolating workloads, managing permissions at scale, and enforcing separation of duties.
What are Organizational Units (OUs)?
Organizational Units (OUs) are containers for AWS accounts within your AWS Organization. They allow you to:
- Organize accounts logically based on business function, environment, or compliance requirements
- Manage security permissions at scale by applying Service Control Policies (SCPs) to groups of accounts
- Establish consistent resource governance with Resource Control Policies (RCPs) that apply to all accounts in the OU
NTC Recommended OU Structure
At Nuvibit we recommend the following hierarchical OU structure to maximize security and operational efficiency:
This structure is designed based on Nuvibit's experience implementing AWS Organizations for enterprises with diverse needs and compliance requirements.
Management Account
The Management Account is placed directly under the root and serves as the central administrative account for your AWS Organization:
- The account that created the organization
- Controls the organization structure and policies
- Should be used only for organizational management tasks
Core OU
The Core OU contains foundational accounts that provide centralized services and management for your entire organization:
- Connectivity Account: Transit gateways, DNS management, and central networking components
- Security Account: Centralized security monitoring, logging, and compliance services
- Log Archive Account: Central storage for logs and audit information from all accounts
- Monitoring Account: Centralized operational monitoring, observability, dashboards, and alarms
- Backup Account: Centralized data protection for backup management and isolated backup storage
Workloads OU
The Workloads OU contains your application and business function accounts, organized by environment to match your Software Development Lifecycle (SDLC) processes:
- Prod OU: Contains accounts running production workloads
- Dev OU: Contains accounts for development environments
- Test OU: Contains accounts for testing and QA environments (optional; recommended depending on your SDLC processes)
This structure allows you to apply consistent policies across all workload accounts while differentiating between production and non-production environments.
Sandbox OU
The Sandbox OU contains accounts for experimentation and learning. These accounts typically have:
- More permissive policies than production
- Limited connectivity to other organizational resources
- Stricter budget controls to prevent unexpected costs
Suspended OU
The Suspended OU is used for accounts that have been closed through the AWS account closure process. Keeping closed accounts in this OU lets you:
- Maintain organizational control over closed accounts
- Apply restrictive policies to prevent activity in these accounts
- Preserve any needed information for compliance or reference purposes
Transitional OU
The Transitional OU serves as a temporary location for accounts undergoing significant changes:
- Accounts migrating between environments (e.g., from Development to Production)
- Accounts undergoing major restructuring or resource changes
- Accounts in any other transitional state
This OU helps isolate accounts during transition periods, minimizing the impact on other accounts while changes are being implemented. Accounts typically stay in this OU only temporarily until their transition is complete.
Provisioning Organizational Units
The NTC Organizations Building Block makes it easy to define and implement your organizational structure using infrastructure as code. You can specify your entire OU hierarchy in a single configuration:
```hcl
module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # Define your organizational unit structure
  organizational_unit_paths = [
    "/root/core",
    "/root/sandbox",
    "/root/suspended",
    "/root/transitional",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test"
  ]
}
```
The `organizational_unit_paths` parameter allows you to define your entire OU structure, including nested OUs up to 5 levels deep. Each path represents an OU in your hierarchy, with the path components indicating the nesting structure:
- Top-level OUs: Defined with paths like `/root/core` or `/root/workloads`
- Nested OUs: Defined with extended paths like `/root/workloads/prod`
The NTC Organizations Building Block automatically handles the creation of this entire structure, managing dependencies to ensure parent OUs are created before their children.
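The following is an added example, not code from the NTC Organizations Building Block, showing the two rules the parameter relies on: OU paths start at `/root` and may nest at most 5 levels deep, and a child OU needs its parent to exist before it can be created. It validates a path list and derives a parent-first creation order; the `SAMPLE_PATHS` list is constructed for the example and is deliberately out of order so the ordering is visibly computed rather than assumed.

```python
"""Validate an NTC-style organizational_unit_paths list and derive a
creation order in which every parent OU precedes its children.

Added example; not code from the NTC Organizations Building Block. It
models the two rules stated in the text: OU paths start at /root and may
nest at most 5 levels deep, and a child OU needs its parent to exist first.
"""

# AWS limit named on the page: OUs may be nested up to 5 levels below the root.
MAX_OU_DEPTH = 5

# Constructed sample input matching the recommended structure, listed
# deliberately out of order so the ordering is visibly derived, not assumed.
SAMPLE_PATHS = [
    "/root/workloads/prod",
    "/root/core",
    "/root/workloads",
    "/root/sandbox",
    "/root/suspended",
    "/root/transitional",
    "/root/workloads/dev",
    "/root/workloads/test",
]


def _parts(path):
    """Split a path into components, ignoring empty segments ('//', trailing '/')."""
    return [p for p in path.split("/") if p]


def normalize(path):
    """Canonical form: single slashes, no trailing slash."""
    return "/" + "/".join(_parts(path))


def ou_depth(path):
    """Nesting level below root: /root/core is 1, /root/workloads/prod is 2."""
    parts = _parts(path)
    if not parts or parts[0] != "root":
        raise ValueError(f"OU path must start with /root: {path!r}")
    return len(parts) - 1


def parent_of(path):
    """Parent OU path, or None when the OU sits directly under the root."""
    parts = _parts(path)
    return None if len(parts) <= 2 else "/" + "/".join(parts[:-1])


def validate_ou_paths(paths):
    """Return a list of problems; an empty list means the configuration is sound.

    Checks the /root prefix, the depth limit, duplicate declarations, and that
    every nested OU's parent is itself declared (otherwise it cannot be created).
    """
    problems = []
    declared = set()
    for path in paths:
        try:
            depth = ou_depth(path)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        canonical = normalize(path)
        if depth == 0:
            problems.append(f"{path!r} names the root itself, not an OU")
        elif depth > MAX_OU_DEPTH:
            problems.append(
                f"{path!r} is nested {depth} levels deep; the limit is {MAX_OU_DEPTH}"
            )
        if canonical in declared:
            problems.append(f"duplicate OU path {path!r}")
        declared.add(canonical)
    # Second pass: a nested OU without a declared parent has nothing to attach to.
    for path in paths:
        parent = parent_of(path)
        if parent is not None and parent not in declared:
            problems.append(f"{path!r} has no declared parent OU {parent!r}")
    return problems


def parent_map(paths):
    """Dependency map {ou_path: parent_path}; top-level OUs depend on '/root'."""
    return {normalize(p): (parent_of(p) or "/root") for p in paths}


def creation_order(paths):
    """Normalized paths ordered so every parent precedes its children.

    Raises ValueError if validation fails. The sort is stable and keyed on
    depth, so OUs at the same level keep their configured order.
    """
    problems = validate_ou_paths(paths)
    if problems:
        raise ValueError("; ".join(problems))
    return sorted((normalize(p) for p in paths), key=ou_depth)


if __name__ == "__main__":
    parents = parent_map(SAMPLE_PATHS)
    for ou in creation_order(SAMPLE_PATHS):
        print(f"{ou:<28} parent: {parents[ou]}")
```

Running the script prints the OUs in an order that could be handed to any provisioning tool one at a time; a configuration that declares `/root/workloads/prod` without `/root/workloads`, or nests deeper than five levels, is rejected before anything is created.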
Best Practices for OU Design
When designing your OU structure, follow these best practices:
- Separation of Concerns: Place accounts with similar functions or security requirements in the same OU
- Environment Segregation: Maintain separate OUs for production and non-production workloads
- Consistent Naming: Use clear, consistent naming conventions for all OUs and accounts
- Future-Proof Structure: Design your OU hierarchy to accommodate future growth
- Limit OU Depth: Keep your OU hierarchy to 5 levels or less for easier management
- Start with Security: Implement restrictive SCPs at the root and become more permissive as needed
- Delegate Administration: Use delegated administrator functionality to minimize management account usage
Migrating Between OUs
As your organization grows and evolves, moving accounts between OUs may become necessary. It's essential to plan these migrations carefully to avoid disruptions:
- Review all SCPs that will apply to the account in its new location
- Ensure IAM roles and users have appropriate permissions in the new OU
- Test the migration with a non-critical account if possible
- Schedule migrations during low-traffic periods
- Have a rollback plan ready if issues arise
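The first review step above, checking which SCPs will govern an account in its new OU, can be previewed offline before the move. The following is an added example, not NTC code and not a call to the AWS Organizations API. It models SCP inheritance the way AWS documents it: an action is permitted only if, at every level from the root down to the account, the attached SCPs contain a matching Allow and no matching Deny. The policy documents and attachments are constructed sample data (`SAMPLE_POLICIES`, `SAMPLE_ATTACHMENTS`); in practice they would be read from the Organizations API. Condition, Resource and NotAction elements are not modelled, so the result is a review aid rather than an authoritative evaluation, and SCPs never apply to the management account.

```python
"""Preview the SCPs an account will inherit after a move between OUs and
which of its actions would start being denied.

Added example; not NTC code and not a call to the AWS Organizations API.
The policies and attachments below are constructed sample data. Condition,
Resource and NotAction elements are not modelled.
"""
import fnmatch

# Constructed sample SCP documents, shaped like real SCP JSON (Effect/Action only).
SAMPLE_POLICIES = {
    "FullAWSAccess": {"Statement": [{"Effect": "Allow", "Action": "*"}]},
    "DenyLeaveOrganization": {
        "Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]
    },
    "DenyIamUsers": {
        "Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"]}]
    },
    "SandboxAllowList": {
        "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*", "sts:*"]}]
    },
}

# Constructed sample attachments, keyed by OU path. Account-level SCPs could be
# keyed the same way, e.g. "/root/workloads/prod/<account-id>".
SAMPLE_ATTACHMENTS = {
    "/root": ["FullAWSAccess", "DenyLeaveOrganization"],
    "/root/workloads": ["FullAWSAccess"],
    "/root/workloads/prod": ["FullAWSAccess", "DenyIamUsers"],
    "/root/workloads/dev": ["FullAWSAccess"],
    "/root/sandbox": ["SandboxAllowList"],
}


def ancestors(path):
    """Every node from the root down to and including path."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def _statement_matches(statement, action):
    """IAM-style action matching: '*' and 'ec2:*' wildcards, case-insensitive."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_allows(policy_names, action, policies=SAMPLE_POLICIES):
    """One level permits the action iff its SCPs hold a matching Allow and no
    matching Deny; an explicit Deny always wins. A level with no attached
    policy allows nothing (AWS keeps FullAWSAccess attached by default and
    does not let the last SCP on a node be detached)."""
    allowed = denied = False
    for name in policy_names:
        for statement in policies[name]["Statement"]:
            if _statement_matches(statement, action):
                if statement["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def action_allowed(path, action, attachments=SAMPLE_ATTACHMENTS, policies=SAMPLE_POLICIES):
    """Effective SCP result: every level on the path must allow the action."""
    return all(
        level_allows(attachments.get(node, []), action, policies) for node in ancestors(path)
    )


def migration_impact(current_ou, target_ou, actions,
                     attachments=SAMPLE_ATTACHMENTS, policies=SAMPLE_POLICIES):
    """Compare an account's action set before and after a move.

    Returns (newly_denied, newly_allowed). Review newly_denied before moving:
    those are the API calls that will start failing in the new OU."""
    def ok(ou, action):
        return action_allowed(ou, action, attachments, policies)

    newly_denied = sorted(a for a in actions if ok(current_ou, a) and not ok(target_ou, a))
    newly_allowed = sorted(a for a in actions if not ok(current_ou, a) and ok(target_ou, a))
    return newly_denied, newly_allowed


if __name__ == "__main__":
    checks = ["iam:CreateUser", "s3:GetObject", "rds:CreateDBInstance", "ec2:RunInstances"]
    denied, allowed = migration_impact("/root/workloads/dev", "/root/sandbox", checks)
    print("would become denied:", denied)
    print("would become allowed:", allowed)
```

Feed `migration_impact` the actions the account's workloads actually use (CloudTrail is a practical source) and the `newly_denied` list is exactly what to resolve, or plan a rollback for, before the move is scheduled.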
Conclusion
A well-designed OU structure is the foundation of effective AWS governance, security, and compliance. By implementing the Nuvibit recommended structure, you'll create a scalable, secure, and easily manageable multi-account AWS environment that aligns with both Nuvibit best practices and AWS recommendations.
This organizational structure not only helps with day-to-day governance (how you manage and control your AWS environment) but also enhances compliance readiness (your ability to meet industry regulations and standards).
While governance focuses on operational control and decision-making, compliance ensures adherence to external requirements such as HIPAA, PCI DSS, ISO 27001, and other regulatory frameworks. The clear separation of accounts, consistent policy application, and centralized logging enabled by this structure significantly reduces the effort required to demonstrate compliance during audits.