Establishing Enterprise Architecture on AWS
AWS Whitepaper

Organizational Model

AWS Organizations lets you arrange your AWS accounts into groups called Organizational Units (OUs) that reflect your business organizational model. Within and across those OUs you can define centrally managed policies and apply them in a uniform manner. You can also define how accounts are created and removed from the organization. With AWS Organizations, you can:

  • Replicate your organizational structure in your cloud environment

  • Give your business units autonomy while maintaining global governance

  • Manage your cloud landscape (the creation and deletion of accounts) and global expenditure

Replicate Your Organizational Structure in Your Cloud Environment

In AWS Organizations, the root is the parent container for all the accounts for your organization. OUs are nested under the root. You can define OUs to reflect your existing or target organizational model. OUs can contain accounts or other OUs, and you can create tiers of OUs.

The following figure shows an example of an organization that consists of 14 AWS accounts (Ax) that are organized into 9 OUs under the root.

Figure: Organizations reflect an enterprise’s organizational model

In this example, the OUs represent the enterprise’s global Human Resources (HR), Security, and Finance departments, New York and London locations, and four business units (BUx). This maintains an AWS Cloud account structure that reflects the enterprise’s organizational model.

Business Units and Autonomy

Two of the recurring challenges in enterprise architecture governance are giving business units autonomy while maintaining a global governance practice, and giving departments and teams the freedom to explore new technologies and techniques while still keeping an overview of the whole organization. You can address both challenges with Service Control Policies (SCPs).

SCPs are policies that specify the services and actions that users and roles can use in the accounts that the SCP affects. You can apply SCPs at any layer in the organization. Using the same organization example, the following figure shows policies applied to the root and to HR, Security, London, and BU1 OUs:

Figure: Service control policies applied to organizations in the enterprise organizational model

If you apply a policy to the root, it applies to every OU and account in the organization. For example, the SCP applied at the root of a healthcare enterprise might deny the use of any AWS service that is not HIPAA eligible, and in a financial organization it might deny access to services that are not compliant with PCI DSS. No OU can use a service that a root-level SCP denies. Once a service becomes compliant in an AWS Region, you can update the policy to permit it.

Likewise, you can attach SCPs throughout the organizational hierarchy as appropriate to the business function. For example, as shown in Figure 4, you can attach policies based on different functions (HR and Security), local markets (London), and local business units (BU1).

When you attach a policy to a node in the hierarchy, it affects every OU and account beneath that node. The SCPs associated with the HR, Security, and London OUs are therefore enforced in all of their child OUs and accounts. An SCP attached to a child OU or account cannot override this behavior; it can only restrict further within the bounds set by the parent policies.

Applying SCPs to your OUs gives your business units autonomy while maintaining global governance.

You can also add new and existing AWS accounts to an OU and remove accounts from an OU, and you can specify the OU in which new accounts are created. Those accounts inherit the policies and behaviors already defined for that OU.
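The inheritance rule described above, as an added example that is not part of the whitepaper: a small Python evaluator that walks a constructed OU tree and applies the rule that an action is permitted in an account only if every SCP on the path from that account up to the root allows it, so a child OU can narrow but never re-grant what a parent denies. The OU names, account names, and policy statements are made up for illustration.

```python
from fnmatch import fnmatchcase

# Constructed OU tree (child -> parent), loosely following the whitepaper's figure.
PARENT = {"HR": "root", "Security": "root", "London": "root", "BU1": "London",
          "A3": "Security", "A7": "BU1", "A9": "HR"}

# AWS attaches this default policy to every OU and account; SCPs never grant
# permissions by themselves, IAM policies in the account still have to.
FULL_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]

# Constructed SCPs per node. Nodes without an entry keep the default FullAWSAccess.
SCPS = {
    "root": FULL_ACCESS + [
        # Enterprise-wide guardrail: these services are not approved anywhere.
        {"Effect": "Deny", "Action": ["workmail:*", "chime:*"]}],
    "Security": FULL_ACCESS + [
        # Protect audit logging in every account under the Security OU.
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}],
    "London": FULL_ACCESS + [{"Effect": "Deny", "Action": ["s3:DeleteBucket"]}],
    "BU1": [
        # Allow-list style policy; listing chime:* here cannot undo the root deny.
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "chime:*"]}],
}

def path_to_root(node):
    """Return [node, parent, ..., 'root']."""
    chain = [node]
    while chain[-1] != "root":
        chain.append(PARENT[chain[-1]])
    return chain

def node_allows(policy, action):
    """Within one SCP an explicit Deny wins; otherwise some Allow must match."""
    effects = [s["Effect"] for s in policy
               if any(fnmatchcase(action, pattern) for pattern in s["Action"])]
    return "Deny" not in effects and "Allow" in effects

def effective_allow(account, action):
    """Permitted only if every node from the account up to the root allows it."""
    return all(node_allows(SCPS.get(n, FULL_ACCESS), action) for n in path_to_root(account))

def denied_by(account, action):
    """List the nodes whose SCP blocks the action (handy when triaging an AccessDenied)."""
    return [n for n in path_to_root(account) if not node_allows(SCPS.get(n, FULL_ACCESS), action)]

if __name__ == "__main__":
    for acct, action in [("A7", "ec2:RunInstances"), ("A7", "s3:DeleteBucket"),
                         ("A7", "chime:CreateMeeting"), ("A3", "cloudtrail:StopLogging")]:
        verdict = "allowed" if effective_allow(acct, action) else f"denied by {denied_by(acct, action)}"
        print(f"{acct} {action}: {verdict}")
```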

Manage Your Cloud Landscape and Global Expenditure

Enterprise architects are also concerned about the total cost of ownership of the organization’s IT landscape. AWS Organizations supports you in this activity.

AWS Organizations lets you set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3).