Step 2b. Configure your organizational units (OUs)
If you accept the default names of these OUs, there's no action you need to take for setup to continue. To change the names of the OUs, enter the new names directly in the form field.
-
Foundational OU – AWS Control Tower relies upon a Foundational OU that is initially named the Security OU. You can change the name of this OU during initial setup and afterward, from the OU details page. This Security OU contains your two shared accounts, which by default are called the log archive account and the audit account.
-
Additional OU – AWS Control Tower can set up one or more Additional OUs for you. We recommend that you provision at least one Additional OU in your landing zone, besides the Security OU. If this Additional OU is intended for development projects, we recommend that you name it the Sandbox OU, as given in the Guidelines to set up a well-architected environment. If you already have an existing OU in AWS Organizations, you may see the option to skip setting up an Additional OU in AWS Control Tower.