Infrastructure OU - Organizing Your AWS Environment Using Multiple Accounts

Infrastructure OU

The Infrastructure OU is a foundational OU that is intended to contain infrastructure services. The accounts in this OU are also considered administrative and your infrastructure and operations teams should own and manage this OU, any child OUs, and associated accounts.

The Infrastructure OU is used to hold AWS accounts containing AWS infrastructure resources that are shared, utilized by, or used to manage accounts in the organization. This includes centralized operations or monitoring of your organization. No application accounts or application workloads are intended to exist within this OU.

Common use cases for this OU include accounts to centralize management of resources. For example, a Network account might be used to centralize your AWS network, or an Operations Tooling account to centralize your operational tooling.

Note

For guidance on where to contain non-infrastructure shared services, refer to Workloads OU.

In most cases, given the way most AWS Organization integrated services interact with the accounts within the Infrastructure OU, it does not generally make sense to have production and non-production variants of these accounts within the Infrastructure OU. In situations where non-production accounts are required, these workloads should be treated like any other application and placed in an account within the appropriate Workloads OU corresponding with the non-production phase of the SDLC (Dev OU or Test OU).

Backup account

The Backup account serves as a dedicated and centralized hub for backup and disaster recovery management. It provides a unified platform to orchestrate, monitor, and enforce backup policies across AWS accounts within the AWS Organization.

By consolidating backup processes in a central account, organizations can achieve several benefits. It simplifies backup management by eliminating the need to configure and maintain backup settings separately in each member account, streamlining operational efficiency and reducing the potential for errors. It ensures consistent and comprehensive data protection across the entire AWS infrastructure, regardless of the specific AWS services and resources in use. This approach also enhances compliance and governance efforts by enabling centralized auditing and reporting on backup and recovery activities, making it easier to track data protection metrics and maintain necessary records for compliance purposes.

AWS service Implementation Details Control Tower Enabled
AWS Backup

Register the Backup account as the delegated administrator in the AWS Backup console.

No

AWS Organizations: AWS Backup policy administration

Delegate AWS Backup Policy administration to the Backup account by enabling delegation of AWS Organizations in the managment account and configure a policy that allows the Backup account to create Backup Policies.

No

Additional Services and Functionalities

Common examples of security capabilities that can be centrally accessed and managed using the Backup account includes::

  • Leverage centralized AWS KMS customer managed keys for AWS Backup service within the Backup account to centrally manage the encryption for backup operations across accounts.

  • 3rd party backup tools that require resources can be created and managed in the Backup account.

Identity account

The Identity account serves as a centralized identity federation account isolated from all other management and workload activities within the AWS Organization. Federated identity management grants you the ability to efficiently manage the access to the accounts in the AWS Organization and authorization to integrated applications. By managing your identities and controlling access to your environment centrally, you can quickly create, update, and delete the permissions and policies you need to meet your business requirements.

AWS service Implementation Details Control Tower Enabled
IAM Identity Center

You can delegate administration of IAM Identity Center to this account which will allow you to administer IAM Identity Center outside of the management account.

Enabled - Yes

Delegated - No

IAM Access Analyzer

An IAM Access Analyzer can be configured to detect resources that are shared outside of the organization (organization zone of trust). By default, this is managed from the management account. This can be delegated to a member account. This can be delegated to the Identity account or a Security Tooling account depending on who is responsible for auditing external access (Identity Team or Security Team).

No

Additional Services and Functionalities

Common examples of security capabilities that can be centrally accessed and managed using the Identity account includes:

  • AWS Directory Services - If you are using an AWS-hosted directory or AWS AD Connector, you can create and managed them in your Identity account alongside of AWS IAM Identity Center.

  • SAML 2.0 custom managed applications - With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.

Network account

The Network account serves as the central hub for your network within your AWS Organization. You can manage your networking resources and route traffic between accounts in your environment, your on-premises, and egress/ingress traffic to the internet. Within this account, your network administrators can manage and build security measures to protect network traffic across your cloud environment.

AWS service Implementation Details Control Tower Enabled
AWS Network Manger

Centrally manage and monitor your global networks with transit gateways and their attached resources in multiple AWS accounts within your organization.

No

IPAM

Delegated to a single account for your entire AWS Organization. IPAM will inventory and track all active IPs across your AWS Organization.

No

VPC Reachability Analyzer

Trace paths across accounts in your organizations. You can assign multiple delegated admin accounts as needed.

No

Additional Services and Functionalities

Common examples of network capabilities and AWS services that can be centrally accessed and managed via the Network account include:

  • Amazon VPC - If you plan to implement centralized networking in your AWS environment, we recommend managing your VPCs within your network account, and sharing resources across your accounts within your AWS organization.

  • Share your AWS Transit Gateway - Create an AWS Transit Gateway resource in the networking account and share it across the accounts within your AWS Organization using AWS Resource Access Manager (RAM).

  • Share your Amazon Route 53 Endpoint Resolvers - If you plan to use a centralized transitive network with Amazon RouteĀ 53 Public Data Plane in your AWS Organization, we recommend managing and sharing your Route 53 Endpoint Resolvers in your network account within your AWS organization.

  • Share your IPAM pools with your organization - When you delegate an IPAM account, IPAM enables other AWS Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM).

  • Build centralize AWS Site-to-Site VPN connections - Using a transitive network architecture centralized in your Network account, a site-to-site VPN can be established and routing enabled across your cloud environment.

  • Centralize AWS Direct Connect - Create and attach AWS Direct Connect to your transitive network with AWS Transit Gateway.

  • Centralized network inspection point - Build inbound and outbound network traffic inspection points routing through the Network account.

AWS Solutions

The following AWS Solutions are commonly deployed or related to the functional operations of the Network account:

AWS Solution Description
Network Orchestration for AWS Transit Gateway

Automates the process of setting up and managing transit networks in distributed AWS environments. This solution allows customers to visualize and monitor their global network from a single dashboard rather than toggling between Regions from the AWS console. It creates a web interface to help control, audit, and approve transit network changes.

Automations for AWS Firewall Manager

Allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation to automate the process to set up AWS Firewall Manager security policies.

Security Automations for AWS WAF

Automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL).

Operations Tooling account

Operations Tooling accounts can be used for day-to-day operational activities across your organization. The operations tooling account hosts tools, dashboards, and services needed to centralize operations where monitoring and metric tracking are hosted. These tools help the central operations team to interact with their environment from a central location.

AWS service Implementation Details Control Tower Enabled

AWS Account Management

Manage alternate contact information for all of the accounts in your organization. Delegation is done on one region and for one account within your AWS Organizations.

No

AWS Application Migration Service (AMG)

AWS Application Migration Service simplifies, expedites, and reduces the cost of migrating applications to AWS. By integrating with Organizations, you can use the global view feature to manage large-scale migrations across multiple accounts.

No

Amazon DevOps Guru

You can integrate with AWS Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain organization-wide health of all monitored applications.

No

AWS Health

Get visibility into events that might affect your resource performance or availability issues for AWS services. You can register up to 5 member accounts in your organization as a delegated administrator.

No

AWS License Manager

If you are planning to use a centralized model to buy and share licenses across your organization, we recommend you specify one of your Shared Services accounts as the delegated administrator for AWS License Manager.

No

AWS Systems Manager Change Manager

You can delegate administration for Systems Manager to the Operations Tooling account to perform administrative tasks for Change Manager, Explorer, and Ops Center.

No

AWS Systems Manager Explorer

No

AWS CloudFormation Stacksets

You can register multiple delegated administrator accounts in your AWS Organizations. CloudFormation Stackset delegatation will give the AWS account full aministrative access to deploy resources in other AWS accounts in your Organization. Delegation needs to be done only at the home region.

No

VPC Reachability Analyzer

Trace paths across accounts in your organizations. VPC Reachability Analyzer can have multiple delegated admin accounts.

AWS Solutions

The following AWS Solutions are commonly deployed or related to the functional operations of the Operations Tooling account:

AWS Solution Description

Account Assessment for AWS Organizations

Presented in a web UI, this AWS Solution runs configurable scans on all AWS accounts in your AWS Organizations to help you identify dependencies in your underlying resource-based policies.

Instance Scheduler on AWS

Automates the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instances.This solution helps reduce operational costs by stopping resources that are not in use and starting them when they are needed. The cost savings can be significant if you leave all of your instances running at full utilization continuously.

Cost Optimizer for Amazon WorkSpaces

Analyzes all of your Amazon WorkSpaces usage data and automatically converts the WorkSpace to the most cost-effective billing option (hourly or monthly), depending on your individual usage. You can use this solution with a single account, or with AWS Organizations across multiple accounts, to help you monitor your WorkSpace usage and optimize costs.

Workload Discovery on AWS

Workload Discovery on AWS (formerly called Amazon Personalize) is a tool to visualize AWS Cloud workloads. Use Workload Discovery on AWS to build, customize, and share detailed architecture diagrams of your workloads based on live data from AWS .

Monitoring account

An AWS monitoring account can be used to monitor resources, applications, log data, and performance in other AWS accounts. AWS offers a number of tools and services that can be used to manage and monitor resources and workloads in an AWS account, including CloudWatch, Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon OpenSearch. These tools can be used to monitor resource and application usage, performance, review log data, and identify potential issues within the infrastructure or application.

Note

Depending on your business requirements and team structures, you may choose to manage your monitoring resources and services in a single account with your other Operational Tooling services or as a dedicated Monitoring account. The core concept of the Monitoring account is to only give read-only functionality. The account in itself is not intended to have the abilitiy to make changes across account your AWS Organization.

AWS service Implementation Details Control Tower Enabled

AWS Health

Configure the Monitoring account as the delegated admin for AWS health (in the Management account) for ongoing visibility into your resource performance and the availability of your AWS services and accounts within your organization.

No

Amazon S3 Storage Lens

Register the Monitoring account as the delegated admin for Amazon S3 storage Lens (in the Management account) for organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes.

No

Additional Services and Functionalities

Common examples of monitoring capabilities that can be centrally accessed and managed using the Monitoring account includes:

  • AWS CloudWatch - Configure AWS CloudWatch Cross Account observability and configure as the "monitoring account" or hub account.

  • CloudWatch dashboards that are created at the account level can be shared with the monitoring account which allows for distributed management with centralized monitoring.

  • 3rd party monitoring tools (such as ElasticSearch, Splunk, Prometheus, Grafana) that require resources can be created and managed in the Monitoring account.

  • Customer created automations and reports can be run from and stored in the Monitoring account.

  • Log Archive log analysis. In order to analyze Log data stored in the Log Archive account, Amazon Managed Grafana or Amazon QuickSight can be used in the Monitoring account to analyze Log data in an S3 bucket in the Log Archive account by connecting to Amazon Athena in the Log Archive account.

  • Amazon OpenSearch Service can be deployed and managed in the Monitoring account to analyze logs, monitor applications, and analyze clickstreams.

  • Amazon QuickSight can be deployed and managed in the Monitoring account and cross account data sources can be used to centrally monitor or report organization data.

  • Amazon Managed Grafana can be deployed into the monitoring account for centralized monitoring of resources, containers, CloudWatch logs, and applications by connecting to data sources in different accounts or to centralized CloudWatch metrics, logs, and traces.

AWS Solutions

The following AWS solutions are commonly deployed or related to the functional operations of the Monitoring account:

AWS Solution Description

Centralized Logging on AWS

Helps organizations collect, analyze, and display Amazon CloudWatch Logs in a single dashboard. This solution consolidates, manages, and analyzes log files from various sources, such as such as audit logs for access, configuration changes, and billing events. You can also collect Amazon CloudWatch Logs from multiple accounts and AWS Regions.

Centralized Logging with OpenSearch

Helps organizations collect, ingest, and visualize log data from various sources using Amazon OpenSearch Service. This solution provides a web-based console, which you can use to create log ingestion pipelines with a few clicks.

DevOps Monitoring Dashboard on AWS

Automates the process of ingesting, analyzing, and visualizing continuous integration/continuous delivery (CI/CD) metrics. These metrics are displayed in Amazon QuickSight dashboards to help DevOps leaders measure the impact of their DevOps initiatives and make data-driven decisions to drive continuous improvement in their development teams.

Application Monitoring with Amazon CloudWatch

Automates the process of setting up Amazon CloudWatch dashboards for your Apache, NGINX, and Puma workloads running on Amazon EC2. This solution uses several features of Amazon CloudWatch and speeds up the getting started experience.

Shared Services accounts

A Shared Services account is an AWS account created and dedicated to hosting and managing centralized IT services and resources that are shared across multiple other AWS accounts within an AWS Organization. The primary purpose of a Shared Services account is to consolidate similar shared services to give a single access point to manage, interface and consume. You may create multiple Shared Service accounts depending on your need to securely isolate the functionality of the grouped services in the account.

Note

AWS account workload isolation is a best practice for enhancing security and operational efficiency in cloud environments. It involves grouping AWS resources and workloads into separate AWS accounts based on their functionality and security requirements. A Shared Service account should contain resources and workloads that can be grouped together to help ensure security, compliance, and operational separation of duties.

AWS service Implementation Details Control Tower Enabled

AWS Service Catalog

Create and manage catalogs of IT services that are approved for use on AWS.

No

AWS Compute Optimizer

AWS Compute Optimizer can be delegated to one AWS account in your AWS Organization. It is recommended to deploy to a Shared Services account or the Monitoring account.

No

Additional Services and Functionalities

Common examples of security capabilities that can be centrally accessed and managed using the Shared Services account includes:

  • EC2 Image Builder - EC2 Image Builder integrates with AWS Resource Access Manager (AWS RAM) to allow you to share certain resources with any AWS account or through AWS Organizations.

Example structure

The following example structure represents the recommended Infrastructure OU at a basic level. For general guidance on separating production and non-production workloads, refer to Organizing workload-oriented OUs.

This image shows an example structure of a infrastructure OU.

Example structure of Infrastructure OU