Infrastructure OU
The Infrastructure OU is a foundational OU that is intended to contain infrastructure services. The accounts in this OU are also considered administrative and your infrastructure and operations teams should own and manage this OU, any child OUs, and associated accounts.
The Infrastructure OU is used to hold AWS accounts containing AWS infrastructure resources that are shared with, used by, or used to manage accounts in the organization. This includes centralized operations or monitoring of your organization. No application accounts or application workloads are intended to exist within this OU.
Common use cases for this OU include accounts to centralize management of resources. For example, a Network account might be used to centralize your AWS network, or an Operations Tooling account to centralize your operational tooling.
Note
For guidance on where to contain non-infrastructure shared services, refer to Workloads OU.
In most cases, given the way most AWS Organization integrated services interact with the accounts within the Infrastructure OU, it does not generally make sense to have production and non-production variants of these accounts within the Infrastructure OU. In situations where non-production accounts are required, these workloads should be treated like any other application and placed in an account within the appropriate Workloads OU corresponding with the non-production phase of the SDLC (Dev OU or Test OU).
Backup account
The Backup account serves as a dedicated and centralized hub for backup and disaster recovery management. It provides a unified platform to orchestrate, monitor, and enforce backup policies across AWS accounts within the AWS Organization.
By consolidating backup processes in a central account, organizations can achieve several benefits. It simplifies backup management by eliminating the need to configure and maintain backup settings separately in each member account, streamlining operational efficiency and reducing the potential for errors. It ensures consistent and comprehensive data protection across the entire AWS infrastructure, regardless of the specific AWS services and resources in use. This approach also enhances compliance and governance efforts by enabling centralized auditing and reporting on backup and recovery activities, making it easier to track data protection metrics and maintain necessary records for compliance purposes.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
AWS Backup | Register the Backup account as the delegated administrator in the AWS Backup console. | No |
AWS Organizations: AWS Backup policy administration | Delegate AWS Backup policy administration to the Backup account by enabling delegation of AWS Organizations in the management account and configuring a policy that allows the Backup account to create backup policies. | No |
Additional Services and Functionalities
Common examples of security capabilities that can be centrally accessed and managed using the Backup account include:
- Leverage centralized AWS KMS customer managed keys for the AWS Backup service within the Backup account to centrally manage the encryption of backup operations across accounts.
- Third-party backup tools that require resources can be created and managed in the Backup account.
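The two delegation steps from the table above, scripted as an added example that is not part of the AWS guidance; it assumes the AWS CLI, management-account credentials, and a placeholder Backup account ID, and scopes the grant to backup policies only:

```shell
#!/usr/bin/env bash
# Added example, not from the AWS guidance: delegate AWS Backup and backup-policy
# administration from the management account to the Backup account (placeholder ID).
set -euo pipefail
# Resource-based delegation policy for AWS Organizations. The organizations:PolicyType
# condition limits the grant to BACKUP_POLICY, so the Backup account cannot manage SCPs.
backup_delegation_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateBackupPolicyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": [
        "organizations:CreatePolicy", "organizations:UpdatePolicy", "organizations:DeletePolicy",
        "organizations:AttachPolicy", "organizations:DetachPolicy",
        "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy",
        "organizations:ListPolicies", "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*",
      "Condition": { "StringLikeIfExists": { "organizations:PolicyType": "BACKUP_POLICY" } }
    },
    {
      "Sid": "ReadOrganizationStructure",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": [
        "organizations:DescribeOrganization", "organizations:DescribeAccount",
        "organizations:ListRoots", "organizations:ListAccounts",
        "organizations:ListOrganizationalUnitsForParent", "organizations:ListAccountsForParent"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
# Run from the management account: register the Backup account as delegated administrator
# for the AWS Backup service, enable backup policies on the root, then install the policy.
delegate_backup_administration() {
  local root_id
  aws organizations register-delegated-administrator \
    --account-id "$1" --service-principal backup.amazonaws.com
  root_id=$(aws organizations list-roots --query 'Roots[0].Id' --output text)
  aws organizations enable-policy-type --root-id "$root_id" --policy-type BACKUP_POLICY \
    || true   # already enabled is fine
  aws organizations put-resource-policy --content "$(backup_delegation_policy "$1")"
}
BACKUP_ACCOUNT_ID="${BACKUP_ACCOUNT_ID:-111122223333}"   # placeholder, not a real account
if [ "${1:-}" = "--apply" ]; then
  delegate_backup_administration "$BACKUP_ACCOUNT_ID"
else
  backup_delegation_policy "$BACKUP_ACCOUNT_ID"   # print the policy for review
fi
```

Review the printed policy before running with `--apply`; the `StringLikeIfExists` condition is what stops the delegated account from creating or attaching service control policies.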
Identity account
The Identity account serves as a centralized identity federation account isolated from all other management and workload activities within the AWS Organization. Federated identity management grants you the ability to efficiently manage the access to the accounts in the AWS Organization and authorization to integrated applications. By managing your identities and controlling access to your environment centrally, you can quickly create, update, and delete the permissions and policies you need to meet your business requirements.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
IAM Identity Center | You can delegate administration of IAM Identity Center to this account, which allows you to administer IAM Identity Center outside of the management account. | Enabled - Yes Delegated - No |
IAM Access Analyzer | An IAM Access Analyzer can be configured to detect resources that are shared outside of the organization (the organization zone of trust). By default, this is managed from the management account, but it can be delegated to a member account: either the Identity account or a Security Tooling account, depending on who is responsible for auditing external access (Identity team or Security team). | No |
Additional Services and Functionalities
Common examples of security capabilities that can be centrally accessed and managed using the Identity account include:
- AWS Directory Service - If you are using an AWS-hosted directory or AWS AD Connector, you can create and manage them in your Identity account alongside AWS IAM Identity Center.
- SAML 2.0 custom managed applications - With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.
Network account
The Network account serves as the central hub for your network within your AWS Organization. You can manage your networking resources and route traffic between accounts in your environment, your on-premises environment, and egress/ingress traffic to the internet. Within this account, your network administrators can build and manage security measures to protect network traffic across your cloud environment.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
AWS Network Manager | Centrally manage and monitor your global networks with transit gateways and their attached resources in multiple AWS accounts within your organization. | No |
IPAM | Delegated to a single account for your entire AWS Organization. IPAM will inventory and track all active IPs across your AWS Organization. | No |
VPC Reachability Analyzer | Trace paths across accounts in your organization. You can assign multiple delegated admin accounts as needed. | No |
Additional Services and Functionalities
Common examples of network capabilities and AWS services that can be centrally accessed and managed via the Network account include:
- Amazon VPC - If you plan to implement centralized networking in your AWS environment, we recommend managing your VPCs within your Network account and sharing resources across your accounts within your AWS Organization.
- Share your AWS Transit Gateway - Create an AWS Transit Gateway resource in the Network account and share it across the accounts within your AWS Organization using AWS Resource Access Manager (RAM).
- Share your Amazon Route 53 Endpoint Resolvers - If you plan to use a centralized transitive network with Amazon Route 53 Public Data Plane in your AWS Organization, we recommend managing and sharing your Route 53 Endpoint Resolvers in your Network account within your AWS Organization.
- Share your IPAM pools with your organization - When you delegate an IPAM account, IPAM enables other member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM).
- Build centralized AWS Site-to-Site VPN connections - Using a transitive network architecture centralized in your Network account, a Site-to-Site VPN can be established and routing enabled across your cloud environment.
- Centralize AWS Direct Connect - Create and attach AWS Direct Connect to your transitive network with AWS Transit Gateway.
- Centralized network inspection point - Build inbound and outbound network traffic inspection points that route through the Network account.
AWS Solutions
The following AWS Solutions are commonly deployed or related to the functional operations of the Network account:
AWS Solution | Description |
---|---|
Network Orchestration for AWS Transit Gateway | Automates the process of setting up and managing transit networks in distributed AWS environments. This solution allows customers to visualize and monitor their global network from a single dashboard rather than toggling between Regions in the AWS console. It creates a web interface to help control, audit, and approve transit network changes. |
Automations for AWS Firewall Manager | Allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation to automate the process of setting up AWS Firewall Manager security policies. |
Security Automations for AWS WAF | Automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). |
Operations Tooling account
Operations Tooling accounts can be used for day-to-day operational activities across your organization. The Operations Tooling account hosts the tools, dashboards, and services needed to centralize operations, including monitoring and metric tracking. These tools help the central operations team interact with their environment from a single location.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
| Manage alternate contact information for all of the accounts in your organization. Delegation is done in one Region and for one account within your AWS Organizations. | No |
AWS Application Migration Service | AWS Application Migration Service simplifies, expedites, and reduces the cost of migrating applications to AWS. By integrating with Organizations, you can use the global view feature to manage large-scale migrations across multiple accounts. | No |
| You can integrate with AWS Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain organization-wide health of all monitored applications. | No |
| Get visibility into events that might affect the performance or availability of your resources for AWS services. You can register up to 5 member accounts in your organization as delegated administrators. | No |
AWS License Manager | If you are planning to use a centralized model to buy and share licenses across your organization, we recommend you specify one of your Shared Services accounts as the delegated administrator for AWS License Manager. | No |
AWS Systems Manager | You can delegate administration for Systems Manager to the Operations Tooling account to perform administrative tasks for Change Manager, Explorer, and OpsCenter. | No |
AWS CloudFormation StackSets | You can register multiple delegated administrator accounts in your AWS Organizations. CloudFormation StackSets delegation gives the AWS account full administrative access to deploy resources in other AWS accounts in your Organization. Delegation needs to be done only in the home Region. | No |
VPC Reachability Analyzer | Trace paths across accounts in your organization. VPC Reachability Analyzer can have multiple delegated admin accounts. | |
AWS Solutions
The following AWS Solutions are commonly deployed or related to the functional operations of the Operations Tooling account:
AWS Solution | Description |
---|---|
| Presented in a web UI, this AWS Solution runs configurable scans on all AWS accounts in your AWS Organizations to help you identify dependencies in your underlying resource-based policies. |
| Automates the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instances. This solution helps reduce operational costs by stopping resources that are not in use and starting them when they are needed. The cost savings can be significant if you leave all of your instances running at full utilization continuously. |
| Analyzes all of your Amazon WorkSpaces usage data and automatically converts the WorkSpace to the most cost-effective billing option (hourly or monthly), depending on your individual usage. You can use this solution with a single account, or with AWS Organizations across multiple accounts, to help you monitor your WorkSpace usage and optimize costs. |
Workload Discovery on AWS | Workload Discovery on AWS (formerly called Amazon Personalize) is a tool to visualize AWS Cloud workloads. Use Workload Discovery on AWS to build, customize, and share detailed architecture diagrams of your workloads based on live data from AWS. |
Monitoring account
An AWS monitoring account can be used to monitor resources, applications, log data, and performance in other AWS accounts. AWS offers a number of tools and services that can be used to manage and monitor resources and workloads in an AWS account, including CloudWatch, Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon OpenSearch. These tools can be used to monitor resource and application usage, performance, review log data, and identify potential issues within the infrastructure or application.
Note
Depending on your business requirements and team structures, you may choose to manage your monitoring resources and services in a single account with your other Operations Tooling services or in a dedicated Monitoring account. The core concept of the Monitoring account is that it has read-only functionality: the account itself is not intended to have the ability to make changes across accounts in your AWS Organization.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
AWS Health | Configure the Monitoring account as the delegated admin for AWS Health (in the Management account) for ongoing visibility into your resource performance and the availability of your AWS services and accounts within your organization. | No |
Amazon S3 Storage Lens | Register the Monitoring account as the delegated admin for Amazon S3 Storage Lens (in the Management account) for organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. | No |
Additional Services and Functionalities
Common examples of monitoring capabilities that can be centrally accessed and managed using the Monitoring account include:
- Amazon CloudWatch - Configure CloudWatch cross-account observability and designate this account as the "monitoring account" (hub account).
- CloudWatch dashboards that are created at the account level can be shared with the Monitoring account, which allows for distributed management with centralized monitoring.
- Third-party monitoring tools (such as Elasticsearch, Splunk, Prometheus, or Grafana) that require resources can be created and managed in the Monitoring account.
- Customer-created automations and reports can be run from and stored in the Monitoring account.
- Log Archive log analysis - To analyze log data stored in the Log Archive account, Amazon Managed Grafana or Amazon QuickSight in the Monitoring account can connect to Amazon Athena in the Log Archive account and query the log data in its S3 bucket.
- Amazon OpenSearch Service can be deployed and managed in the Monitoring account to analyze logs, monitor applications, and analyze clickstreams.
- Amazon QuickSight can be deployed and managed in the Monitoring account, and cross-account data sources can be used to centrally monitor or report on organization data.
- Amazon Managed Grafana can be deployed into the Monitoring account for centralized monitoring of resources, containers, CloudWatch logs, and applications by connecting to data sources in different accounts or to centralized CloudWatch metrics, logs, and traces.
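Setting up the Monitoring account as the CloudWatch cross-account observability hub, as an added example that is not from the AWS guidance; it assumes the AWS CLI and a placeholder organization ID, and the sink policy it builds shows why the hub stays read-only toward the source accounts:

```shell
#!/usr/bin/env bash
# Added example, not from the AWS guidance: make the Monitoring account the CloudWatch
# cross-account observability "monitoring account" and let member accounts link to it.
set -euo pipefail
# Sink policy for the Monitoring account. It only lets accounts in the organization
# create or update a link that pushes telemetry into the sink; it grants the Monitoring
# account no rights in the source accounts, which keeps the hub read-only.
sink_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*",
      "Action": [ "oam:CreateLink", "oam:UpdateLink" ],
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "$1" },
        "ForAllValues:StringEquals": {
          "oam:ResourceTypes": [ "AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace" ]
        }
      }
    }
  ]
}
EOF
}
# Run with Monitoring-account credentials: create the sink, attach the policy, print its ARN.
create_monitoring_sink() {
  local sink_arn
  sink_arn=$(aws oam create-sink --name "$1" --query 'Arn' --output text)
  aws oam put-sink-policy --sink-identifier "$sink_arn" --policy "$(sink_policy "$2")"
  printf '%s\n' "$sink_arn"
}
# Run with a source (member) account's credentials: link it to the sink. Only the
# resource types the sink policy allows can be linked.
link_source_account() {
  aws oam create-link --sink-identifier "$1" --label-template '$AccountName' \
    --resource-types AWS::CloudWatch::Metric AWS::Logs::LogGroup
}
ORG_ID="${ORG_ID:-o-exampleorgid}"   # placeholder organization ID
sink_policy "$ORG_ID"                # print the policy for review
```

The `aws:PrincipalOrgID` condition is what prevents accounts outside your organization from linking telemetry into the hub.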
AWS Solutions
The following AWS Solutions are commonly deployed or related to the functional operations of the Monitoring account:
AWS Solution | Description |
---|---|
| Helps organizations collect, analyze, and display Amazon CloudWatch Logs in a single dashboard. This solution consolidates, manages, and analyzes log files from various sources, such as audit logs for access, configuration changes, and billing events. You can also collect Amazon CloudWatch Logs from multiple accounts and AWS Regions. |
| Helps organizations collect, ingest, and visualize log data from various sources using Amazon OpenSearch Service. This solution provides a web-based console, which you can use to create log ingestion pipelines with a few clicks. |
| Automates the process of ingesting, analyzing, and visualizing continuous integration/continuous delivery (CI/CD) metrics. These metrics are displayed in Amazon QuickSight dashboards to help DevOps leaders measure the impact of their DevOps initiatives and make data-driven decisions to drive continuous improvement in their development teams. |
| Automates the process of setting up Amazon CloudWatch dashboards for your Apache, NGINX, and Puma workloads running on Amazon EC2. This solution uses several features of Amazon CloudWatch and speeds up the getting-started experience. |
Shared Services accounts
A Shared Services account is an AWS account created and dedicated to hosting and managing centralized IT services and resources that are shared across multiple other AWS accounts within an AWS Organization. The primary purpose of a Shared Services account is to consolidate similar shared services into a single access point from which they can be managed, interfaced with, and consumed. You may create multiple Shared Services accounts depending on your need to securely isolate the functionality of the services grouped in each account.
Note
AWS account workload isolation is a best practice for enhancing security and operational efficiency in cloud environments. It involves grouping AWS resources and workloads into separate AWS accounts based on their functionality and security requirements. A Shared Service account should contain resources and workloads that can be grouped together to help ensure security, compliance, and operational separation of duties.
Recommended AWS Organization Integrated Service Delegation
AWS service | Implementation Details | Control Tower Enabled |
---|---|---|
| Create and manage catalogs of IT services that are approved for use on AWS. | No |
AWS Compute Optimizer | AWS Compute Optimizer can be delegated to one AWS account in your AWS Organization. It is recommended to deploy it to a Shared Services account or the Monitoring account. | No |
Additional Services and Functionalities
Common examples of security capabilities that can be centrally accessed and managed using the Shared Services account include:
- EC2 Image Builder - EC2 Image Builder integrates with AWS Resource Access Manager (AWS RAM) to allow you to share certain resources with any AWS account or through AWS Organizations.
Example structure
The following example structure represents the recommended Infrastructure OU at a basic level. For general guidance on separating production and non-production workloads, refer to Organizing workload-oriented OUs.