Appendix E: How does AWS Control Tower establish your multi-account environment? - Organizing Your AWS Environment Using Multiple Accounts


Establish your multi-account environment with AWS Control Tower

When you set up your multi-account environment using AWS Control Tower, it creates two OUs.

  • Security OU - Within this OU, AWS Control Tower creates two accounts:

    • Log Archive

    • Audit (This account corresponds to the Security Tooling account discussed previously in the guidance.)

  • Sandbox OU - This OU is the default destination for accounts created within AWS Control Tower. It contains accounts in which your builders can explore and experiment with AWS services, and other tools and services, subject to your team’s acceptable use policies.


        This image shows an example of default destination for accounts created within
          AWS Control Tower.

AWS Control Tower allows you to create, register, and manage additional OUs, so you can expand the initial environment to implement the guidance in this whitepaper.

The following diagram shows the OUs initially deployed by AWS Control Tower. You can expand your AWS environment to implement any of the recommended OUs included in the diagram, to meet your requirements.


        This image shows shows the OUs initially deployed by AWS Control Tower.

OUs initially deployed by AWS Control Tower
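The baseline above is easy to drift from once teams start creating accounts, because the Sandbox OU is the default destination and nothing stops a workload account from being parked there, or from being dropped into the Security OU next to Log Archive and Audit. The following Python script, an added example that is not part of the whitepaper or of AWS Control Tower, checks a snapshot of the top-level OUs against that baseline. The snapshot is constructed by hand in the field layout returned by boto3's `organizations.list_accounts_for_parent` (all account ids are made up); `fetch_top_level_ous` shows how the same snapshot would be built from a live `boto3.client("organizations")` and is not executed here. The production-name suffixes are an illustrative naming convention, not anything the whitepaper prescribes.

```python
"""Check an AWS Organizations OU layout against the AWS Control Tower baseline
(Security OU holding Log Archive and Audit; Sandbox OU as the default
destination for new accounts). Added example, not AWS or Control Tower code."""

SECURITY_OU = "Security"
SANDBOX_OU = "Sandbox"
SECURITY_ACCOUNTS = ("Log Archive", "Audit")

# Assumption for illustration only: account names ending in these suffixes
# denote production workloads, which should not live in the Sandbox OU.
PRODUCTION_SUFFIXES = ("-prod", "-production")

# Constructed snapshot: top-level OU name -> list of accounts, using the field
# names of organizations.list_accounts_for_parent() items. Ids are made up.
SAMPLE_OUS = {
    "Security": [
        {"Id": "111111111111", "Name": "Log Archive", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "Audit", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "payments-prod", "Status": "ACTIVE"},  # misplaced
    ],
    "Sandbox": [
        {"Id": "444444444444", "Name": "alice-sandbox", "Status": "ACTIVE"},
        {"Id": "555555555555", "Name": "inventory-prod", "Status": "ACTIVE"},  # misplaced
    ],
    "Workloads": [
        {"Id": "666666666666", "Name": "inventory-dev", "Status": "ACTIVE"},
        {"Id": "777777777777", "Name": "legacy-batch", "Status": "SUSPENDED"},
    ],
}


def fetch_top_level_ous(client):
    """Build the same snapshot from a live boto3 Organizations client.

    Requires organizations:ListRoots, ListOrganizationalUnitsForParent and
    ListAccountsForParent on the management account. Not run in this example.
    """
    root_id = client.list_roots()["Roots"][0]["Id"]
    snapshot = {}
    ou_pages = client.get_paginator("list_organizational_units_for_parent")
    acct_pages = client.get_paginator("list_accounts_for_parent")
    for page in ou_pages.paginate(ParentId=root_id):
        for ou in page["OrganizationalUnits"]:
            accounts = []
            for apage in acct_pages.paginate(ParentId=ou["Id"]):
                accounts.extend(apage["Accounts"])
            snapshot[ou["Name"]] = accounts
    return snapshot


def audit_baseline(ous):
    """Return a list of (finding_code, subject) tuples for deviations from the
    Control Tower baseline. An empty list means the layout matches."""
    findings = []

    # Both baseline OUs must exist.
    for name in (SECURITY_OU, SANDBOX_OU):
        if name not in ous:
            findings.append(("MISSING_OU", name))

    # The Security OU must hold exactly the two Control Tower accounts.
    security = ous.get(SECURITY_OU, [])
    present = {acct["Name"] for acct in security}
    for required in SECURITY_ACCOUNTS:
        if required not in present:
            findings.append(("MISSING_SECURITY_ACCOUNT", required))
    for acct in security:
        if acct["Name"] not in SECURITY_ACCOUNTS:
            findings.append(("UNEXPECTED_IN_SECURITY_OU", acct["Id"]))

    # Sandbox is the default destination; flag production accounts left there.
    for acct in ous.get(SANDBOX_OU, []):
        if acct["Name"].endswith(PRODUCTION_SUFFIXES):
            findings.append(("PRODUCTION_IN_SANDBOX", acct["Id"]))

    # Suspended or closed accounts still count against OU policies; surface them.
    for accounts in ous.values():
        for acct in accounts:
            if acct.get("Status") != "ACTIVE":
                findings.append(("ACCOUNT_NOT_ACTIVE", acct["Id"]))

    return findings


def format_report(findings):
    """Render findings as one line each, or a single OK line."""
    if not findings:
        return "OK: OU layout matches the Control Tower baseline"
    return "\n".join(f"{code}: {subject}" for code, subject in findings)


if __name__ == "__main__":
    print(format_report(audit_baseline(SAMPLE_OUS)))
```

Run against the constructed snapshot the report lists the workload account sitting in the Security OU, the production account left in Sandbox, and the suspended account; a clean Control Tower landing zone produces the OK line. To run it against a real organization, replace `SAMPLE_OUS` with `fetch_top_level_ous(boto3.client("organizations"))` from the management account.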

Next steps for setting up your multi-account environment

To get started with AWS Control Tower, visit the Getting Started with AWS Control Tower documentation page. We recommend that you review the prerequisites and next steps required to establish your multi-account environment on AWS.

For complete guidance on establishing your multi-account environment, you can review the guidance included in this whitepaper.