Appendix E: How does AWS Control Tower establish your multi-account environment? - Organizing Your AWS Environment Using Multiple Accounts

Establish your multi-account environment with AWS Control Tower

When you set up your multi-account environment using AWS Control Tower, it creates two OUs.

  • Security OU - Within this OU, AWS Control Tower creates two accounts:

    • Log Archive

    • Audit (This account corresponds to the Security Tooling account discussed previously in the guidance.)

  • Sandbox OU - This OU is the default destination for accounts created within AWS Control Tower. It contains accounts in which your builders can explore and experiment with AWS services, and other tools and services, subject to your team’s acceptable use policies.


Image: an example of the default destination (the Sandbox OU) for accounts created within AWS Control Tower.

AWS Control Tower allows you to create, register, and manage additional OUs to expand the initial environment to implement the guidance.

The following diagram shows the OUs initially deployed by AWS Control Tower. You can expand your AWS environment to implement any of the recommended OUs included in the diagram, to meet your requirements.


Image: the OUs initially deployed by AWS Control Tower, alongside the recommended OUs you can add.

Example: Workloads in a flat OU structure

AWS Control Tower supports a flat OU structure. To implement the OU structure described earlier in the guidance, we recommend a naming convention in which the name of each OU that would otherwise be nested includes an underscore (“_”) separating the parent name from the child name (for example, Workloads_Prod). Here is a possible implementation of a flat OU structure.


Image: the flat OU structure that is supported by AWS Control Tower.

In AWS Control Tower, the Security Read-Only account and the Security Break-Glass account should be placed in a secondary Security OU (Security_Prod), which must be registered with AWS Control Tower. This secondary OU is needed because AWS Control Tower does not permit additional accounts to be added to the primary Security OU, which holds only the Log Archive and Audit accounts it creates.
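As an added example (not code from the whitepaper or from AWS Control Tower), the following Python maps a nested OU design onto the flat underscore naming convention described above and flags any account placed in the primary Security OU other than the two accounts Control Tower creates there. The OU tree and account placement are constructed sample data; the assumption that OU names themselves contain no underscore is what keeps the flat names unambiguous.

```python
"""Flatten a nested OU design for AWS Control Tower and check Security OU placement."""

# The only accounts AWS Control Tower places in the primary Security OU.
CONTROL_TOWER_SECURITY_ACCOUNTS = frozenset({"Log Archive", "Audit"})


def flatten_ou_path(path):
    """Join a nested OU path such as ("Workloads", "Prod") into "Workloads_Prod".

    Assumption: individual OU names contain no underscore, so the flat name
    can always be split back into its original parent/child parts.
    """
    if not path or any(not part or "_" in part for part in path):
        raise ValueError(f"invalid OU path: {path!r}")
    return "_".join(path)


def flatten_ou_tree(tree, prefix=()):
    """Walk a nested dict {ou_name: {child_ou_name: {...}}} depth-first and
    yield the flat OU name for every node, parents before children."""
    for name, children in tree.items():
        path = prefix + (name,)
        yield flatten_ou_path(path)
        yield from flatten_ou_tree(children, path)


def check_security_ou_placement(placement):
    """placement maps account name -> flat OU name. Returns findings for any
    account in the primary Security OU that Control Tower did not create there;
    such accounts belong in the registered secondary OU Security_Prod."""
    return [
        f"{account}: move from Security to Security_Prod"
        for account, ou in placement.items()
        if ou == "Security" and account not in CONTROL_TOWER_SECURITY_ACCOUNTS
    ]


# Constructed sample design: the nested OUs as drawn in a diagram.
SAMPLE_TREE = {
    "Security": {"Prod": {}},
    "Workloads": {"Prod": {}, "Test": {}},
    "Sandbox": {},
}

# Constructed sample placement with one deliberately misplaced account.
SAMPLE_PLACEMENT = {
    "Log Archive": "Security",
    "Audit": "Security",
    "Security Read-Only": "Security",  # misplaced: must go to Security_Prod
    "Security Break-Glass": "Security_Prod",
}

if __name__ == "__main__":
    print(list(flatten_ou_tree(SAMPLE_TREE)))
    print(check_security_ou_placement(SAMPLE_PLACEMENT))
```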

The following diagram shows how AWS recommends categorizing accounts within the Workloads_Prod and Workloads_Test OUs, as well as in the Security_Prod OU, to accommodate the flat OU structure in AWS Control Tower.


Image: the recommended categorization of accounts within the Workloads_Prod, Workloads_Test, and Security_Prod OUs.

Next Steps for setting up your multi-account environment

To get started with AWS Control Tower, visit the Getting Started with AWS Control Tower documentation page. We recommend that you review the prerequisites and next steps required to establish your multi-account environment on AWS.

For complete guidance on establishing your multi-account environment, you can review the guidance included in this whitepaper.