Multi-Account Landing Zone network architecture - AMS Advanced Onboarding Guide

Multi-Account Landing Zone network architecture

About Multi-Account Landing Zone network architecture

Before starting the onboarding process, it is important to understand the baseline architecture, or landing zone, that AMS creates on your behalf, its components, and functions.

AMS multi-account landing zone is a multi-account architecture, pre-configured with the infrastructure to facilitate authentication, security, networking, and logging.

The following diagram outlines at a high level the account structure and how infrastructure is segregated into each of the accounts:

Service region

All resources within an AMS multi-account landing zone are deployed within a single AWS Region of your choice, due to current cross region limitation with Active Directory and Transit Gateway.

Organizational units

A typical AMS multi-account landing zone consists of three top-level organizational units (OUs):

  • The core Organizational unit (OU) (used to group accounts together to administer as a single unit)

  • The applications OU

  • The customer managed OU

AMS-managed multi-account landing zone also enables you to create custom OUs for grouping and organizing AWS Accounts and to associate custom SCPs with them; for examples on doing this, see Management account | Create Custom OUs and Management account | Create Custom SCP (review required), respectively. AMS provides three existing OUs under which new OUs and accounts can be requested: application > managed, application > development, and customer managed.

  • Application > managed OU:

    In this sub organizational unit of the Application OU, accounts are fully managed by AMS including all operational tasks. The operational tasks include service request management, incident management, security management, continuity management, patch management, cost optimization, monitoring and event management. These tasks are carried out for your infrastructure's management. Multiple child OUs can be created as needed, until a maximum limit of nested OUs is reached for AWS organizations. For details, see Quotas for AWS Organizations.

  • Application > development OU:

    Under this sub-OU of the application OU in AMS-managed landing zone, accounts are Developer mode accounts that provide you with elevated permissions to provision and update AWS resources outside of the AMS change management process. This OU also supports the creation of new children OU as needed.

  • Customer Managed OU:

    This is a top-level OU in AMS multi-account landing zone. Accounts under this OU are provisioned by AMS with an RFC. In these accounts, the operations of workloads and AWS resources are your responsibility. This OU also supports the creation of new children OU as needed.

As a best practice, we recommend that accounts under these OUs and custom-requested sub-OUs be grouped based on their functionalities and policies.

Service control policies and AWS Organization

AWS provides service control policies (SCPs) for permissions management in an AWS Organization. SCPs are used to define additional guardrails for what actions users can perform in which OUs. By default, AMS provides a set of SCPs deployed in management accounts which provide protections at different default OU levels. For SCP restrictions, please contact your CSDM.

You can also create custom SCPs and attach them to specific OUs. They can be requested from your Management account using change type ct-33ste5yc7hprs. AMS then reviews the custom SCPs requested before applying them to the target OUs. For examples, see Management account | Create Custom OUs and Management account | Create Custom SCP (Review Required).