Organizational units - AMS Advanced Onboarding Guide

Organizational units

A typical AMS multi-account landing zone consists of three top-level organizational units (OUs):

  • The core organizational unit (OU); an OU is used to group accounts together to administer as a single unit

  • The applications OU

  • The customer managed OU

The AMS-managed multi-account landing zone also enables you to create custom OUs for grouping and organizing AWS accounts and to associate custom SCPs with them; for examples of doing this, see Management account: Creating a custom OU and Management account: Creating a custom SCP, respectively. AMS provides three existing OUs under which new OUs and accounts can be requested: application > managed, application > development, and customer managed.

  • Application > managed OU:

    In this sub-OU of the application OU, accounts are fully managed by AMS, including all operational tasks. The operational tasks include service request management, incident management, security management, continuity management, patch management, cost optimization, monitoring and event management. AMS carries out these tasks to manage your infrastructure. Multiple child OUs can be created as needed, until the maximum limit of nested OUs for AWS Organizations is reached. For details, see Quotas for AWS Organizations.

  • Application > development OU:

    Under this sub-OU of the application OU in the AMS-managed landing zone, accounts are Developer mode accounts that provide you with elevated permissions to provision and update AWS resources outside of the AMS change management process. This OU also supports the creation of new child OUs as needed.

  • Customer Managed OU:

    This is a top-level OU in the AMS multi-account landing zone. Accounts under this OU are provisioned by AMS with an RFC. In these accounts, the operations of workloads and AWS resources are your responsibility. This OU also supports the creation of new child OUs as needed.

As a best practice, we recommend that accounts under these OUs and custom-requested sub-OUs be grouped based on their functionalities and policies.
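
The following is an added example, not code from the AMS guide: it resolves each account's operating model from its OU ancestry, so that accounts where changes happen outside AMS change management, or where operations are your responsibility, can be listed for review. The inventory, account IDs, custom OU names, model labels, and the `max_depth` default are assumptions made for illustration.

```python
# Constructed inventory: every ID and custom OU name here is made up.
# Each entry is id -> (name, parent id); the root has no parent.
NODES = {
    "r-root": ("Root", None),
    "ou-core": ("core", "r-root"),
    "ou-apps": ("applications", "r-root"),
    "ou-cust": ("customer managed", "r-root"),
    "ou-mgd": ("managed", "ou-apps"),
    "ou-dev": ("development", "ou-apps"),
    "ou-pay": ("payments", "ou-mgd"),
    "ou-sbx": ("sandbox", "ou-dev"),
    "111111111111": ("shared-services", "ou-core"),
    "222222222222": ("payments-prod", "ou-pay"),
    "333333333333": ("team-a-sandbox", "ou-sbx"),
    "444444444444": ("analytics", "ou-cust"),
    "555555555555": ("misplaced", "ou-apps"),
}

# Operating model per OU as this page describes it. The longest matching
# prefix wins, so custom child OUs inherit from the OU they sit under.
MODELS = {
    ("core",): "core",
    ("applications", "managed"): "AMS-managed",
    ("applications", "development"): "Developer mode",
    ("customer managed",): "customer-operated",
}

def ou_path(node_id, nodes=NODES):
    """Return the OU names from the root down to the account's parent OU."""
    path, parent = [], nodes[node_id][1]
    while parent is not None and nodes[parent][1] is not None:
        path.append(nodes[parent][0])
        parent = nodes[parent][1]
    return tuple(reversed(path))

# max_depth is an assumed value; confirm it in Quotas for AWS Organizations.
def classify(account_id, nodes=NODES, max_depth=5):
    """Map an account to (model, OU path, within nesting limit)."""
    path = ou_path(account_id, nodes)
    for n in range(len(path), 0, -1):
        if path[:n] in MODELS:
            return MODELS[path[:n]], path, len(path) <= max_depth
    return "unclassified", path, len(path) <= max_depth

if __name__ == "__main__":
    for acct in (k for k in NODES if k.isdigit()):
        model, path, ok = classify(acct)
        print(acct, model, " > ".join(path), "" if ok else "nesting limit exceeded")
```

An account that resolves to "unclassified" sits outside the three OUs under which accounts can be requested and is worth checking against your intended grouping.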