OU design: phase 1
For the multinational pharmaceutical company in our example, the initial design of the
organizations and OUs in AWS Organizations closely followed AWS recommendations for setting up AWS Control Tower.
For an example, see the Landing Zone Accelerator on AWS for Healthcare.
Architecture design
The following diagram shows the initial OU architecture.

Security OU
The Security OU broadly groups AWS accounts related to security functionality together and uses two accounts (Audit and Log Archive) to store security operational data for central logging and auditing access to the environment. AWS core security services such as Amazon GuardDuty and AWS Security Hub reside in the Audit account.
Infrastructure Platform OU
The Infrastructure Platform OU groups together AWS accounts that provide the infrastructure foundation. Initially deployed within this OU are the AWS accounts for the central networking components (gateways, firewalls, central networking hub, and similar services).
Additional OUs
Other, company-specific OUs (such as a Clinical OU) augment the foundational OUs within a low-level hierarchy. Workloads are implemented with a multi-account structure and with separate environments within those OUs.
Several considerations drove this initial design:
- Nested OUs were not available at that time in AWS Control Tower and required extensive customization.
- Initial workloads designated for the cloud focused on particular aspects of the company such as clinical trials or manufacturing equipment analytics (functional views).
- The company differentiates between five workload environments (development, validation, integration, training, and production). The company needed a playground for developing applications without the strict governance by AWS controls that production workloads required. Development OUs such as the Manufacturing-Dev OU were assigned for this purpose.
- Workload automation was part of each application’s ecosystem and did not need separation.
- Infrastructure qualification (IQ) and GxP compliance processes did not require a distinction of AWS controls at the OU level.