AWS organization and account structure of the AWS SRA - AWS Prescriptive Guidance

AWS organization and account structure of the AWS SRA

The following diagram captures the high-level structure of the AWS SRA without displaying specific services. It reflects the dedicated accounts structure discussed in the previous section, and we include the diagram here to orient the discussion around the primary components of the architecture:

  • All accounts that are shown in the diagram are part of a single AWS organization.

  • At the upper left of the diagram is the Org Management account, which is used to create the AWS organization.

  • Below the Org Management account is the Security OU with two specific accounts: one for Security Tooling and the other for Log Archive.

  • Along the right side is the Infrastructure OU with the Network account and Shared Services account.

  • At the bottom of the diagram is the Workloads OU, which is associated with an Application account that houses the enterprise application.

For this discussion, all accounts should be considered production (prod) accounts that operate in a single AWS Region. When a regional service such as Amazon Simple Storage Service (Amazon S3), Amazon GuardDuty, or AWS Key Management Service (AWS KMS) is shown inside an account, that service is configured and managed from within that account.


          High-level structure of the AWS SRA (without services)