AWS organization and account structure of the AWS SRA - AWS Prescriptive Guidance

AWS organization and account structure of the AWS SRA

The following diagram captures the high-level structure of the AWS SRA without displaying specific services. It reflects the dedicated accounts structure discussed in the previous section, and we include the diagram here to orient the discussion around the primary components of the architecture:

  • All accounts that are shown in the diagram are part of a single AWS organization.

  • At the upper left of the diagram is the Org Management account, which is used to create the AWS organization.

  • Below the Org Management account is the Security OU with two specific accounts: one for Security Tooling and the other for Log Archive.

  • Along the right side is the Infrastructure OU with the Network account and Shared Services account.

  • At the bottom of the diagram is the Workloads OU, which is associated with an Application account that houses the enterprise application.

For this discussion, all accounts are considered production (prod) accounts that operate in a single AWS Region. When a regional service such as Amazon S3, Amazon GuardDuty, or AWS Key Management Service (AWS KMS) is shown inside an account, that service is configured and managed from within that account. 

When hosting an AWS organization with a large set of accounts, it’s beneficial to have an orchestration layer that facilitates account deployment and account governance. AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment. The AWS SRA code samples in the GitHub repository demonstrate how you can use the Customizations for AWS Control Tower (CfCT) solution to deploy AWS SRA recommended structures.

Diagram: High-level structure of the AWS SRA (without services)
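The OU and account layout described above can be checked mechanically against a live organization. The following is an added example (not code from the AWS SRA page or its GitHub repository): it runs a baseline check over a constructed org tree whose shape mimics what `organizations:ListOrganizationalUnitsForParent` and `ListAccountsForParent` return, and it also flags accounts attached directly to the root, which sit outside every OU and therefore inherit no OU-level SCPs. The OU and account names, and the sample tree, are assumptions taken from this page's description.

```python
"""Check an AWS Organizations tree against the AWS SRA baseline OU/account layout."""
from typing import Dict, List

# Expected layout from the SRA description: OU name -> accounts that must exist in it.
SRA_BASELINE: Dict[str, List[str]] = {
    "Security": ["Security Tooling", "Log Archive"],
    "Infrastructure": ["Network", "Shared Services"],
    "Workloads": [],  # must hold at least one application account, any name
}

# Constructed sample tree (not a real organization): the root holds the OUs and
# any accounts attached directly to the root. Two deliberate deviations are included.
SAMPLE_ORG = {
    "root_accounts": ["Org Management", "sandbox-legacy"],  # sandbox-legacy is drift
    "ous": {
        "Security": ["Security Tooling", "Log Archive"],
        "Infrastructure": ["Network"],                      # Shared Services missing
        "Workloads": ["Application"],
    },
}


def check_sra_layout(org: dict) -> List[str]:
    """Return a list of findings; an empty list means the tree matches the baseline."""
    findings: List[str] = []
    ous = org.get("ous", {})
    for ou, required in SRA_BASELINE.items():
        members = ous.get(ou)
        if members is None:
            findings.append(f"missing OU: {ou}")
            continue
        for acct in required:
            if acct not in members:
                findings.append(f"OU {ou} lacks account: {acct}")
        if ou == "Workloads" and not members:
            findings.append("Workloads OU has no application account")
    # Only the management account belongs directly under the root; any other account
    # there is outside every OU, so no OU-scoped SCP applies to it.
    for acct in org.get("root_accounts", []):
        if acct != "Org Management":
            findings.append(f"account outside any OU (no OU-scoped SCPs apply): {acct}")
    return findings


if __name__ == "__main__":
    for finding in check_sra_layout(SAMPLE_ORG):
        print("FINDING:", finding)
```

In practice the tree would be built with boto3 from the real organization; the check logic is unchanged.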