Dedicated accounts structure - AWS Prescriptive Guidance

Dedicated accounts structure

An AWS account provides security, access, and billing boundaries for your AWS resources, and enables you to achieve resource independence and isolation. By default, no access is allowed between accounts.

When designing your OU and account structure, start with security and infrastructure in mind. Most enterprises have centralized teams that serve the security and infrastructure needs of the entire business. We recommend creating a set of foundational OUs for these specific functions, split into Infrastructure and Security OUs. These OU and account recommendations capture a subset of our broader, more comprehensive guidelines for AWS Organizations and multi-account structure design. For a full set of recommendations, see Organizing Your AWS Environment Using Multiple Accounts in the AWS documentation and the blog post Best Practices for Organizational Units with AWS Organizations.

The AWS SRA utilizes the following accounts to achieve effective security operations on AWS. These dedicated accounts help ensure separation of duties, support different governance and access policies for different sensitives of applications and data, and help mitigate the impact of a security event. In the discussions that follow, we are focused on production (prod) accounts and their associated workloads. Software development lifecycle (SDLC) accounts (often called dev and test accounts) are intended for staging deliverables and can operate under a different security policy set from that of production accounts.

Account OU Security role

Management

Central governance and management of all AWS Regions and accounts. The AWS account that hosts the root of the AWS organization.

Security Tooling

Security

Dedicated AWS accounts for operating broadly applicable security services (such as Amazon GuardDuty, AWS Security Hub, and AWS Config), monitoring AWS accounts, and automating security alerting and response.

Log Archive

Security

Dedicated AWS accounts for ingesting and archiving all logging and backups for all AWS Regions and AWS accounts. This should be designed as immutable storage.

Network

Infrastructure

The gateway between your application and the broader internet. The Network account isolates the broader networking services, configuration, and operation from the individual application workloads, security, and other infrastructure.

Shared Services

Infrastructure

This account supports the services that multiple applications and teams use to deliver their outcomes. Examples include directory services (Active Directory), messaging services, and metadata services.

Application

Workloads

AWS accounts that host the AWS organization’s applications and perform the workloads. (These are sometimes called workload accounts.) Application accounts should be created to isolate software services instead of being mapped to your teams. This makes the deployed application more resilient to organizational change.