Add organizational units - AWS Prescriptive Guidance

Add organizational units

Establishing the proper organization structure is critical to setting up a multi-account environment. Because you use service control policies (SCPs) to define the maximum permissions for an organizational unit (OU) and the accounts within it, your organization structure must be logical from a management, permissions, and financial reporting perspective. For more information about the structure of an organization, including OUs, see Terminology and concepts (AWS Organizations documentation).

In this section, you customize the landing zone by creating nested OUs that help you segment and structure your environments, such as production and non-production. These recommended best practices are designed to segment your landing zone to separate production and non-production resources and separate infrastructure from workloads.

For more information about how to create OUs, see Managing organizational units (AWS Organizations documentation).

Best practices

  • Within the Workloads OU that you created in Create a landing zone, create the following nested OUs:

    • Prod – Use this OU for AWS accounts that store and access production data, including customer data.

    • NonProd – Use this OU for AWS accounts that store non-production data, such as development, staging, or testing environments.

  • Under the organization root, create an Infrastructure_Prod OU. Use this OU to host a centralized networking account.
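As an added example (not AWS's own code), the following Python applies the layout recommended above idempotently through any client that exposes the AWS Organizations calls `list_roots`, `list_organizational_units_for_parent`, and `create_organizational_unit` (a boto3 `organizations` client fits; the `FakeOrganizations` stand-in is constructed here so the script runs offline). It assumes the Workloads OU already exists from the Create a landing zone step, so `ensure_ou` only creates what is missing and is safe to re-run.

```python
from typing import Dict, List

def find_child_ou(client, parent_id: str, name: str):
    """Return the child OU named `name` under parent_id, or None (follows NextToken paging)."""
    kwargs = {"ParentId": parent_id}
    while True:
        page = client.list_organizational_units_for_parent(**kwargs)
        for ou in page["OrganizationalUnits"]:
            if ou["Name"] == name:
                return ou
        if not page.get("NextToken"):
            return None
        kwargs["NextToken"] = page["NextToken"]

def ensure_ou(client, parent_id: str, name: str) -> str:
    """Create the OU only if it is not already present; return its Id."""
    existing = find_child_ou(client, parent_id, name)
    if existing:
        return existing["Id"]
    created = client.create_organizational_unit(ParentId=parent_id, Name=name)
    return created["OrganizationalUnit"]["Id"]

def build_layout(client) -> Dict[str, str]:
    """Apply the page's layout: root -> Workloads -> {Prod, NonProd},
    root -> Infrastructure_Prod. Returns {OU name: OU Id}."""
    root_id = client.list_roots()["Roots"][0]["Id"]
    ids = {"Workloads": ensure_ou(client, root_id, "Workloads")}
    ids["Infrastructure_Prod"] = ensure_ou(client, root_id, "Infrastructure_Prod")
    for child in ("Prod", "NonProd"):
        ids[child] = ensure_ou(client, ids["Workloads"], child)
    return ids

class FakeOrganizations:
    """Constructed in-memory stand-in for a boto3 'organizations' client."""
    def __init__(self):
        # Constructed state: the Workloads OU already exists from Create a landing zone.
        self.children: Dict[str, List[dict]] = {
            "r-0000": [{"Id": "ou-work", "Name": "Workloads"}], "ou-work": []}
        self.created: List[str] = []  # names passed to create_organizational_unit
    def list_roots(self):
        return {"Roots": [{"Id": "r-0000"}]}
    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return {"OrganizationalUnits": list(self.children[ParentId])}
    def create_organizational_unit(self, ParentId, Name):
        ou = {"Id": f"ou-{len(self.created):04d}", "Name": Name}
        self.created.append(Name)
        self.children[ParentId].append(ou)
        self.children[ou["Id"]] = []
        return {"OrganizationalUnit": ou}
```

Running `build_layout(FakeOrganizations())` twice creates Infrastructure_Prod, Prod, and NonProd once and leaves the pre-existing Workloads OU untouched on both passes.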