AWS Account Management and Separation
We recommend that you organize workloads in separate accounts and group accounts based on function, compliance requirements, or a common set of controls rather than mirroring your organization’s reporting structure. In AWS, accounts are a hard boundary and a zero-trust container for your resources. For example, account-level separation is strongly recommended for isolating production workloads from development and test workloads.
Separate workloads using accounts: Start with security and infrastructure in mind to enable your organization to set common guardrails as your workloads grow. This approach provides boundaries and controls between workloads. Account-level separation is strongly recommended for isolating production environments from development and test environments, or providing a strong logical boundary between workloads that process data of different sensitivity levels, as defined by external compliance requirements (such as PCI-DSS or HIPAA), and workloads that don’t.
Secure AWS account: There are a number of aspects to securing your AWS accounts, including securing (and not using) the root user, and keeping the contact information up to date. You can use AWS Organizations
Manage accounts centrally: AWS Organizations automates AWS account creation and management, and control of those accounts after they are created. When you create an account through AWS Organizations, it is important to consider the email address you use, as this will be the root user that allows the password to be reset. Organizations allows you to group accounts into organizational units (OUs), which can represent different environments based on the workload’s requirements and purpose.
Set controls centrally: Control what your AWS accounts can do by only allowing specific services, Regions, and service actions at the appropriate level. AWS Organizations allows you to use service control policies (SCPs) to apply permission guardrails at the organization, organizational unit, or account level, which apply to all AWS Identity and Access Management
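As an added illustration (not part of the AWS text), here is a Region-restriction SCP of the kind described above together with a small Python checker for its deny logic. The approved Regions and the list of exempt global services are constructed assumptions, and the checker models only this Deny/NotAction/StringNotEquals statement shape, not full IAM policy evaluation.

```python
"""Region-restriction SCP plus a simplified checker for its deny logic.
Added example, not from the AWS Well-Architected text: the approved Regions
and the exempt global services are constructed values for illustration."""
import fnmatch
import json

# Constructed guardrail: deny any action outside eu-west-1 / eu-central-1,
# except for global services whose API calls carry no Region.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
                }
            },
        }
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """IAM action patterns are case-insensitive wildcards such as 'iam:*'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def scp_denies(scp, action, requested_region):
    """True when a Deny statement applies: the action is not exempted by
    NotAction (or is listed in Action) and the aws:RequestedRegion is not
    one of the approved values. Allow statements and other condition
    operators are deliberately not modelled."""
    for st in scp["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "NotAction" in st:
            if _action_matches(st["NotAction"], action):
                continue  # exempt global-service action
        elif not _action_matches(st.get("Action", []), action):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        approved = cond.get("aws:RequestedRegion")
        if approved is None or requested_region not in _as_list(approved):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(REGION_GUARDRAIL_SCP, indent=2))
    for act, reg in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                     ("iam:CreateUser", "us-east-1")]:
        print(act, reg, "DENIED" if scp_denies(REGION_GUARDRAIL_SCP, act, reg) else "not denied")
```

Attach such an SCP to an OU holding the accounts that must stay in the approved Regions; anything not listed under NotAction is blocked outside them regardless of the IAM permissions granted inside the account.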
Configure services and resources centrally: AWS Organizations helps you configure AWS services