Benefits of using Organizational Units (OUs) - Organizing Your AWS Environment Using Multiple Accounts

Benefits of using Organizational Units (OUs)

The following benefits of using OUs helped shape the Recommended OUs and Patterns for organizing your AWS accounts.

Group similar accounts based on function

When you have multiple accounts that perform either similar or related functions, you can benefit from grouping these accounts into distinct top-level OUs. Prudent use of top-level OUs can help your teams better understand the overall structure of your AWS accounts.

For example, these best practices recommend a set of top-level OUs to help you organize different sets of related accounts. At a minimum, the top-level OUs are used to distinguish between overall functions of accounts.

Apply common policies

OUs provide a way for you to organize your accounts so that it’s easier to apply common overarching policies to accounts that have similar needs. Policies in AWS Organizations enable you to apply additional types of management to the accounts in your organization.

By attaching policies to OUs rather than to individual accounts, you can simplify management of policies across groups of similar accounts. As the number of accounts in your environment grows, simplifying policy management by attaching policies to OUs becomes more important.

AWS Organizations supports use of authorization and management policies. For a complete list of policy types, see Managing AWS Organizations policies.

Authorization policies

AWS Organizations service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization.

SCPs are a means of implementing guardrails in your AWS organization. Your use of SCPs can help ensure that your accounts stay within your access control guidelines. For example, you can use SCPs to constrain the set of AWS services and actions allowed on resources.

Although you can apply SCPs to the root of your organization, you typically associate SCPs with underlying OUs. For example, based on the nature of the workloads deployed in accounts within an OU, you may choose to restrict the set of AWS services and AWS Regions that are allowed to be used by accounts in the OU.

You only apply an SCP at the root when you have an overarching security policy that applies across your entire organization and set of OUs. For example, you might apply an SCP at the root of the organization to deny AWS Organizations member accounts from attempting to leave the organization of their own accord.

Management policies

You can also apply tag policies to your parts of your organization to help you monitor and ensure compliance with your cloud resource tagging standards.

You can use Artificial Intelligence (AI) services opt-out policies, which enable you to control data collection for AWS AI services for all of your organization's accounts.

Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts.

Share common resources

OUs provide a means for you to organize your accounts so that it’s easier for you to share centrally managed resources across similar accounts.

AWS services have been introducing support for sharing their resources through AWS Resource Access Manager (AWS RAM) and AWS Organizations. For example, with AWS RAM, you can use OUs as the basis for sharing centrally managed network resources such as Amazon Virtual Private Cloud (Amazon VPC) subnets.

Provision and manage common resources

Sometimes you need to deploy common, centrally managed resource configurations to groups of related accounts. In cases where resource sharing doesn’t apply, you can use a variety of AWS services and third-party tools that work with OUs to automatically roll out and update your own custom resources.

For example, you can use OUs as a basis for targeting automation to deploy and update your own sets of IAM roles and customer managed IAM policies that help establish common baseline and/or workload-specific security controls to groups of related accounts.