Extended workload-oriented OU structure
An extended form of the workload-oriented OU structure can be used to support cases in which you need to either organize workloads for visibility and management purposes or apply different security and operational policies to either a workload or group of related workloads.
When workloads have diverse security and operational policy requirements, you cannot effectively manage guardrails and other controls at the level of the workload-oriented OU. By adding child OUs to a workload-oriented OU, you can group related workloads in the same child OU. You can then apply distinct security and operational policies to the child OUs.
For example, a workload or a group of related workloads might benefit from having a distinct allow list of AWS services that is implemented via a service control policy (SCP). This policy might be different than the requirements associated with other workloads. Rather than applying the SCP to each of the related workload accounts, it is recommended that you apply the SCP to an OU that groups the related accounts.
Grouping related workloads
When you have groups of related workloads that require the same overall set of security and operational policies, you can create a child OU for each group of workloads.
For example, if you manage a series of database services that are shared across your organizations and have common security and operational policy requirements, you might find value in grouping those data services under a common child OU.
The following example represents a shared backup capability you can provide across your AWS environment. If this capability requires a set of security and operational policies that are distinct from other infrastructure workloads, then you can allocate a distinct OU for this workload.
Separating business units with significantly different policies
If you have largely autonomous business units (BUs) that manage workloads in your common AWS organization and the BUs have significantly different security and operational policies, you can create a child OU under your Workloads OU for each BU.
In the following example, each BU is provided with its own OU so that different SCPs and/or operational policies can be applied independently from the other OUs.