OU structure for non-production environments - Organizing Your AWS Environment Using Multiple Accounts

You can use OUs to organize your non-production environments in a couple of ways.

Option A: Common guardrails across non-production environments

When non-production workloads require the same set of overall access policies or benefit from being operationally managed together, you can define a single NonProd OU to contain all the accounts that support non-production forms of your workloads.

The following example shows the Workloads OU where a Prod child OU contains production accounts and workloads, and a NonProd child OU combines both development and test accounts and workloads.


Example Workloads OU with common policies across a NonProd child OU

Option B: Different guardrails across non-production environments

Sometimes your process for developing and testing changes involves workload environments that have fundamentally different access policies or ways in which you manage and apply foundational resources. In these cases, it makes sense to create distinct OUs to support these diverse requirements.

For example, you might want to support development environments that give teams more freedom to experiment, iterate, and develop largely on their own, in contrast to more formally managed and controlled production-like test environments. In this case, the overall access policies and the management of baseline resources for the development environments are significantly different from those used to support test environments. It makes sense for you to create a distinct OU for development work and another OU for your test workloads.

The following example represents a simple form of this structure where Test and Dev OUs reside adjacent to the recommended Prod OU.


Example Workloads OU with different policies for Test and Dev child OUs

The preceding example shows two different approaches to scoping development environment accounts. In one approach, development environments are aligned with the same groupings of workloads as used in the test and production OUs. In the other approach, development environments are aligned based on teams.

Worksheets to help decide on workload-oriented OUs

The following appendices include a set of worksheets and example considerations for identifying your overall types of workload environments and supporting OUs:

Appendix B helps you identify the overall types of work you perform from design through production and helps you identify the corresponding workload environments in which you expect to perform work and house workloads.

Appendix C helps you further refine the overall types of workload environments by identifying key distinguishing access and management attributes of each overall type of workload environment.

By understanding commonalities of, and contrasts between, your overall types of workload environments, you can make an informed decision about the set of child OUs that can best support your workload-oriented OUs.
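The choice between Option A and Option B, as an added example that is not part of the AWS guide: it groups environment types by the guardrails they require, then checks an Option B tree for accounts whose inherited guardrails do not match their environment type. All OU, account and guardrail names are constructed, and inheritance is modelled simply as the union of guardrails attached along the path from an account up to the Workloads OU.

```python
# Added illustration: OU, account and guardrail names are constructed.
from collections import defaultdict

def plan_nonprod_ous(required):
    """Map each distinct required guardrail set to one child OU.
    One distinct set -> Option A (single NonProd OU); otherwise Option B."""
    groups = defaultdict(list)
    for env, guardrails in required.items():
        groups[frozenset(guardrails)].append(env)
    if len(groups) == 1:
        return {"NonProd": sorted(required)}
    return {"-".join(sorted(envs)): sorted(envs) for envs in groups.values()}

def inherited(node, parent_of, attached):
    """Union of guardrails attached to a node and every OU above it."""
    found = set()
    while node is not None:
        found |= attached.get(node, set())
        node = parent_of.get(node)
    return found

def misplaced(account_env, parent_of, attached, required):
    """Accounts whose inherited guardrails differ from what their
    environment type requires, with the missing and extra guardrails."""
    report = {}
    for account, env in account_env.items():
        have = inherited(account, parent_of, attached)
        want = set(required[env])
        if have != want:
            report[account] = {"missing": want - have, "extra": have - want}
    return report

# Constructed requirements, as would come out of the worksheets.
SAME = {"Dev": {"baseline", "restrict-regions"},
        "Test": {"baseline", "restrict-regions"}}
DIFFERENT = {"Dev": {"baseline"},
             "Test": {"baseline", "restrict-regions", "change-control"}}

# Option B tree: Dev and Test OUs under Workloads; one test account sits in Dev.
PARENT_OF = {"Workloads": None, "Dev": "Workloads", "Test": "Workloads",
             "dev-team-a": "Dev", "test-app-1": "Test", "test-app-2": "Dev"}
ATTACHED = {"Workloads": {"baseline"},
            "Test": {"restrict-regions", "change-control"}}
ACCOUNT_ENV = {"dev-team-a": "Dev", "test-app-1": "Test", "test-app-2": "Test"}

if __name__ == "__main__":
    print(plan_nonprod_ous(SAME))
    print(plan_nonprod_ous(DIFFERENT))
    print(misplaced(ACCOUNT_ENV, PARENT_OF, ATTACHED, DIFFERENT))
```

The `misplaced` report is the part worth running periodically: a test account left in the Dev OU silently loses the stricter test guardrails.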