Production starter organization - Organizing Your AWS Environment Using Multiple Accounts

Production starter organization

This pattern represents a minimal starter environment in which the primary focus is on supporting a workload in a production environment.

For example, you might have an Amazon S3-backed on-premises backup solution that you simply need to test and deploy to production. Similarly, you might have a static web site that depends on Amazon CloudFront as a content delivery network (CDN) and uses a private bucket in Amazon S3 to manage the web content.

In these scenarios, you might not need sandbox and development environments. The following figure shows an example of this type of minimal starter production environment.


Example production starter organization

In this example, the organization’s management account uses AWS IAM Identity Center (successor to AWS Single Sign-On) to provide your human users with federated access to the AWS accounts in your organization.

The Security OU (see Security OU and accounts) contains a log-archive-prod account that acts as the consolidation point in the organization for log data gathered from all of the accounts—not just other production environments—and is used primarily by your security, audit, and compliance teams.

The Security OU also contains a security-tooling-prod account where you manage recommended security tools and service resources.

Since the capabilities provided in the log-archive-prod and security-tooling-prod accounts are expected to be of production quality, these accounts are contained in a Prod OU under the Security OU. The -prod suffix in these example account names emphasizes the production quality of their resources and workloads. The suffix is not intended to suggest that these accounts and their resources apply only to production accounts.

In future configurations, you can introduce non-production or test OUs and accounts associated with your Security OU. Where it’s feasible to test changes inside the same organization, these non-production environments can help you develop and test changes for your production quality capabilities before promoting those changes to your production environments.

In cases where you cannot easily test certain changes that are foundational to your AWS environment in the same AWS organization, you might benefit from using a separate AWS organization to test such foundational changes. See Multiple AWS organizations for more information.

A Workloads OU along with Prod and Test OUs contain the workload-a-test and workload-a-prod accounts.

Production starter organization with AWS Control Tower

When you use AWS Control Tower to establish your AWS environment, it automatically creates the Audit and Log archive accounts under a Core OU. The Log archive account plays the same role as the Log archive account described in the Security OU and accounts. The Audit account is intended to provide your security team with cross-account access to other member accounts in your organization.

AWS Control Tower also automatically sets up IAM Identity Center in the organization’s management account. The following figure shows this configuration.


Example production starter organization with AWS Control Tower

In this example, a Security OU (see Security OU and accounts) is created by using the AWS Control Tower Account Factory feature to contain a security-tooling-prod account where recommended security tools and service resources are managed.

Two Workloads OUs house the production and test environments for a workload.

Since AWS Control Tower currently supports a single level of OUs, the names of the security and workloads OUs include underscores to represent the desired hierarchy. For example: Security_Prod, Workloads_Prod, and Workloads_Test.
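The two layouts above (the nested Security/Prod and Workloads/Prod, Workloads/Test OUs of the starter organization, and the single-level Security_Prod, Workloads_Prod, Workloads_Test OUs that AWS Control Tower produces) describe the same account placement. The following added example, which is not part of this guide or of any AWS tooling, walks an organization with the real boto3 Organizations calls (list_roots, list_organizational_units_for_parent, list_accounts_for_parent), records the OU path of every account, and reports accounts that are missing or sit in the wrong OU. It treats an underscore in an OU name as a level separator so both layouts check identically. To run offline it uses a constructed in-memory stand-in for the boto3 client with made-up OU ids; the expected placement table, the FakeOrganizations class and the sample layout are assumptions for the example.

```python
"""Check account placement against the production starter pattern.

Added example, not code from the AWS guide. Uses boto3 Organizations API names
but runs against a constructed in-memory client, so no credentials are needed.
With a real client: misplaced(walk(boto3.client("organizations"))).
"""
from typing import Callable, Dict, List, Optional

# Account name -> OU path the starter pattern expects (from the page's figures).
EXPECTED_PLACEMENT = {
    "log-archive-prod": "Security/Prod",
    "security-tooling-prod": "Security/Prod",
    "workload-a-prod": "Workloads/Prod",
    "workload-a-test": "Workloads/Test",
}


def normalise(path: str) -> str:
    """Map a Control Tower flat OU name (Security_Prod) onto the nested form
    (Security/Prod) so both layouts compare equal."""
    return "/".join(p for seg in path.split("/") for p in seg.split("_") if p)


def _paginate(call: Callable, key: str, parent_id: str) -> List[dict]:
    """Follow NextToken the way the Organizations API returns it."""
    items, token = [], None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = call(**kwargs)
        items.extend(resp[key])
        token = resp.get("NextToken")
        if not token:
            return items


def walk(client, parent_id: Optional[str] = None, prefix: str = "") -> Dict[str, str]:
    """Return {account name: OU path} for every account under parent_id,
    starting at the organization root when parent_id is None.
    Accounts directly under the root get the empty path."""
    if parent_id is None:
        parent_id = client.list_roots()["Roots"][0]["Id"]
    placement: Dict[str, str] = {}
    for acct in _paginate(client.list_accounts_for_parent, "Accounts", parent_id):
        placement[acct["Name"]] = prefix
    for ou in _paginate(client.list_organizational_units_for_parent,
                        "OrganizationalUnits", parent_id):
        sub = f"{prefix}/{ou['Name']}" if prefix else ou["Name"]
        placement.update(walk(client, ou["Id"], sub))
    return placement


def misplaced(placement: Dict[str, str]) -> Dict[str, str]:
    """Expected accounts that are missing or whose OU path does not match."""
    problems = {}
    for name, expected in EXPECTED_PLACEMENT.items():
        actual = placement.get(name)
        if actual is None:
            problems[name] = "missing"
        elif normalise(actual) != expected:
            problems[name] = f"in {actual or '<root>'}, expected {expected}"
    return problems


class FakeOrganizations:
    """Constructed stand-in for boto3.client('organizations'); ids are made up.
    tree maps parent id -> ([(ou_id, ou_name), ...], [account names])."""

    def __init__(self, tree: dict):
        self.tree = tree

    def list_roots(self):
        return {"Roots": [{"Id": "r-0000"}]}

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return {"OrganizationalUnits": [{"Id": i, "Name": n} for i, n in self.tree[ParentId][0]]}

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        return {"Accounts": [{"Name": n} for n in self.tree[ParentId][1]]}


# Constructed nested layout with one deliberate error: workload-a-test was
# created under Workloads/Prod instead of Workloads/Test.
STARTER_LAYOUT = {
    "r-0000": ([("ou-sec", "Security"), ("ou-wl", "Workloads")], ["management"]),
    "ou-sec": ([("ou-sec-prod", "Prod")], []),
    "ou-sec-prod": ([], ["log-archive-prod", "security-tooling-prod"]),
    "ou-wl": ([("ou-wl-prod", "Prod"), ("ou-wl-test", "Test")], []),
    "ou-wl-prod": ([], ["workload-a-prod", "workload-a-test"]),
    "ou-wl-test": ([], []),
}

if __name__ == "__main__":
    for account, problem in misplaced(walk(FakeOrganizations(STARTER_LAYOUT))).items():
        print(f"{account}: {problem}")
```

Because normalise treats the underscore as a separator, a Control Tower organization whose accounts sit in Security_Prod, Workloads_Prod and Workloads_Test passes the same check with no changes to the expected table.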