Organization
We use Organizational Units (OUs) in AWS to segregate workloads and their guardrails by environment. OUs help us implement consistent security controls, manage access permissions, and ensure compliance across our AWS infrastructure. In our basic setup, we've established the following OU hierarchy:
Structure
OU Hierarchy
Our AWS Organization structure follows a logical hierarchy:
Root
Root - The default top-level OU in any AWS Organization
Second Level
Workloads - Contains the customer's software development lifecycle (SDLC) environments
Shared Services - Houses infrastructure shared across environments
Security - Manages centralized security services
Suspended - Holds accounts scheduled for decommissioning
Workloads Branch
Production - Production workloads and customer-facing services
Staging - Pre-production testing environment
Development - Development and integration testing
Shared Services Branch
Connectivity - Network resources and connectivity services
Management - Infrastructure hosting support services (ArgoCD, Trivy, Falco, etc.)
Security Branch
Auth - AWS Identity Center and centralized authentication solutions
Logs - Aggregated logging services (VPC logs, etc.)
Account Placement
All accounts are placed at the leaves of the OU hierarchy to ensure proper policy inheritance and access segregation. Multiple accounts can exist within a single OU when they serve similar purposes and require identical guardrails.
Service Control Policies (SCPs)
Service Control Policies (SCPs) are attached to OUs to enforce constraints on resources within that OU hierarchy. They act as guardrails by either:
Limiting which actions can be performed
Restricting which AWS services can be accessed
Default Policies
We apply these three foundational SCPs to the Root OU by default:
1. Deny Accounts Leaving the Organization
Purpose: Prevents accounts from being removed from the organization.
Benefits:
Ensures centralized management of all accounts
Maintains consistent policy enforcement
Prevents account administrators from removing organizational oversight
Applied at the Root OU to affect all accounts.
2. Deny Usage of Root User Account
Purpose: Restricts usage of the powerful root user account.
Benefits:
Prevents unauthorized access to the most privileged user in AWS accounts
Enforces usage of IAM roles for administrative tasks
Creates an audit trail for all administrative actions
Applied at the Root OU to affect all accounts.
3. Deny Regions
Purpose: Restricts resource creation to approved AWS regions only.
Benefits:
Ensures compliance with data residency requirements
Simplifies resource management by consolidating to specific regions
Controls cloud spend by preventing resource sprawl
Applied at the Root OU to affect all accounts.
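The three Root-level guardrails above, written out as one SCP document as an added illustration; this is not the organization's actual policy text. The approved region list (eu-west-1, eu-central-1) and the set of global services exempted from the region restriction (IAM, Organizations, STS, Account, CloudFront, Route 53, Support, Budgets, Health) are assumptions and must match the environment they are deployed into.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    },
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "account:*",
        "cloudfront:*",
        "route53:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
```

The NotAction list in DenyUnapprovedRegions exists because global services such as IAM and STS are served from us-east-1 and would otherwise be blocked in every account; omitting it is the most common way this guardrail locks an organization out. SCPs never apply to the management account itself, so the root user and region restrictions only take effect in member accounts.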