Infrastructure OU

Foundational OUs - Infrastructure #

AWS Documentation

Accounts, workloads, and data residing in the foundational OUs are typically owned by your centralized Cloud Platform or Cloud Engineering teams made up of cross-functional representatives from your Security, Infrastructure, and Operations teams.

Infrastructure OU #

The Infrastructure OU is a foundational OU that is intended to contain infrastructure services. The accounts in this OU are also considered administrative and your infrastructure and operations teams should own and manage this OU, any child OUs, and associated accounts.

The Infrastructure OU is used to hold AWS accounts containing AWS infrastructure resources that are shared, utilized by, or used to manage accounts in the organization. This includes centralized operations or monitoring of your organization. No application accounts or application workloads are intended to exist within this OU.

Common use cases for this OU include accounts to centralize management of resources. For example, a Network account might be used to centralize your AWS network, or an Operations Tooling account to centralize your operational tooling.

In most cases, given the way AWS Organizations integrated services interact with the accounts in the Infrastructure OU, it does not make sense to have production and non-production variants of these accounts within the Infrastructure OU. Where non-production variants are genuinely required, treat them like any other application workload and place them in an account in the Workloads OU that corresponds to that phase of the SDLC (for example, the Dev OU or Test OU).

We recommend that you create the following accounts in the Infrastructure OU:

  • Backup account
  • Identity account
  • Network account
  • Operations Tooling account
  • Monitoring account
  • Shared Services accounts

Backup account #

The Backup account serves as a dedicated, centralized hub for backup and disaster recovery management. It provides a single place to orchestrate, monitor, and enforce backup policies across the AWS accounts in the organization.

Consolidating backup processes in one account has several benefits. It removes the need to configure and maintain backup settings separately in each member account, which reduces operational effort and the potential for configuration errors. It gives consistent data protection across the organization, regardless of which AWS services and resources each account uses. It also strengthens compliance and governance by enabling centralized auditing and reporting on backup and recovery activity, making it easier to track data protection metrics and retain the records needed for compliance. Because this account holds the recovery copies for the whole organization, treat access to it with the same rigor as the other administrative accounts in this OU.
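As an added illustration (not from the AWS documentation this page is based on), the following is an AWS Organizations backup policy of the kind the Backup account would enforce. It schedules a daily backup in each member account it is attached to and, in the same rule, copies every recovery point into a vault owned by the central Backup account, so the organization-wide copy lives outside the workload accounts. The account ID `111111111111`, the vault name `central-vault`, the region, the plan and rule names, the tag key `backup` and the service role name are all placeholders chosen for this example; `$account` is the policy-language variable that AWS substitutes with the ID of the account the policy is applied to.

```json
{
  "plans": {
    "OrgDailyBackup": {
      "regions": { "@@assign": ["us-east-1"] },
      "rules": {
        "Daily": {
          "schedule_expression": { "@@assign": "cron(0 3 ? * * *)" },
          "start_backup_window_minutes": { "@@assign": "60" },
          "complete_backup_window_minutes": { "@@assign": "720" },
          "target_backup_vault_name": { "@@assign": "Default" },
          "lifecycle": {
            "delete_after_days": { "@@assign": "35" }
          },
          "copy_actions": {
            "arn:aws:backup:us-east-1:111111111111:backup-vault:central-vault": {
              "target_backup_vault_arn": {
                "@@assign": "arn:aws:backup:us-east-1:111111111111:backup-vault:central-vault"
              },
              "lifecycle": {
                "delete_after_days": { "@@assign": "365" }
              }
            }
          }
        }
      },
      "selections": {
        "tags": {
          "tagged_daily": {
            "iam_role_arn": {
              "@@assign": "arn:aws:iam::$account:role/service-role/AWSBackupDefaultServiceRole"
            },
            "tag_key": { "@@assign": "backup" },
            "tag_value": { "@@assign": ["daily"] }
          }
        }
      }
    }
  }
}
```

Three things have to be in place for this to work as written: backup policies must be enabled in AWS Organizations and the policy attached to the OUs that hold the workload accounts (not to the Infrastructure OU), the named service role must exist in each member account, and `central-vault` in the Backup account needs a vault access policy that allows the member accounts (for example, by `aws:PrincipalOrgID`) to copy recovery points into it. The copy's lifecycle is independent of the source's, which is what lets the central copy outlive the local one.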

Identity account #

The Identity account serves as a centralized identity federation account, isolated from all other management and workload activity in the organization. Federated identity management lets you manage access to the accounts in the organization, and authorization to integrated applications, from one place. By managing identities and controlling access to your environment centrally, you can quickly create, update, and delete the permissions and policies you need to meet your business requirements.

Network account #

The Network account serves as the central hub for your network within the organization. In it you manage your networking resources and route traffic between accounts in your environment, to and from your on-premises environment, and for ingress from and egress to the internet. Within this account, your network administrators build and manage the security measures that protect network traffic across your cloud environment.

Operations Tooling account #

Operations Tooling accounts support day-to-day operational activity across your organization. An Operations Tooling account hosts the tools, dashboards, and services that centralize operations, including where monitoring and metric tracking are hosted, so that the central operations team can interact with the environment from a single location.

Monitoring account #

A Monitoring account is used to monitor resources, applications, log data, and performance in other AWS accounts. AWS offers a number of tools and services for managing and monitoring resources and workloads, including CloudWatch, Amazon Managed Service for Prometheus, Amazon Managed Grafana, and Amazon OpenSearch Service. These tools let you monitor resource and application usage and performance, review log data, and identify potential issues in the infrastructure or applications.

Shared Services accounts #

A Shared Services account is an AWS account dedicated to hosting and managing centralized IT services and resources that are shared across multiple other accounts in the organization. Its primary purpose is to consolidate similar shared services so that there is a single point from which to manage, integrate with, and consume them. You may create multiple Shared Services accounts, depending on how strictly you need to isolate the groups of services they host from one another.