LLD001-001 - Organization and Account Hierarchy
Introduction
Purpose
The purpose of this document is to outline the low-level design of the AWS Organization and account hierarchy used to set up and manage a secure, scalable, and compliant AWS environment.
Changelog
| Revision | Date | Description |
|---|---|---|
| | 28.06.2024 | Initial document |
Related documents
Background
A multi-account strategy provides a way to manage and organize multiple AWS accounts under a single consolidated billing structure. It also strengthens security by using account boundaries to isolate resources between environments, and it simplifies cost management.
Architecture diagram

Implementation Details
Organizational units
Security: Highly restricted environment for security tooling and auditing.
Infrastructure: Foundational environment that serves cloud infrastructure tooling to all accounts. The Infrastructure OU can grow with customer demand, but it requires tight security restrictions and detailed monitoring.
Workloads: Environment for all customer workloads. Accounts are continuously monitored by security tooling to detect and prevent security incidents.
Nested Workloads: Dedicated Organizational Units within the Workloads OU, one per environment (Dev, TST, SIT, NIT, PREP, PRD), providing logical separation between environments while inheriting the policies applied at the Workloads OU.
Sandbox: Separate environment for development, testing, and PoCs. The Sandbox OU allows innovation and experimentation without affecting the production environment and reduces the risk of unintended impact on other workloads.
Accounts
Shared Services PRD Account:
Purpose: For hosting shared resources like CloudStore, build and deployment tools, etc.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Shared Services TST Account:
Purpose: For development and testing shared resources like CloudStore, build and deployment tools, etc.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Central Network Account:
Purpose: For hosting the central Ingress VPC, with NGFW and other central appliances.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Shared Network Accounts (1 per workload environment):
Purpose: For hosting shared VPCs used by workload & application accounts.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Monitoring Account:
Purpose: For hosting monitoring tools like OpenSearch, Prometheus, Grafana.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Backup Account:
Purpose: For storing backup copies from entire environment.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Root CA Account:
Purpose: For storing and managing the Root Certificate Authority.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Remote Access Account:
Purpose: For hosting PAM solution.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
IAM Account:
Purpose: For storing and managing dedicated IAM users.
Users: DevOps and Infrastructure teams.
Access: Grant necessary permissions based on resource requirements.
OU: Infrastructure
Security Account:
Purpose: For centralizing security logs, monitoring, and incident response.
Users: Security teams.
Access: Limit access to security teams and grant permissions to required AWS services.
OU: Security
Log-Archive Account:
Purpose: For storing and managing logs from all other accounts.
Users: Security and audit teams.
Access: Limit access to required personnel and grant permissions to necessary AWS services.
OU: Security
Development (Workload) Account:
Purpose: For development and testing of applications.
Users: Developers and QA teams.
Access: Grant necessary permissions to required AWS services.
OU: Dev Workloads
Test (Workload) Account:
Purpose: For testing of applications.
Users: Developers and QA teams.
Access: Grant necessary permissions to required AWS services.
OU: TST Workloads
SIT (Workload) Account:
Purpose: For integration environments.
Users: QA and DevOps teams.
Access: Grant necessary permissions to required AWS services.
OU: SIT Workloads
NIT (Workload) Account:
Purpose: For integration environments.
Users: QA and DevOps teams.
Access: Grant necessary permissions to required AWS services.
OU: NIT Workloads
Pre-Production (Workload) Account:
Purpose: For Pre-Production environments.
Users: QA and DevOps teams.
Access: Grant necessary permissions to required AWS services.
OU: PREP Workloads
Production (Workload) Account:
Purpose: For running production workloads.
Users: DevOps teams and application support teams.
Access: Limit access to only necessary services and follow the principle of least privilege.
OU: PRD Workloads
Sandbox Account:
Purpose: For experimentation and learning.
Users: Developers and architects.
Access: Provide limited access to users to avoid resource misuse.
OU: Sandbox
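To make the inheritance behaviour of the OU hierarchy and account placement above concrete, the following is an added example written for this page; it is not part of the original design and not AWS's own evaluation code. It models the OU tree and a sample of the accounts listed in this document, attaches service control policies (SCPs) at the root, the Workloads OU and the Sandbox OU, and evaluates whether an action is permitted in a given account. The three guardrail policies, the region and instance-type lists, and the names build_org and effective_allows are assumptions made for the example. Only Action/NotAction, Effect and the StringEquals/StringNotEquals condition operators are modelled, so this is a teaching model of the SCP algorithm, not a substitute for testing policies in AWS.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Node:
    """A root, OU or account; `policies` are the SCPs attached directly to it."""
    name: str
    parent: Node | None = None
    policies: list = field(default_factory=list)


# AWS attaches FullAWSAccess to every root, OU and account by default.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Assumed root guardrail: no account may leave the organization or stop the
# CloudTrail trail that feeds the Log-Archive account.
PROTECT_ORG_AND_LOGGING = {"Statement": [{
    "Effect": "Deny", "Resource": "*",
    "Action": ["organizations:LeaveOrganization",
               "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

# Assumed Workloads guardrail: pin regions, exempting global services.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
RESTRICT_REGIONS = {"Statement": [{
    "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}}]}

# Assumed Sandbox guardrail: only small instance types may be launched.
SANDBOX_INSTANCE_TYPES = ["t3.micro", "t3.small"]
LIMIT_INSTANCE_TYPES = {"Statement": [{
    "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
    "Condition": {"StringNotEquals": {"ec2:InstanceType": SANDBOX_INSTANCE_TYPES}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    """Every key must hold. A key missing from the request context makes
    StringEquals false and StringNotEquals true, as in IAM."""
    for op, kv in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"condition operator not modelled: {op}")
        for key, values in kv.items():
            present = ctx.get(key) in _as_list(values)
            if present != (op == "StringEquals"):
                return False
    return True


def _matches(st, action, ctx):
    """Does this statement apply to `action` under the request context `ctx`?"""
    patterns = _as_list(st.get("Action", st.get("NotAction")))
    hit = any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in st:
        hit = not hit
    return hit and _condition_holds(st.get("Condition", {}), ctx)


def node_allows(node, action, ctx):
    """One level: an explicit Deny in any SCP attached here wins; otherwise
    some attached SCP must Allow the action."""
    allowed = False
    for st in (s for p in node.policies for s in p["Statement"]):
        if _matches(st, action, ctx):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(account, action, ctx=None):
    """Across levels: the action must pass at every node from the root down
    to the account, so a Deny anywhere on the path sticks."""
    node, ok = account, True
    while node is not None and ok:
        ok = node_allows(node, action, ctx or {})
        node = node.parent
    return ok


def build_org():
    """OU tree from the document with a sample of its accounts placed in it;
    returns the accounts keyed by name."""
    def ou(name, parent, *extra):
        return Node(name, parent, [FULL_AWS_ACCESS, *extra])

    root = ou("Root", None, PROTECT_ORG_AND_LOGGING)
    security, infra = ou("Security", root), ou("Infrastructure", root)
    workloads = ou("Workloads", root, RESTRICT_REGIONS)
    placement = {
        "Security": security, "Log-Archive": security,
        "Shared Services PRD": infra, "Central Network": infra,
        "Development": ou("Dev Workloads", workloads),
        "Production": ou("PRD Workloads", workloads),
        "Sandbox": ou("Sandbox", root, LIMIT_INSTANCE_TYPES),
    }
    return {name: ou(name, parent) for name, parent in placement.items()}


if __name__ == "__main__":
    accounts = build_org()
    print(effective_allows(accounts["Production"], "s3:GetObject",
                           {"aws:RequestedRegion": "us-east-1"}))  # False
```

A statement attached to the Workloads OU is inherited by every nested environment OU and account under it, which is the reason for the nested Workloads OUs in this design: a guardrail written once at Workloads binds Dev through PRD without being copied into each OU, while the Infrastructure and Security OUs are unaffected. SCPs never grant permissions on their own; an account still needs IAM policies that allow the action, and the practical check is to run the same cases against a real test OU before attaching a policy to production.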
Expected Outcomes
Secure setup of the AWS environment.
Consistent governance and enforcement of security and compliance policies.
Improved visibility and control over user access.
Regular monitoring and reporting on the state of the environment.