AWS whitepapers documentation change
Summary
Restructured OU documentation with expanded descriptions, added new OU categories (Foundational, Application, Experimental, Procedural, Advanced), and removed individual links in favor of consolidated content
Security assessment
Added explicit security context for Security OU (applies security policies/compliance controls), Suspended OU (handles security-related account suspensions), and Policy Staging OU (tests policies before production). While these changes improve security documentation, there's no evidence they address a specific vulnerability.
Diff
diff --git a/whitepapers/latest/organizing-your-aws-environment/recommended-ous-and-accounts.md b/whitepapers/latest/organizing-your-aws-environment/recommended-ous-and-accounts.md index 90e7450ac..c60a66ea0 100644 --- a//whitepapers/latest/organizing-your-aws-environment/recommended-ous-and-accounts.md +++ b//whitepapers/latest/organizing-your-aws-environment/recommended-ous-and-accounts.md @@ -4,0 +5,2 @@ +Foundational OUsApplication OUs Experimental OUsProcedural OUs Advanced OUs + @@ -9 +11 @@ This section provides details on the recommended OUs and, when applicable, a set - + @@ -13 +15 @@ _Recommended OUs_ -Depending on your requirements, you might not need to establish all the recommended OUs. As you adopt AWS and learn more about your needs, you can expand the overall set of OUs. Refer to the _[Patterns for organizing your AWS accounts](./patterns-for-organizing-your-aws-accounts.html)_ for examples of how you might begin to organize your AWS accounts. +Depending on your requirements, you might not need to establish all the recommended OUs. As you adopt AWS and learn more about your needs, you can expand the overall set of OUs. Refer to the Patterns for organizing your AWS accounts for examples of how you might begin to organize your AWS accounts. @@ -19 +21,28 @@ The recommended OUs consist of: -###### Topics +## Foundational organizational units (OUs) + +Foundational OUs are used to group AWS accounts that support the management, governance, and common infrastructure of your AWS environment. + + * **Security OU:** Groups AWS accounts that apply security policies, governance and compliance controls across the organization. + + * **Infrastructure OU:** Groups AWS accounts that host and manage core infrastructure and networking services and resources that are shared across the organization. + + + + +## Application OUs + +Application OUs are used to group AWS accounts for production and nonproduction workload environments. + + * **Workloads OU:** Groups AWS accounts that host the organization's business-specific workloads, including both production and non-production environments. + + + + +## Experimental OUs + +Experimental OUs are used to group accounts for research and development environments. + + * **Sandbox OU:** Groups AWS accounts used for experimentation, testing and development activities, typically with limited access to production resources. + + + @@ -21 +50 @@ The recommended OUs consist of: - * [Security OU (Foundational)](./security-ou-and-accounts.html) +## Procedural OUs @@ -23 +52 @@ The recommended OUs consist of: - * [Infrastructure OU (Foundational)](./infrastructure-ou-and-accounts.html) +Procedural OUs are used to group accounts for process driven activities on AWS Accounts. @@ -25 +54 @@ The recommended OUs consist of: - * [Workloads OU (Application)](./workloads-ou.html) + * **Exceptions OU:** Groups AWS accounts that host workloads requiring specific configurations or policies that deviate from the organization's standard governance model. @@ -27 +56 @@ The recommended OUs consist of: - * [Sandbox OU (Experimental)](./sandbox-ou.html) + * **Transitional OU:** Temporary OU for housing AWS accounts during migration or restructuring processes, ensuring controlled management and gradual integration into the organization's standard governance structure. @@ -29 +58 @@ The recommended OUs consist of: - * [Exceptions OU (Procedural)](./exceptions-ou.html) + * **Suspended OU:** Groups AWS accounts that have been temporarily suspended or deactivated due to security concerns, policy violations or other administrative reasons. @@ -31 +60 @@ The recommended OUs consist of: - * [Transitional OU (Procedural)](./transitional-ou.html) + * **Policy Staging OU:** Hosts AWS accounts that are used to test and validate new or modified organizational policies before applying them to production environments. @@ -33 +61,0 @@ The recommended OUs consist of: - * [Policy Staging OU (Procedural)](./policy-staging-ou.html) @@ -35 +62,0 @@ The recommended OUs consist of: - * [Suspended OU (Procedural)](./suspended-ou.html) @@ -37 +63,0 @@ The recommended OUs consist of: - * [Individual Business Users OU (Advanced)](./individual-business-users-ou.html) @@ -39 +65 @@ The recommended OUs consist of: - * [Deployments OU (Advanced)](./deployments-ou.html) +## Advanced OUs @@ -41 +67 @@ The recommended OUs consist of: - * [Business Continuity OU (Advanced)](./business-continuity-ou.html) +Advanced OUs are used to group accounts for specific advanced use-cases. @@ -42,0 +69 @@ The recommended OUs consist of: + * **Individual Business Users OU:** Groups AWS accounts associated with individual employees or business units, ensuring appropriate access controls and compliance with organizational policies. @@ -43,0 +71 @@ The recommended OUs consist of: + * **Deployments OU:** Groups accounts that host services and resources used to orchestrate the deployment of applications, services and infrastructure across multiple AWS accounts within an organization. @@ -44,0 +73 @@ The recommended OUs consist of: + * **Business Continuity OU:** Houses resources and accounts specifically designed for disaster recovery, backup and ensuring continuous operations of critical business functions across the organization. @@ -46 +74,0 @@ The recommended OUs consist of: -The Security OU and the Infrastructure OU are categorized as foundational OUs. Foundational OUs are defined as OUs that contain accounts, workloads, and other AWS resources that provide common security and infrastructure capabilities to secure and support your overall AWS environment. @@ -48 +75,0 @@ The Security OU and the Infrastructure OU are categorized as foundational OUs. F -Accounts, workloads, and data residing in the foundational OUs are typically owned by your centralized cloud teams made up of cross-functional representatives from your Security, Infrastructure, and Operations teams. @@ -50 +76,0 @@ Accounts, workloads, and data residing in the foundational OUs are typically own -The majority of your accounts are contained in the other OUs. These OUs are intended to contain your business-related workloads. They also contain tools and services that support the entire lifecycle of your business-related services and data. @@ -58 +84 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Break glass access +Design principles for your multi-account strategy @@ -60 +86 @@ Break glass access -Security OU (Foundational) +Foundational OUs