In this step your Security and Cloud Administrators will add an initial set of AWS Organizations Organizational Units (OUs) to help you organize your first set of AWS accounts.
This step should take about 10 minutes to complete.
The following diagram represents an example set of OUs and AWS accounts that can help you get started with your initial AWS environment in support of your first few production workloads. This initial set of OUs is intended to enable you to group AWS accounts that have similar security and management needs.
The development and workload AWS account names shown in the diagram are examples; your own account names will vary with your needs. Refer to the initial AWS accounts for a description of the AWS accounts referenced in the diagram.
| OU Name | Description |
|---|---|
| Core | Automatically created by AWS Control Tower. Includes several foundational AWS accounts. |
| infrastructure_dev | Includes the team development AWS account(s) for your Cloud Foundation teams. These AWS accounts will have more write access to AWS resources than your standard team development AWS accounts, for example the ability to create and manage foundational VPC resources. |
| infrastructure_prod | Includes foundation infrastructure related AWS accounts, including the Network Production and Infrastructure Shared Services AWS accounts that you will create later in this guide. These accounts are managed by your Cloud Foundation team. |
| workloads_dev | Includes the bulk of your team development AWS accounts. |
| workloads_test | Includes the formal test environment AWS accounts for your business-oriented workloads. |
| workloads_prod | Includes the formal production environment AWS accounts for your business-oriented workloads. |
Your OU design is not intended to reflect your company’s organizational structure: AWS Organizations OUs are not meant to mirror your enterprise’s org chart. Instead, OUs provide a means to group AWS accounts that have similar security and operational requirements.
Your OU design will evolve: Since you have the ability to move AWS accounts between OUs and modify OUs, you don’t need to perform a complete OU design at this early stage. As you progress on your journey, you will evolve your OU design to suit your emerging needs. If you’d like to learn more about OUs, see AWS Organizations in Control Tower.
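Because accounts can be moved between OUs at any time, it is worth being able to check that each account still sits in the OU whose security and operational requirements match its own (a workload account that drifts into infrastructure_dev, for instance, inherits the broader write access meant only for the Cloud Foundation team). The following is an added example, not code from the guide or from AWS: it encodes the OU rules from the table above and audits a constructed account inventory; the `env`, `kind`, `owner` and `ou` attributes are assumed to come from your own account metadata (for example, account tags).

```python
"""Audit whether AWS accounts sit in the OU that matches their security and operational needs."""
from dataclasses import dataclass

# OU catalogue taken from the guide's table: each OU is characterised by the
# environment it hosts, the kind of account it holds and (for the
# infrastructure OUs) the team that must manage those accounts.
OU_RULES = {
    "infrastructure_dev":  {"env": "dev",  "kind": "infrastructure", "managed_by": "cloud-foundation"},
    "infrastructure_prod": {"env": "prod", "kind": "infrastructure", "managed_by": "cloud-foundation"},
    "workloads_dev":       {"env": "dev",  "kind": "workload"},
    "workloads_test":      {"env": "test", "kind": "workload"},
    "workloads_prod":      {"env": "prod", "kind": "workload"},
}


@dataclass(frozen=True)
class Account:
    name: str   # account name (constructed sample values below)
    env: str    # dev | test | prod
    kind: str   # infrastructure | workload
    owner: str  # team managing the account (assumed to come from an account tag)
    ou: str     # OU the account currently sits in


def expected_ou(acct):
    """Return the OU whose rules the account satisfies, or None if no OU fits."""
    for ou, rule in OU_RULES.items():
        if rule["env"] != acct.env or rule["kind"] != acct.kind:
            continue
        # Infrastructure OUs are reserved for Cloud Foundation managed accounts.
        if "managed_by" in rule and rule["managed_by"] != acct.owner:
            continue
        return ou
    return None


def audit(accounts):
    """Return (account name, problem) pairs for every account not in its expected OU."""
    findings = []
    for a in accounts:
        want = expected_ou(a)
        if want is None:
            findings.append((a.name, f"no OU matches env={a.env} kind={a.kind} owner={a.owner}"))
        elif a.ou != want:
            findings.append((a.name, f"in {a.ou}, expected {want}"))
    return findings


# Constructed sample inventory: two placed correctly, three that should be flagged.
SAMPLE = [
    Account("network-prod", "prod", "infrastructure", "cloud-foundation", "infrastructure_prod"),
    Account("infra-shared-services", "prod", "infrastructure", "cloud-foundation", "infrastructure_prod"),
    Account("payments-prod", "prod", "workload", "payments", "workloads_dev"),
    Account("payments-dev", "dev", "workload", "payments", "infrastructure_dev"),
    Account("netteam-sandbox", "dev", "infrastructure", "network-team", "infrastructure_dev"),
]
```

Run `audit(SAMPLE)` to see the three drift findings; in practice the inventory would be built from your Organizations account listing and tags.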
Using AWS Control Tower, add the OUs:

1. In the master account, use the Management console associated with the AWSAdministratorAccess role.
2. Open AWS Control Tower.
3. Choose Organizational units.
4. Choose Add an OU.