Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2.1. AWS Account Structures & Best Practices

2.2.2.1. AWS Account Structures & Best Practices

A single AWS account is a single blast radius. One compromised credential, one misconfigured IAM policy ā€” and everything in that account is affected.

AWS recommended account structure:
  • Management account: Only for Organizations management and billing. No workloads.
  • Security account: Centralized CloudTrail, GuardDuty, Security Hub
  • Log archive account: Immutable storage for audit logs (S3 with Object Lock)
  • Shared services account: Active Directory, DNS, CI/CD pipelines
  • Workload accounts: Separate per environment (dev/staging/prod) per application

Organizational Units (OUs) group accounts for policy inheritance:

Root
ā”œā”€ā”€ Security OU          ā†’ Security + Log Archive accounts
ā”œā”€ā”€ Infrastructure OU    ā†’ Shared Services, Networking
ā”œā”€ā”€ Workloads OU
ā”‚   ā”œā”€ā”€ Production OU    ā†’ Strict SCPs, change management
ā”‚   ā”œā”€ā”€ Staging OU       ā†’ Moderate restrictions
ā”‚   ā””ā”€ā”€ Development OU   ā†’ Permissive, cost controls
ā””ā”€ā”€ Sandbox OU           ā†’ Experimental, auto-cleanup

Account vending: Control Tower's Account Factory automates new account creation with pre-configured guardrails, VPC settings, and SSO access. For custom provisioning, use Service Catalog with a CloudFormation template that calls organizations:CreateAccount.

Exam Trap: The management account cannot be restricted by SCPs ā€” SCPs only affect member accounts. Workloads should never run in the management account. To restrict actions in the management account, use IAM policies and permission boundaries, not SCPs.

Alvin Varughese
Written byAlvin Varugheseā€¢Founderā€¢15 professional certifications